Connectivity issue VPN Tunnel Between Mikrotik and CiscoPIX

shivaguntu · November 12, 2009, 3:39pm

Hi ,

I am trying to establish a vpn tunnel between Mikrotik 4.1 and Cisco PIX:

The wan IP for the Mikrotik: 120.69.226.111 Wan IP for PIX :125.149.94.253
Internal IP Range : 192.168.20/23 ( Mikrotik ) 172.16.0.0/16 ( Cisco PIX)

I am able to see the tunnel established and i am able to ping the internal IP of Mikrotik from Cisco.
but when i try to connect the internal IP of the cisco from Mikrotik its not working.

Can any of you guys shed some light on this.

The following is the existing configuration i have.

/interface> pr
Flags: D - dynamic, X - disabled, R - running, S - slave

NAME TYPE MTU L2MTU

0 R wlan2 ether 1500 1600
1 R Local ether 1500
2 R wlan1 ether 1500

/ip address> pr
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 192.168.20.1/23 192.168.20.0 192.168.21.255 Local
1 210.135.61.226/30 210.135.61.224 210.135.61.227 wlan1
2 120.69.226.111/24 120.69.226.0 120.69.226.255 wlan2
3 210.135.61.233/29 210.135.61.232 210.135.61.239 Local

/ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=0s

1 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2w

2 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

3 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn
protocol=tcp address-list=port scanners address-list-timeout=2w

4 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst
protocol=tcp address-list=port scanners address-list-timeout=2w

5 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w

6 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp
address-list=port scanners address-list-timeout=2w

7 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

8 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners

9 chain=input action=drop protocol=tcp dst-port=445

10 chain=forward action=drop protocol=tcp dst-port=445

11 chain=input action=drop protocol=udp dst-port=445

12 chain=forward action=drop protocol=udp dst-port=445

13 chain=input action=drop protocol=tcp dst-port=135-139

14 chain=forward action=drop protocol=tcp dst-port=135-139

15 chain=input action=drop protocol=udp dst-port=135-139

16 chain=forward action=drop protocol=udp dst-port=135-139

17 X chain=input action=drop dst-address=208.43.117.69

18 X chain=forward action=drop dst-address=208.43.117.69

19 chain=input action=drop dst-address=74.125.65.85

20 chain=forward action=drop dst-address=74.125.65.85

21 chain=input action=drop dst-address=74.125.113.85

22 chain=forward action=drop dst-address=74.125.113.85

23 chain=input action=drop dst-address=209.85.225.85

24 chain=forward action=drop dst-address=209.85.225.85

25 chain=forward action=accept protocol=ipsec-esp src-address=125.149.94.253
dst-address=120.69.226.111 in-interface=wlan2

26 chain=input action=accept protocol=ipsec-esp src-address=125.149.94.253
dst-address=120.69.226.111 in-interface=wlan2

27 chain=input action=accept protocol=ipsec-esp src-address=120.69.226.111
dst-address=125.149.94.253 in-interface=wlan2

28 chain=forward action=accept protocol=ipsec-esp src-address=120.69.226.11>
dst-address=125.149.94.253 in-interface=wlan2

29 chain=input action=drop src-address=0.0.0.0 dst-address=64.226.42.158

30 chain=input action=drop src-address=64.226.42.158 dst-address=0.0.0.0

31 chain=forward action=accept src-address=192.168.172.0/24
dst-address=192.168.21.0/24 in-interface=wlan2 out-interface=Local

32 chain=forward action=accept src-address=172.16.0.0/16
dst-address=192.168.21.0/24 in-interface=wlan2 out-interface=Local

33 chain=input action=accept src-address=192.168.20.0/23
dst-address=172.16.0.0/16 in-interface=Local

34 chain=forward action=accept src-address=192.168.20.0/23
dst-address=172.16.0.0/16 out-interface=wlan2

/ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=wlan1

1 chain=srcnat action=masquerade out-interface=wlan2

2 chain=srcnat action=accept src-address=192.168.20.0/23 dst-address=172.16.0.0/16

3 chain=srcnat action=accept src-address=120.69.226.111 dst-address=125.149.94.253

4 chain=dstnat action=accept src-address=120.69.226.111 dst-address=125.149.94.253

/ip ipsec proposal> pr
Flags: X - disabled
0 name=“default” auth-algorithms=sha1 enc-algorithms=aes-256 lifetime=8h pfs-group=modp1024

1 name=“ipsec” auth-algorithms=sha1 enc-algorithms=aes-256 lifetime=8h pfs-group=modp1024

/ip ipsec installed-sa> pr
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x52E6E0A src-address=125.149.94.253 dst-address=120.69.226.111 auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key=“76f1b991134dfeca0d8d309c57798756cab253c8” enc-key=“98cb07a528cf4acf74e8a94d08cdeacd5e9121a32cc4b348f7b5d94cd62db09e” addtime=nov/10/2009 19:53:54
add-lifetime=24m/30m usetime=nov/10/2009 19:53:56 use-lifetime=0s/0s current-bytes=528 lifebytes=0/0

1 E spi=0xBC4638E0 src-address=120.69.226.111 dst-address=125.149.94.253 auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key=“7fda93f56d3a0b4466a97d56aca07b3bb19e36fe” enc-key=“bd348501b318ae45aa25585c4315866ecaf13b1627bf82bf5f3cce2e535f1174” add-lifetime=24m/30m
use-lifetime=0s/0s lifebytes=0/0

/ip ipsec peer> pr
Flags: X - disabled
0 address=125.149.94.253/32:500 auth-method=pre-shared-key secret=“tradu-hE8ETES-Er” generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=yes
proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1536 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

/ip ipsec policy> pr
Flags: X - disabled, D - dynamic, I - inactive
0 D src-address=172.16.0.0/16:any dst-address=192.168.20.0/23:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=120.69.226.111
sa-dst-address=125.149.94.253 proposal=default priority=2

1 D src-address=172.16.0.0/16:any dst-address=192.168.20.0/23:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=120.69.226.111
sa-dst-address=125.149.94.253 proposal=default priority=2

2 D src-address=192.168.20.0/23:any dst-address=172.16.0.0/16:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=125.149.94.253
sa-dst-address=120.69.226.111 proposal=default priority=2

/ip ipsec statistics> pr
in-errors: 0
in-buffer-errors: 0
in-header-errors: 0
in-no-states: 1
in-state-protocol-errors: 0
in-state-mode-errors: 0
in-state-sequence-errors: 0
in-state-expired: 0
in-state-mismatches: 0
in-state-invalid: 0
in-template-mismatches: 840
in-no-policies: 0
in-policy-blocked: 0
in-policy-errors: 0
out-errors: 0
out-bundle-errors: 0
out-bundle-check-errors: 0
out-no-states: 250
out-state-protocol-errors: 0
out-state-mode-errors: 0
out-state-sequence-errors: 0
out-state-expired: 0
out-policy-blocked: 0
out-policy-dead: 0
out-policy-errors: 0