IPSEC behind CISCO Router

ctcolsen · December 23, 2013, 2:23pm

Guys, I need your help here please. What I’m trying to do is to set up an IPSEC tunnel from a RouterOS behind a Cisco Router(NAT?) but I can’t seem to get this to work. Set up is like this.

RouterOS — CISCO ---- Internet(IPSEC) ----- Mikrotik

RouterOS:
LAN: 192.168.8.1
WAN: 192.168.230.246(yes this is still private)

CISCO:
LAN:192.168.230.1
WAN:x.x.x.x (some public IP)

I am a total beginner on Mikrotik environment but I have some experience in Networking but totally new to IPSEC tunneling. I wanted to create a tunnel to the Mikrotik device(our client) but its not working. Below is my config.

#RouterOS 

/interface bridge add name=BR_LOOP disabled=no
/ip firewall nat
add action=src-nat chain=srcnat disabled=no to-address=172.15.46.254/32 dst-address=172.15.0.0/16 place-before=0 comment="MUST BE FIRST RULE"
/interface ipip
add disabled=no dscp=0 remote-address=xx.xx.xx.xx mtu=1480 name=ipipTest local-address=192.168.230.246
/ip address
add address=10.1.0.22/30 disabled=no interface=ipipTest
add address=172.15.46.254/32 disabled=no interface=BR_LOOP
/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name=proposal1 pfs-group=none
/ip ipsec policy
add action=encrypt comment="RouterOS" disabled=no src-address=172.15.46.254/32 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-src-address=10.1.0.22 \
    sa-dst-address=10.0.0.21 dst-address=172.16.0.0/16 src-port=any tunnel=yes
/ip ipsec peer
add address=10.0.0.21/32 auth-method=pre-shared-key comment="Remote" dh-group=modp1024 \
    disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main \
    generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no \
    port=500 proposal-check=obey secret=SOMESECRET send-initial-contact=yes
-----

My questions please:

Since my MikroTik RouterOS is behind a CISCO router, what port do I need to forward or how to I forward the packets going in to the local IP?
How do I check peer logs?
What am I missing here please?

ctcolsen · December 23, 2013, 4:54pm

I think I got the problem but not the solution yet. The IPIP tunnel is not working yet.

RouterOS — CISCO ---- Internet(IPSEC) ----- Mikrotik

RouterOS:
LAN: 192.168.8.1
WAN: 192.168.230.246(yes this is still private)

CISCO:
LAN:192.168.230.1
WAN:x.x.x.x (some public IP)

RouterOS: I assigned 10.1.0.22/30
MikroTik: I assigned 10.1.0.21/30

How do I tell the CISCO router to forward the packets to the internal IP? I cannot ping 10.1.0.21.

Gesha24 · December 23, 2013, 8:42pm

For this to work, you need to do 2 things:

Set up static NAT entry on Cisco router to forward incoming UDP traffic with destination port 4500 to Mikrotik
Make sure that Nat-traversal is enabled in Mikrotik’s IPSEC tunnel.

Alternatively, you can do L2TP/IPSEC tunnel which usually plays nicer with NAT, in that case you will need to set up NAT for UDP port 1701.

ctcolsen · December 24, 2013, 3:16pm

Thanks Gesha.

I ran this tool the CISCO router.

ip nat inside source static udp 192.168.230.246 4500 interface FastEthernet3/0 4500

At Peer, I have NAT Traversal set to no.

 0   ;;; RouterOS
     address=10.1.0.21/32 passive=no port=500 auth-method=pre-shared-key secret="SOMEPASSWORD"
     generate-policy=port-override exchange-mode=main send-initial-contact=yes nat-traversal=yes
     proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
     lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

Unfortunately, I’m still not able to ping.

Alternatively, you can do L2TP/IPSEC tunnel which usually plays nicer with NAT, in that case you will need to set up NAT for UDP port 1701.

I don’t have control over the server side since they are our clients. I’m trying too make this work as much as I can with the info that they gave.

Gesha24 · December 24, 2013, 9:55pm

2 things:

NAT traversal MUST BE ON on both sides, otherwise it won’t work. If remote side doesn’t have it on - just don’t bother, start setting up IPSEC on your Cisco.
I am a little rusty on Cisco’s static NAT config, but it looks to me like you did a destination nat and not a source nat. I can be easily wrong though, I would recommend double-checking.

andriys · December 25, 2013, 2:42pm

Static NAT on your Cisco should not be required. I’d suggest removing the rule.
NAT Traversal should be enabled (set it to YES) on your Mikrotik. Also make sure NAT-T is supported and enabled on the remote side as well. And take into account that your Mikrotik device won’t be able to be a responder. It should always be the initiator.

ctcolsen · January 5, 2014, 6:12pm

Thanks guys. I missed your post about static NAT. This isn’t a feasible option for us since we have NAT overload here.

Regarding on the NAT T enabled on remote site, it will be controlled by our client. I guess we will set this up as public IP instead. No router this time.

ctcolsen · January 7, 2014, 5:49pm

Problem solved! Thanks guys. I went ahead and assigned a public IP address for this instead.