IPsec failed between Cisco & MikroTik

Please, I need help establishing an IPsec connection between Cisco & MikroTik.

Cisco

crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery

crypto ipsec transform-set test esp-3des esp-md5-hmac

crypto map try_bd 9999 ipsec-isakmp
set peer 10.30.2.71
set transform-set test
match address acl_test_9999

Mikrotik

[admin@MikroTik]/ip ipsec policy> print
src-address=0.0.0.0/32 src-port=any dst-address=0.0.0.0/32 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no
sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=IPSec priority=0

[admin@MikroTik]/ip ipsec> peer print
address=10.30.1.4/32 local-address=10.30.2.71 passive=no port=500
auth-method=pre-shared-key secret="**********" generate-policy=no
policy-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5

[admin@MikroTik] /ip ipsec proposal> print
name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024

[admin@MikroTik]/ip ipsec remote-peers print
0 local-address=10.30.2.71 remote-address=10.30.1.4 state=message-1-sent
side=initiator


In your proposal, try to set pfs-group to none or modp768, if the peer is a PIX firewall.

Thanks "cdiedrich", I have changed pfs-group but it's not working. It is a Cisco ASR1002.

Hmmm…

Are you sure your Cisco is using 3des for IKE encryption?
Try setting enc-algorithms to aes-128-cbc instead of 3des. Leave PFS-group on modp1024.

Good luck,
-Chris

Thanks, but bad luck, it's not working. I have tried and selected all possible parameters; the IPsec error on MikroTik shows "failed to get valid proposal".

:frowning:
You probably want to add topics=ipsec to /system logging and see what's going wrong in more detail.
Also a deep look into the Cisco logs can help. From my experience the Cisco logs are easier to understand with IKE problems.
Additionally, a debug crypto isakmp or debug crypto ipsec command on the Cisco can reveal a full set of hints on where to look.

Good luck, again :slight_smile:
-Chris

Again, thanks for helping me.

The problem has not been solved yet.

Cisco debug log shows:
entry number 47755 : CRYPTO-4-RECVD_PKT_NOT_IPSEC
Rec’d packet not an IPSEC packet.
(ip) vrf/dest_addr= /10.30.1.4, src_addr= 10.30.2.71, prot= 47
timestamp: 777181959

MikroTik IPsec error shows:
03:38:41 ipsec,debug rejected enctype: DB(prop#1:trns#1)
Peer(prop#1:trns#2) = 3DES-CBC:DES-CBC
03:38:41 ipsec,debug rejected authmethod: DB(prop#1:trns#1)
Peer(prop#1:trns#2) = pre-shared key:RSA signatures
03:38:41 ipsec,debug rejected hashtype: DB(prop#1:trns#1)
Peer(prop#1:trns#2) = MD5:SHA

Please help me…

A. IMHO the log shows a problem with DH_GROUP: 1024 vs 768 bit.
B. Could you make the time more accurate on the MikroTik? We are in 2015, not in 2002.

I have already tried these parameters (DH group & PFS group), but it's not working…

"cdiedrich" was right, it should be DES. When I change ipsec enc-algorithm=3des to DES, the log now shows "failed to pre-process ph2 packet."
Can anyone help me please…

As said before, have a look at your time settings.
The world of IPsec is very picky.
Best choice would be to sync the Cisco and your MikroTik against the very same NTP server.

Cheers
-Chris

Ah, I guess I found your problem :slight_smile:
Reading your first post again makes me think that you don’t have a policy defined for your IPsec tunnel - hence the system does not know which packets should go through that tunnel.

You need to add a policy for the remote subnet.

Let’s consider the local (MikroTik) Network being 192.168.88.0/24 and the remote (Cisco) Network 192.168.10.0/24.
I assume the Cisco’s public address is 10.30.1.4

Add this policy:

/ip ipsec policy
add src-address=192.168.88.0/24 src-port=any dst-address=192.168.10.0/24 
       dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=10.30.2.71 
       sa-dst-address=10.30.1.4 proposal=IPsec priority=0

Additionally, don’t forget to add a NAT exception rule for the target subnet:

/ip firewall nat
add chain=srcnat action=accept to-addresses=0.0.0.0 
      src-address=192.168.88.0/24 dst-address=192.168.10.0/24 log=no 
      log-prefix="" place-before=0

-Chris
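Added example, not from any poster in this thread: a small Python check that takes a Cisco `crypto isakmp policy` block and a MikroTik `/ip ipsec peer print` line and lists the phase-1 parameters the two sides cannot agree on. It assumes IOS fills omitted policy keywords with its documented defaults (DES, SHA-1, rsa-sig, group 1), which is what produced the DES / RSA / SHA / group-1 offer in the debug log above; the sample inputs are constructed from the configs posted in the thread.

```python
import re

# Assumption: IOS substitutes these defaults for any omitted 'crypto isakmp policy'
# keyword (the DES / group-1 offer in the thread's debug log is exactly this effect).
CISCO_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha",
                         "authentication": "rsa-sig", "group": "1"}

# Cisco policy value -> the matching value in MikroTik '/ip ipsec peer' terms.
TO_MIKROTIK = {
    "encryption": {"des": "des", "3des": "3des", "aes": "aes-128", "aes 256": "aes-256"},
    "hash": {"md5": "md5", "sha": "sha1", "sha256": "sha256"},
    "authentication": {"pre-share": "pre-shared-key", "rsa-sig": "rsa-signature"},
    "group": {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"},
}
# Which MikroTik peer attribute each Cisco keyword corresponds to.
PEER_ATTR = {"encryption": "enc-algorithm", "hash": "hash-algorithm",
             "authentication": "auth-method", "group": "dh-group"}

# Constructed input: the thread's Cisco policy and MikroTik peer print (secret removed).
CISCO_POLICY = """crypto isakmp policy 10
 hash md5
 authentication pre-share"""
MIKROTIK_PEER = ("address=10.30.1.4/32 local-address=10.30.2.71 auth-method=pre-shared-key "
                 "exchange-mode=main hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024")


def parse_cisco_policy(config):
    """Effective phase-1 parameters of one policy block, defaults filled in for omitted keywords."""
    policy = dict(CISCO_ISAKMP_DEFAULTS)
    for line in config.splitlines():
        parts = line.strip().split(maxsplit=1)
        if len(parts) == 2 and parts[0] in policy:
            policy[parts[0]] = parts[1]
    return policy


def parse_mikrotik_peer(print_output):
    """Turn the 'key=value ...' output of '/ip ipsec peer print' into a dict."""
    return dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', print_output))


def phase1_mismatches(cisco_config, peer_print):
    """(mikrotik attribute, value Cisco will offer, value MikroTik has) for each disagreement."""
    cisco, peer = parse_cisco_policy(cisco_config), parse_mikrotik_peer(peer_print)
    problems = []
    for keyword, value in cisco.items():
        expected = TO_MIKROTIK[keyword].get(value, value)  # translate to MikroTik vocabulary
        actual = peer.get(PEER_ATTR[keyword])
        if actual != expected:
            problems.append((PEER_ATTR[keyword], expected, actual))
    return problems
```

For the configs posted in this thread, `phase1_mismatches(CISCO_POLICY, MIKROTIK_PEER)` reports enc-algorithm (des vs 3des) and dh-group (modp768 vs modp1024), the same two parameters the later posts ended up changing.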