IPSEC from MikroTik to Cisco ASA

I am trying to set up an IPsec tunnel to a Cisco ASA. I have given my public and private IPs to the Cisco person. They set up their site and I have to set up my site. This is what I was given:

Peer:
Phase 1 and 2: ESP-AES-256-SHA
Local ip: 172.16.1.202
pre-shared-key:
no PFS


I gave them:
Peer:
Local ip: 192.168.2.112

How can I translate their info to the mikrotik to make it work?

Thanks

I’d suggest this one:

# Phase 2 proposal: AES-256-CBC / SHA1, no PFS (matches "no PFS" from the ASA side)
/ip ipsec proposal
add auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc lifetime=1d name=myProposal pfs-group=none

# Phase 1 peer: AES-256 / SHA1, main mode, pre-shared key; dh-group is an assumption, ask the ASA side which group they use
/ip ipsec peer
add address=<their peer address> auth-method=pre-shared-key dh-group=modp1024 dpd-interval=2m dpd-maximum-failures=5 \
    enc-algorithm=aes-256 exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d local-address=<your public IP> \
    nat-traversal=no passive=no policy-template-group=default port=500 proposal-check=obey secret=<their secret> \
    send-initial-contact=yes

# Policy: tunnel traffic between your LAN and their LAN using the proposal above
/ip ipsec policy
add action=encrypt dst-address=172.16.1.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=myProposal protocol=all \
    sa-dst-address=<their public IP> sa-src-address=<your public IP> src-address=192.168.2.0/24 src-port=any tunnel=yes

# Allow IKE (UDP/500) and ESP in from the WAN; these must sit above any drop rule in the input chain
/ip firewall filter
add chain=input action=accept in-interface=<your WAN interface> dst-port=500 protocol=udp
add chain=input action=accept in-interface=<your WAN interface> protocol=ipsec-esp

# Bypass source NAT for LAN-to-LAN traffic so it still matches the IPsec policy; place these above your masquerade rule
/ip firewall nat
add chain=srcnat action=accept dst-address=172.16.1.0/24 src-address=192.168.2.0/24
add chain=srcnat action=accept dst-address=192.168.2.0/24 src-address=172.16.1.0/24

…and this should be it.
Be sure your router uses the very same NTP server as the ASA does. IPsec is very delicate in terms of time stamps.


-Chris
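
To make the translation step explicit, here is an added Python helper that is not part of the original thread or of Chris's configuration: it parses an ASA transform-set name such as ESP-AES-256-SHA into the RouterOS phase 1 and phase 2 parameters and renders the /ip ipsec commands in the same (pre-6.43) syntax used above. The DH group, the placeholder addresses and the secret are assumptions to be replaced with the values agreed with the ASA side; "no PFS" is mapped to pfs-group=none.

```python
"""Translate Cisco ASA IPsec settings into RouterOS /ip ipsec parameters.

Added example, not code from the original forum thread.  The DH group and the
placeholder addresses/secret used below are assumptions, not values from the thread.
"""
import re

# ASDM-style transform-set names look like ESP-<cipher>-<hash>, e.g. ESP-AES-256-SHA.
TRANSFORM_RE = re.compile(r"^ESP-(AES-(?:128|192|256)|3DES|DES)-(SHA|MD5)$", re.IGNORECASE)

# cipher token -> (RouterOS phase 2 enc-algorithms value, RouterOS phase 1 enc-algorithm value)
ENC_MAP = {
    "AES-128": ("aes-128-cbc", "aes-128"),
    "AES-192": ("aes-192-cbc", "aes-192"),
    "AES-256": ("aes-256-cbc", "aes-256"),
    "3DES": ("3des", "3des"),
    "DES": ("des", "des"),
}
# hash token -> RouterOS auth-algorithms / hash-algorithm value
AUTH_MAP = {"SHA": "sha1", "MD5": "md5"}


def parse_transform_set(name):
    """Return (phase2_enc, phase1_enc, auth) for a transform-set name, or raise ValueError."""
    m = TRANSFORM_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised transform-set name: {name!r}")
    cipher, hsh = m.group(1).upper(), m.group(2).upper()
    p2_enc, p1_enc = ENC_MAP[cipher]
    return p2_enc, p1_enc, AUTH_MAP[hsh]


def translate(transform_set, pfs_group=None, dh_group="modp1024"):
    """Build the RouterOS proposal (phase 2) and peer (phase 1) parameters.

    pfs_group=None means the remote side said "no PFS", i.e. pfs-group=none.
    dh_group is the phase 1 group; the thread never states it, so modp1024 is an assumption.
    """
    p2_enc, p1_enc, auth = parse_transform_set(transform_set)
    return {
        "proposal": {"enc-algorithms": p2_enc, "auth-algorithms": auth,
                     "pfs-group": pfs_group or "none"},
        "peer": {"enc-algorithm": p1_enc, "hash-algorithm": auth, "dh-group": dh_group},
    }


def render(params, local_lan, remote_lan, local_pub, remote_pub, secret, name="myProposal"):
    """Render /ip ipsec commands in the older RouterOS syntax (phase 1 settings on the peer)."""
    prop, peer = params["proposal"], params["peer"]
    lines = [
        "/ip ipsec proposal",
        f"add name={name} enc-algorithms={prop['enc-algorithms']} "
        f"auth-algorithms={prop['auth-algorithms']} pfs-group={prop['pfs-group']} lifetime=1d",
        "/ip ipsec peer",
        f"add address={remote_pub} local-address={local_pub} auth-method=pre-shared-key "
        f"secret={secret} exchange-mode=main enc-algorithm={peer['enc-algorithm']} "
        f"hash-algorithm={peer['hash-algorithm']} dh-group={peer['dh-group']} lifetime=1d",
        "/ip ipsec policy",
        f"add src-address={local_lan} dst-address={remote_lan} sa-src-address={local_pub} "
        f"sa-dst-address={remote_pub} proposal={name} action=encrypt level=require "
        f"ipsec-protocols=esp tunnel=yes",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Values from the thread (LANs) plus placeholder public IPs and secret (assumptions).
    params = translate("ESP-AES-256-SHA")  # peer said "no PFS"
    print(render(params, "192.168.2.0/24", "172.16.1.0/24",
                 "<your public IP>", "<their public IP>", "<their secret>"))
```

Run it as a script to print the three command groups; pass pfs_group="modp1024" (or whatever group the ASA side confirms) to translate() if they do use PFS on phase 2.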

Thanks. I got all my settings in place. How do I tell if it's up? I know with L2TP, I can see when it's connected. I am pinging 172.16.1.202 from my 192.168.2.112 but get "request timed out".

check
/ip ipsec remote-peers
and
/ip ipsec installed-sas

Turn on debug logging for ipsec to see where it’s going wrong.
From my experience the ASA’s debug logs are a little more helpful.

-Chris

ok. Not to question you, I am learning, but shouldn’t one of these be dstnat not both srcnat?

/ip firewall nat
add chain=srcnat dst-address=172.16.1.0/24 src-address=192.168.2.0/24
add chain=srcnat dst-address=192.168.2.0/24 src-address=172.16.1.0/24

Remote peers has it listed. If you click on it, it says side: initiator then Established: is blank then at bottom it says message sent.
Installed SAs, is blank.

In my MikroTik log it has the two peers and has an error that says "times up". What does that mean?

Is it “phase2 negotiation failed due to timeup”?
As I said - ask for debug logs from the ASA. I had this a couple of times and a single line from an ASA debug log can solve the problem.
You can quickly get a hint like “DH-group 5 expected” or similar stuff that makes life so easy.

In your initial post you mentioned they don’t use PFS - I considered this info for phase1 only (which can occur) - but probably they also mean it for phase2 (which is rather uncommon and not a default ASA behaviour).
Try to remove all DH-groups from your peer definition and try it again.

-Chris

Chris, thanks for your help. We looked on the ASA and it wasn’t reaching it. We double checked the peer IP for that side and the number was 1 off. After changing that, the tunnel came up fine. It's working great. Thanks so much for your time; you have saved me a ton of time. Have a great day and God bless.

So glad to hear it’s working.
And that the reason was so simple.
-Chris