Slowly going insane dealing with a connection I have been trying to make.
Cisco firewall people tell me to set up ipsec to them. They give me the external ip to connect to. But no info about what is on the other side of the tunnel.
After getting a "try telnetting to"… I take a guess at what goes in ipsec.
/ip ipsec policy
add comment="Tunnel Works" dst-address=151.193.14x.xxx/32 level=unique proposal=4Cisco sa-dst-address=151.193.22x.xxx sa-src-address=64.xxx.xxx.xxx src-address=64.xxx.xxx.xxx/32 tunnel=yes
I ask them for a peer IP to make a tunnel and get told that they are expecting the ipsec to be masq. ??? Well that’s a first.
I get SAs.
Everything keeps erroring out… going nuts.
I would have thought to try ip to ip tunnel. Then put the ipsec in that tunnel.
You need to know the EXACT config of the other side to get IPsec to work.
When they cannot tell you that, it is going to be poking in the dark.
Debugging is very difficult due to the useless error messages that you get when it does not work.
(this is not MikroTik’s fault, it is the same in every IPsec configuration, you get either a working connection
or some useless diagnostic like “timeout in phase 1” or “proposals do not match”, without an exact specification
of what is not matching. I think this is because it is all encrypted and the router itself also does not know what
is wrong, it just gets a wrong hash value or somesuch to work with)
Yes but that is what I mean with “the EXACT config”.
You NEED to know what they have configured at the other end.
An IPsec tunnel? For what subnet on each end?
An L2TP/IPsec connection? With what kind of authentication? With what routes?
Without such info you will have lots of trying to go…
If your tunnel is up, phase 1 and phase 2, and your policy is set right it should work with a clean router setup.
The reason it's probably not working is you have a srcnat/masquerade rule which 'overrules' your traffic so it won't be sent to the tunnel.
Either make an exemption in the masquerade rule to not nat the traffic that's intended for the other end of the tunnel, or make a new srcnat which is placed higher (on top) that only accepts traffic from your lan to the other end.
That's the problem... they want the external ip on it. When I send packets to the cisco with a local ip... the cisco tears down the tunnel. This is intentional... they tell me.
I literally need something like when I made a pptp connection between 2 routers. Router 1 only saw traffic from the WAN IP of router 2.
The cisco wants to see my wan ip on the packets.
This flies in the face of every article I have read.
I have a connection... just no way to force packets into it. I have wasted hours and hours on this.
They gave me an IP to connect to. They expect packets from my Wan IP. Then they told me a PUBLIC IP TO CONNECT TO ONCE TUNNELED. That confused the hell out of me. So now I have my source IP as WAN ip. I have the odd public ip in there too. In the scone tab I have my wan and their wan. That connects.
My 2 cents:
Then you should just ask the cisco guys what they expect you to configure?! If they only expect an external address over the 'tunnel' it sounds to me you just need to make a client-vpn with them? (PPP → L2TP/ipsec ?). Then you get a new interface with a network-address from them where you or they can work with?
The Mikrotik/Winbox 'IP → IPSEC' menu is all about site2site VPN. Just like pe1chl mentioned you would need to know the exact configuration on both ends, this must include both private IP ranges or addresses you want to route over it.
If there is still a site2site necessary it should look more like this:
/ip ipsec policy
add comment="Tunnel Works" dst-address=OTHER.END.TUNNEL.RANGE/24 proposal=4Cisco sa-dst-address=151.193.22x.xxx sa-src-address=64.xxx.xxx.xxx src-address=MY.LAN.RANGE.MIKROTIK/24 tunnel=yes
And the NAT rule which is on top so it's forwarded in the tunnel instead of masquerading out:
/ip firewall nat
add action=accept chain=srcnat dst-address=OTHER.END.TUNNEL.RANGE/24 src-address=MY.LAN.RANGE.MIKROTIK/24
I have several working site2site VPN configurations with IPSEC with use of Mikrotik and Cisco. We do manage both ends making it easier to setup.
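The two posts above (the masquerade "overruling" the tunnel, and the accept rule placed on top of srcnat) describe the same mechanism: RouterOS runs srcnat on an outbound packet before it checks the IPsec policy selectors, so a masqueraded packet carries the WAN address and no longer matches a policy written for the LAN range. The following is an added example, not code from the thread or from MikroTik; it simulates first-match srcnat processing and policy selection over constructed documentation addresses (192.168.88.0/24, 10.20.30.0/24, 198.51.100.10 are placeholders, not the poster's real ranges) so you can see why rule order decides whether traffic enters the tunnel.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addressing (documentation ranges, not the thread's real IPs).
WAN_IP = "198.51.100.10"        # this router's public (WAN) address
MY_LAN = "192.168.88.0/24"      # LAN behind the MikroTik
REMOTE_LAN = "10.20.30.0/24"    # subnet behind the Cisco, reachable via the tunnel


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class NatRule:
    """One rule in /ip firewall nat chain=srcnat (action accept or masquerade)."""
    action: str
    src_net: Optional[str] = None   # None means "any"
    dst_net: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        return True


def run_srcnat(pkt: Packet, rules: List[NatRule], wan_ip: str) -> Packet:
    """First matching rule wins, as in the RouterOS srcnat chain.

    'accept' stops processing and leaves the packet untouched;
    'masquerade' rewrites the source to the WAN address.
    """
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "masquerade":
                return Packet(src=wan_ip, dst=pkt.dst)
            return pkt
    return pkt


@dataclass
class IpsecPolicy:
    """Selectors of an /ip ipsec policy entry (src-address / dst-address)."""
    src_net: str
    dst_net: str

    def selects(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net))


def goes_through_tunnel(pkt: Packet, nat_rules: List[NatRule],
                        policy: IpsecPolicy, wan_ip: str = WAN_IP) -> bool:
    """Outbound packet flow: srcnat first, then IPsec policy matching."""
    after_nat = run_srcnat(pkt, nat_rules, wan_ip)
    return policy.selects(after_nat)


POLICY = IpsecPolicy(MY_LAN, REMOTE_LAN)
LAN_TO_REMOTE = Packet("192.168.88.25", "10.20.30.7")
LAN_TO_INTERNET = Packet("192.168.88.25", "203.0.113.5")

# Broken ordering: masquerade catches everything, the source becomes the WAN IP,
# and the policy selector for 192.168.88.0/24 no longer matches.
BROKEN_NAT = [NatRule("masquerade")]

# Fixed ordering: an accept rule for LAN -> remote LAN sits on top, so tunnel
# traffic keeps its LAN source; ordinary internet traffic still gets masqueraded.
FIXED_NAT = [
    NatRule("accept", src_net=MY_LAN, dst_net=REMOTE_LAN),
    NatRule("masquerade"),
]

if __name__ == "__main__":
    print("broken:", goes_through_tunnel(LAN_TO_REMOTE, BROKEN_NAT, POLICY))
    print("fixed: ", goes_through_tunnel(LAN_TO_REMOTE, FIXED_NAT, POLICY))
    print("internet src after fixed NAT:", run_srcnat(LAN_TO_INTERNET, FIXED_NAT, WAN_IP).src)
```

The simulation only models the selectors; it does not reproduce the separate case from the thread where the Cisco end expects packets sourced from the WAN address itself, which is a different policy (src-address=WAN/32) rather than a NAT ordering problem.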
When Cisco users talk about “Cisco VPN” they mean L2TP/IPsec. The IPsec policies would refer only to public
addresses and the L2TP tunnel runs over that, and can transport any inside addresses.