Hi guys.
I have some problems configuring an IPsec tunnel (tunnel mode) between a Cisco 2821 and a Mikrotik RB750 (RouterOS 6.0).
The application is quite simple:
(LAN1)--[rb750]--(ip cloud)--[cisco2821]--(LAN2)
and in this case everything works just fine. Problems begin when I have another subnet on the Cisco side:
(LAN1)--[rb750]--(ip cloud)--[cisco2821]--(LAN2)(LAN3)
When configuring the Cisco I add another line to the ACL which selects "interesting traffic", and on the Mikrotik side I try to add another IPsec policy for the new IP subnet, but it doesn't work. It seems like on Mikrotik only one IPsec policy may work at the same time for one peer. Any ideas how to make the Mikrotik encrypt traffic for both subnets?
LAN1 - 10.128.11.0/24
LAN2 - 10.129.0.0/16
LAN3 - 172.22.0.0/16
Here are the configs of the Cisco and the Mikrotik:
Mikrotik RB750:
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
ADDRESS NETWORK INTERFACE
0 10.128.11.1/24 10.128.11.0 ether2
1 D 10.169.0.81/14 10.168.0.0 ether1
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 10.168.0.1 0
1 ADC 10.128.11.0/24 10.128.11.1 ether2 0
2 ADC 10.168.0.0/14 10.169.0.81 ether1 0
[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled
0 address=10.59.0.10/32 passive=no port=500 auth-method=pre-shared-key secret="test" generate-policy=no exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5
[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive
0 src-address=10.128.11.0/24 src-port=any dst-address=10.129.0.0/16 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=10.169.0.81 sa-dst-address=10.59.0.10 proposal=default priority=0
1 src-address=10.128.11.0/24 src-port=any dst-address=172.22.0.0/16 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=10.169.0.81 sa-dst-address=10.59.0.10 proposal=default priority=0
Cisco2821:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key test address 10.169.0.81
!
!
crypto ipsec transform-set test-ts esp-3des esp-sha-hmac
!
crypto map test-cm 10 ipsec-isakmp
set peer 10.169.0.81
set security-association lifetime seconds 1800
set transform-set test-ts
set pfs group2
match address test-acl
interface GigabitEthernet0/0.2672
encapsulation dot1Q 2672
ip address 10.59.0.10 255.255.255.252
crypto map test-cm
interface GigabitEthernet0/1.1016
encapsulation dot1Q 1016
ip address 172.18.0.46 255.255.255.252
ip route 10.128.11.0 255.255.255.0 10.59.0.9
ip route 10.129.0.0 255.255.0.0 172.18.0.45
ip route 10.169.0.0 255.255.255.0 10.59.0.9
ip route 172.22.0.0 255.255.0.0 172.18.0.45
ip access-list extended test-acl
permit ip 10.129.0.0 0.0.255.255 10.128.11.0 0.0.0.255
permit ip 172.22.0.0 0.0.255.255 10.128.11.0 0.0.0.255
Thanks in advance,
Tima.
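A consistency check for the two configs above, added here as an example and not part of the original post: it parses the MikroTik `ip ipsec policy print` lines and the Cisco `permit ip` ACL entries (wildcard masks converted to prefixes) and reports any MikroTik policy whose src/dst pair has no mirrored dst/src entry in the Cisco ACL. The sample input is constructed from the thread's own configs, joined onto single lines.

```python
import ipaddress
import re

# Constructed sample input, taken from the thread (each policy joined onto one line).
MIKROTIK_POLICIES = """
0 src-address=10.128.11.0/24 src-port=any dst-address=10.129.0.0/16 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.169.0.81 sa-dst-address=10.59.0.10 proposal=default priority=0
1 src-address=10.128.11.0/24 src-port=any dst-address=172.22.0.0/16 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=10.169.0.81 sa-dst-address=10.59.0.10 proposal=default priority=0
"""

CISCO_ACL = """
permit ip 10.129.0.0 0.0.255.255 10.128.11.0 0.0.0.255
permit ip 172.22.0.0 0.0.255.255 10.128.11.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address + wildcard mask (inverse mask) into an IPv4Network."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_mikrotik_policies(text):
    """Return (src_net, dst_net, sa_dst) tuples from 'ip ipsec policy print' output."""
    policies = []
    for line in text.strip().splitlines():
        kv = dict(re.findall(r"(\S+?)=(\S+)", line))  # key=value tokens on the line
        policies.append((ipaddress.ip_network(kv["src-address"]),
                         ipaddress.ip_network(kv["dst-address"]),
                         kv["sa-dst-address"]))
    return policies


def parse_cisco_acl(text):
    """Return (src_net, dst_net) tuples from extended 'permit ip' ACL lines."""
    entries = []
    for line in text.strip().splitlines():
        m = re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", line.strip())
        if m:
            entries.append((wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])))
    return entries


def find_unmirrored(mt_policies, acl_entries):
    """MikroTik (src, dst) pairs lacking the mirrored (dst, src) entry on the Cisco side."""
    mirrored = {(dst, src) for src, dst in acl_entries}
    return [(s, d) for s, d, _ in mt_policies if (s, d) not in mirrored]


if __name__ == "__main__":
    missing = find_unmirrored(parse_mikrotik_policies(MIKROTIK_POLICIES), parse_cisco_acl(CISCO_ACL))
    print("all policies mirrored" if not missing else f"unmirrored: {missing}")
```

For the configs in this thread the check reports no mismatch, which rules out a selector typo and points the investigation at the SA negotiation itself.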