IPSEC Tunnel Between Mikrotik and CISCO.

Hello People.

We have an IPSEC Tunnel with a Cisco Router and it works fine.

I have one Question.

We have about 250 networks, for example:
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.4.0/24
192.168.5.0/24
192.168.X.0/24
192.168.X.0/24


192.168.249.0/24
192.168.250.0/24

And we make a Summarization ACL like that:

192.0.0.0 0.0.0.255 — (/8 MASK)

But in Mikrotik I cannot ping the Local Gateway in a Local LAN.

For example I have a PC: 192.168.250.10/24 and it cannot ping 192.168.250.1 (Mikrotik router default gateway LAN).

We can see another remote network through IPSEC Tunnel.

We did a trace, and I can see that it goes to the IPSEC TUNNEL, not locally.

A little screenshot.


If you need to ask any other questions, please go ahead.

Thks.
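An added illustration (not configuration from this thread) of why a /8 summary selector pulls local traffic into the tunnel: a small Python model of an ordered, first-match IPsec policy table using the addresses from the post. The bypass policy with action `none` placed ahead of the encrypt policy is an assumption modelled on RouterOS's ordered policy table, not something the poster configured.

```python
"""Model of first-match IPsec policy selection (RouterOS-style ordered policies).

Added illustration, not configuration from the thread. Addresses from the post:
LAN 192.168.250.0/24, gateway 192.168.250.1, PC 192.168.250.10, remote summary
192.0.0.0/8. Policy actions and order are constructed to show why the router's
local echo reply is pulled into the tunnel and how a more specific 'none'
policy ahead of the encrypt policy keeps it local.
"""
from ipaddress import ip_address, ip_network

# Each policy: (src selector, dst selector, action). Evaluated top to bottom,
# first match wins, like an ordered IPsec policy table.
SUMMARY_ONLY = [
    ("192.168.250.0/24", "192.0.0.0/8", "encrypt"),
]

WITH_BYPASS = [
    # Constructed bypass: local LAN <-> local LAN must never hit the tunnel.
    ("192.168.250.0/24", "192.168.250.0/24", "none"),
    ("192.168.250.0/24", "192.0.0.0/8", "encrypt"),
]


def first_match(policies, src, dst):
    """Return (index, action) of the first policy whose selectors cover the flow,
    or (None, 'route') when no policy matches and the packet is routed normally."""
    s, d = ip_address(src), ip_address(dst)
    for i, (src_sel, dst_sel, action) in enumerate(policies):
        if s in ip_network(src_sel) and d in ip_network(dst_sel):
            return i, action
    return None, "route"


def gateway_reply_action(policies):
    """Action applied to the router's ICMP echo reply 192.168.250.1 -> 192.168.250.10."""
    return first_match(policies, "192.168.250.1", "192.168.250.10")[1]


def remote_traffic_action(policies, remote_host):
    """Action applied to PC 192.168.250.10 -> a host behind the Cisco."""
    return first_match(policies, "192.168.250.10", remote_host)[1]


if __name__ == "__main__":
    for name, pol in (("summary only", SUMMARY_ONLY), ("with bypass", WITH_BYPASS)):
        print(f"{name:13} gateway reply -> {gateway_reply_action(pol)}, "
              f"remote 192.168.5.7 -> {remote_traffic_action(pol, '192.168.5.7')}")
```

With the summary-only table the gateway's reply to the PC is encrypted and sent to the peer, which is the "goes to the IPSEC tunnel" symptom; the bypass entry changes only that flow and leaves remote traffic encrypted.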

Quick question
Is your mk to cisco ipsec connection stable? Does it quit responding for no reason in the middle of the day?

Have you figured this out? Because I would be interested if you got this figured out.

Thanks,
TM

Hello OscarCR,

perhaps only a thinking error on your side, because you were setting the Cisco in the same subnet class
as the other networks behind the Cisco, but there is an enabled NAT WAN interface?

192.168.0.255 — (/8 MASK)
This will never run, and mostly also sooner or later you will be in trouble, please trust my words on this.

192.0.168.0.254/24 because
xxx.xxx.xxx.255 is the broadcast address!!! and
xxx.xxx.xx.0 is the network itself

If I see it right, at the left side of your network you were also setting up routers, and those routers are using
SPI + NAT + FW rules at their WAN interface, am I right with this? This is a so-called “router cascade”,
or also plainly called double SPI/NAT, and the IPSec connection is only from the MikroTik on the right side to the
Cisco on the left, but not to the endpoint, the WAN interface of the routers at the left side.

So you have some ways to come out of this and get closer to a real solution.

  1. On the left side the Cisco device is doing SPI + NAT + Firewall rules and VPN,
    but the routers behind the Cisco are only doing plain routing and not more!

  2. Activate VPN Passthrough mode at the Cisco and let the VPN connections end at the WAN interfaces of the
    routers in the second range on the left side; then you will be able to reach them or plainly ping their gateway!

  3. Go old school, but also more expensive and therefore not very welcome in the often so beloved cheap world:
    Cisco to MikroTik IPSec VPN, and behind them switches with VLANs, and each VLAN will get its own subnet!
    I prefer this way owing to the following points listed below this line:

  • broadcast problems
  • fast and secure network scaling
  • Switches are stackable
  • Switches are able to uplink in 10 GBit/s throughput
  • VLANs would do better job for those network constructions
  • Layer independent (Core Layer, distributed Layer, Access Layer)
  • Port density per each VLAN can vary faster
  • Better security features
  • Better QoS capabilities
  • many broadcast domains are better than one big fat /8 for troubleshooting and prevention

Quick question

Short answer.

Is your mk to cisco ipsec connection stable?
Why not? Should it not be so?
Depending on the device you will be acting with, the RB1100AHx2 is sorted with hardware support for VPN connections.
And with 2 GB of RAM all should be fine, if not:

  • in many cases the lease time is too high
  • the routers are not properly synced
  • the ISP in this country really breaks the connection once a day for a small time frame,
    like here in Germany where I am living!

Does it quit responding for no reason in the middle of the day?
Does your provider also give you a break once a day, perhaps in the middle of the day?

Have you figured this out cause I would be interested if you got this figured out.
http://wiki.mikrotik.com/wiki/MikroTik_router_to_CISCO_PIX_Firewall_IPSEC

Hello Dobby and tmm72, thank you for your time.

Thanks for taking your time to answer that. (Sorry for my bad English.)

Why Mikrotik? Because it is cheaper than Cisco, and I feel that Mikrotik can do more things than a Cisco router: VLAN, tunneling, QoS, etc.

Well, with Cisco I don’t have problems with the ACL with /8 mask; after that I put every subnet in every ACL, and sometimes this work is so careful and difficult to read in the CLI (about 250 subnets). It is the only reason.

I cannot apply NAT in CISCO WAN. (172.2.8.1)

The routers behind the Cisco are only doing plain routing, on the left side. Internet and other connections pass through other firewalls.

Dobby, your real solutions are so high-level, nice tips; thanks for the link, and I read it.

The real mask is similar to 192.0.0.0 0.0.0.255 — (/8 MASK).

This week I need to test a Mikrotik Router with a Cisco 2900 Router, and I will tell you how I did with the IPSEC settings.

Thanks a lot for that info!

Best Wishes.