IPSec tunnel from mikrotik behind NAT with Cisco

Hi

I try to setup a site to site tunnel between a Cisco router and a Mikrotik Router behind NAT.
could anyone share experience or some example about that?

HQ LAN (192.168.5.0/24) ------------(192.168.5.1) [Cisco 1841 Router] (192.168.114.226) ------ some infrastructure -------- (172.16.177.36) [Modem (NAT)] (192.168.24.1) --------------- (192.168.24.2) [Mikrotik Router] (192.168.100.1) ------ Branch LAN Clients (192.168.100.0/24)

The modem also has a DMZ set up that forwards all incoming traffic to the Mikrotik.

Maybe this could help? Not really what you are asking, but you might get some hints.

Thank you erkexzcx. I found several resources about Mikrotik-to-Mikrotik IPsec behind NAT and also IPsec between Mikrotik and Cisco, but I can't merge these two into a working config for my problem.

Since you’ve tried already (I assume), which part do you think is failing/not working?

When I started learning about IPsec, the only way to move forward was to enable IPsec logs on both Mikrotik routers and see what is actually failing or happening.

Can you show us some logs/configuration exports?

Hi
The IPsec peer is finally established. I used this doc for the base config.
https://mum.mikrotik.com/presentations/US15/godinichconsulting_mum.pdf

This is my config so far. Now I want to go to the next step. Let's say we have a server VLAN in HQ. This config only routes to the remote LAN specified in the config (192.168.5.0). How could I route traffic to the server VLAN from the remote branch?
I need to connect about 10 Mikrotiks to one Cisco router. How should I configure the Cisco router for that?
Also, I would appreciate any improvement to this config.

HQ Servers (192.168.1.0/24) -----some firewall--------HQ LAN (192.168.5.0/24) ------------(192.168.5.1) [Cisco 1841 Router] (192.168.114.226) ------ some infrastructure -------- (172.16.177.36) [Modem (NAT)] (192.168.24.1) --------------- (192.168.24.2) [Mikrotik Router] (192.168.100.1) ------ Branch LAN Clients (192.168.100.0/24)

Mikrotik:

# ether5: private WAN side towards the modem (NATed); ether4: branch LAN
/ip address
add address=192.168.24.2/24 interface=ether5 network=192.168.24.0
add address=192.168.100.1/24 interface=ether4 network=192.168.100.0

# Phase 1 - must match the Cisco "crypto isakmp policy":
# aes-128 = "encr aes", modp1024 = "group 2", hash defaults to sha1 on both sides
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=My-IPsec-Profile

# address = the Cisco's public IP; local-address = our private WAN address.
# NAT traversal (on by default in the profile) carries the exchange through the modem.
/ip ipsec peer
add address=192.168.114.226/32 local-address=192.168.24.2 name=My-Peer \
    profile=My-IPsec-Profile

# Phase 2 - aes-128-cbc matches "esp-aes", the default sha1 auth matches "esp-sha-hmac",
# the default pfs-group modp1024 matches "set pfs group2", 1h = the IOS default 3600 s
/ip ipsec proposal
add enc-algorithms=aes-128-cbc,aes-128-ctr lifetime=1h name=My-proposal

# NAT bypass: this accept rule must sit ABOVE any masquerade rule, otherwise the
# source address is rewritten before the IPsec policy can match it
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.5.0/24 src-address=\
    192.168.100.0/24

# Pre-shared key - must equal the "crypto isakmp key" on the Cisco
/ip ipsec identity
add peer=My-Peer secret="My$ecreT"

# Traffic selector: src/dst must mirror the Cisco ACL (ACL src = our dst, ACL dst = our src).
# sa-src-address is the private address; the modem translates it to 172.16.177.36.
/ip ipsec policy
add dst-address=192.168.5.0/24 peer=My-Peer proposal=My-proposal \
    sa-dst-address=192.168.114.226 sa-src-address=192.168.24.2 src-address=\
    192.168.100.0/24 tunnel=yes

# Route for the remote LAN so the packets leave via ether5 and get picked up by the policy
/ip route
add comment="over IPSEC" distance=1 dst-address=192.168.5.0/24 gateway=\
    192.168.24.1

Cisco router:

! Phase 1 - matches the Mikrotik profile (aes-128 / modp1024); hash defaults to sha
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2

! The key is bound to the modem's public address (what the Cisco sees after NAT),
! not to the Mikrotik's private 192.168.24.2
crypto isakmp key My$ecreT address 172.16.177.36 no-xauth

! Phase 2 - matches the Mikrotik proposal (aes-128-cbc / sha1)
crypto ipsec transform-set TS-MyNet esp-aes esp-sha-hmac

! Peer is again the modem's public address; PFS group2 = Mikrotik default modp1024
crypto map CM-MyNet 5 ipsec-isakmp
 set peer 172.16.177.36
 set transform-set TS-MyNet
 set pfs group2
 match address ACL-MyNet

! Crypto map applied on the WAN interface
interface FastEthernet0/0
 ip address 192.168.114.226 255.255.255.248
 crypto map CM-MyNet

! Route for the branch LAN via the WAN next hop so return traffic hits the crypto map on Fa0/0
ip route 192.168.100.0 255.255.255.0 192.168.114.225

! Interesting traffic - the mirror image of the Mikrotik policy (wildcard masks, not netmasks)
ip access-list extended ACL-MyNet
 permit ip 192.168.5.0 0.0.0.255 192.168.100.0 0.0.0.255
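The two halves of the config above have to agree with each other in several places (phase-1 DH group, the NAT public address as the Cisco peer, mirrored traffic selectors, and an srcnat bypass for every selector), and adding a second subnet such as the HQ server VLAN on only one side leaves the tunnel up but the new subnet unreachable. The following is an added example, not code from this thread or from MikroTik or Cisco: a small Python checker that parses a RouterOS export and an IOS snippet and reports those mismatches. The embedded configs are constructed sample input copied from the post, plus one extra MikroTik policy and srcnat rule for 192.168.1.0/24 with no matching Cisco ACL entry, so the checker has something to flag. It only understands the `permit ip A wildcard B wildcard` ACL form used here.

```python
"""Cross-check a MikroTik RouterOS <-> Cisco IOS site-to-site IPsec config (added example)."""
import ipaddress
import re

# Constructed sample: the thread's MikroTik export plus a one-sided 192.168.1.0/24 policy.
MIKROTIK_EXPORT = r'''
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=My-IPsec-Profile
/ip ipsec peer
add address=192.168.114.226/32 local-address=192.168.24.2 name=My-Peer \
    profile=My-IPsec-Profile
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.5.0/24 src-address=\
    192.168.100.0/24
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.100.0/24
/ip ipsec policy
add dst-address=192.168.5.0/24 peer=My-Peer proposal=My-proposal \
    sa-dst-address=192.168.114.226 sa-src-address=192.168.24.2 src-address=\
    192.168.100.0/24 tunnel=yes
add dst-address=192.168.1.0/24 peer=My-Peer proposal=My-proposal \
    sa-dst-address=192.168.114.226 sa-src-address=192.168.24.2 src-address=\
    192.168.100.0/24 tunnel=yes
'''

# Constructed sample: the thread's Cisco side, which still only knows about 192.168.5.0/24.
CISCO_CONFIG = '''
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto map CM-MyNet 5 ipsec-isakmp
 set peer 172.16.177.36
 set transform-set TS-MyNet
 set pfs group2
 match address ACL-MyNet
ip access-list extended ACL-MyNet
 permit ip 192.168.5.0 0.0.0.255 192.168.100.0 0.0.0.255
'''

ROUTEROS_DH_TO_IOS_GROUP = {"modp768": "1", "modp1024": "2", "modp1536": "5", "modp2048": "14"}


def parse_routeros(export):
    """Return {section: [entry, ...]}; each entry maps key -> value of one 'add' line."""
    sections, section = {}, None
    for line in re.sub(r"\\\n\s*", "", export).splitlines():  # join backslash-wrapped lines
        line = line.strip()
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
        elif line.startswith("add ") and section is not None:
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            sections[section].append({k: v.strip('"') for k, v in pairs})
    return sections


def wildcard_to_net(address, wildcard):
    """Turn an IOS 'address wildcard' pair into an ip_network (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{address}/{32 - w.bit_length()}", strict=False)


def parse_cisco(config):
    """Pull the ISAKMP policy, crypto-map peers and ACL selectors out of an IOS snippet."""
    cfg, mode, name = {"isakmp": {}, "peers": set(), "acl": {}}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # top-level command opens (or ends) a block
            if line.startswith("crypto isakmp policy"):
                mode = "isakmp"
            elif line.startswith("crypto map"):
                mode = "map"
            elif line.startswith("ip access-list extended"):
                mode, name = "acl", line.split()[-1]
                cfg["acl"][name] = []
            else:
                mode = None
            continue
        words = line.split()
        if mode == "isakmp" and len(words) == 2:
            cfg["isakmp"][words[0]] = words[1]
        elif mode == "map" and words[:2] == ["set", "peer"]:
            cfg["peers"].add(words[2])
        elif mode == "acl" and words[:2] == ["permit", "ip"] and len(words) == 6:
            cfg["acl"][name].append((wildcard_to_net(words[2], words[3]), wildcard_to_net(words[4], words[5])))
    return cfg


def check(mt, cisco):
    """Return a sorted list of findings; an empty list means both sides agree."""
    findings = []
    dh = mt.get("/ip ipsec profile", [{}])[0].get("dh-group", "modp1024")
    if ROUTEROS_DH_TO_IOS_GROUP.get(dh) != cisco["isakmp"].get("group"):
        findings.append(f"phase1: MikroTik dh-group={dh} is IOS group {ROUTEROS_DH_TO_IOS_GROUP.get(dh)}, "
                        f"Cisco policy has group {cisco['isakmp'].get('group')}")
    for peer in mt.get("/ip ipsec peer", []):
        if peer.get("local-address") in cisco["peers"]:
            findings.append(f"peer: Cisco 'set peer {peer['local-address']}' is the MikroTik's private address; "
                            "behind NAT it must be the modem's public address")
    net = ipaddress.ip_network
    mt_sel = {(net(p.get("src-address", "0.0.0.0/0")), net(p.get("dst-address", "0.0.0.0/0")))
              for p in mt.get("/ip ipsec policy", []) if p.get("tunnel") == "yes"}
    cisco_sel = {(dst, src) for entries in cisco["acl"].values() for src, dst in entries}  # mirrored view
    for src, dst in sorted(mt_sel - cisco_sel, key=str):
        findings.append(f"selector: MikroTik policy {src} -> {dst} has no mirrored Cisco ACL line "
                        f"'permit ip {dst.network_address} {dst.hostmask} {src.network_address} {src.hostmask}'")
    for src, dst in sorted(cisco_sel - mt_sel, key=str):
        findings.append(f"selector: Cisco ACL covers {dst} -> {src} but MikroTik has no policy {src} -> {dst}")
    bypass = {(net(r["src-address"]), net(r["dst-address"])) for r in mt.get("/ip firewall nat", [])
              if r.get("chain") == "srcnat" and r.get("action") == "accept"}
    for src, dst in sorted(mt_sel - bypass, key=str):
        findings.append(f"nat: no 'chain=srcnat action=accept' rule for {src} -> {dst}; "
                        "masquerade would rewrite the source before the IPsec policy matches")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check(parse_routeros(MIKROTIK_EXPORT), parse_cisco(CISCO_CONFIG)) or ["OK: both sides agree"]:
        print(finding)
```

Run as-is it reports exactly one finding, the 192.168.1.0/24 policy that has no Cisco ACL line, and prints the `permit ip` line (in wildcard-mask form) that would complete the mirror. The same check applies when the Cisco side fronts many branches: every MikroTik policy pair must show up, reversed, in the ACL that the branch's crypto map entry matches.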