IPSec-Tunnel to Cisco

Hi all,

I am stumped. No matter what I do, no traffic is routed to the IPsec tunnel, which shows as established. Traceroute shows traffic to RemoteNet just going to the internet; it seems to completely disregard my config in the firewall.

If anyone spots what may be wrong… I'm sure it's something I missed.

Far-end net is RemoteNet in the config…
WAN is the wireless interface to the router with Internet access (192.168.50.0)
Local net is 192.168.5.0

Thank You
Luca

# mar/09/2022 22:33:03 by RouterOS 6.49.4
# software id = FPDY-U4AF
#
# model = 2011UiAS-2HnD
# serial number = 
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] country=canada disabled=no ssid=MySSID
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip ipsec peer
add address=xx.xx.xx.xx/32 exchange-mode=ike2 local-address=192.168.50.254 \
    name=Lab
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des \
    nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 pfs-group=none
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.100
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=wlan1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0
add address=192.168.50.254/24 interface=wlan1 network=192.168.50.0
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input dst-address=0.0.0.0 log=yes src-address=0.0.0.0
/ip firewall nat
add action=accept chain=srcnat dst-address=RemoteNet/24 log=yes \
    src-address=192.168.5.0/24
add action=masquerade chain=srcnat
/ip firewall raw
add action=notrack chain=prerouting disabled=yes dst-address=RemoteNet/24 \
    src-address=192.168.5.0/24
/ip ipsec identity
add peer=Lab
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=RemoteNet/31 peer=Lab src-address=\
    192.168.5.0/24 tunnel=yes
add disabled=yes dst-address=RemoteNet/31 peer=Lab src-address=\
    192.168.5.0/24 tunnel=yes
add dst-address=RemoteNet/24 peer=Lab src-address=192.168.5.0/24 tunnel=\
    yes
/ip route
add distance=1 gateway=192.168.50.1
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8\
    ,ether9,ether10"
/system clock
set time-zone-name=America/Toronto

Did you try nat-traversal=yes ?

Hi

Got it to work by removing all IPsec policies but one. I have a few in there, i.e. one for DST 192.168.1.0/24 and one for 192.168.2.0/24. They both establish and the SA shows up as well, but that breaks routing to both of them. Meanwhile, if I disable all but one policy it works fine.

Any pointers on that?

Thank You
Luca

I've seen cases where, when using multiple policies for the same peer, some might not show as Active, but as soon as traffic is initiated they do become active…
But that is something different…

It does work when you disable a specific policy?

At this point I have one that works and is required. The others are future subnets that are presently not needed. So it works, but why does the fact of having just one more subnet break both? And yes, it is one peer. Although I may just fix it by fudging the subnet mask, like 192.168.0.0/16 or something like that.

I guess there might be a problem with the SAs…
What if you set /ip ipsec policy level to unique for each policy?

Looks like it works. I now have 2 set and all good.

Thanks!!!

An IKEv2 site-to-site config between Cisco and Mikrotik can be seen here:
https://administrator.pro/contentid/2145635754
As an example, find a complete Cisco IPsec IKEv1 config here:

service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone year
no service password-encryption
!
hostname cisco926
!
security authentication failure rate 3 log
enable algorithm-type scrypt secret <password>
!
aaa new-model
!
aaa authentication login default local
aaa authentication login clientauth local
aaa authentication login CONSOLE local
aaa authentication ppp L2TP_AUTH local
aaa authorization console
aaa authorization exec default local
aaa authorization exec CONSOLE local
aaa authorization network groupauth local
!
!
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.25.1 192.168.25.149
ip dhcp excluded-address 192.168.25.170 192.168.25.254
!
ip dhcp pool c926
 network 192.168.25.0 255.255.255.0
 default-router 192.168.25.1
 domain-name test.home.arpa
 dns-server 192.168.25.1
!
!
!
ip domain lookup source-interface GigabitEthernet 4
ip domain name test.home.arpa
ip name-server 9.9.9.9
login block-for 120 attempts 3 within 15
login delay 3
login quiet-mode access-class 23
login on-failure log
login on-success log
!
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
archive
 path flash:config
 maximum 3
!
username <user> privilege 15 algorithm-type scrypt secret <password>
username <noadminuser> privilege 3 algorithm-type scrypt secret <password>
!
username l2tp password 0 l2tp
!
lldp run
no cdp run
!
ip tcp path-mtu-discovery
!
!
class-map type inspect match-all ALLOW_IN
 match access-group name ALLOWv4
class-map type inspect match-any ROUTER
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all VPN
 match access-group name VPN_NET
class-map type inspect match-any LOCAL
 match protocol dns
 match protocol http
 match protocol https
 match protocol pop3s
 match protocol pop3
 match protocol imaps
 match protocol imap3
 match protocol imap
 match protocol smtp
 match protocol sip
 match protocol sip-tls
 match protocol rtsp
 match protocol ftp
 match protocol ftps
 match protocol ssh
 match protocol ntp
 match protocol tftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect InternetToLocal
 class type inspect VPN
  inspect
 class class-default
  drop
policy-map type inspect RouterToInternet
 description Traffic Router to Internet
 class type inspect ROUTER
  inspect
 class class-default
  drop
policy-map type inspect LocalToInternet
 description Traffic LAN to Internet
 class type inspect LOCAL
  inspect
 class type inspect VPN
  inspect
 class class-default
  drop
policy-map type inspect InternetToRouter
 description Permitted traffic Internet to router
 class type inspect ALLOW_IN
  pass
 class type inspect VPN
  inspect
 class class-default
  drop
!
zone security Internet
zone security Local
zone-pair security HomeToInternet source Local destination Internet
 service-policy type inspect LocalToInternet
zone-pair security InternetToRouter source Internet destination self
 service-policy type inspect InternetToRouter
zone-pair security InternetToLocal source Internet destination Local
 service-policy type inspect InternetToLocal
zone-pair security RouterToInternet source self destination Internet
 service-policy type inspect RouterToInternet
!
crypto keyring vpntest
  pre-shared-key address 10.99.1.99 key <password>
  pre-shared-key address 0.0.0.0 0.0.0.0 key <password>
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp policy 11
 encr aes 256
 authentication pre-share
 group 14
!
crypto isakmp policy 12
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 14
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp keepalive 10
crypto isakmp profile mikrotik
   description IPsec VPN Mikrotik
   keyring vpntest
   match identity address 10.99.1.99 255.255.255.255
crypto isakmp profile dynip
   description VPNs mit dyn. IP
   keyring vpntest
   match identity address 0.0.0.0
!
crypto ipsec transform-set testset256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set testset256-fritzbox esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set testset128 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set L2TP-1 esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP-2 esp-aes esp-sha-hmac
 mode transport
!
!
!
crypto dynamic-map dynmap 10
 description Tunnel dyn.IP FritzBox
 set transform-set testset256-fritzbox
 set pfs group2
 set isakmp-profile dynip
 match address FRITZ
crypto dynamic-map dynmap 12
 description Tunnel dyn.IP Mikrotik
 set transform-set testset256
 set pfs group14
 set isakmp-profile dynip
 match address MIKROTIK
crypto dynamic-map dynmap 14
 description Tunnel dyn.IP Strongswan
 set transform-set testset256
 set pfs group14
 set isakmp-profile dynip
 match address SWAN
crypto dynamic-map dynmap 16
 set nat demux
 set transform-set L2TP-1 L2TP-2
 set isakmp-profile dynip
!
!
crypto map vpntest 10 ipsec-isakmp
 description Tunnel Mikrotik
 set peer 10.99.1.99
 set transform-set testset256
 set pfs group14
 set isakmp-profile mikrotik
 match address MIKROTIK2
!
crypto map vpntest 20 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback1
 description Loopback L2TP Pool
 ip address 192.168.26.1 255.255.255.255
!
!
interface GigabitEthernet0
 description Local LAN
 no ip address
!
interface GigabitEthernet1
 description Local LAN
 no ip address
 shutdown
!
interface GigabitEthernet2
 no ip address
 shutdown
!
interface GigabitEthernet3
 no ip address
 shutdown
!
interface GigabitEthernet4
 description Internet Port
 ip address 10.1.1.22 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 zone-member security Internet
 crypto map vpntest
 no lldp transmit
!
interface Virtual-Template1
 description L2TP Dialin
 ip unnumbered Loopback1
 zone-member security Local
 peer default ip address pool l2tp-pool
 ppp authentication ms-chap-v2 L2TP_AUTH
!
interface Vlan1
 description Local LAN
 ip address 192.168.25.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security Local
!
ip local pool l2tp-pool 192.168.26.200 192.168.26.210
no ip http server
no ip http secure-server
ip http authentication local
!
!
ip tftp source-interface Vlan1
ip dns server
ip nat inside source route-map NONAT interface GigabitEthernet4 overload
ip route 0.0.0.0 0.0.0.0 10.1.1.254
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface Vlan1
ip ssh version 2
!
ip access-list extended ALLOWv4
 permit udp any any eq 1701
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
ip access-list extended FRITZ
 remark IPsec FritzBox
 permit ip 192.168.25.0 0.0.0.255 192.168.188.0 0.0.0.255
ip access-list extended MIKROTIK
 remark IPsec Mikrotik
 permit ip 192.168.25.0 0.0.0.255 192.168.88.0 0.0.0.255
ip access-list extended SWAN
 remark IPsec Strongswan
 permit ip 192.168.25.0 0.0.0.255 172.30.10.0 0.0.0.255
ip access-list extended MIKROTIK2
 remark IPsec Mikrotik S-2-S
 permit ip 192.168.25.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended NAT
 remark No NAT in Tunnel
 deny   ip 192.168.25.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.25.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.25.0 0.0.0.255 any
ip access-list extended VPN_NET
 remark ZBF pass VPN Tunnel
 permit ip 172.30.10.0 0.0.0.255 192.168.25.0 0.0.0.255
 permit ip 192.168.88.0 0.0.0.255 192.168.25.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.25.0 0.0.0.255
 permit ip 192.168.188.0 0.0.0.255 192.168.25.0 0.0.0.255
 permit ip 192.168.26.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address NAT
!
access-list 23 remark CLI Access ACL
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 172.16.0.0 0.15.255.255
!
privilege exec level 3 show startup-config
privilege exec level 3 show
!
banner exec #
You are connected to line $(line) at router $(hostname)
#
banner motd #
 ____                                       __       ___      ____    
/\  _`\    __                             /'_ `\   /'___`\   /'___\   
\ \ \/\_\ /\_\    ____    ___    ___     /\ \L\ \ /\_\ /\ \ /\ \__/   
 \ \ \/_/_\/\ \  /',__\  /'___\ / __`\   \ \___, \\/_/// /__\ \  _``\ 
  \ \ \L\ \\ \ \/\__, `\/\ \__//\ \L\ \   \/__,/\ \  // /_\ \\ \ \L\ \
   \ \____/ \ \_\/\____/\ \____\ \____/        \ \_\/\______/ \ \____/
    \/___/   \/_/\/___/  \/____/\/___/          \/_/\/_____/   \/___/ 

(WAN IP Address (Gigabit 4): 10.1.1.22 /24)
#
!
line con 0
 exec-timeout 30 0
 authorization exec CONSOLE
 login authentication CONSOLE
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 transport input telnet ssh
!
ntp source GigabitEthernet4
ntp server de.pool.ntp.org
!
end

The dynip profiles are profiles for external site-to-site VPNs using dynamic provider IP addresses (PPPoE), supporting different hardware such as German FritzBoxes as well as pfSense/OPNsense firewalls and Mikrotik. The second Mikrotik peer is a peer with fixed IP addresses.
The above config also provides L2TP VPN client dial-in for the built-in L2TP clients of Windows, Apple macOS, Apple iOS and Android, without the need to install additional third-party client software.

Great…
You can mark the post as solved…

What unique actually does is create a unique SA for each particular policy…
https://help.mikrotik.com/docs/display/ROS/IPsec
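The two things that bit the original poster in this thread (several policies to one peer left at the default level=require, and tunnel traffic that hits the masquerade rule before any srcnat accept rule) can both be checked statically from a RouterOS export. The script below is an added example, not code from the poster or from MikroTik: it parses the `/export` format (section headers, `add`/`set` commands, backslash continuation lines) and reports both conditions. The embedded export is a constructed sample that mirrors the thread's setup with a placeholder peer address 203.0.113.10 and the two remote subnets 192.168.1.0/24 and 192.168.2.0/24 the poster mentioned; the rule ordering logic assumes plain `accept` bypass rules rather than `ipsec-policy=out,ipsec` matchers.

```python
"""Static audit of a RouterOS 6 export for the two IPsec pitfalls in this thread:
several policies to one peer left at the default level=require, and a policy
destination that reaches the masquerade rule before any srcnat accept/bypass."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample export (not the poster's config): two policies to peer Lab
# without level=unique, and a NAT bypass for only the first remote subnet.
SAMPLE_EXPORT = """\
/ip ipsec peer
add address=203.0.113.10/32 exchange-mode=ike2 local-address=192.168.50.254 \\
    name=Lab
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.1.0/24 peer=Lab src-address=192.168.5.0/24 tunnel=yes
add dst-address=192.168.2.0/24 peer=Lab src-address=192.168.5.0/24 tunnel=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 \\
    src-address=192.168.5.0/24
add action=masquerade chain=srcnat
"""


def parse_export(text):
    """Return {section path: [entry dict, ...]} for every add/set command."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # RouterOS continuation line
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    sections, current = defaultdict(list), None
    for line in joined:
        if line.startswith("/"):         # section header such as "/ip ipsec policy"
            current = line
            continue
        tokens = shlex.split(line)
        cmd, rest = tokens[0], tokens[1:]
        if rest and rest[0] == "[":      # drop a "[ find ... ]" selector
            rest = rest[rest.index("]") + 1:]
        elif cmd == "set" and rest and "=" not in rest[0]:
            rest = rest[1:]              # drop a numeric item id
        entry = {"_cmd": cmd}
        for tok in rest:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def _net(value):
    """Parse an address/prefix; None for placeholders such as RemoteNet/24."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def _active_policies(sections):
    return [p for p in sections.get("/ip ipsec policy", [])
            if p["_cmd"] == "add" and p.get("disabled") != "yes"
            and p.get("template") != "yes"]


def check_policy_levels(sections):
    """Flag peers with several enabled policies not all set to level=unique."""
    by_peer = defaultdict(list)
    for pol in _active_policies(sections):
        by_peer[pol.get("peer", "?")].append(pol)
    return [f"peer {peer}: {len(pols)} policies without level=unique on each; "
            "the fix in this thread was level=unique per policy"
            for peer, pols in by_peer.items()
            if len(pols) > 1 and any(p.get("level", "require") != "unique" for p in pols)]


def check_nat_bypass(sections):
    """Flag tunnel destinations that a masquerade rule would rewrite first."""
    findings = []
    nat = [r for r in sections.get("/ip firewall nat", []) if r.get("chain") == "srcnat"]
    for pol in _active_policies(sections):
        dst = _net(pol.get("dst-address", ""))
        if dst is None:
            continue
        covered = False
        for rule in nat:                 # rules are evaluated top to bottom
            rule_dst = _net(rule["dst-address"]) if "dst-address" in rule else None
            if rule_dst is not None and not dst.subnet_of(rule_dst):
                continue                 # rule does not see this destination
            if rule.get("action") == "accept":
                covered = True
                break
            if rule.get("action") in ("masquerade", "src-nat"):
                break                    # source rewritten before policy match
        if not covered:
            findings.append(f"policy to {pol['dst-address']}: no srcnat accept "
                            "before masquerade, tunnel traffic would be NATed")
    return findings


def audit(text):
    sections = parse_export(text)
    return check_policy_levels(sections) + check_nat_bypass(sections)


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("WARN:", finding)
```

Run against the sample it reports two findings: the Lab peer with two policies still at level=require, and the 192.168.2.0/24 destination with no bypass before masquerade. Feeding it a real `/export` (after replacing any redacted placeholders such as RemoteNet with the actual prefix) gives the same two checks over the live config; policies whose destination cannot be parsed are skipped rather than guessed at.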