IPSec tunnel within a Mikrotik behind a Firewall and a Cisco ASA 5510
NETWORK MAP

MIKROTIK CONFIG
Note: Pay attention to the encryption algorithms, lifetimes and the other parameters, because this config must match exactly on the Cisco side.
IP / IPSec / Peer (aka IPSec Phase 1)

address=80.0.0.1/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="IPSEC_password"
generate-policy=no exchange-mode=main send-initial-contact=yes
nat-traversal=yes my-id-user-fqdn="70.0.0.1" proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=4608000 dpd-interval=disable-dpd dpd-maximum-failures=5

IP / IPSec / Policy (aka IPSec Phase 2)

src-address=172.16.0.1/32 src-port=any dst-address=10.0.0.0/24
dst-port=any protocol=all action=encrypt level=unique
ipsec-protocols=esp tunnel=yes sa-src-address=172.16.0.1
sa-dst-address=80.0.0.1 proposal=Phase2 priority=0

IP / IPSec / Proposal (part of Phase 2)

name="Phase2" auth-algorithms=md5 enc-algorithms=3des lifetime=1h
pfs-group=modp1024

IP / Firewall / NAT

This rule is needed because more than one subnet on the MikroTik side will reach the other end of the tunnel. If the MikroTik had only one inside network, change the NAT action to accept and set the Policy src-address to that single inside network.

chain=srcnat action=src-nat to-addresses=172.16.0.1
dst-address=10.0.0.0/24
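The note at the top says the Phase 1 and Phase 2 parameters must be identical on both ends. As an added example that is not part of the original post, this Python script parses the RouterOS Peer and Proposal lines above, translates them into the values a Cisco ASA IKEv1 policy and transform set would have to show, and reports any mismatch together with the legacy algorithms (3DES, MD5, DH group 2) these settings rely on. The ASA lines and the `ESP-3DES-MD5` / `outside_map` names are constructed samples, not taken from the post.

```python
# Added example (not from the original post): check that the MikroTik Phase 1 (Peer) and
# Phase 2 (Proposal) values above match a Cisco ASA IKEv1 policy/transform set. ASA lines are constructed.
import re
DH = {"modp1024": "2", "modp1536": "5", "modp2048": "14"}  # RouterOS DH name -> ASA group number
UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}             # RouterOS lifetime suffixes
LEGACY = {"des", "3des", "md5", "modp768", "modp1024"}      # no longer recommended for IKE/IPsec
MIKROTIK_PEER = "hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d"
MIKROTIK_PROPOSAL = 'name="Phase2" auth-algorithms=md5 enc-algorithms=3des lifetime=1h pfs-group=modp1024'
ASA_CONFIG = """\
crypto ikev1 policy 10
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 set pfs group2
crypto map outside_map 10 set security-association lifetime seconds 3600
"""

def kv(line):  # RouterOS 'key=value key=value' -> dict, quotes stripped
    return {k: v.strip('"') for k, _, v in (t.partition("=") for t in line.split())}

def seconds(lifetime):  # RouterOS '1d' / '1h' -> seconds, the unit the ASA uses
    m = re.fullmatch(r"(\d+)([dhms])", lifetime)
    return int(m.group(1)) * UNIT[m.group(2)]

def expected_on_asa(peer, proposal):  # what the ASA must show to match the MikroTik side
    p, q = kv(peer), kv(proposal)
    return {"ike.encryption": p["enc-algorithm"], "ike.hash": p["hash-algorithm"],
            "ike.group": DH[p["dh-group"]], "ike.lifetime": str(seconds(p["lifetime"])),
            "ipsec.transform": f"esp-{q['enc-algorithms']} esp-{q['auth-algorithms']}-hmac",
            "ipsec.pfs": "group" + DH[q["pfs-group"]], "ipsec.lifetime": str(seconds(q["lifetime"]))}

def asa_settings(text):  # pull the comparable values out of ASA config lines
    found = {}
    for w in (line.split() for line in text.splitlines()):
        if len(w) == 2 and w[0] in ("encryption", "hash", "group", "lifetime"):
            found["ike." + w[0]] = w[1]  # lines under 'crypto ikev1 policy'
        elif "transform-set" in w:  # '... transform-set NAME esp-<enc> esp-<auth>-hmac'
            found["ipsec.transform"] = " ".join(w[w.index("transform-set") + 2:])
        elif "pfs" in w or "seconds" in w:  # 'set pfs groupN' / 'lifetime seconds N'
            found["ipsec.pfs" if "pfs" in w else "ipsec.lifetime"] = w[-1]
    return found

def compare(peer, proposal, asa_text):  # -> ({setting: (mikrotik, asa)}, [legacy algorithms])
    want, have = expected_on_asa(peer, proposal), asa_settings(asa_text)
    mismatches = {k: (v, have.get(k)) for k, v in want.items() if have.get(k) != v}
    legacy = sorted(LEGACY & (set(kv(peer).values()) | set(kv(proposal).values())))
    return mismatches, legacy
```

An empty mismatch dict means the two sides will agree on every negotiated parameter; the legacy list is a reminder to move both ends to AES and SHA-2 with a stronger DH group once the tunnel is up.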
NOTES
If the MikroTik has many IP addresses, it will present to the Cisco the IP it uses to go out to the Internet, which is the address on the same LAN as the Internet gateway. Do the SNAT with that IP address.
Remember to set the Identity to Address in the IKE parameters on the Cisco side to avoid connection problems.