IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Hi,

I'm trying to set up a VPN tunnel between a Cisco 800 Series and Mikrotik 3.0rc10 following this Howto:
http://wiki.mikrotik.com/wiki/IPSec_VPN_with_Dynamic_Routing_/_Mikrotik_and_Cisco but they can't connect.
I log in to Winbox and try to ping the remote WAN IP address and I receive this error message: "timeout: ping reply not recieved after 1000mss"
I have checked all the configuration many times; it is the same as the tutorial.

Any help?

Thanks in advance.

Pablo

Can you post your configuration here, so I can give you some assistance?

Regards

Faton

Configuration of both routers

On Mikrotik

/interface ipip
add comment="" disabled=no local-address=10.118.1.2 mtu=1480 name="Tunel1" remote-address=10.118.1.1

/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=WAN max-mru=1480 max-mtu=1480 mrru=disabled name="pppoe-out1" password="xxxxx" profile=default service-name="xx" use-peer-dns=no user="xxxx"

/ip address
add address=10.118.1.2/29 broadcast=10.118.1.7 comment="" disabled=no interface=WAN network=10.118.1.0
add address=192.168.15.1/24 broadcast=192.168.15.255 comment="" disabled=no interface=LAN network=192.168.15.0
add address=10.135.1.2/30 broadcast=10.135.1.3 comment="" disabled=no interface=Tunel1 network=10.135.1.0


/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no redistribute-connected=no redistribute-ospf=no redistribute-static=no timeout-timer=3m update-timer=30s
/routing rip interface
add authentication=none authentication-key="" disabled=no in-prefix-list="" interface=Tunel1 key-chain="" out-prefix-list="" passive=no receive=v2 send=v2
/routing rip neighbor
add address=10.135.1.1 disabled=no
/routing rip network
add disabled=no network=192.168.15.0/24
add disabled=no network=10.135.1.0/30

/ip ipsec policy
add action=encrypt disabled=no dst-address=10.118.1.1/32:any ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=ipsec protocol=all sa-dst-address=10.118.1.1 sa-src-address=10.118.1.2 src-address=10.118.1.2/32:any tunnel=no
/ip ipsec peer
add address=10.118.1.1/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret="ipsec" send-initial-contact=yes

/ip ipsec proposal
add auth-algorithms=sha1 disabled=yes enc-algorithms=3des lifetime=30m name="default" pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name="ipsec" pfs-group=modp1024


On Cisco

interface Tunnel1
 description Tunel1
 ip address 10.135.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1480
 ip tcp adjust-mss 1400
 load-interval 30
 tunnel source 10.118.1.1
 tunnel destination 10.118.1.2
 tunnel mode ipip
 tunnel protection ipsec profile encrypt
 hold-queue 1024 in
 hold-queue 1024 out
!
interface FastEthernet4
 description $ES_WAN$$ETH-WAN$
 ip address 10.118.1.1 255.255.255.248
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.97.254.1 255.255.0.0
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
router rip
 version 2
 timers basic 30 60 90 90
 redistribute connected metric 1 route-map connected-to-rip
 redistribute static metric 5 route-map static-to-rip
 network 192.168.15.0
 distribute-list prefix LAN out
 no auto-summary
!
ip prefix-list LAN seq 10 permit 10.97.0.0/16
!
route-map connected-to-rip permit 10
 match interface FastEthernet4
!
route-map static-to-rip permit 10
 match ip address prefix-list LAN
!
crypto isakmp key ipsec address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association idle-time 600
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile encrypt
 set transform-set vpn
!
crypto map vpn 1 ipsec-isakmp
 description expo
 set peer 10.118.1.2
 set transform-set vpn
 set pfs group2
 match address mikrotik_peer
!
ip access-list extended mikrotik_peer
 permit ipinip host 10.118.1.1 host 10.118.1.2
!
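When two vendors' IPsec settings are compared by eye, a disagreement in ESP cipher, integrity hash, PFS group, SA mode (transport versus tunnel) or pre-shared key is easy to miss, and any one of them stops the tunnel from coming up. The script below is an added example, not code from the thread, the wiki howto, MikroTik or Cisco: it parses constructed, abridged copies of the two configs posted above and reports every disagreement between the active RouterOS policy/peer/proposal and a chosen Cisco stanza. All function and constant names are the example's own. The Cisco stanza is a parameter because the posted `interface Tunnel1` uses `tunnel protection ipsec profile encrypt`, while `set pfs group2` appears only in the crypto map; IOS does not require PFS unless `set pfs` is configured, so checking the profile reports that difference for the reader to verify, not as a diagnosis of the thread's problem.

```python
"""Cross-check IPsec phase-2 parameters in a MikroTik RouterOS export against a
Cisco IOS config so a cipher/hash/PFS/mode/PSK mismatch is caught before any
tunnel debugging starts. Added example; not from the thread or either vendor."""
import re
import shlex

# Constructed, abridged copies of the configs posted in the thread (not verbatim).
MIKROTIK_CFG = """\
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.118.1.1/32:any ipsec-protocols=esp level=require proposal=ipsec protocol=all sa-dst-address=10.118.1.1 sa-src-address=10.118.1.2 src-address=10.118.1.2/32:any tunnel=no
/ip ipsec peer
add address=10.118.1.1/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no enc-algorithm=3des exchange-mode=main hash-algorithm=md5 secret="ipsec"
/ip ipsec proposal
add auth-algorithms=sha1 disabled=yes enc-algorithms=3des lifetime=30m name="default" pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name="ipsec" pfs-group=modp1024
"""

CISCO_CFG = """\
crypto isakmp key ipsec address 0.0.0.0 0.0.0.0
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile encrypt
 set transform-set vpn
!
crypto map vpn 1 ipsec-isakmp
 set peer 10.118.1.2
 set transform-set vpn
 set pfs group2
"""

# Vendor vocabularies mapped onto one common spelling (hypothetical tables for this example).
CISCO_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes-128", "esp-null": "null"}
CISCO_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}
CISCO_PFS = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}


def parse_mikrotik(text):
    """Return {section: [entry, ...]} with each 'add'/'set' line as a key=value dict."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            entry = {}
            for tok in shlex.split(line.split(" ", 1)[1]):  # shlex drops the quotes
                key, _, val = tok.partition("=")
                entry[key] = val
            sections[current].append(entry)
    return sections


def parse_cisco(text):
    """Collect transform-sets (with their mode), the 'set ...' lines of every crypto
    map / ipsec profile stanza keyed by name, and the ISAKMP pre-shared key."""
    cfg = {"transform_sets": {}, "stanzas": {}, "isakmp_key": None}
    block = None  # (kind, name) of the stanza whose sub-commands follow
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            # IOS applies tunnel mode unless a 'mode transport' sub-command follows
            cfg["transform_sets"][m[1]] = {"transforms": m[2].split(), "mode": "tunnel"}
            block = ("ts", m[1])
        elif m := re.match(r"crypto (?:map (\S+) \d+ ipsec-isakmp|ipsec profile (\S+))", line):
            name = m[1] or m[2]
            cfg["stanzas"][name] = {}
            block = ("stanza", name)
        elif m := re.match(r"crypto isakmp key (\S+) address", line):
            cfg["isakmp_key"] = m[1]
            block = None
        elif not line or line.startswith(("crypto ", "interface ", "!")):
            block = None  # any other top-level line ends the current stanza
        elif block and block[0] == "ts" and line.startswith("mode "):
            cfg["transform_sets"][block[1]]["mode"] = line.split()[1]
        elif block and block[0] == "stanza" and line.startswith("set "):
            _, key, *vals = line.split()
            cfg["stanzas"][block[1]][key] = " ".join(vals)
    return cfg


def compare(mt_text, cisco_text, stanza):
    """Return mismatch descriptions between the active MikroTik policy/peer/proposal
    and the named Cisco crypto map or ipsec profile. An empty list means they agree."""
    mt, cs = parse_mikrotik(mt_text), parse_cisco(cisco_text)
    active = lambda sec: next(e for e in mt[sec] if e.get("disabled") != "yes")
    policy, peer = active("/ip ipsec policy"), active("/ip ipsec peer")
    proposal = next(p for p in mt["/ip ipsec proposal"]
                    if p["name"] == policy.get("proposal", "default"))
    st = cs["stanzas"][stanza]
    ts = cs["transform_sets"][st["transform-set"]]
    c_enc = next((CISCO_ENC[t] for t in ts["transforms"] if t in CISCO_ENC), None)
    c_auth = next((CISCO_AUTH[t] for t in ts["transforms"] if t in CISCO_AUTH), None)
    c_pfs = CISCO_PFS.get(st.get("pfs"), "none")  # IOS: no 'set pfs' => PFS not required
    mt_mode = "transport" if policy.get("tunnel") == "no" else "tunnel"

    checks = [
        ("ESP encryption", proposal["enc-algorithms"], c_enc),
        ("ESP integrity", proposal["auth-algorithms"], c_auth),
        ("PFS group", proposal.get("pfs-group", "none"), c_pfs),
        ("SA mode", mt_mode, ts["mode"]),
        ("pre-shared key", peer["secret"], cs["isakmp_key"]),
    ]
    problems = [f"{what}: MikroTik={a} Cisco={b}" for what, a, b in checks if a != b]
    if proposal.get("disabled") == "yes":
        problems.append(f"MikroTik proposal '{proposal['name']}' is disabled")
    if "peer" in st and st["peer"] != policy.get("sa-src-address"):
        problems.append(f"Cisco peer {st['peer']} is not the MikroTik sa-src-address")
    return problems


if __name__ == "__main__":
    for name in ("vpn", "encrypt"):
        print(name, compare(MIKROTIK_CFG, CISCO_CFG, name) or "phase-2 parameters agree")
```

Run against the constructed copies, the `vpn` crypto map agrees with the MikroTik side on every parameter, while the `encrypt` profile is reported as having no PFS group where the MikroTik proposal has `pfs-group=modp1024`. Replacing the two string constants with real `/export` and `show running-config` output is enough to reuse the check on another pair of routers.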

Sorry double post.

For the time being I do not see any problem with your configuration. But can you debug this connection a bit and see if you are authenticating?

Regards.

Faton

You mean ipsec authentication, right?

Yes, I meant for IPSec.

Regards

Both keys are the same, I don't know what's wrong.


Regards,
Pablo

Just try without encryption to reach a side-to-side connection; I have a dozen connections in this setup and have no problem. One thing to stress here: do not copy-paste the configuration, but write it all by hand; I had an issue with a Cisco 831 when configuring it by copy-paste.

Regards


Faton

Just check the latest update of the wiki regarding this issue, and there you will find the solution.

Regards.

Faton