Migrating Cisco config to MikroTik, Problems with ipsec and switch virtual interface (SVI)

Hi,

I am new to the field and new with MikroTik.

I have a configuration from a Cisco router which I have to migrate to a MikroTik router.
As part of the migration there are also some changes to the IPsec tunnel security settings.

Old Cisco configuration:
crypto isakmp policy 9
encr aes 256
hash sha512
authentication pre-share
group 16
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 14
!
crypto isakmp policy 50
encr 3des
hash md5
authentication pre-share
crypto isakmp key address 10.0.0.56
crypto isakmp invalid-spi-recovery
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha512-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description tunnel to other server
set peer 10.0.0.56
set transform-set AES-SHA
match address 100
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 192.168.55.156 255.255.255.0
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description subnet test.server
ip address 172.16.75.1 255.255.255.0
no ip redirects
ip tcp adjust-mss 1452
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.55.10
ip route 172.16.75.0 255.255.192.0 172.16.75.10
!

New MikroTik configuration:
model = RB750Gr3
/interface bridge
add name=bridge1
/interface vlan
add interface=bridge1 name=SVI-vlan vlan-id=1
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] add-default-route=no ip-type=ipv4 use-network-apn=no use-peer-dns=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=test_group
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=ecp384,ecp521 enc-algorithm=aes-256 hash-algorithm=sha512 lifetime=8h name=ipsec_test prf-algorithm=sha512
/ip ipsec peer
add address=10.0.0.56/32 comment="ipsec_tunnel" exchange-mode=ike2 name=ipsec_other_server profile=ipsec_test
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=1h name=IKEv2-proposal pfs-group=ecp521
/ip smb users
set [ find default=yes ] disabled=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/snmp community
set [ find default=yes ] encryption-protocol=AES name=mikrotik_snmp
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether5 vlan-ids=1
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=required
/interface list member
add interface=ether4 list=LAN
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.55.156/24 interface=ether4 network=192.168.55.0
add address=172.16.75.1/24 interface=interface=SVI-vlan network=172.16.75.0
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input port=500,4500 protocol=udp
add action=accept chain=forward connection-state=established,related dst-address=172.16.30.0/24 src-address=172.16.75.0/24
add action=accept chain=input protocol=ipsec-esp
/ip firewall nat
add action=accept chain=srcnat dst-address=172.16.30.0/24 src-address=172.16.75.0/24
/ip ipsec identity
add peer=ipsec_other_server policy-template-group=test_group
/ip ipsec policy
add dst-address=172.16.30.0/24 peer=ipsec_other_server proposal=IKEv2-proposal src-address=172.16.75.0/24 tunnel=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.55.10 routing-table=main
add disabled=no distance=1 dst-address=172.16.75.0/18 gateway=172.16.75.10 routing-table=main scope=30 target-scope=10
/ip service
set www disabled=yes
/ipv6 nd
set [ find default=yes ] advertise-mac-address=no disabled=yes
/routing bfd configuration
add disabled=yes interfaces=all min-rx=200ms min-tx=200ms multiplier=5

To test my new MikroTik configuration I used three MikroTik routers (one for each IPsec tunnel endpoint and one between them). The IPsec tunnel forms and is stable, but I have issues with the communication through the tunnel. I have a client on each side of the tunnel, but I cannot reach anything.
Nothing has worked so far. Could someone give me a hint or some advice on how I can implement this?

Thanks!

It seems that you've configured an IKEv1 tunnel between the routers, which means that the policy group doesn't need to be set and should be removed from the identity settings. Also, the ether4 address seems to be misconfigured, so could you create a simple network diagram to explain what roles each port has and what the role of the VLAN is?


@TheCat12 has already identified two issues: the address misconfiguration and that policy-template-group=test_group should be removed from the identity object when using static policies.

The forward chain rules only match connection-state=established,related, so the first packet from the remote side will likely be dropped. You probably need plain accept rules for both directions between the subnets, and the same applies to NAT, since the srcnat exemption only covers one direction.

There also seems to be a syntax error on the VLAN address line: interface=interface=SVI-vlan looks like a doubled keyword, which would explain the address misconfiguration TheCat12 mentioned.

The route for 172.16.75.0/18 via a gateway also looks suspicious, since you already have that subnet directly connected as a /24. It is safe to remove unless there's a specific reason for it.

When you are ready to test again, run /ip ipsec policy print and check whether the packet counters are moving, to quickly confirm whether traffic is actually passing through the tunnel.

I didn't even see that :smiley:
The address misconfiguration I suspected was that an address was put on a physical interface that is a member of a VLAN-aware bridge: a recipe for chaos. That's why I asked for a network diagram, to see its purpose.

Do you really want tagged VLAN 1? That's likely to cause problems, especially if you don't understand how MikroTik works.

If you just want untagged traffic, then just use the bridge1 interface instead of SVI-vlan.

But there are many misconfigurations:

/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether4,ether5 vlan-ids=1
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=required
/interface list member
add interface=ether4 list=LAN
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.55.156/24 interface=ether4 network=192.168.55.0
add address=172.16.75.1/24 interface=interface=SVI-vlan network=172.16.75.0

The bridge contains ports 4 and 5; you shouldn't be assigning an IP address to ether4.

What is the purpose of adding ether4 and ether5 to the LAN list? You should have bridge1 and SVI-vlan there (if you really want tagged VLAN 1, which I don't really think you do want).

If you want the switch in the RB750Gr3 to be VLAN-aware, you need to turn on vlan-filtering on the bridge.

How did you arrive at the config you have? It seems you haven't actually tried it on the RB750Gr3, or it would have rejected the syntax errors.
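Pulling the points from the two replies above together, this is what the bridge, address, route, IPsec and firewall sections could look like once the fixes are applied. It is an added example, not the original poster's export and not one of the replies. It assumes the roles the thread has not yet confirmed: ether1 is the uplink carrying 192.168.55.156/24 (ether1 is already in the WAN list), bridge1 is a plain untagged LAN with ether4 and ether5 as bridge ports (so no VLAN 1 tagging and no vlan-filtering), and the pre-shared key lives in the identity object with a placeholder value, since the real secret is not on the page. The peer 10.0.0.56, the local subnet 172.16.75.0/24 and the remote subnet 172.16.30.0/24 are taken from the post.

```routeros
# Added example: corrected fragments for the RB750Gr3 applying the advice above.
# Assumptions: ether1 = uplink (192.168.55.156/24), bridge1 = untagged LAN
# (ether4, ether5), no VLAN 1 tagging. Paste section by section; not a full export.

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
# No /interface bridge vlan entry and no vlan-filtering: untagged traffic only,
# so the SVI-vlan interface is not needed.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
# The bridge, not its member ports, belongs in the LAN list.
add interface=bridge1 list=LAN

/ip address
# WAN address moves off ether4 (a bridge port) onto the uplink.
add address=192.168.55.156/24 interface=ether1
# LAN address sits on the bridge itself, taking over the role of Cisco's Vlan1.
add address=172.16.75.1/24 interface=bridge1

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.55.10
# No /18 route: 172.16.75.0/24 is directly connected on bridge1.

/ip ipsec profile
add name=ipsec_test enc-algorithm=aes-256 hash-algorithm=sha512 \
    prf-algorithm=sha512 dh-group=ecp384,ecp521 lifetime=8h
/ip ipsec proposal
add name=IKEv2-proposal enc-algorithms=aes-256-gcm auth-algorithms="" \
    pfs-group=ecp521 lifetime=1h
/ip ipsec peer
add name=ipsec_other_server address=10.0.0.56/32 exchange-mode=ike2 \
    profile=ipsec_test comment="ipsec_tunnel"
/ip ipsec identity
# Static policy below, so no policy-template-group here.
# "CHANGE-ME" is a placeholder; the real PSK was not part of the post.
add peer=ipsec_other_server auth-method=pre-shared-key secret="CHANGE-ME"
/ip ipsec policy
add peer=ipsec_other_server tunnel=yes src-address=172.16.75.0/24 \
    dst-address=172.16.30.0/24 proposal=IKEv2-proposal

/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 comment="IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp comment="ESP"
# Plain accepts in both directions, so the first packet of a new flow
# from either side is not dropped by a later drop rule.
add chain=forward action=accept src-address=172.16.75.0/24 dst-address=172.16.30.0/24
add chain=forward action=accept src-address=172.16.30.0/24 dst-address=172.16.75.0/24

/ip firewall nat
# Keep tunnel traffic out of masquerade. This rule must sit above any
# masquerade rule; the mirror image of it belongs on the remote router.
add chain=srcnat action=accept src-address=172.16.75.0/24 dst-address=172.16.30.0/24

/ip firewall mangle
# Counterpart of the Cisco "ip tcp adjust-mss 1452" on interface Vlan1.
add chain=forward action=change-mss new-mss=1452 passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=1453-65535
```

After applying it, /ip ipsec active-peers print should show the peer established and /ip ipsec policy print should show the policy with a PH2 state of established and rising packet counters while a client on one side pings the other; if the counters stay at zero the traffic is not reaching the policy, which points at routing or the forward chain rather than at IKE. Once the OP confirms which port is really the uplink, only the two /ip address lines and the WAN list member need to change.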

Thank you for your help!

This is the simple diagram you asked for.
As seen in the Cisco configuration, the IP of the peer and the interface Vlan1 are located on the interface FastEthernet4.
For that reason I did the same on the MikroTik router...

Thank you for your help! I will look into it

Sorry about that it is just a copy-paste mistake in my post.

You are right, the route for 172.16.75.0/18 has to be a /24. Originally it was a /18 subnet, but it will now be changed to a /24 subnet.

Thank you for your help I will take a look at the points.

Something fishy is going on here. An Ethernet port cannot act as a WAN and a LAN port simultaneously, so either a) ether4 is purely a WAN port and, say, ether5 is the VLAN-aware port; or b) you've left a device out of the diagram that separates WAN and LAN (VLAN) traffic. Would you please elaborate on this discrepancy, @bacofisi01?