MikroTik <-> Cisco ASA IPSEC

Howdy!

I purchased a MikroTik firewall to hopefully start replacing the ASA 5505s that we have been using. I got the IPSEC VPN up between the two firewalls. I can ping everything in both directions. The issue is that nothing else besides ICMP works: SMB, HTTP, or HTTPS. I’ve got roughly 8 IPSEC VPNs working on the ASA, so I’m fairly sure my config for this one is good also (Well, it works for ASAs, lol). I added the NAT exempt rule on the MikroTik, but do I need to add any access rules? Seems like something simple I’m missing. I am using this at my house and had it with NAT-T, but even tried it with a direct internet connection and still nothing. Sorry for no config, I’ll get that ASAP, but I’m just hoping for the DUH moment.

Either you configured the IPsec policy to encrypt only ICMP, or you are dropping everything except ICMP in the firewall.

Hi MrZ. Sorry for the late reply; it’s been hectic. I’ve double checked, triple checked, and just not seeing the issue. :-/

These are my firewall rules (192.168.168.0/24 is the remote site, rule labeled 1):

This is my policy:

I appreciate any suggestions. :confused:

  1. You need to accept UDP 500/4500 and AH/ESP protocols in input chain.

  2. You should accept in forward chain traffic in both directions. Currently you allow only incoming traffic and those accept rules must be before default fasttrack rule.

  3. You need to bypass NAT for traffic that should be encrypted.
    http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#NAT_Bypass
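As an added example (not from any post in this thread), here is a RouterOS rule set that implements the three points above in the order they must appear. Assumed values: local LAN 192.168.1.0/24, remote LAN 192.168.168.0/24, remote peer public IP 203.0.113.10, WAN interface ether1.

```routeros
# Added example, not from the thread. Addresses, peer IP and interface are assumed.
/ip firewall filter
# 1. Input chain: accept IKE (UDP 500), NAT-T (UDP 4500) and the ESP/AH protocols,
#    restricted to the known peer so the router is not open to arbitrary IKE probes.
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=203.0.113.10 comment="IPsec IKE/NAT-T from peer"
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.10 comment="IPsec ESP from peer"
add chain=input action=accept protocol=ipsec-ah src-address=203.0.113.10 comment="IPsec AH from peer"
# 2. Forward chain: accept BOTH directions, and keep these rules ABOVE the default
#    fasttrack rule, otherwise fasttracked connections skip the IPsec policy and only
#    the first packets of a flow (e.g. ICMP echo) get encrypted.
add chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.168.0/24 comment="LAN -> remote site"
add chain=forward action=accept src-address=192.168.168.0/24 dst-address=192.168.1.0/24 comment="remote site -> LAN"
add chain=forward action=fasttrack-connection connection-state=established,related comment="default fasttrack (must be below the IPsec accepts)"
add chain=forward action=accept connection-state=established,related
/ip firewall nat
# 3. NAT bypass must come BEFORE masquerade, or the source address is rewritten and
#    the packet no longer matches the IPsec policy selector.
add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.168.0/24 comment="NAT bypass for IPsec"
add chain=srcnat action=masquerade out-interface=ether1
```

In an existing configuration use `/ip firewall filter move` and `/ip firewall nat move` to put the accept rules above fasttrack and masquerade; `/ip firewall filter print stats` shows whether the IPsec accepts are actually counting packets.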

I’m experiencing the same problem after replacing a Cisco 1720 with a CCR1009.
Running an IPSEC aes-128 tunnel, I’m able to ping hosts in both directions, but I’m not able to pass other traffic. To me, it looks like a TCP MSS issue and I have tried to change that using mangle to 1350 and 1300 but without success.
I’m not sure about the mangle rule… perhaps it should be done in another way?

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
add enc-algorithms=aes-128-cbc name=PM

/ip firewall filter
# filter rules without an explicit action default to accept
add chain=input comment=aaa protocol=ipsec-esp
add chain=input comment=aaa protocol=udp src-port=500
add chain=input comment=aaa protocol=ipsec-ah
# was chain=ipsec (not a built-in chain); NAT-T must be accepted in the input chain
add chain=input comment=aaa protocol=udp src-port=4500

/ip firewall mangle
# both MSS clamp rules are disabled=yes, so they are not in effect as exported
add action=change-mss chain=forward disabled=yes dst-address=10.11.1.0/24 new-mss=1300 protocol=tcp src-address=10.0.3.0/24 tcp-flags=syn
add action=change-mss chain=forward disabled=yes dst-address=10.0.3.0/24 new-mss=1300 protocol=tcp src-address=10.11.1.0/24 tcp-flags=syn tcp-mss=!0-1300
/ip firewall nat
# NAT bypass (default action accept); must be ordered before any masquerade rule
add chain=srcnat comment="Do not NAT traffic for VRS" dst-address=10.11.1.0/24 src-address=10.0.3.0/24

/ip ipsec peer
add address=0.0.0.0/0 dpd-interval=disable-dpd enc-algorithm=aes-128 generate-policy=port-strict lifetime=2h local-address=0.0.0.0 nat-traversal=no secret=blazkapetraspela
/ip route

Any help or pointing in the right direction will be much appreciated.

You are the man MrZ! It was option #2. I guess I never allowed traffic to go out. I appreciate the help!

What about NAT bypass? Did that solution work?

NAT Bypass is required. I already had that in there.