Mikrotik IPSec to Cisco PIX firewall

Hello!

I am trying to create IPSec tunnel to Cisco PIX firewall, but it fails at ISAKMP phase 1. Mikrotik router is aa.aaa.aaa.aaa. Cisco PIX is bbb.bb.bb.bbb. Destination address, which is being connected to via IPSec tunnel is ccc.cc.cc.ccc. RouterOS version is 2.9.39. Everything from local network is NATed to bbb.bb.bb.bbb.

17:28:13 ipsec,ike,info queuing SA request, phase 1 with peer bbb.bb.bb.bbb will be established first
17:28:13 ipsec,ike,info initiating phase 1, starting mode Identity Protection (local aa.aaa.aaa.aaa:500) (remote unknown)
17:28:13 ipsec,info ipsec packet discarded: src=aa.aaa.aaa.aaa dst=ccc.cc.cc.ccc
17:28:13 ipsec,ike,info received ISAKMP packet from bbb.bb.bb.bbb:500, phase 1, Identity Protection
17:28:14 ipsec,ike,info received ISAKMP packet from bbb.bb.bb.bbb:500, phase 1, Identity Protection
17:28:14 ipsec,ike,info received ISAKMP packet from bbb.bb.bb.bbb:500, phase 1, Identity Protection
17:28:14 ipsec,ike,info packet has invalid ID payload (remote unknown)

This one is interesting. It is not quite clear what it wants to tell me with that.

17:28:16 ipsec,info ipsec packet discarded: src=aa.aaa.aaa.aaa dst=ccc.cc.cc.ccc
17:28:22 ipsec,info ipsec packet discarded: src=aa.aaa.aaa.aaa dst=ccc.cc.cc.ccc
17:28:24 ipsec,ike,info received ISAKMP packet from bbb.bb.bb.bbb:500, phase 1, Identity Protection
17:28:34 ipsec,ike,info received ISAKMP packet from bbb.bb.bb.bbb:500, phase 1, Identity Protection
17:28:44 ipsec,ike,info received ISAKMP packet from bbb.bb.bb.bbb:500, phase 1, Identity Protection
17:28:45 ipsec,ike,info dequeuing SA request to bbb.bb.bb.bbb, phase 1 wait timed out
17:28:54 ipsec,ike,info received ISAKMP packet from bbb.bb.bb.bbb:500, phase 2, Informational
17:28:55 ipsec,ike,info phase 1 deleted (local aa.aaa.aaa.aaa:500) (remote bbb.bb.bb.bbb:500)

IPSec configuration:

[code]
/ip ipsec proposal
add name="my-proposal" auth-algorithms=md5,sha1 enc-algorithms=3des,aes-256 lifetime=1h lifebytes=0 pfs-group=modp1024 disabled=no

/ip ipsec peer
add address=bbb.bb.bb.bbb/32:500 secret="xxxx" generate-policy=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no

/ip ipsec policy
add src-address=ccc.cc.cc.ccc/32:any dst-address=aa.aaa.aaa.aaa/32:3389 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=aa.aaa.aaa.aaa sa-dst-address=bbb.bb.bb.bbb proposal=my-proposal manual-sa=none dont-fragment=clear disabled=yes
[/code]

laacz,
Did you ever figure this out?
I am getting the same error between MikroTik and a CISCO ASA.

Hello MT Community,

I ran into the same problem with a Cisco ASA.
We double- and triple-checked our settings on both sides, also with 2 or more pairs of eyes :slight_smile:.

Also we tried several combinations of settings in the ASA and in MT.
No luck :frowning:

Phase 1 does not complete, I get the same error messages as the thread starter.
The pre-shared key is definitely not different (currently it's "123", so no spelling mistake is possible).

/ ip ipsec policy
     src-address=xx.xx.xx.xx/xx:any dst-address=yy.yy.yy.yy/yy:any protocol=all action=encrypt
     level=require ipsec-protocols=esp tunnel=yes sa-src-address=aa.aa.aa.aa
     sa-dst-address=bb.bb.bb.bb proposal=cc manual-sa=none dont-fragment=clear

/ ip ipsec proposal
     name="cc" auth-algorithms=sha1 enc-algorithms=3des lifetime=1h lifebytes=0 pfs-group=modp1024

/ ip ipsec peer
     address=bb.bb.bb.bb/32:500 secret="123" generate-policy=no exchange-mode=main
     send-initial-contact=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
     dh-group=modp1024 lifetime=1h lifebytes=100000

MT is a 2.9.50,
ASA is a Cisco ASA 5500.

My log goes like this (I try to ping from this side):

16:15:13 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:14 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:16 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:17 ipsec,ike,info dequeuing SA request to bb.bb.bb.bb, phase 1 wait timed out
16:15:17 ipsec,ike,info queuing SA request, phase 1 with peer bb.bb.bb.bb will be established first
16:15:17 ipsec,ike,info initiating phase 1, starting mode Identity Protection (local aa.aa.aa.aa:500) (remote unknown)
16:15:17 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:17 ipsec,ike,info received ISAKMP packet from bb.bb.bb.bb:500, phase 1, Identity Protection
16:15:17 ipsec,ike,info received ISAKMP packet from bb.bb.bb.bb:500, phase 1, Identity Protection
16:15:17 ipsec,ike,info received ISAKMP packet from bb.bb.bb.bb:500, phase 1, Identity Protection
16:15:17 ipsec,ike,info packet has invalid ID payload (remote unknown)
16:15:17 ipsec,ike,info received ISAKMP packet from bb.bb.bb.bb:500, phase 2, Informational
16:15:18 ipsec,ike,info phase 1 deleted (local aa.aa.aa.aa:500) (remote bb.bb.bb.bb:500)
16:15:19 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:20 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:22 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:23 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:25 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:26 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:28 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:29 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:31 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:32 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:34 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:35 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:37 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:38 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:40 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:41 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:43 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:44 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:46 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:47 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:49 ipsec,ike,info dequeuing SA request to bb.bb.bb.bb, phase 1 wait timed out
16:15:49 ipsec,ike,info queuing SA request, phase 1 with peer bb.bb.bb.bb will be established first
16:15:49 ipsec,ike,info initiating phase 1, starting mode Identity Protection (local aa.aa.aa.aa:500) (remote unknown)
16:15:49 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:49 ipsec,ike,info received ISAKMP packet from bb.bb.bb.bb:500, phase 1, Identity Protection
16:15:49 ipsec,ike,info received ISAKMP packet from bb.bb.bb.bb:500, phase 1, Identity Protection
16:15:49 ipsec,ike,info received ISAKMP packet from bb.bb.bb.bb:500, phase 1, Identity Protection
16:15:49 ipsec,ike,info packet has invalid ID payload (remote unknown)
16:15:49 ipsec,ike,info received ISAKMP packet from bb.bb.bb.bb:500, phase 2, Informational
16:15:50 ipsec,ike,info phase 1 deleted (local aa.aa.aa.aa:500) (remote bb.bb.bb.bb:500)
16:15:50 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy
16:15:52 ipsec,info ipsec packet discarded: src=xx.xx.xx.xx dst=yy.yy.yy.yy

A debug crypto isakmp & debug crypto ipsec do not reveal any useful information or obvious errors.
Any other VPNs with IPSec, to Cisco PIX or other MTs, do just fine.

Any comments would be appreciated :slight_smile:

Greetings glocke

I too am having this issue between an RB (tried RB150 and 192), both running RouterOS 3.7, connecting to a Cisco ASA5510. The Cisco is NOTORIOUS for not playing well with others (WatchGuard for one).

Anyway, I happen to have SmartNet on the Cisco and I am currently working with Cisco TAC. Once we get this running, I will share my knowledge. For I understand how frustrating this can be!

Delmar

Hi again,

at least we solved the problem, it helped to issue the command

isakmp identity address

on the ASA (as I was told, without any parameters).
Since I'm no Cisco guy, I don't understand what this command does, but it helped.
Another issue was that "lifebytes" for the proposal and phase 1 are in reality kilobytes (I checked with a tcpdump; maybe it is stated somewhere in the documentation). After that, the phase 1 still did not get established, but with the Cisco setting, it now works like a charm (finally).

Hope this helps someone.

greetings

Okay,
back to start :frowning:

All other VPNs did not work anymore on remote side with the above setting.
Be warned.
So we switched it back.

Now it's time for hardware; software did not solve this.

I had the same problem when connecting Mikrotik 2.9.50 to PIX.

Solution, as strange as it is, is to add a new peer with the IP of the MikroTik router itself without any secret.

Glocke, as per your conf, just add a new peer with the IP of aa.aa.aa.aa without any secret and everything should work.

At least this helped me and I have tried all kinds of things and got same debug as you did, then at the end I added this and it just started working :slight_smile:

Sounds crazy man, but I will give it a try :smiley:

[edit]
OK, does not work for me, I'm afraid :frowning:
I added "myself" as a peer, one time with standard settings (just entered the IP and clicked OK) and also with the exact same settings as the real peer, but with "my" IP and no secret; no luck.

Thanks for your help ddelic, I appreciate it.
Hopefully this helps someone else with a PIX; maybe it does not work with an ASA? (Said before, me no Cisco guy.)
But additional hardware is already ordered :slight_smile:


greetings glocke

:frowning:

Can you post the part of the PIX code regarding this IPsec connection? Also, do you have SRC-NAT on the xx.xx.xx.xx address or any kind of NAT on this device?
Also, are you sure you are not blocking UDP port 500 packets in the inside chain?

I'm afraid I can't, I have no access and besides, it still would be confidential ($customer's policy).

Definitely, as you can see in the logs from the original poster, there are ISAKMP packets received from the peer, but they have an "invalid ID payload".
When I list the remote peers on the MT, I can see my remote peer with a status of "message 3 sent" for a short period, then a timeout happens:
"dequeuing SA request to bb.bb.bb.bb, phase 1 wait timed out"
I also receive phase 2 packets from the peer, but MT is still in phase 1 and (I assume) discards them.
There is no NAT on xx.xx.xx.xx or on the remote peer side (I was told; I asked explicitly about that, because it was stated in this forum that it could cause problems).

Regards glocke
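An added example (not from the thread or from MikroTik) that groups RouterOS ipsec,ike log lines like the ones posted above into phase 1 attempts and names the failure pattern each one shows; the sample log and its addresses are constructed, and the peer, counter and flag names are the example's own.

```python
import re
from dataclasses import dataclass
# Constructed sample in the RouterOS ipsec,ike log format quoted in this thread (documentation addresses).
SAMPLE_LOG = """\
16:15:17 ipsec,ike,info queuing SA request, phase 1 with peer 203.0.113.2 will be established first
16:15:17 ipsec,info ipsec packet discarded: src=10.0.0.5 dst=10.1.0.7
16:15:17 ipsec,ike,info received ISAKMP packet from 203.0.113.2:500, phase 1, Identity Protection
16:15:17 ipsec,ike,info received ISAKMP packet from 203.0.113.2:500, phase 1, Identity Protection
16:15:17 ipsec,ike,info packet has invalid ID payload (remote unknown)
16:15:17 ipsec,ike,info received ISAKMP packet from 203.0.113.2:500, phase 2, Informational
16:15:49 ipsec,ike,info dequeuing SA request to 203.0.113.2, phase 1 wait timed out
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (.*)$")  # time, topics, message

@dataclass
class Phase1Attempt:
    peer: str
    phase1_packets: int = 0             # ISAKMP phase 1 packets received from the peer
    invalid_id: bool = False            # 'packet has invalid ID payload' seen
    phase2_during_phase1: bool = False  # peer sent phase 2 while we were still in phase 1
    timed_out: bool = False             # 'phase 1 wait timed out' seen

def parse_attempts(log_text):
    # One record per phase 1 attempt; a 'queuing SA request' line starts a new one.
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or "ike" not in m.group(2).split(","):
            continue  # skip non-IKE topics such as 'ipsec packet discarded'
        msg = m.group(3)
        if msg.startswith("queuing SA request"):
            current = Phase1Attempt(peer=msg.split("with peer ")[1].split()[0])
            attempts.append(current)
        elif current and "received ISAKMP packet" in msg:
            if "phase 1" in msg:
                current.phase1_packets += 1
            elif not current.timed_out:
                current.phase2_during_phase1 = True
        elif current and "invalid ID payload" in msg:
            current.invalid_id = True
        elif current and "phase 1 wait timed out" in msg:
            current.timed_out = True
    return attempts

def diagnose(a):
    # Name the failure pattern discussed in the thread for one attempt.
    if a.invalid_id:
        return "phase 1 ID payload from %s rejected (identity mismatch)" % a.peer
    if a.timed_out and a.phase1_packets == 0:
        return "no ISAKMP reply from %s (check UDP/500 filtering and NAT)" % a.peer
    return "phase 1 with %s %s" % (a.peer, "timed out" if a.timed_out else "in progress")
```

Feed it the output of `/log print` filtered on the ipsec topic; an attempt flagged with `invalid_id` is the identity mismatch this thread describes, while one with no phase 1 packets at all points at UDP/500 filtering or NAT rather than at the IKE settings.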