Hi, has anyone been able to accomplish this? I’ve tried a few examples without success. If anyone can shed any light, point to a web example or paste their code example it would be much appreciated. Running v3.30
Cheers
If anyone is interested I was able to figure this out on my own:
a.a.a.a = private network A (Cisco ASA 5510)
b.b.b.b = private network B (Mikrotik)
p.p.p.p = public IP of Mikrotik
q.q.q.q = public IP of Cisco ASA
Cisco ASA Code:
access-list outside_1_cryptomap extended permit ip a.a.a.a 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip a.a.a.a 255.255.255.0 host p.p.p.p
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list inside_nat0_outbound_1 extended permit ip a.a.a.a 255.255.255.0 b.b.b.b 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip a.a.a.a 255.255.255.0 b.b.b.b 255.255.255.0
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 0.0.0.0 0.0.0.0
access-group 101 in interface outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set peer p.p.p.p
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 21
tunnel-group p.p.p.p type ipsec-l2l
tunnel-group p.p.p.p ipsec-attributes
 pre-shared-key !@#$%^&PH
 isakmp keepalive disable
Mikrotik Code:
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip ipsec peer
add address=q.q.q.q/32:500 auth-method=pre-shared-key dh-group=\
modp1024 disabled=no dpd-interval=12s dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
sha1 lifebytes=0 lifetime=1d nat-traversal=yes proposal-check=obey \
secret="!@#\$%^&PH" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=a.a.a.a/24:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=q.q.q.q sa-src-address=p.p.p.p src-address=\
b.b.b.b/24:any tunnel=yes
/ip firewall nat
add action=accept chain=srcnat comment="IPSEC" disabled=no \
dst-address=a.a.a.a/24 src-address=b.b.b.b/24
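An added cross-check, not code from the thread, that parses the phase-1 lines of both configs as posted and reports any ISAKMP/peer setting that does not line up between the two boxes: authentication, encryption, hash, DH group (ASA group 2 = RouterOS modp1024) and lifetime (86400 s = 1d). It assumes a single isakmp policy on the ASA and the small algorithm-name mapping in ASA_TO_ROS; the sample config strings are constructed from the lines above.

```python
import re
# Constructed sample input: the phase-1 lines from the two configs posted above.
ASA_CFG = """crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 21"""
ROS_CFG = """/ip ipsec peer
add address=q.q.q.q/32:500 auth-method=pre-shared-key dh-group=\\
modp1024 disabled=no dpd-interval=12s dpd-maximum-failures=1 \\
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\\
sha1 lifebytes=0 lifetime=1d nat-traversal=yes proposal-check=obey \\
secret="!@#\\$%^&PH" send-initial-contact=yes"""
# ASA keyword -> (RouterOS peer key, {ASA value: RouterOS value}); assumption: only these names are mapped.
ASA_TO_ROS = {
    "authentication": ("auth-method", {"pre-share": "pre-shared-key"}),
    "encryption": ("enc-algorithm", {"3des": "3des", "aes": "aes-128", "aes-256": "aes-256"}),
    "hash": ("hash-algorithm", {"sha": "sha1", "md5": "md5"}),
    "group": ("dh-group", {"2": "modp1024", "5": "modp1536", "14": "modp2048"}),
}

def parse_asa_policy(cfg):
    """Sub-commands of the first 'crypto isakmp policy' block (up to the next 'crypto' line)."""
    rest = cfg.split("crypto isakmp policy", 1)[1]
    block = re.split(r"^crypto ", rest, maxsplit=1, flags=re.M)[0]
    return dict(re.findall(r"^\s*(authentication|encryption|hash|group|lifetime)\s+(\S+)\s*$", block, re.M))

def parse_ros_peer(cfg):
    """key=value pairs of the 'add' under '/ip ipsec peer', after joining '\\' line continuations."""
    block = cfg.replace("\\\n", "").split("/ip ipsec peer", 1)[1].split("\n/", 1)[0]
    return dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', block))

def ros_seconds(value):
    """RouterOS duration such as '1d', '30m' or '12s' -> seconds."""
    mult = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * mult[u] for n, u in re.findall(r"(\d+)([dhms])", value))

def phase1_mismatches(asa_cfg, ros_cfg):
    """List the phase-1 settings that differ between the two sides (empty list = they agree)."""
    asa, ros, issues = parse_asa_policy(asa_cfg), parse_ros_peer(ros_cfg), []
    for key, (ros_key, table) in ASA_TO_ROS.items():
        want = table.get(asa.get(key))
        if ros.get(ros_key) != want:
            issues.append(f"{key}: ASA '{asa.get(key)}' needs {ros_key}={want}, RouterOS has {ros.get(ros_key)}")
    if ros_seconds(ros.get("lifetime", "0s")) != int(asa.get("lifetime", "0")):
        issues.append(f"lifetime: ASA {asa.get('lifetime')}s vs RouterOS {ros.get('lifetime')}")
    return issues
```

Run `phase1_mismatches(ASA_CFG, ROS_CFG)` against the two configs; an empty list means every mapped phase-1 parameter agrees, otherwise each entry names the setting to fix on one side.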