Mikrotik to Cisco VPN Issues

Pulling my hair out here. I’m using an RB750 to Cisco ASA 5505 with 8.4. I have little experience with RouterOS, but I’m trying to figure it out. I’m following (or trying to follow, at least) this guide:

http://wiki.mikrotik.com/wiki/MikroTik_router_to_CISCO_PIX_Firewall_IPSEC

I’m using 192.168.0.0/16 on the Cisco side (Outside:2.2.2.2) and 192.168.100.0/24 on the Mikrotik side.

I’m not seeing a phase 1 attempt come up on the ASA. Here’s my Mikrotik config:

/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes l2mtu=1526 mac-address=00:0C:42:7E:A9:60 mtu=1500 name=Outside speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:7E:A9:61 master-port=none \
    mtu=1500 name=ether2-local-master speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:7E:A9:62 master-port=\
    ether2-local-master mtu=1500 name=ether3-local-slave speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:7E:A9:63 master-port=\
    ether2-local-master mtu=1500 name=ether4-local-slave speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:7E:A9:64 master-port=\
    ether2-local-master mtu=1500 name=ether5-local-slave speed=100Mbps

/interface ethernet switch
set Inside mirror-source=none mirror-target=none name=Inside
/ip dhcp-server option
add code=150 name=150 value=192.168.25.35
add code=43 name=43 value=f104.c0a8.0f02
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=aes-256 lifetime=30m name=default pfs-group=modp1024
/ip pool
add name=DHCP-Pool ranges=192.168.100.100-192.168.100.254
/ip dhcp-server
add address-pool=DHCP-Pool authoritative=after-2sec-delay bootp-support=static disabled=no interface=ether2-local-master lease-time=3d name=DHCP
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set default-small kind=pfifo name=default-small pfifo-limit=10

/user group
add comment="" name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,!ftp,!write,!policy
add comment="" name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,!ftp,!policy
add comment="" name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface ethernet switch port
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.100.1/24 broadcast=192.168.100.255 comment="default configuration" disabled=no interface=ether2-local-master network=192.168.100.0

/ip dhcp-client
add add-default-route=yes comment="" default-route-distance=0 disabled=no interface=Outside use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.100.0/24 comment="" dns-server=192.168.100.1 gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=65.32.5.111,65.32.5.112
/ip dns static
add address=192.168.88.1 comment="" disabled=no name=router ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="" disabled=no protocol=ipencap
add action=accept chain=input comment="" disabled=no dst-port=2222 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=8291 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=80 protocol=tcp
add action=accept chain=input comment="" disabled=no dst-port=500 protocol=udp
add action=accept chain=input comment="Added by webbox" connection-state=established disabled=no in-interface=Outside
add action=accept chain=input comment="Added by webbox" connection-state=related disabled=no in-interface=Outside
add action=drop chain=input comment="Added by webbox" disabled=no in-interface=Outside
/ip firewall nat
add action=redirect chain=dstnat comment="" disabled=yes dst-address-type=local dst-port=2222 protocol=tcp to-ports=22
add action=accept chain=dstnat comment="" disabled=no dst-address=192.168.88.25 dst-port=25 in-interface=Outside protocol=tcp src-port=25
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no out-interface=Outside
add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.0.0/16 src-address=192.168.100.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
/ip ipsec peer
add address=2.2.2.2/32:500 auth-method=pre-shared-key comment="" dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=\
    aes-256 exchange-mode=main generate-policy=yes hash-algorithm=sha1 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=<snipped> \
    send-initial-contact=yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=192.168.25.0/24:any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=\
    2.2.2.2 sa-src-address=0.0.0.0 src-address=192.168.100.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.15.0/24:any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=\
    2.2.2.2 sa-src-address=0.0.0.0 src-address=192.168.100.0/24:any tunnel=yes

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=no max-cache-size=none max-client-connections=600 max-fresh-time=3d \
    max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
/ip service
set telnet address=0.0.0.0/0 disabled=no port=23
set ftp address=0.0.0.0/0 disabled=no port=2121
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=2222
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=no enabled=yes show-dummy-rule=yes
/ip upnp interfaces
add disabled=no interface=Outside type=external
add disabled=no interface=ether2-local-master type=internal
add disabled=no interface=ether3-local-slave type=internal
add disabled=no interface=ether4-local-slave type=internal
add disabled=no interface=ether5-local-slave type=internal

/queue interface
set Outside queue=ethernet-default
set ether2-local-master queue=ethernet-default
set ether3-local-slave queue=ethernet-default
set ether4-local-slave queue=ethernet-default
set ether5-local-slave queue=ethernet-default

/system identity
set name=MikroTik
/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=broadcast primary-ntp=192.168.13.2 secondary-ntp=0.0.0.0
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set from=<> password="" server=0.0.0.0:25 username=""
/tool graphing
set page-refresh=300 store-every=5min
/tool graphing interface
add allow-address=0.0.0.0/0 disabled=no interface=all store-on-disk=yes
/tool mac-server
add disabled=no interface=ether2-local-master
add disabled=no interface=ether3-local-slave
add disabled=no interface=ether4-local-slave
add disabled=no interface=ether5-local-slave
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=10 file-name="" filter-address1=0.0.0.0/0:0-65535 filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only filter-stream=yes interface=all \
    memory-limit=10 memory-scroll=no only-headers=no streaming-enabled=no streaming-server=0.0.0.0
/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no

Hopefully something will jump out at you guys. I’m completely lost.

Edit: Okay, had some NAT issues on the ASA side. The tunnel is now up, but I’m not getting any return traffic:

Home-ASA# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 67.8.234.141

      access-list outside_cryptomap extended permit ip 192.168.15.0 255.255.255.0 192.168.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      current_peer: 72.185.75.167

      #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 43, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 0C1DA3B9
      current inbound spi : 27DE7F78
/ip firewall nat
add action=redirect chain=dstnat comment="" disabled=yes dst-address-type=local dst-port=2222 protocol=tcp to-ports=22
add action=accept chain=dstnat comment="" disabled=no dst-address=192.168.88.25 dst-port=25 in-interface=Outside protocol=tcp src-port=25
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no out-interface=Outside
add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.0.0/16 src-address=192.168.100.0/24

You need to move that last ‘accept’ rule (the RouterOS equivalent of NAT zero/identity NAT on an ASA for 192.168.100.0/24 to 192.168.0.0/16) above the ‘masquerade’ rule. Rules in a chain are processed in order, so that NAT bypass isn’t taking effect because the generic masquerade rule comes first and already matches the traffic.

RouterOS processes IPsec as the very last step, AFTER source NAT. The tunnel can now come up, but you’re not seeing any return traffic because NAT has already rewritten the source address to your WAN public IP, so the IPsec policy no longer matches: the source address is no longer the one specified in the policy.

Thanks! I didn’t know that. I’ve changed it. Not fixed yet, but here’s the verification:

/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.0.0/16 src-address=192.168.100.0/24
add action=redirect chain=dstnat comment="" disabled=no dst-address-type=local dst-port=2222 protocol=tcp to-ports=22
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no out-interface=Outside

Your IPsec policy lists an sa-src-address of 0.0.0.0 - did you edit it to mask out a public IP, or is that the actual configuration? It should be the public IP address of your Mikrotik router, just as the sa-dst-address is set to the public IP address of your ASA (which it appears to be).

Should have caught that before, but stopped reading when I saw the NAT issue.

That should hopefully get you going, I don’t see anything else wrong.

I’m using 0/0 since the Mikrotik gets its WAN address from DHCP. I can try the real IP, but it seems like P1 and P2 wouldn’t come up if that were the issue, no? Can’t hurt to try, though.

It feels like there’s an issue with the encryption domain (the “crypto ACL” on the Cisco side). I wish I could find some good print/show commands on the Mikrotik to troubleshoot this.

Unfortunately you need to set the sa-src-address. From http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Policy

Note: All packets are IPIP encapsulated in tunnel mode, and their new IP header’s src-address and dst-address are set to sa-src-address and sa-dst-address values of this policy. If you do not use tunnel mode (id est you use transport mode), then only packets whose source and destination addresses are the same as sa-src-address and sa-dst-address can be processed by this policy. Transport mode can only work with packets that originate at and are destined for IPsec peers (hosts that established security associations). To encrypt traffic between networks (or a network and a host) you have to use tunnel mode.

So right now return packets are being sent with a source address of all zeroes, which is of course getting dropped. This has nothing to do with phase 1 and phase 2 - those negotiate just fine.

Try the public IP, it should work.

Yes, that makes it a pain (and potentially impossible) to use IPsec with DHCP routers.

Holy sh*t. So it turns out I was pinging a dead IP. :open_mouth: I was going by the DHCP lease table like a moron. Everything is up and working. I think the ultimate fix was the NAT issue you pointed out off the bat.

Thanks again!

Quick question: leaving the sa-src-address at quad zeroes is working?

When I last played with IPsec on RouterOS it wouldn’t work. It’d be nice if it did.

Yep, it appears to be working fine. I can see the P2 SAs come up correctly for each encrypted subnet. And, most importantly, I can ping across the tunnel.

Cool, good to know.

Thanks again for your help!