Problems with IPSEC between Mikrotik and Cisco ASA

RouterOS General
1

Hello
I need make ipsec tunnel between mikrotik RB2011 with RouterOS 6.26 and Cisco ASA. ( before I have this tunnel working between Debian with openswan and cisco )
The shematic of this task :
ipsec1.jpg
On the cisco side I have such parameters: ( Cisco is not my side, I have not access there )

Authentication Method Pre-Shared Key
Encryption Scheme IKE
Diffie-Hellman Group Group 2
Encryption Algorithm AES 256
Hashing Algorithm sha-1
Main or Aggressive Mode Main mode
Encapsulation (ESP or AH) ESP
Perfect Forward Secrecy Group 2
Lifetime (for renegotiation) 3600 seconds

On the mikrotik :

proposal print
0 * name=“default” auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-256-ctr lifetime=30m pfs-group=modp1024

By the way , what enc-algoritm I need use ? aes-256-cbc or aes-256-ctr ? In the task I have info only about AES 256 .

policy print
1 T group=default src-address=192.168.181.1/32 dst-address=172.17.0.6/32 protocol=all proposal=default template=yes

peer print
0 address=B.B.B.B/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret=“XXXXXXXXXXX” generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1h lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

Ip Ip tunnel and routing

ipip print
Flags: X - disabled, R - running, D - dynamic
0 R ipip-tunnel1 auto 1480 A.A.A.A B.B.B.B inherit

ip route print

1 A S 172.17.0.6/32 ipip-tunnel1 1

According log, ipsec tunnel succesfully up

20:59:49 ipsec,debug,packet ===
20:59:49 ipsec,debug ISAKMP-SA established A.A.A.A[500]-B.B.B.B[500] spi:42e017e17b6261c5:36418c3f9cce2656
20:59:49 ipsec,debug,packet ===

But I cannot ping remote 172.17.0.6 that behind Cisco.

ping 172.17.0.6
SEQ HOST SIZE TTL TIME STATUS
0 172.17.0.6 timeout
1 172.17.0.6 timeout
sent=2 received=0 packet-loss=100%

I see very strange ICMP packet in the sniffer, ICMP packet into tunnel came from the real IP A.A.A.A , not private 192.168.181.1

10.117 ipip-tun A.A.A.A 172.17.0.6 icmp 56

But I need that packet came from 192.168.181.1
p.s. , just tried

ping 172.17.0.6 src-address=192.168.181.1

tunnel not work :frowning:

What wrong in the my settings ?
Can anybody help me ?

2

The only thing that I can see immediately that might be wrong is if you have a NAT rule, especially since you showed the log from the Cisco.

/ip firewall nat add action=accept src-address=192.168.181.1 dst-address=172.17.0.6

This should get the Mikrotik to stop doing NAT as the traffic leaves the public interface.