I’m trying to set up a VPN between a Mikrotik RB493AH router and a Cisco ASA 5505. When a user on the 10.5.1.0 subnet (behind the Mikrotik) pings a remote IP, the routers correctly bring up the VPN tunnel and the security associations (phase 1 and phase 2 completed successfully), the traffic is encapsulated and I can see the decap count increment on the ASA end, but instead of the traffic getting through, the ASA generates
%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= ICMP) from 10.5.1.127 to 192.168.6.102.
(TCP traffic generates “protocol= TCP”)
I’ve also noticed that if I disconnect the VPN (vpn-sessiondb logoff on the ASA) the security associations on the Routerboard system remain, and I need to flush them before it will bring the tunnel up again.
I have no troubles connecting other Cisco devices to this ASA endpoint, but I’ve not done an IPSEC VPN with RouterOS before.
The NAT rules on the RouterOS system exclude traffic to the remote subnets, and the Cisco ASA has no NAT at all.
1.1.1.73 == Mikrotik RB493AH, version 4.6
2.2.2.133 == Cisco ASA 5505 ver 8.2(2)
RouterOS config:
/ip ipsec peer print
address=2.2.2.133/32:500 auth-method=pre-shared-key
secret="TOPSECRET" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=md5 enc-algorithm=des dh-group=modp768 lifetime=1d
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
/ip ipsec proposal print
name="AES-256-SHA" auth-algorithms=sha1 enc-algorithms=aes-256
lifetime=30m pfs-group=none
/ip ipsec policy print
src-address=10.5.1.0/24:any dst-address=192.168.6.96/28:any protocol=al>
action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=203.206.233.73 sa-dst-address=203.221.100.133
proposal=AES-256-SHA priority=0
Cisco config:
object-group network STUFFATTHISEND
network-object 192.168.6.96 255.255.255.240
object-group network STUFFATREMOTEEND
network-object 10.5.1.0 255.255.255.0
access-list outside_cryptomap_17_uberpanda extended permit ip object-group STUFFATTHISEND object-group STUFFATREMOTEEND
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 17 match address outside_cryptomap_17_uberpanda
crypto map outside_map 17 set peer 1.1.1.73
crypto map outside_map 17 set transform-set ESP-AES-256-SHA
crypto isakmp policy 60
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
tunnel-group 1.1.1.73 type ipsec-l2l
tunnel-group 1.1.1.73 ipsec-attributes
pre-shared-key TOPSECRET
isakmp keepalive threshold infinite
Show SA on ASA (after sending 2 ping packets)
DPW-ASA5505(config-if)# sh ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 17, local addr: 2.2.2.133
access-list outside_cryptomap_17_uberpanda extended permit ip 192.168.6.96 255.255.255.240 10.5.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.6.96/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.5.1.0/255.255.255.0/0/0)
current_peer: 1.1.1.73
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.133, remote crypto endpt.: 1.1.1.73
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 0BAF4E8D
current inbound spi : D40F5C78
inbound esp sas:
spi: 0xD40F5C78 (3557776504)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 135168, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 1787
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000007
outbound esp sas:
spi: 0x0BAF4E8D (196038285)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 135168, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 1787
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
SA on RouterOS
[myname@MYROUTER] > /ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0xBAF4E8D src-address=2.2.2.133 dst-address=1.1.1.73
auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="8db91ea9dac71ca246008d8c3443eb527ca71662"
enc-key="6b34d04c4504f1d25d72f76e2d712663f7c85001d6e1f1c1d5aaf0ee54f5e6de"
add-lifetime=24m/30m use-lifetime=0s/0s lifebytes=0/0
1 E spi=0xD40F5C78 src-address=1.1.1.73 dst-address=2.2.2.133
auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="20db4f8508bd3ad4000133ca0921b7db44872d8f"
enc-key="ae47fe79b112199c6109e73c6576bc830265c55aef4621d3b7bd02413536a774"
addtime=apr/30/2010 06:02:42 add-lifetime=24m/30m
usetime=apr/30/2010 06:02:46 use-lifetime=0s/0s current-bytes=1920
lifebytes=0/0
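Before chasing the ASA message further, the first thing to rule out on a symptom like this is a mismatch between the two ends; as an added example (not from the original post), this Python check transcribes the proposals and selectors from the two configs above and verifies that the ASA crypto ACL mirrors the RouterOS policy, that both phases' proposals agree, that the flow named in the 402117 line falls inside the negotiated selectors, and which phase-1 primitives are weak. The DH alias table, the weak-primitive set and all function names are my assumptions, not anything from the page.

```python
import ipaddress
import re
# Transcribed from the question's two configs (as posted). A site-to-site tunnel
# needs the ASA crypto ACL to mirror the RouterOS policy and both phases to agree.
ROUTEROS_POLICY = {"src": "10.5.1.0/24", "dst": "192.168.6.96/28",
                   "esp_enc": "aes-256", "esp_auth": "sha1", "pfs": "none"}
ASA_CRYPTO_MAP = {"local": "192.168.6.96/28", "remote": "10.5.1.0/24",
                  "esp_enc": "aes-256", "esp_auth": "sha1", "pfs": "none"}
ROUTEROS_PEER = {"enc": "des", "hash": "md5", "dh": "modp768"}
ASA_ISAKMP = {"enc": "des", "hash": "md5", "dh": "group 1"}
# Assumed alias table: the ASA numbers DH groups, RouterOS names them by size.
DH_ALIASES = {"group 1": "modp768", "group 2": "modp1024", "group 5": "modp1536"}
WEAK = {"des", "md5", "modp768"}  # phase-1 primitives considered weak (assumed list)
# The syslog line from the question, used here as constructed sample input.
LOG_LINE = ("%ASA-4-402117: IPSEC: Received a non-IPSec packet (protocol= ICMP) "
            "from 10.5.1.127 to 192.168.6.102.")

def selectors_mirror(routeros, asa):
    """Phase-2 proxy IDs: RouterOS src/dst must equal ASA remote/local."""
    return (ipaddress.ip_network(routeros["src"]) == ipaddress.ip_network(asa["remote"])
            and ipaddress.ip_network(routeros["dst"]) == ipaddress.ip_network(asa["local"]))

def phase2_matches(routeros, asa):
    """ESP cipher, integrity algorithm and PFS setting must be identical."""
    return all(routeros[k] == asa[k] for k in ("esp_enc", "esp_auth", "pfs"))

def phase1_matches(peer, isakmp):
    """ISAKMP encryption, hash and DH group, after normalising the DH name."""
    asa_dh = DH_ALIASES.get(isakmp["dh"], isakmp["dh"])
    return (peer["enc"], peer["hash"], peer["dh"]) == (isakmp["enc"], isakmp["hash"], asa_dh)

def parse_402117(line):
    """Return (protocol, src, dst) from a %ASA-4-402117 line, or None."""
    m = re.search(r"\(protocol= (\w+)\) from (\S+?) to (\S+?)\.?$", line)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def packet_in_policy(src, dst, policy):
    """Is the logged flow inside the selectors the tunnel was negotiated for?"""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(policy["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(policy["dst"]))

def weak_phase1(peer):
    """Sorted list of weak phase-1 primitives in use (defender's checklist)."""
    return sorted(v for v in peer.values() if v in WEAK)

if __name__ == "__main__":
    proto, src, dst = parse_402117(LOG_LINE)
    print(proto, src, "->", dst, "inside policy:", packet_in_policy(src, dst, ROUTEROS_POLICY))
    print("mirror:", selectors_mirror(ROUTEROS_POLICY, ASA_CRYPTO_MAP), "phase1:",
          phase1_matches(ROUTEROS_PEER, ASA_ISAKMP), "weak:", weak_phase1(ROUTEROS_PEER))
```

For the configs as posted, every check passes and the flow is inside the selectors, so a proposal or proxy-ID mismatch is not what is producing the 402117 message; the check also shows phase 1 still relies on DES, MD5 and DH group 1.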