Hi guys! A few weeks ago I tried to set up a VPN tunnel between a Mikrotik RB951Ui-2HnD and a Cisco ASA 5515. I spent a lot of time finding the best way to do this. And what I can tell at this moment:
If we have one LAN network behind the Mikrotik and one LAN network behind the Cisco, everything works fine.
But if you have more than one network behind the LAN interfaces of the devices, you have trouble.
First of all I will show you the test scheme:
[image: mk+asa ipsec site-to-site.jpg]
We have two networks to encrypt behind the Mikrotik: 10.7.0.0/24 and 172.18.0.0/24,
and one network behind the Cisco ASA: 172.19.0.0/24.
You can see the config of both devices below.
MK RB951Ui-2HnD config:
[admin@MK] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=Y.Y.Y.Y/32 local-address=X.X.X.X passive=no port=500 auth-method=pre-shared-key
secret="test" generate-policy=no policy-template-group=group1 exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024
lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=2
[admin@MK] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 src-address=10.7.0.0/24 src-port=any dst-address=10.8.0.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=X.X.X.X sa-dst-address=81.25.44.167
proposal=mikrotik/mikrotik priority=0
1 TX* group=group1 src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
2 src-address=10.7.0.0/24 src-port=any dst-address=172.19.0.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=X.X.X.X sa-dst-address=Y.Y.Y.Y
proposal=test priority=1
3 src-address=172.18.0.0/24 src-port=any dst-address=172.19.0.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=X.X.X.X sa-dst-address=Y.Y.Y.Y
proposal=test priority=2
[admin@MK] > ip ipsec proposal print
Flags: X - disabled, * - default
1 name="test" auth-algorithms=md5 enc-algorithms=3des lifetime=1d pfs-group=none
[admin@MK] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept src-address=172.17.0.0/24 in-interface=Byfly-PPPoE log=no log-prefix=""
1 chain=input action=accept src-address=172.19.0.0/24 in-interface=Byfly-PPPoE log=no log-prefix=""
2 chain=input action=accept src-address=10.8.0.0/24 in-interface=Byfly-PPPoE log=no log-prefix=""
3 ;;; Allow ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
[admin@MK] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=10.7.0.0/24 dst-address=10.8.0.0/24 log=no log-prefix=""
1 chain=srcnat action=accept src-address=172.18.0.0/24 dst-address=172.17.0.0/24 log=no log-prefix=""
2 chain=srcnat action=accept src-address=10.7.0.0/24 dst-address=172.19.0.0/24 log=no log-prefix=""
3 chain=srcnat action=accept src-address=172.18.0.0/24 dst-address=172.19.0.0/24 log=no log-prefix=""
4 ;;; masquerade lan network
chain=srcnat action=masquerade src-address=10.5.0.0/24 out-interface=Byfly-PPPoE log=no log-prefix=""
5 ;;; masquerade guest network
chain=srcnat action=masquerade src-address=172.18.0.0/24 out-interface=Byfly-PPPoE log=no log-prefix=""
Cisco ASA config:
ASA(config)# show running-config
ASA5515, 8192 MB RAM, CPU Clarkdale 3059 MHz, 1 CPU (4 cores)
interface GigabitEthernet0/1
description Internet
nameif WAN
security-level 0
ip address Y.Y.Y.Y 255.255.255.224
interface GigabitEthernet0/2
nameif TEST
security-level 100
ip address 172.19.0.1 255.255.255.0
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.7.0.0_24
subnet 10.7.0.0 255.255.255.0
description Test for MK netwok
object network NETWORK_OBJ_172.18.0.0_24
subnet 172.18.0.0 255.255.255.0
object network NETWORK_OBJ_172.19.0.0_24
subnet 172.19.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object object NETWORK_OBJ_10.7.0.0_24
network-object object NETWORK_OBJ_172.18.0.0_24
access-list WAN_cryptomap extended permit ip 172.19.0.0 255.255.255.0 10.7.0.0 255.255.255.0
access-list WAN_cryptomap extended permit ip 172.19.0.0 255.255.255.0 172.18.0.0 255.255.255.0
nat (TEST,WAN) source static NETWORK_OBJ_172.19.0.0_24 NETWORK_OBJ_172.19.0.0_24 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
nat (TEST,WAN) source dynamic any interface
nat (LAN,WAN) source dynamic any interface
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association pmtu-aging infinite
crypto map WAN_map 1 match address WAN_cryptomap
crypto map WAN_map 1 set peer X.X.X.X
crypto map WAN_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map WAN_map 1 set security-association lifetime seconds 86400
crypto map WAN_map 1 set security-association lifetime kilobytes unlimited
crypto map WAN_map 1 set nat-t-disable
crypto map WAN_map interface WAN
crypto isakmp identity address
crypto ikev1 enable WAN
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
A Mikrotik RB2011UiAS is used as the end device in this topology.
Phase 1 of IKEv1 is up:
[admin@MK] > ip ipsec remote-peers print
0 local-address=X.X.X.X remote-address=Y.Y.Y.Y state=established side=initiator established=10m41s
Now it is time to create “interesting traffic” for encryption, and phase 2 will be installed:
Run the command from MK1 (RB2011UiAS):
[admin@MK1] > ping 10.7.0.1
SEQ HOST SIZE TTL TIME STATUS
0 10.7.0.1 timeout
1 10.7.0.1 56 64 23ms
2 10.7.0.1 56 64 21ms
sent=3 received=2 packet-loss=33% min-rtt=21ms avg-rtt=22ms max-rtt=23ms
Phase 2 was installed. On the MK router we can see it:
[admin@MK] > ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0x3D0D74D src-address=Y.Y.Y.Y dst-address=X.X.X.X state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="e1057545538b3c6219babf2e30abab09"
enc-key="50c315f81539bdf644b9cc1a1e838d5994409857b3e23b33" addtime=dec/29/2015 11:10:24 expires-in=23h59m18s
add-lifetime=19h12m/1d current-bytes=112 replay=128
1 E spi=0x1A38C2E0 src-address=X.X.X.X dst-address=Y.Y.Y.Y state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="094392dd18899bf4853b10e51008be16"
enc-key="906912f2ed0f85332de3a011134ae846844c2aad8ce2aabf" addtime=dec/29/2015 11:10:24 expires-in=23h59m18s
add-lifetime=19h12m/1d current-bytes=112 replay=128
Then we try to create “interesting traffic” from 172.19.0.0/24 network to the second network (172.18.0.0/24):
[admin@MK1] > ping 172.18.0.1
SEQ HOST SIZE TTL TIME STATUS
0 172.18.0.1 timeout
1 172.18.0.1 56 64 21ms
2 172.18.0.1 56 64 23ms
sent=3 received=2 packet-loss=33% min-rtt=21ms avg-rtt=22ms max-rtt=23ms
After that, we can see four security associations on MK (RB951Ui-2HnD) router:
[admin@MK] > ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0x3D0D74D src-address=Y.Y.Y.Y dst-address=X.X.X.X state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="e1057545538b3c6219babf2e30abab09"
enc-key="50c315f81539bdf644b9cc1a1e838d5994409857b3e23b33" addtime=dec/29/2015 11:10:24 expires-in=23h56m3s
add-lifetime=19h12m/1d current-bytes=112 replay=128
1 E spi=0x1A38C2E0 src-address=X.X.X.X dst-address=Y.Y.Y.Y state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="094392dd18899bf4853b10e51008be16"
enc-key="906912f2ed0f85332de3a011134ae846844c2aad8ce2aabf" addtime=dec/29/2015 11:10:24 expires-in=23h56m3s
add-lifetime=19h12m/1d current-bytes=112 replay=128
2 E spi=0x2C87CFB src-address=Y.Y.Y.Y dst-address=X.X.X.X state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="4d4d9bc38a4822ed41a0d072e5e94f74"
enc-key="70793e4a601e42dc2e02d16dcffcb0c7630f02f0ce06c8d8" addtime=dec/29/2015 11:13:49 expires-in=23h59m28s
add-lifetime=19h12m/1d current-bytes=112 replay=128
3 E spi=0x8699DDE8 src-address=X.X.X.X dst-address=Y.Y.Y.Y state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="fb13d096b5a1128286f2c2f734d0a7a4"
enc-key="76346bd6ee82626afcc7c94ac5ce92eb104676b453bb5087" addtime=dec/29/2015 11:13:49 expires-in=23h59m28s
add-lifetime=19h12m/1d current-bytes=112 replay=128
But if we want to generate traffic to the 10.7.0.0/24 network again, it will not work:
[admin@Newland-R] > ping 10.7.0.1
SEQ HOST SIZE TTL TIME STATUS
0 10.7.0.1 timeout
I have the same situation if I want to generate traffic from the other side of the tunnel. And as a result I have this problem: negotiation of phase 1 is OK and negotiation of phase 2 is also OK, but I have working traffic only from the last “installed” policy. If I start a ping to 172.18.0.0/24 first and to the 10.7.0.0/24 network second, the working policy would be only the last one (from 172.19.0.0/24 to 10.7.0.0/24 if we look from the Cisco ASA side, or from 10.7.0.0/24 to 172.19.0.0/24 from the MK router side).
And I have almost found why I have this problem:
In a normal situation, when I send traffic from one network (for example 172.19.0.0/24) to another (for example 10.7.0.0/24), I have one security association and two records in installed-sa print with similar values of current-bytes=:
[admin@MK] > ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0x3D0D74D src-address=Y.Y.Y.Y dst-address=X.X.X.X state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="e1057545538b3c6219babf2e30abab09"
enc-key="50c315f81539bdf644b9cc1a1e838d5994409857b3e23b33" addtime=dec/29/2015 11:10:24 expires-in=23h59m18s
add-lifetime=19h12m/1d current-bytes=112 replay=128
1 E spi=0x1A38C2E0 src-address=X.X.X.X dst-address=Y.Y.Y.Y state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="094392dd18899bf4853b10e51008be16"
enc-key="906912f2ed0f85332de3a011134ae846844c2aad8ce2aabf" addtime=dec/29/2015 11:10:24 expires-in=23h59m18s
add-lifetime=19h12m/1d current-bytes=112 replay=128
When I generate traffic from 172.19.0.0/24 (again) but to the other (172.18.0.0/24) network, I will have two new records in installed-sa with similar values of current-bytes=:
[admin@MK] > ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0x6ED7965 src-address=Y.Y.Y.Y dst-address=X.X.X.X state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="b71a298cf03ffaed4b3fe204b491bb9d"
enc-key="b7cdafb9441514f5272c98c7f60a396795f3139ff5278697" addtime=dec/29/2015 11:40:22 expires-in=23h59m44s
add-lifetime=19h12m/1d current-bytes=112 replay=128
1 E spi=0x88C4D2A src-address=X.X.X.X dst-address=Y.Y.Y.Y state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="5f6d9e57b4b1e1227c144cc0fcc593e0"
enc-key="c3f8f3abcb11345c738d5aaa7deb9ee0c80fd5f1faa0f5cf" addtime=dec/29/2015 11:40:22 expires-in=23h59m44s
add-lifetime=19h12m/1d current-bytes=112 replay=128
2 E spi=0xBDB4CFA src-address=Y.Y.Y.Y dst-address=X.X.X.X state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="34666cc4d7534e6fce30136870621889"
enc-key="1acdf10054c6271eacc7eafc52ea58bbf49073d42c9ebb35" addtime=dec/29/2015 11:40:28 expires-in=23h59m50s
add-lifetime=19h12m/1d current-bytes=224 replay=128
3 E spi=0x2EFDF749 src-address=X.X.X.X dst-address=Y.Y.Y.Y state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="fab58d430eb3c268926493ffcb25df3e"
enc-key="ee65c2d44c09bd66337845d17c2333bc33264965890b3f53" addtime=dec/29/2015 11:40:28 expires-in=23h59m50s
add-lifetime=19h12m/1d current-bytes=224 replay=128
And finally, when I want to generate traffic from 172.19.0.0/24 to 10.7.0.0/24 again, I see that the traffic falls into the wrong security association (look at current-bytes=):
[admin@MK] > ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0x6ED7965 src-address=Y.Y.Y.Y dst-address=X.X.X.X state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="b71a298cf03ffaed4b3fe204b491bb9d"
enc-key="b7cdafb9441514f5272c98c7f60a396795f3139ff5278697" addtime=dec/29/2015 11:40:22 expires-in=23h55m25s
add-lifetime=19h12m/1d current-bytes=504 replay=128
1 E spi=0x88C4D2A src-address=X.X.X.X dst-address=Y.Y.Y.Y state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="5f6d9e57b4b1e1227c144cc0fcc593e0"
enc-key="c3f8f3abcb11345c738d5aaa7deb9ee0c80fd5f1faa0f5cf" addtime=dec/29/2015 11:40:22 expires-in=23h55m25s
add-lifetime=19h12m/1d current-bytes=112 replay=128
2 E spi=0xBDB4CFA src-address=Y.Y.Y.Y dst-address=X.X.X.X state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="34666cc4d7534e6fce30136870621889"
enc-key="1acdf10054c6271eacc7eafc52ea58bbf49073d42c9ebb35" addtime=dec/29/2015 11:40:28 expires-in=23h55m31s
add-lifetime=19h12m/1d current-bytes=224 replay=128
3 E spi=0x2EFDF749 src-address=X.X.X.X dst-address=Y.Y.Y.Y state=mature auth-algorithm=md5
enc-algorithm=3des auth-key="fab58d430eb3c268926493ffcb25df3e"
enc-key="ee65c2d44c09bd66337845d17c2333bc33264965890b3f53" addtime=dec/29/2015 11:40:28 expires-in=23h55m31s
add-lifetime=19h12m/1d current-bytes=616 replay=128
Current ROS version is 6.33.2, but this problem was present on different versions. Cisco IOS Version 9.5(1).
I think this is a Mikrotik bug. Can anybody help?
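The symptom in the post can be checked mechanically instead of by eye: take two `ip ipsec installed-sa print` snapshots, compute how many bytes each SA gained in between, and look for an SA pair where only one direction moved. The script below is an added example written for this thread, not code from the post or from MikroTik. It parses the two listings quoted above (the second and third `installed-sa print` outputs, with the `auth-key` lines dropped to keep it short) and assumes, as the post's output suggests, that the inbound and outbound SA of one phase-2 negotiation share the same `addtime`, which is what it uses to pair them; the local address `X.X.X.X` is taken from the post.

```python
import re
from collections import defaultdict

# Two `ip ipsec installed-sa print` snapshots copied from the post above
# (auth-key lines dropped). BEFORE is the listing after the second ping run,
# AFTER is the listing after the third ping to 10.7.0.1 that got no replies.
SNAPSHOT_BEFORE = """\
Flags: A - AH, E - ESP
0 E spi=0x6ED7965 src-address=Y.Y.Y.Y dst-address=X.X.X.X state=mature auth-algorithm=md5
enc-key="b7cdafb9441514f5272c98c7f60a396795f3139ff5278697" addtime=dec/29/2015 11:40:22 expires-in=23h59m44s
add-lifetime=19h12m/1d current-bytes=112 replay=128
1 E spi=0x88C4D2A src-address=X.X.X.X dst-address=Y.Y.Y.Y state=mature auth-algorithm=md5
enc-key="c3f8f3abcb11345c738d5aaa7deb9ee0c80fd5f1faa0f5cf" addtime=dec/29/2015 11:40:22 expires-in=23h59m44s
add-lifetime=19h12m/1d current-bytes=112 replay=128
2 E spi=0xBDB4CFA src-address=Y.Y.Y.Y dst-address=X.X.X.X state=mature auth-algorithm=md5
enc-key="1acdf10054c6271eacc7eafc52ea58bbf49073d42c9ebb35" addtime=dec/29/2015 11:40:28 expires-in=23h59m50s
add-lifetime=19h12m/1d current-bytes=224 replay=128
3 E spi=0x2EFDF749 src-address=X.X.X.X dst-address=Y.Y.Y.Y state=mature auth-algorithm=md5
enc-key="ee65c2d44c09bd66337845d17c2333bc33264965890b3f53" addtime=dec/29/2015 11:40:28 expires-in=23h59m50s
add-lifetime=19h12m/1d current-bytes=224 replay=128
"""
SNAPSHOT_AFTER = """\
Flags: A - AH, E - ESP
0 E spi=0x6ED7965 src-address=Y.Y.Y.Y dst-address=X.X.X.X state=mature auth-algorithm=md5
enc-key="b7cdafb9441514f5272c98c7f60a396795f3139ff5278697" addtime=dec/29/2015 11:40:22 expires-in=23h55m25s
add-lifetime=19h12m/1d current-bytes=504 replay=128
1 E spi=0x88C4D2A src-address=X.X.X.X dst-address=Y.Y.Y.Y state=mature auth-algorithm=md5
enc-key="c3f8f3abcb11345c738d5aaa7deb9ee0c80fd5f1faa0f5cf" addtime=dec/29/2015 11:40:22 expires-in=23h55m25s
add-lifetime=19h12m/1d current-bytes=112 replay=128
2 E spi=0xBDB4CFA src-address=Y.Y.Y.Y dst-address=X.X.X.X state=mature auth-algorithm=md5
enc-key="1acdf10054c6271eacc7eafc52ea58bbf49073d42c9ebb35" addtime=dec/29/2015 11:40:28 expires-in=23h55m31s
add-lifetime=19h12m/1d current-bytes=224 replay=128
3 E spi=0x2EFDF749 src-address=X.X.X.X dst-address=Y.Y.Y.Y state=mature auth-algorithm=md5
enc-key="ee65c2d44c09bd66337845d17c2333bc33264965890b3f53" addtime=dec/29/2015 11:40:28 expires-in=23h55m31s
add-lifetime=19h12m/1d current-bytes=616 replay=128
"""

# One SA entry starts with an index, optional flag letters and "spi=";
# the lines that follow are continuations of the same entry.
SA_START = re.compile(r"^\s*\d+\s+(?:[A-Z]\s+)*spi=")
KEY_VALUE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
# addtime carries a space inside its value, so it gets its own pattern.
ADDTIME = re.compile(r"addtime=(\S+ \d{2}:\d{2}:\d{2})")


def parse_installed_sa(text):
    """Parse RouterOS `ip ipsec installed-sa print` output into a list of dicts."""
    entries = []
    for line in text.splitlines():
        if SA_START.match(line):
            entries.append(line.strip())
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    sas = []
    for raw in entries:
        kv = dict(KEY_VALUE.findall(raw))
        addtime = ADDTIME.search(raw)
        sas.append({
            "spi": kv["spi"],
            "src": kv["src-address"],
            "dst": kv["dst-address"],
            "addtime": addtime.group(1) if addtime else kv.get("addtime", ""),
            "bytes": int(kv["current-bytes"]),
        })
    return sas


def sa_deltas(before, after, local_address):
    """Bytes gained per direction between two snapshots, grouped by addtime.
    Assumption: the inbound and outbound SA of one phase-2 negotiation share
    the same addtime, so addtime identifies the pair (true for the post's output)."""
    previous = {sa["spi"]: sa["bytes"] for sa in before}
    deltas = defaultdict(lambda: {"in": 0, "out": 0})
    for sa in after:
        direction = "in" if sa["dst"] == local_address else "out"
        deltas[sa["addtime"]][direction] += sa["bytes"] - previous.get(sa["spi"], 0)
    return dict(deltas)


def find_mismatched_pairs(deltas):
    """A symmetric exchange such as ping should move both counters of one pair.
    A pair where only one direction grew means the replies were encrypted under
    a different SA than the requests arrived on: the symptom described in the post."""
    return sorted(t for t, d in deltas.items() if (d["in"] > 0) != (d["out"] > 0))


if __name__ == "__main__":
    before = parse_installed_sa(SNAPSHOT_BEFORE)
    after = parse_installed_sa(SNAPSHOT_AFTER)
    deltas = sa_deltas(before, after, "X.X.X.X")
    for addtime, d in sorted(deltas.items()):
        print(f"{addtime}: in +{d['in']} bytes, out +{d['out']} bytes")
    print("pairs with one-sided growth:", find_mismatched_pairs(deltas))
```

On the post's data this reports that the pair negotiated at 11:40:22 (the 10.7.0.0/24 policy) gained 392 inbound bytes and nothing outbound, while the pair from 11:40:28 (the 172.18.0.0/24 policy) gained 392 outbound bytes and nothing inbound: the echo requests were decrypted on the right SA, but the replies left through the SA of the other policy, which is why the ASA never delivers them. The one-sided-growth rule is tuned to a symmetric test like ping; for real traffic compare the deltas against what the policy selectors should carry rather than expecting equal counts.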