Site to Site VPN: Mikrotik - Cisco

Hi all,

I am new to MK so forgive me for my silly questions.

I need to set up an IPsec VPN between my Mikrotik RB201 and my client's Cisco router. I'm having trouble trying to make it run, with no luck so far. Some help would be appreciated!

For my side the configuration is as follows (fake ip's):

Phase 1

[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=44.222.222.222/32 local-address=:: passive=no port=500
auth-method=pre-shared-key secret="mysecret" generate-policy=no
policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
[admin@MikroTik] >

Phase 2

[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=1d
pfs-group=modp1024

1 name="proposal" auth-algorithms=sha1 enc-algorithms=3des lifetime=12h
pfs-group=modp1024
[admin@MikroTik] >
[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes

1 src-address=192.168.11.0/24 src-port=any dst-address=192.168.22.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=ah-esp tunnel=yes sa-src-address=199.222.222.222
sa-dst-address=44.222.222.222 proposal=proposal priority=0
[admin@MikroTik] >
######### Firewall Filter #############
1 chain=input action=accept protocol=udp in-interface=ether1 dst-port=500
log=no log-prefix=""

2 chain=input action=accept protocol=ipsec-esp in-interface=ether1 log=no
log-prefix=""

16 chain=input action=accept protocol=tcp dst-port=1701 log=no log-prefix=""

17 chain=input action=accept protocol=tcp dst-port=1701 log=no log-prefix=""

[admin@MikroTik] >
########## Firewall Nat ###############

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.11.0/24
dst-address=192.168.22.0/24 log=no log-prefix=""

1 chain=srcnat action=accept src-address=192.168.22.0/24
dst-address=192.168.11.0/24 log=no log-prefix=""

The “/ip ipsec policy print stats” says:

[admin@MikroTik] > /ip ipsec policy print stats
0

1 ph2-state=no-phase2

Any brave soul?

Any errors in the Log? Make sure you have set everything up as in this example.

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IpSec_Tunnel

Hi Emils,

Thanks for your reply. I have done the exact same configuration as explained in the link you sent, but still no success. Phase 1 is no problem, but there are issues with phase 2:

/ip ipsec policy print

src-address=192.168.11.0/24 src-port=any dst-address=192.168.22.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=199.222.222.222 sa-dst-address=44.222.222.222
proposal=proposal1 priority=0
In the policy, when I change the src-address from 192.168.11.0/24 to 0.0.0.0/0, the “/ip ipsec policy print stats” returns:

[admin@MikroTik] > /ip ipsec policy print stats
0

1 ph2-state=msg1-sent
[admin@MikroTik] >

But still can’t ping the remote host 192.168.22.0/24.

Please advise on getting ph2-state=established.

Best,
MSCHC

Your policy's dst-address is 10.1.28.32/28 and you are trying to ping 192.168.22.0/24?

Please enable IPSec debug logs and see if any errors come up.

Hello Emils,

Thanks for replying. About the IP: I wanted to hide my real IP, so I use 192.168.11.xx and 22.xx for the source and destination LANs.

The IPSec debug is on but does not show any error when src-address is 192.168.11.0/24 (but ph2-state=no-phase2), and when src-address is 0.0.0.0/0, ph2-state=msg1-sent.

Thank you

As someone else mentioned, debug the IPSEC topic. My default config adds this logging rule. I enable it whenever I want to troubleshoot a tunnel, then disable it when I’m done.

/system logging
add disabled=yes prefix="IPSEC: " topics=ipsec,!packet

Here is a sanitized config I just pulled from a Mikrotik router with an active VPN tunnel to a Cisco router. I didn’t include it here, but your firewall filter rules need to allow your intersite traffic.

/ip firewall nat
add action=accept chain=srcnat dst-address-list=<bogons> src-address=<local subnet>

/ip ipsec profile
add dh-group=modp1536 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-256 lifetime=8h name=<ipsec profile>

/ip ipsec peer
add address=<remote peer IP>/32 comment="<remote site>" local-address=<local peer IP> name="<remote site>" profile=<ipsec profile>

/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=1d name=a256/s1/dh5 pfs-group=modp1536

/ip ipsec identity
add peer="<remote peer IP>" secret=<PSK>

/ip ipsec policy
add comment=<remote site> dst-address=<remote subnet> level=unique peer="<remote site>" proposal=a256/s1/dh5 sa-dst-address=<remote peer IP> sa-src-address=<local peer IP> src-address=<local subnet> tunnel=yes
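As an added example (not from any post in this thread), a small Python checker that parses the RouterOS `print` output quoted by the original poster and flags the phase-2 mismatches the thread turns on: an undefined proposal name, the ah-esp bundle versus ESP only, SA addresses that differ from the peer, a 0.0.0.0/0 selector, and a missing srcnat accept pair. The sample text is the original poster's output; the Cisco-side expectations (ESP-only transform set, mirror-image crypto ACL) are assumptions stated in the comments.

```python
import re
# Constructed sample input: the original poster's policy and proposal output.
POLICY_PRINT = """\
1 src-address=192.168.11.0/24 src-port=any dst-address=192.168.22.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=ah-esp tunnel=yes sa-src-address=199.222.222.222
sa-dst-address=44.222.222.222 proposal=proposal priority=0
"""
PROPOSAL_PRINT = """\
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=1d
pfs-group=modp1024

1 name="proposal" auth-algorithms=sha1 enc-algorithms=3des lifetime=12h
pfs-group=modp1024
"""
PEER_ADDRESS = "44.222.222.222/32"
NAT_ACCEPT = [("192.168.11.0/24", "192.168.22.0/24")]  # srcnat accept (src, dst)

def parse_print(text):
    """Turn RouterOS 'print' output into one dict per numbered item; wrapped
    continuation lines are folded into the previous item, flags and quotes dropped."""
    items, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+(?:[A-Z*]+\s+)?(.*)$", line)
        if m:
            cur = {"id": int(m.group(1))}
            items.append(cur)
            line = m.group(2)
        if cur is None or not line.strip():
            continue
        for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line):
            cur[k] = v.strip('"')
    return items

def check_policy(policy, proposals, peer_address, nat_accept):
    """Findings for the phase-2 mismatches discussed in the thread. Assumption:
    the Cisco peer uses an ESP-only transform set and a crypto-map ACL that
    must mirror the MikroTik src/dst selectors exactly."""
    findings = []
    if policy.get("proposal") not in {p.get("name") for p in proposals}:
        findings.append("proposal %r is not defined" % policy.get("proposal"))
    if policy.get("ipsec-protocols") != "esp":
        findings.append("ipsec-protocols=%s; peer expects esp" % policy.get("ipsec-protocols"))
    if policy.get("sa-dst-address") != peer_address.split("/")[0]:
        findings.append("sa-dst-address does not match the configured peer")
    if policy.get("src-address") == "0.0.0.0/0":
        findings.append("src-address=0.0.0.0/0 cannot mirror the remote crypto ACL")
    pair = (policy.get("src-address"), policy.get("dst-address"))
    if pair not in nat_accept:
        findings.append("no srcnat accept rule for %s -> %s" % pair)
    return findings
```

Paste the output of `/ip ipsec policy print`, `/ip ipsec proposal print` and the peer address into the constants and run `check_policy(parse_print(POLICY_PRINT)[0], parse_print(PROPOSAL_PRINT), PEER_ADDRESS, NAT_ACCEPT)`; an empty list means none of the thread's known mismatches is present.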