I have a RB2011UiAS and I need to create a secure link to a Cisco router. The Cisco tech suggested a route-based link which is apparently not supported by RouterOS, and I would like to propose an alternative.
The link will never transmit more than 60MB in a day, and while it is running across a 100Mb/s line, it does not have to be all that fast itself.
Can anyone propose a solution that will:
Place as little load as possible on the Routerboard
Obviously be supported by the Cisco
Be secure enough to transmit significantly confidential information without going overboard.
You could use a GRE/IPsec tunnel when you want to connect two networks, or you could use L2TP/IPsec when you just require a single address on your side that connects to the network at the other side (and then use NAT).
What data do you need to transfer, I mean between what addresses? If it would be only specific subnet(s) on each side, standard policy-based IPSec would work.
My understanding is that we will be connecting to a web based service inside their network a few times a day. I suspect that policy based IPSec will be a problem due to the service being on a private IP range and them not wanting to NAT in.
That is what I’ve been working on for the past week or so. I have deferred to the tech on the other side because I believed that he was more experienced in this than I was, but now I just want this to be resolved and over.
This is what I have: Policy
src-address=x.x.x.x/32 src-port=any dst-address=y.y.y.y/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no proposal=IPSec ph2-count=1
Other Info
The IPIP link is configured and should run (encrypted) over this link. The IPIP link is dead simple, so I have not included info, but I have NOT configured IPsec on the IPIP link, relying on the policy to deal with it.
Can anyone suggest what the config on the Cisco side should look like? As much detail as possible would be great. I really appreciate the effort so far, and am grateful for any help that can be provided further.
IPIP over IPsec should work, also with the default way of setting a PSK on the IPIP interface and not setting any IPsec explicitly in RouterOS.
However, Cisco people often are more comfortable with GRE/IPsec that is why I recommended that.
(it is explained in many example configs for IOS)
Of course, besides the tunnel setup you also have to arrange for the proper firewall rules and routing of networks.
For that, the starting point is to add addresses (e.g. from a /30 network) on the IPIP interface at either side (e.g. 10.0.0.1/30 and 10.0.0.2/30)
and the addition of manual subnet routes or configuration of an autorouting protocol and advertisement of the desired subnets.
It was the Cisco guy who suggested IPIP over IPSec, strangely enough.
The firewall rules are no problem, neither is NATting. I have that all covered. I just need the IPSec part to complete properly so that the IPIP tunnel can come up. As soon as I can ping the other side of the tunnel I can do anything else. I just need a config that will work on the RouterOS side and a compatible config for the Cisco side, if anyone can provide that.
You need only IPIP traffic encrypted, so use protocol=ipencap for policy. I can’t help you with Cisco, but you need the same simple thing, IPSec for IPIP traffic between two public addresses, so I’d assume that Cisco guy knows how to do it.
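Pulling the advice in this thread together into one RouterOS configuration (an added example, not a config posted by anyone in the thread): a plain IPIP tunnel between the two public addresses, a transport-mode IPsec policy that covers only protocol 4 (ipencap) between the peers instead of protocol=all, the /30 tunnel addresses suggested above, and the input rules that let IKE, ESP and the decrypted IPIP packets in. The addresses x.x.x.x (MikroTik) and y.y.y.y (Cisco) are taken from the posted policy; the remote subnet 192.168.100.0/24, the pre-shared key and the AES-256/SHA-256/modp2048 algorithm choices are assumptions to be matched against whatever the Cisco side is configured with. The syntax is RouterOS 6.x before 6.43; from 6.43 on the peer is split into /ip ipsec peer, identity and profile.

```routeros
# Added example, not from the thread. Assumed values:
#   x.x.x.x  = MikroTik public address   (from the posted policy)
#   y.y.y.y  = Cisco public address      (from the posted policy)
#   10.0.0.1/30 and 10.0.0.2/30 = IPIP tunnel endpoints (from the reply above)
#   192.168.100.0/24 = remote subnet hosting the web service (assumed)
#   PSK and algorithms are assumptions; they must match the Cisco side.
# Syntax: RouterOS 6.x before 6.43.

# 1. Plain IPIP tunnel between the public addresses, no ipsec-secret on it.
#    (If you instead use ipsec-secret on this interface, RouterOS creates the
#    peer and policy dynamically and steps 2-4 must be left out, not duplicated.)
/interface ipip
add name=ipip-cisco local-address=x.x.x.x remote-address=y.y.y.y \
    comment="IPIP to Cisco, protected by the IPsec policy below"

/ip address
add address=10.0.0.1/30 interface=ipip-cisco

# 2. Phase 1 peer: main mode with a pre-shared key.
#    Use a long random PSK; the algorithms here are assumptions.
/ip ipsec peer
add address=y.y.y.y/32 auth-method=pre-shared-key secret="CHANGE-ME-long-random-psk" \
    exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    nat-traversal=no comment="Cisco IPIP peer"

# 3. Phase 2 proposal: ESP with AES-256/SHA-256 and PFS (assumptions).
/ip ipsec proposal
add name=IPSec auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# 4. Transport-mode policy for ONLY protocol 4 (ipencap) between the peers.
#    level=require also drops inbound plaintext IPIP that should have been in ESP.
/ip ipsec policy
add src-address=x.x.x.x/32 dst-address=y.y.y.y/32 protocol=ipencap \
    action=encrypt level=require ipsec-protocols=esp tunnel=no proposal=IPSec \
    sa-src-address=x.x.x.x sa-dst-address=y.y.y.y

# 5. Input rules for IKE, ESP and the decrypted IPIP packets, restricted to the
#    peer address. place-before=0 puts them ahead of any existing drop rule.
#    The ipsec-policy matcher accepts IPIP only if it actually arrived inside ESP.
/ip firewall filter
add chain=input place-before=0 action=accept protocol=udp dst-port=500 \
    src-address=y.y.y.y comment="IKE from Cisco"
add chain=input place-before=0 action=accept protocol=ipsec-esp \
    src-address=y.y.y.y comment="ESP from Cisco"
add chain=input place-before=0 action=accept protocol=ipencap \
    src-address=y.y.y.y ipsec-policy=in,ipsec comment="IPIP from Cisco, decrypted only"

# 6. Route the remote subnet over the tunnel and hide our clients behind
#    10.0.0.1, since the other side will not NAT towards us.
/ip route
add dst-address=192.168.100.0/24 gateway=10.0.0.2 comment="remote web service via IPIP"

/ip firewall nat
add chain=srcnat out-interface=ipip-cisco action=masquerade \
    comment="LAN clients appear as 10.0.0.1 inside the partner network"
```

Because the policy uses tunnel=no, the Cisco side has to protect the IPIP packets in transport mode as well: the transform set needs `mode transport`, the crypto map ACL should match only the tunnel packets between the two public addresses (`permit ipinip host y.y.y.y host x.x.x.x`), and the Tunnel interface needs `tunnel mode ipip` with 10.0.0.2/30 on it. Once phase 1 and phase 2 are up (`/ip ipsec installed-sa print` shows SAs in both directions), a ping from 10.0.0.1 to 10.0.0.2 confirms the IPIP tunnel itself; if the ping fails while the SAs exist, check the Cisco crypto ACL direction and the input rules rather than the IPsec algorithms.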