Having a few issues attempting to establish an IPsec VPN between RouterOS and a Cisco 2600XM.
VPN is running across the internet with the MT and the Cisco router both running NAT for their respective LANs.
Aside from unreliable establishment of phase 2, I can’t seem to get it to pass traffic from the MT to the Cisco.
I’ve mucked around for a few hours trying different config combinations with the firewall/NAT as well as reading the manual with no joy.
NAT Settings
0 ;;; No NAT for VPN
    chain=srcnat action=accept src-address=192.168.2.0/24
    dst-address=10.1.1.0/24
1 ;;; Global NAT
    chain=srcnat action=masquerade src-address=192.168.2.0/24

Policy
0 src-address=192.168.2.0/24:any dst-address=10.1.1.0/24:any protocol=all
    action=encrypt level=(unknown) ipsec-protocols=esp tunnel=yes
    sa-src-address=203.x.x.x sa-dst-address=124.x.x.x
    proposal=default manual-sa=none priority=0

Peer
0 address=124.x.x.x/32:500 auth-method=pre-shared-key
    secret="xxxxxxx" generate-policy=no exchange-mode=main
    send-initial-contact=yes nat-traversal=no proposal-check=obey
    hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d
    lifebytes=0

Proposal
0 name="default" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=1h
    pfs-group=none

Installed SAs
0 E spi=0x59F9791D src-address=203.x.x.x dst-address=124.x.x.x
    auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
    auth-key="xxx"
    enc-key="xxx" add-lifetime=48m/1h
    use-lifetime=0s/0s lifebytes=0/0
1 E spi=0x60ECC79 src-address=124.x.x.x dst-address=203.x.x.x
    auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
    auth-key="xxx"
    enc-key="xxx"
    addtime=oct/14/2007 19:36:11 add-lifetime=48m/1h
    usetime=oct/14/2007 19:36:14 use-lifetime=0s/0s current-bytes=21720
    lifebytes=0/0

Cisco Router
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 6 xxx address 203.x.x.x
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer 203.x.x.x
 set transform-set VPN
 match address VPN
!
ip access-list extended NAT
 deny ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255
As shown in the installed SAs, traffic is passing one way but not the other. There’s a constant ping running from both sides.
I wasn’t even getting one-way traffic into the MT before I added a filter rule to allow the source IP of the Cisco router.
What am I missing?
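The two things a practitioner checks first in a listing like the one above are the order of the srcnat rules relative to the IPsec policy and the per-direction byte counters on the installed SAs. The following is an added example, not code from the post, from MikroTik or from Cisco: a small Python script that parses RouterOS-style "print" output and flags (a) an encrypt policy whose traffic would hit a masquerade or src-nat rule before an accept exemption (RouterOS applies srcnat before the IPsec policy lookup, which is why the bypass rule must come first) and (b) an SA direction that has carried no bytes while its reverse SA has. The sample listings are constructed from the post, with documentation addresses (203.0.113.1 and 198.51.100.1) standing in for the masked 203.x.x.x and 124.x.x.x, and the listing layout is approximated from the post rather than taken from a real device.

```python
import re
from ipaddress import ip_network

# Constructed sample listings in the style of RouterOS "print" output, modelled on
# the post. Masked public addresses are replaced by documentation ranges; the SPIs
# and the 21720-byte counter are the values shown in the post.
NAT_RULES = """\
0 ;;; No NAT for VPN
    chain=srcnat action=accept src-address=192.168.2.0/24
    dst-address=10.1.1.0/24
1 ;;; Global NAT
    chain=srcnat action=masquerade src-address=192.168.2.0/24
"""

# The same two rules in the wrong order (constructed): masquerade is hit first.
NAT_RULES_SWAPPED = """\
0 ;;; Global NAT
    chain=srcnat action=masquerade src-address=192.168.2.0/24
1 ;;; No NAT for VPN
    chain=srcnat action=accept src-address=192.168.2.0/24
    dst-address=10.1.1.0/24
"""

POLICIES = """\
0 src-address=192.168.2.0/24:any dst-address=10.1.1.0/24:any protocol=all
    action=encrypt level=require ipsec-protocols=esp tunnel=yes
"""

INSTALLED_SAS = """\
0 E spi=0x59F9791D src-address=203.0.113.1 dst-address=198.51.100.1
    auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
    add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=0/0
1 E spi=0x60ECC79 src-address=198.51.100.1 dst-address=203.0.113.1
    auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
    add-lifetime=48m/1h use-lifetime=0s/0s current-bytes=21720 lifebytes=0/0
"""

ENTRY_RE = re.compile(r"^(\d+)\s+(.*)$")          # "0 ;;; comment" or "0 E spi=..."
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')      # key=value, value may be quoted


def parse_entries(listing):
    """Turn a RouterOS-style listing into a list of dicts (one per numbered entry).
    Continuation lines are folded into the entry that precedes them."""
    entries, current = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "comment": None}
            entries.append(current)
            rest = m.group(2)
        elif current is None:
            continue                      # text before the first entry is ignored
        else:
            rest = line
        if rest.startswith(";;;"):        # RouterOS prints comments as ";;; text"
            current["comment"] = rest[3:].strip()
            continue
        for key, value in KV_RE.findall(rest):
            current[key] = value.strip('"')
    return entries


def _net(value):
    """Parse an address; policy addresses carry a ':port' suffix such as ':any'."""
    if value is None:
        return None
    host, _, port = value.rpartition(":")
    if port == "any" or port.isdigit():
        value = host
    return ip_network(value, strict=False)


def check_nat_bypass(nat_rules, policies):
    """For each encrypt policy, find the first srcnat rule its traffic matches.
    If that rule is not 'accept', the source is rewritten before the IPsec policy
    lookup and the policy never sees the LAN source address."""
    findings = []
    for pol in policies:
        if pol.get("action") != "encrypt":
            continue
        src, dst = _net(pol["src-address"]), _net(pol["dst-address"])
        for rule in nat_rules:
            if rule.get("chain") != "srcnat":
                continue
            rule_src, rule_dst = _net(rule.get("src-address")), _net(rule.get("dst-address"))
            if rule_src and not rule_src.overlaps(src):
                continue
            if rule_dst and not rule_dst.overlaps(dst):
                continue
            if rule.get("action") == "accept":
                break                     # exemption reached first: nothing to report
            findings.append(f"policy {src}->{dst}: srcnat rule {rule['index']} "
                            f"({rule.get('action')}) is hit before any accept rule, so the "
                            "source is rewritten and the IPsec policy never matches")
            break
    return findings


def sa_usage(sas):
    """Map (src, dst) of each mature SA to the bytes it has carried (0 if unused)."""
    return {(sa["src-address"], sa["dst-address"]): int(sa.get("current-bytes", "0"))
            for sa in sas if sa.get("state") == "mature"}


def idle_directions(usage):
    """Directions whose SA has carried nothing while the reverse SA has traffic."""
    return [(src, dst) for (src, dst), sent in usage.items()
            if sent == 0 and usage.get((dst, src), 0) > 0]


def report(nat_text, policy_text, sa_text):
    """Run both checks and return human-readable findings (empty list = nothing found)."""
    findings = check_nat_bypass(parse_entries(nat_text), parse_entries(policy_text))
    for src, dst in idle_directions(sa_usage(parse_entries(sa_text))):
        findings.append(f"SA {src}->{dst} has carried no bytes while the reverse SA has: "
                        "this side decrypts but never encrypts; check that outbound LAN "
                        "traffic reaches the policy with its original source address")
    return findings


if __name__ == "__main__":
    for line in report(NAT_RULES, POLICIES, INSTALLED_SAS) or ["no findings"]:
        print(line)
```

On the sample above the NAT check is clean (the accept rule precedes masquerade) and the only finding is the idle outbound SA, which is the same asymmetry the poster reads off the counters; swapping the two NAT rules makes the first check fire instead. The overlap test is deliberately loose so that a broader exemption than the policy's subnets still counts as a match.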