 
ALEX63RU
just joined
Topic Author
Posts: 3
Joined: Tue Mar 31, 2009 1:45 pm

Mikrotik as cisco VPN client

Tue Mar 31, 2009 1:54 pm

I have a group login and password.

I also have a user login and password.

Can Mikrotik act as a Cisco VPN client?
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik as cisco VPN client

Tue Mar 31, 2009 1:58 pm

 
ALEX63RU
just joined
Topic Author
Posts: 3
Joined: Tue Mar 31, 2009 1:45 pm

Re: Mikrotik as cisco VPN client

Wed Apr 01, 2009 6:11 am

The remote peer is not a PPTP server; it is a Cisco ASA.
On my Ubuntu I use vpnc, a client for Cisco VPN3000 Concentrator, IOS and PIX:

sudo vpnc
Enter IPSec gateway address: 1.1.1.1
Enter IPSec ID for 1.1.1.1: xxxxxxxxxx
Enter IPSec secret for xxxxxxx@1.1.1.1:yyyyyyy
Enter username for 1.1.1.1: test
Enter password for test@1.1.1.1:zzzzzzzzzzzzzz
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik as cisco VPN client

Wed Apr 01, 2009 9:13 am

 
savage
Forum Guru
Posts: 1263
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa
Contact:

Re: Mikrotik as cisco VPN client

Wed Apr 01, 2009 9:36 am

It's actually not, Normis.

The Cisco VPN and associated VPN Client use proprietary extensions. I'd also be very interested in this. Tried a while ago, but gave up after a few weeks of not getting it to work.

From what I understand, it's a combination of IPSec and L2TP, but afaik - was never able to get it working.
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik as cisco VPN client

Wed Apr 01, 2009 9:37 am

you need to post logs from both sides. many people use it and it works
 
mravojed
just joined
Posts: 3
Joined: Wed Apr 01, 2009 10:34 pm

Re: Mikrotik as cisco VPN client

Wed Apr 01, 2009 10:39 pm

I am also interested in this. However, at the moment, I have no clue on where to start? I would be happy to provide logs, but with all the info I have that I use with vpnc, I am yet to find howto or documentation on where to input all these:
IPSec gateway xx.yy.zz.qq (public ip of cisco box)
IPSec ID tunnel-id
IPSec secret somesecretword
Xauth username myname
Xauth password mypassword
 
spiderik
just joined
Posts: 1
Joined: Tue Aug 11, 2009 11:25 am

Re: Mikrotik as cisco VPN client

Tue Aug 11, 2009 11:30 am

Hey, I am also very interested in this one. I have tried several howtos and I have been playing with this for some 3 weeks already and cannot get anywhere. I would really appreciate anybody who has this working showing us the light at the end of the VPN tunnel :)
 
thadem
Member Candidate
Posts: 115
Joined: Fri Apr 18, 2008 1:40 am

Re: Mikrotik as cisco VPN client

Tue Aug 11, 2009 4:35 pm

a plain cisco-vpn (afaik it's called dvpn) cannot be used with a mt-device, otherwise on a linux box you wouldn't need vpnc but could use openswan which does ipsec, but that's not the case. the protocol is ipsec, but modified and with some dirty hacks imho :-)
what you can do is configure a proper ipsec-connection on the asa and use that with mikrotik.

that http://wiki.openswan.org/index.php/Openswan/CiscoPIX should give you an idea.
 
mushmx
Frequent Visitor
Posts: 82
Joined: Sat Jul 21, 2007 7:01 pm
Location: Mexico

Re: Mikrotik as cisco VPN client

Mon Aug 17, 2009 6:48 am

Hi

About 1 month ago I tried to configure the MKT as a VPN client but I couldn't do it because Cisco ASA uses other options (group, user and password), so I couldn't find how to do it.

When I do only the IPSec connection (MKT to ASA) it works fine, but the trouble begins when ASA uses (group, user and pass). So if anybody knows, please tell us how you did it :D

Best regards.
 
thadem
Member Candidate
Posts: 115
Joined: Fri Apr 18, 2008 1:40 am

Re: Mikrotik as cisco VPN client

Mon Aug 17, 2009 2:39 pm

i think you are referring to XAUTH, which is afaik not supported on mikrotik ros.
so at least at the moment your only choice is a plain ipsec-connection.
 
mushmx
Frequent Visitor
Posts: 82
Joined: Sat Jul 21, 2007 7:01 pm
Location: Mexico

Re: Mikrotik as cisco VPN client

Mon Aug 17, 2009 8:30 pm

> i think you are referring to XAUTH, which is afaik not supported on mikrotik ros.
> so at least at the moment your only choice is a plain ipsec-connection.

Ok. Actually I have a plain IPSec connection.

Thanks. 8)
 
santajosh
Frequent Visitor
Posts: 69
Joined: Fri Dec 09, 2005 3:20 pm

Re: Mikrotik as cisco VPN client

Wed Jan 27, 2010 11:29 am

Hi EveryOne!

Is there a chance to use this kind of VPN with Mikrotik OS, new version 4.x? I also have to create a (dvpn) VPN to Cisco with Xauth username on a Mikrotik OS.

Thanks in advance.

Josh
 
gregsowell
Member Candidate
Posts: 128
Joined: Tue Aug 28, 2007 1:24 am
Contact:

Re: Mikrotik as cisco VPN client

Fri Jan 29, 2010 9:59 pm

Hi guys!

I've got slides and a video tutorial on Mikrotik VPN. It includes MTK to Cisco and even shows you how to configure your ASA for the tunnel.

http://gregsowell.com/?p=1290

I hope this helps :)
 
frankar
just joined
Posts: 1
Joined: Sat Jul 10, 2010 12:28 pm

Re: Mikrotik as cisco VPN client

Sat Jul 10, 2010 12:41 pm

Hi guys!

About http://wiki.mikrotik.com/wiki/MikroTik_ ... wall_IPSEC

- In the ip ipsec policy, I think src-address and dst-address are inverted.
- In the last firewall rule, "ip firewall add" must be "ip firewall filter add" or "ip firewall nat add"?
- In the last firewall rule I read chain=customer, but I do not have this rule defined.

Thanks for your reply
Franco
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik as cisco VPN client

Mon Jul 12, 2010 9:34 am

That article is written by a forum user, it's not a MikroTik article. You have the ability to change it. I can't vouch for its accuracy.

MikroTik articles are marked with category "manual"
 
mknos
just joined
Posts: 22
Joined: Fri Mar 19, 2010 4:49 pm

Re: Mikrotik as cisco VPN client

Sun Jul 18, 2010 7:49 am

I've got a laptop dedicated to running vpnc as that's the only thing I can't do on mikrotik. I can't configure the other end so I'm stuck with running vpnc.

Would it be possible for me to cross compile vpnc and get it running on my RB433?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Mikrotik as cisco VPN client

Sun Jul 18, 2010 7:57 am

No. You cannot put custom code on RouterOS.
 
mknos
just joined
Posts: 22
Joined: Fri Mar 19, 2010 4:49 pm

Re: Mikrotik as cisco VPN client

Mon Jul 19, 2010 9:05 am

> No. You cannot put custom code on RouterOS.

Er, doesn't RouterOS have a linux based kernel? If so, why is it not possible to put custom code on it?
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik as cisco VPN client

Mon Jul 19, 2010 9:08 am

because it's routeros. if you want custom code, there are many distributions for that.

RouterOS is organized in a certain way, and it's got tech support. When you start modifying it, it becomes just like anything else.
 
mknos
just joined
Posts: 22
Joined: Fri Mar 19, 2010 4:49 pm

Re: Mikrotik as cisco VPN client

Mon Jul 19, 2010 10:05 am

Suppose I don't mind losing tech support? Can I download the linux and other GPL sources and modify my build?

If I get vpnc working I'd be happy to contribute the information to the wiki or to MikroTik. From a quick search, there appear to be quite a few people who would like to get vpnc working on RouterOS.
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik as cisco VPN client

Mon Jul 19, 2010 10:17 am

read the license

I don't see why you would do this, as there are free distributions which are easier to modify, and for which there is large community support. here - nobody will help you
 
mknos
just joined
Posts: 22
Joined: Fri Mar 19, 2010 4:49 pm

Re: Mikrotik as cisco VPN client

Mon Jul 19, 2010 11:49 am

The reason I bought a RouterBoard was because I was fed up of installing linux distributions and endlessly configuring them, so I've been trying to replace everything with RouterOS. It's about 38C in my office and I'm trying to switch off as many things as I can. If I could knock one more laptop off that purely exists to run vpnc then I'd be more than happy in doing the work to get rid of it. I'm not interested in OpenWRT or whatever, if I were, I'd have stuck with my linux gateways.
That's all...
 
mknos
just joined
Posts: 22
Joined: Fri Mar 19, 2010 4:49 pm

Re: Mikrotik as cisco VPN client

Fri Jul 30, 2010 4:58 pm

Solved! (well sort of).

Thanks to a suggestion from elsewhere, I've just created a metarouter VM within which I can run vpnc.
 
mknos
just joined
Posts: 22
Joined: Fri Mar 19, 2010 4:49 pm

Re: Mikrotik as cisco VPN client

Mon Aug 30, 2010 9:43 am

Finally got round to actually doing this. For anyone else who needs to run vpnc, here's what I did:

Follow the instructions here: http://wiki.mikrotik.com/wiki/Manual:Metarouter importing the openwrt
image into the metarouter. Get a copy of vpnc and the tun.ko kernel module. I compiled
them which was a bit of a hassle, but ended up with these if you want to avoid the effort (and
you trust a complete stranger to compile them for you...):
http://www.sbrk.co.uk/vpnc
http://www.sbrk.co.uk/tun.ko

openwrt has a package system called opkg which allows you to point to various repositories for
new packages, but I couldn't figure out where to point it. I'm sure there is somewhere with
these.

After insmod ./tun.ko, ./vpnc works with my imported configuration leaving the only issue to
set up networking. I bridged the openwrt metarouter and configured a route to the network
used by vpnc, set up nat on the tun0 interface in openwrt and allowed forwarding and all
is working.

There is one issue remaining in that if I reboot my rb, the bridge ports disappear, presumably
because they don't exist until the metarouter vm starts. So, I have to go in and configure them
again after a reboot.
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik as cisco VPN client

Mon Aug 30, 2010 9:49 am

great! I knew RouterOS would be able to help you in some way :) sorry for not recommending metarouter any sooner
 
seb
just joined
Posts: 3
Joined: Sat Nov 05, 2011 7:36 pm

Re: Mikrotik as cisco VPN client

Sat Nov 05, 2011 7:47 pm

Hey Mknos, thanks for the basics for a vpnc solution. I have most of it working, but I'm not sure how to set up NAT on openwrt. Can you supply details on that?
 
ivissie
just joined
Posts: 1
Joined: Thu Jan 15, 2015 4:06 pm

Re: Mikrotik as cisco VPN client

Thu Jan 15, 2015 4:27 pm

Hi all,

I have successfully got mine working as well.

The metarouter image I used is: http://openwrt.wk.cz/attitude_adjustmen ... tfs.tar.gz

Configure your network interface by using "uci"
  • Show network configurations: "uci show network"
  • Show all configurations: "uci show"
  • Set configuration: "uci set network.wan=interface"

Mine looks as follows:
network.wan.proto=static
network.wan.ipaddr=172.16.2.6
network.wan.netmask=255.255.255.252
network.wan.ifname=eth0
network.wan.gateway=172.16.2.5
network.wan.dns=172.16.2.5
network.lan=interface
network.lan.proto=static
network.lan.ipaddr=172.16.2.2
network.lan.netmask=255.255.255.252
network.lan.ifname=eth1
Here my WAN interface is used to get internet to the image and the LAN will be used to access the VPN connection.
After configuring the network settings you need to commit them and restart the network service.
Run the following commands:
  • uci commit network
  • /etc/init.d/network restart
For some reason the DNS nameserver does not take effect and you need to modify it manually at /etc/resolv.conf and enter your DNS server details, otherwise you will not be able to update and download the packages needed.


Then you can install vpnc by following the tutorial here: http://wiki.openwrt.org/vpnc.vpn
  • In the created /etc/init.d/vpnc file, remove the spaces in the first few lines between the START=75 and STOP=01. It does not work with the spaces (unable to find start/stop on line 2 and line 3 error).
  • At the step where you try to run "/etc/init.d/vpnc enable" you get an error; first make the file executable by running "chmod +x /etc/init.d/vpnc" and then you will be able to enable the automatic boot script.
  • IP Tables - This one I have not figured out yet. When the metarouter restarts the IPtables are missing and you need to reapply them.
You connect the VPN by either running the startup script or the vpnc client itself.
vpnc
or
/etc/init.d/vpnc start

You can then see that the tunnel is up by using ifconfig
root@metarouter:/# ifconfig
eth0 Link encap:Ethernet HWaddr 02:0B:3E:55:A6:23
inet addr:172.16.2.6 Bcast:172.16.2.7 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2517 errors:0 dropped:0 overruns:0 frame:0
TX packets:2039 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:888004 (867.1 KiB) TX bytes:364073 (355.5 KiB)

eth1 Link encap:Ethernet HWaddr 02:5B:39:4F:B5:12
inet addr:172.16.2.2 Bcast:172.16.2.3 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4787 errors:0 dropped:0 overruns:0 frame:0
TX packets:2992 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:447771 (437.2 KiB) TX bytes:679876 (663.9 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2748 errors:0 dropped:0 overruns:0 frame:0
TX packets:2748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:186756 (182.3 KiB) TX bytes:186756 (182.3 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.102.253.87 P-t-P:10.102.253.87 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1
RX packets:41 errors:0 dropped:0 overruns:0 frame:0
TX packets:432 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:4428 (4.3 KiB) TX bytes:31605 (30.8 KiB)
On your route make sure that you route the ip ranges you need and masquerade it as required.

Traceroute from PC going to my gateway (mikrotik) over to metarouter into the VPN.
C:\Users\Administrator>tracert -d 10.117.12.117

Tracing route to 10.117.12.117 over a maximum of 30 hops

1 <1 ms <1 ms 1 ms 10.20.0.254
2 2 ms 1 ms 1 ms 172.16.2.2
3 142 ms 36 ms 26 ms 10.102.250.2
4 213 ms 43 ms 37 ms 10.101.255.73
5 137 ms 24 ms 23 ms 10.101.255.206
6 114 ms 27 ms 26 ms 10.103.82.5
7 70 ms 201 ms 215 ms 10.251.201.0
Success.

Thank you for the tip of using metarouter and vpnc!
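
The NAT and forwarding step that mknos describes, and that this post reports losing after a metarouter restart, as an added example that is not part of any post in the thread: a script for the OpenWrt guest that re-applies the rules idempotently, so it can be run on every boot or reconnect. The interface roles (eth1 facing the MikroTik, tun0 from vpnc) follow the output above; the function names and the `IPT` / `FWD_SYSCTL` overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent NAT/forwarding rules for the
# OpenWrt guest. eth1 = side facing the MikroTik host, tun0 = vpnc tunnel.
# IPT and FWD_SYSCTL are overridable (names assumed here) to allow a dry run.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
TUN_IF="${TUN_IF:-tun0}"
FWD_SYSCTL="${FWD_SYSCTL:-/proc/sys/net/ipv4/ip_forward}"

# Delete any existing copy of the rule, then insert it once at the top of the
# chain. Uses only -D/-I, so it does not depend on "iptables -C", and a rule
# inserted at the top is not shadowed by an earlier reject/drop rule.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    $IPT -t "$table" -D "$chain" "$@" 2>/dev/null || true
    $IPT -t "$table" -I "$chain" "$@"
}

vpn_nat_up() {
    # Enable IPv4 forwarding in the guest.
    echo 1 > "$FWD_SYSCTL" || return 1
    # Hide the home LAN behind the address vpnc assigned to the tunnel.
    ensure_rule nat POSTROUTING -o "$TUN_IF" -j MASQUERADE || return 1
    # New connections are accepted only in the LAN -> VPN direction ...
    ensure_rule filter FORWARD -i "$LAN_IF" -o "$TUN_IF" -j ACCEPT || return 1
    # ... and only reply traffic is accepted back from the VPN side.
    ensure_rule filter FORWARD -i "$TUN_IF" -o "$LAN_IF" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
}

vpn_nat_down() {
    # Remove the three rules; missing rules are not an error.
    $IPT -t nat -D POSTROUTING -o "$TUN_IF" -j MASQUERADE 2>/dev/null || true
    $IPT -t filter -D FORWARD -i "$LAN_IF" -o "$TUN_IF" -j ACCEPT 2>/dev/null || true
    $IPT -t filter -D FORWARD -i "$TUN_IF" -o "$LAN_IF" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
}

# Run as "script up" or "script down"; with no argument only the functions
# are defined, so the file can also be sourced.
case "${1:-}" in
    up)   vpn_nat_up ;;
    down) vpn_nat_down ;;
esac
```

Calling `vpn_nat_up` after vpnc connects, for example at the end of the init script's start step, is one possible placement; the thread does not confirm where the rules were hooked in.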
 
Shatura
just joined
Posts: 1
Joined: Tue Mar 17, 2015 7:30 pm

Re: Mikrotik as cisco VPN client

Tue Mar 17, 2015 8:07 pm

I tried metarouter image http://openwrt.wk.cz/attitude_adjustmen ... tfs.tar.gz as well. And it even works. Several minutes or maybe hours. Then metarouter freezes. The only option you have is to reboot metarouter. While rebooting it makes the host router reboot as well. Very annoying. And even when it works it loses 20% of bandwidth compared to the Windows Cisco client.

Then I tried the routine http://cases.azoft.com/how-to-connect-m ... cisco-vpn/ with Mikrotik-recommended image http://www.mikrotik.com/download/metaro ... rootfs.tgz and vpnc from http://rnd.rajven.net/openwrt/mikrotik/ ... s/packages repository. This client connects to my corporate Cisco successfully and even makes appropriate routes to my internal networks. But I could not manage to get any traffic through these routes whatsoever. No ping, no telnet, no DNS request. And no errors and no warnings.

I wasted two days trying to make good use of metarouter vpnc. Eventually I took a cheap spare router and installed DD-WRT there with vpnc. Vpnc works with two different Ciscos on my two remote jobs and provides me with two remote internal networks simultaneously. The only thing Mikrotik has to do with this is that it routes appropriate requests from my home network to remote networks through the internal address of the second router. Works like a charm.
