plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Thu Nov 15, 2007 11:53 pm

Hi,

I'm trying to set up a VPN tunnel between a Cisco 800 Series and Mikrotik 3.0rc10, following this Howto:
http://wiki.mikrotik.com/wiki/IPSec_VPN ... _and_Cisco but they can't connect.
I log in to Winbox and try to ping the remote WAN IP address, and I receive this error message: "timeout: ping reply not recieved after 1000mss"
I have checked the whole configuration many times; it is the same as the tutorial.

Any help?

Thanks in advance.

Pablo
 
fatonk
Member
Posts: 438
Joined: Tue Feb 22, 2005 11:06 am
Location: Mitrovica/Kosova

Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Fri Nov 16, 2007 10:13 am

Can you post your configuration here, so that we can give you some assistance?

Regards

Faton
 
plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Fri Nov 16, 2007 2:11 pm

Configuration of both routers

On Mikrotik

/interface ipip
add comment="" disabled=no local-address=10.118.1.2 mtu=1480 name="Tunel1" remote-address=10.118.1.1

/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" dial-on-demand=no disabled=no interface=WAN max-mru=1480 max-mtu=1480 \
mrru=disabled name="pppoe-out1" password="xxxxx" profile=default service-name="xx" use-peer-dns=no user="xxxx"

/ip address
add address=10.118.1.2/29 broadcast=10.118.1.7 comment="" disabled=no interface=WAN network=10.118.1.0
add address=192.168.15.1/24 broadcast=192.168.15.255 comment="" disabled=no interface=LAN network=192.168.15.0
add address=10.135.1.2/30 broadcast=10.135.1.3 comment="" disabled=no interface=Tunel1 network=10.135.1.0


/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
redistribute-connected=no redistribute-ospf=no redistribute-static=no timeout-timer=3m update-timer=30s
/routing rip interface
add authentication=none authentication-key="" disabled=no in-prefix-list="" interface=Tunel1 key-chain="" out-prefix-list="" passive=no receive=v2 send=v2
/routing rip neighbor
add address=10.135.1.1 disabled=no
/routing rip network
add disabled=no network=192.168.15.0/24
add disabled=no network=10.135.1.0/30

/ip ipsec policy
add action=encrypt disabled=no dst-address=10.118.1.1/32:any ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=ipsec protocol=all \
sa-dst-address=10.118.1.1 sa-src-address=10.118.1.2 src-address=10.118.1.2/32:any tunnel=no
/ip ipsec peer
add address=10.118.1.1/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no enc-algorithm=3des exchange-mode=main generate-policy=no \
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret="ipsec" send-initial-contact=yes

/ip ipsec proposal
add auth-algorithms=sha1 disabled=yes enc-algorithms=3des lifetime=30m name="default" pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=30m name="ipsec" pfs-group=modp1024


On Cisco

interface Tunnel1
 description Tunel1
 ip address 10.135.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1480
 ip tcp adjust-mss 1400
 load-interval 30
 tunnel source 10.118.1.1
 tunnel destination 10.118.1.2
 tunnel mode ipip
 tunnel protection ipsec profile encrypt
 hold-queue 1024 in
 hold-queue 1024 out

interface FastEthernet4
 description $ES_WAN$$ETH-WAN$
 ip address 10.118.1.1 255.255.255.248
 ip virtual-reassembly
 speed auto
 full-duplex

interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.97.254.1 255.255.0.0
 ip virtual-reassembly
 ip tcp adjust-mss 1452

router rip
 version 2
 timers basic 30 60 90 90
 redistribute connected metric 1 route-map connected-to-rip
 redistribute static metric 5 route-map static-to-rip
 network 192.168.15.0
 distribute-list prefix LAN out
 no auto-summary
!

ip prefix-list LAN seq 10 permit 10.97.0.0/16

route-map connected-to-rip permit 10
 match interface FastEthernet4
!
route-map static-to-rip permit 10
 match ip address prefix-list LAN

crypto isakmp key ipsec address 0.0.0.0 0.0.0.0

crypto ipsec security-association idle-time 600

crypto ipsec transform-set vpn esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile encrypt
 set transform-set vpn
!
!
crypto map vpn 1 ipsec-isakmp
 description *expo*
 set peer 10.118.1.2
 set transform-set vpn
 set pfs group2
 match address mikrotik_peer

ip access-list extended mikrotik_peer
 permit ipinip host 10.118.1.1 host 10.118.1.2
!
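
Added example, not part of the original posts: a short Python check that reads the IPsec lines of the two configurations posted above and reports which settings agree on both sides. The excerpts are trimmed copies of the posted lines, and the function names and check labels are this example's own; the posted Cisco configuration shows no "crypto isakmp policy" block, so phase 1 is reported as not shown rather than compared.

```python
import re, shlex

# Constructed input: IPsec-relevant lines trimmed from the two posted configurations.
ROUTEROS = r'''/ip ipsec policy
add action=encrypt dst-address=10.118.1.1/32:any proposal=ipsec \
sa-dst-address=10.118.1.1 sa-src-address=10.118.1.2 tunnel=no
/ip ipsec peer
add address=10.118.1.1/32:500 auth-method=pre-shared-key secret="ipsec"
/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=3des name="ipsec"
'''
IOS = '''interface Tunnel1
 tunnel source 10.118.1.1
 tunnel destination 10.118.1.2
crypto isakmp key ipsec address 0.0.0.0 0.0.0.0
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
 mode transport
'''

def parse_routeros(text):
    """Map each RouterOS menu path to the list of key=value dicts added under it."""
    menus, menu = {}, None
    for line in text.replace("\\\n", " ").splitlines():  # join continuation lines
        if line.startswith("/"):
            menu = line.strip()
        elif line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:])
            menus.setdefault(menu, []).append(dict(pairs))
    return menus

def compare(routeros, ios):
    """Return {check: bool} for the settings that both posted configurations state."""
    ros = parse_routeros(routeros)
    policy, peer = ros["/ip ipsec policy"][0], ros["/ip ipsec peer"][0]
    prop = next(p for p in ros["/ip ipsec proposal"] if p["name"] == policy["proposal"])
    grab = lambda pattern: re.search(pattern, ios, re.M).groups()
    enc, auth, mode = grab(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac\n\s*mode (\S+)")
    src, dst = grab(r"tunnel source (\S+)\n\s*tunnel destination (\S+)")
    return {
        "esp encryption": prop["enc-algorithms"] == enc,
        "esp integrity": prop["auth-algorithms"] == auth,
        "ipsec mode": ("tunnel" if policy["tunnel"] == "yes" else "transport") == mode,
        "pre-shared key": (peer["secret"],) == grab(r"crypto isakmp key (\S+) address"),
        "sa endpoints": (policy["sa-src-address"], policy["sa-dst-address"]) == (dst, src),
        # IOS reads phase 1 settings from "crypto isakmp policy"; none appears in the post.
        "phase 1 policy shown": bool(re.search(r"^crypto isakmp policy", ios, re.M)),
    }

if __name__ == "__main__":
    print(compare(ROUTEROS, IOS))
```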
 
plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Fri Nov 16, 2007 2:36 pm

Sorry double post.
Last edited by plucchetti on Fri Nov 16, 2007 8:32 pm, edited 1 time in total.
 
fatonk
Member
Posts: 438
Joined: Tue Feb 22, 2005 11:06 am
Location: Mitrovica/Kosova

Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Fri Nov 16, 2007 6:52 pm

For the time being I do not see any problem with your configuration. But can you debug this connection a bit and see if you are authenticating?

Regards.

Faton
 
plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Fri Nov 16, 2007 8:35 pm

You mean ipsec authentication, right?
 
fatonk
Member
Posts: 438
Joined: Tue Feb 22, 2005 11:06 am
Location: Mitrovica/Kosova

Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Sat Nov 17, 2007 12:54 pm

Yes, I meant for IPSec.

Regards
 
plucchetti
newbie
Topic Author
Posts: 33
Joined: Sat Jun 18, 2005 6:57 pm

Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Mon Nov 19, 2007 4:11 pm

Both keys are the same; I don't know what's wrong.


Regards,
Pablo
 
fatonk
Member
Posts: 438
Joined: Tue Feb 22, 2005 11:06 am
Location: Mitrovica/Kosova

Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Mon Nov 19, 2007 4:38 pm

Just try without encryption to reach a side-to-side connection; I have a dozen connections in this setup and have no problem. One thing to stress here: do not copy and paste the configuration, but type it all in; I had an issue with a Cisco 831 when configuring by copy and paste.

Regards


Faton
 
fatonk
Member
Posts: 438
Joined: Tue Feb 22, 2005 11:06 am
Location: Mitrovica/Kosova

Re: IPSec VPN with Dynamic Routing / Mikrotik and Cisco

Tue Nov 20, 2007 12:28 pm

Just check the latest update of the wiki regarding this issue, and there you will find the solution.

Regards.

Faton
