raktim
Member Candidate
Topic Author
Posts: 184
Joined: Fri Jun 15, 2007 7:22 am

IPsec failed between Cisco & MikroTik

Tue May 26, 2015 4:41 pm

Please, I need help establishing an IPsec connection between Cisco & MikroTik.

Cisco

crypto isakmp policy 10
 hash md5
 authentication pre-share
 ! encryption and group are not set in this policy, so IOS applies its defaults (des, group 1)
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery

crypto ipsec transform-set test esp-3des esp-md5-hmac

crypto map try_bd 9999 ipsec-isakmp
 set peer 10.30.2.71
 set transform-set test
 match address acl_test_9999

Mikrotik

[admin@MikroTik] /ip ipsec policy> print
src-address=0.0.0.0/32 src-port=any dst-address=0.0.0.0/32 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no
sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=IPSec priority=0

[admin@MikroTik] /ip ipsec> peer print
address=10.30.1.4/32 local-address=10.30.2.71 passive=no port=500
auth-method=pre-shared-key secret="**********" generate-policy=no
policy-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5

[admin@MikroTik] /ip ipsec proposal> print
name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024

[admin@MikroTik] /ip ipsec> remote-peers print
0 local-address=10.30.2.71 remote-address=10.30.1.4 state=message-1-sent
  side=initiator

ipsec_error.JPG
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: IPsec failed between Cisco & MikroTik

Tue May 26, 2015 10:01 pm

In your proposal, try to set pfs-group to none or modp768, if the peer is a PIX firewall.
 
raktim
Member Candidate
Topic Author
Posts: 184
Joined: Fri Jun 15, 2007 7:22 am

Re: IPsec failed between Cisco & MikroTik

Wed May 27, 2015 4:37 am

> In your proposal, try to set pfs-group to none or modp768, if the peer is a PIX firewall.

Thanks "cdiedrich", I have changed pfs-group, but it's not working. It is a Cisco ASR1002.
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: IPsec failed between Cisco & MikroTik

Wed May 27, 2015 8:32 am

Hmmm...

Are you sure your Cisco is using 3des for IKE encryption?
Try setting enc-algorithms to aes-128-cbc instead of 3des. Leave PFS-group on modp1024.

Good luck,
-Chris
 
raktim
Member Candidate
Topic Author
Posts: 184
Joined: Fri Jun 15, 2007 7:22 am

Re: IPsec failed between Cisco & MikroTik

Thu May 28, 2015 6:58 am

> Hmmm...
>
> Are you sure your Cisco is using 3des for IKE encryption?
> Try setting enc-algorithms to aes-128-cbc instead of 3des. Leave PFS-group on modp1024.
>
> Good luck,
> -Chris

Thanks, but bad luck, it's not working. I have tried and selected all possible parameters; the IPsec error on the MikroTik shows "failed to get valid proposal".
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: IPsec failed between Cisco & MikroTik

Thu May 28, 2015 8:33 am

:-(
You might want to add topics=ipsec to /system logging and see in more detail what's going wrong.
Also a deep look into the Cisco logs can help. From my experience the Cisco logs are easier to understand for IKE problems.
Additionally, a debug crypto isakmp or debug crypto ipsec command on the Cisco can reveal a full set of hints on where to look.

Good luck, again :-)
-Chris
 
raktim
Member Candidate
Topic Author
Posts: 184
Joined: Fri Jun 15, 2007 7:22 am

Re: IPsec failed between Cisco & MikroTik

Thu May 28, 2015 8:49 am

> :-(
> You might want to add topics=ipsec to /system logging and see in more detail what's going wrong.
> Also a deep look into the Cisco logs can help. From my experience the Cisco logs are easier to understand for IKE problems.
> Additionally, a debug crypto isakmp or debug crypto ipsec command on the Cisco can reveal a full set of hints on where to look.
>
> Good luck, again :-)
> -Chris

Again, thanks for helping me.
ipsec_error1.JPG
 
raktim
Member Candidate
Topic Author
Posts: 184
Joined: Fri Jun 15, 2007 7:22 am

Re: IPsec failed between Cisco & MikroTik

Sun May 31, 2015 9:31 am

The problem has not been solved yet.

Cisco debug log shows:
entry number 47755 : CRYPTO-4-RECVD_PKT_NOT_IPSEC
Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /10.30.1.4, src_addr= 10.30.2.71, prot= 47
timestamp: 777181959

MikroTik IPsec error shows:
03:38:41 ipsec,debug rejected enctype: DB(prop#1:trns#1) Peer(prop#1:trns#2) = 3DES-CBC:DES-CBC
03:38:41 ipsec,debug rejected authmethod: DB(prop#1:trns#1) Peer(prop#1:trns#2) = pre-shared key:RSA signatures
03:38:41 ipsec,debug rejected hashtype: DB(prop#1:trns#1) Peer(prop#1:trns#2) = MD5:SHA

Please help me.
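Those "rejected ..." lines are racoon (the IKEv1 daemon in RouterOS v6) reporting, attribute by attribute, what its own database (DB) accepts versus what the peer's transform offered. The script below is an added example, not code from the thread, from MikroTik or from Cisco. It parses such lines (tolerating the wrapped, "> "-prefixed form they take when pasted), and in parallel reads the IOS "crypto isakmp policy" stanza, filling in the attributes IOS applies when a policy leaves them unset (encryption des, hash sha, authentication rsa-sig, group 1), to print the RouterOS peer settings that would match each side. The Cisco defaults are taken from IOS documentation and the DH-group strings and the "dh group" attribute name from racoon's source, not from the log excerpt in the thread; the sample inputs are constructed from the values posted above.

```python
"""Diagnose an IKEv1 phase-1 proposal mismatch between Cisco IOS and RouterOS v6 (racoon)
IPsec from the IOS 'crypto isakmp policy' stanza and MikroTik 'ipsec,debug' lines of the
form 'rejected <attr>: DB(..) Peer(..) = <local>:<offered>'. IOS defaults and racoon's
'dh group' strings are assumed from IOS documentation and racoon's source, not the thread."""
import re
from collections import defaultdict
IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
POLICY_ATTRS = set(IOS_ISAKMP_DEFAULTS) | {"lifetime"}
# IOS keyword -> RouterOS v6 '/ip ipsec peer' value for the same algorithm.
IOS_TO_MIKROTIK = {
    "encryption": {"des": "des", "3des": "3des", "aes": "aes-128"},
    "hash": {"md5": "md5", "sha": "sha1"},
    "authentication": {"pre-share": "pre-shared-key", "rsa-sig": "rsa-signature"},
    "group": {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"},
}
# racoon debug attribute -> (RouterOS peer setting, racoon value -> RouterOS value).
RACOON_TO_MIKROTIK = {
    "enctype": ("enc-algorithm", {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes-128"}),
    "hashtype": ("hash-algorithm", {"MD5": "md5", "SHA": "sha1"}),
    "authmethod": ("auth-method", {"pre-shared key": "pre-shared-key", "RSA signatures": "rsa-signature"}),
    "dh group": ("dh-group", {"768-bit MODP group": "modp768", "1024-bit MODP group": "modp1024"}),
}

def parse_ios_isakmp_policies(config):
    """Return {policy number: {attr: value}} with the IOS defaults filled in."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(IOS_ISAKMP_DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        parts = line.split(None, 1)
        if current is not None and len(parts) == 2 and parts[0] in POLICY_ATTRS:
            current[parts[0]] = parts[1]
        elif line:
            current = None  # any other command ends the policy stanza
    return policies

def mikrotik_peer_settings(policy):
    """RouterOS '/ip ipsec peer' values that match one IOS policy exactly."""
    return {"enc-algorithm": IOS_TO_MIKROTIK["encryption"][policy["encryption"]],
            "hash-algorithm": IOS_TO_MIKROTIK["hash"][policy["hash"]],
            "auth-method": IOS_TO_MIKROTIK["authentication"][policy["authentication"]],
            "dh-group": IOS_TO_MIKROTIK["group"][policy["group"]]}

REJECT_RE = re.compile(r"rejected (?P<attr>[a-z ]+?): DB\([^)]*\)[:\s]*"
                       r"Peer\((?P<peer>[^)]*)\)\s*=\s*(?P<local>[^:]+):(?P<offered>.+)$")

def parse_rejections(log_text):
    """Return [(peer transform, attr, local value, offered value), ...]. Wrapped records are
    re-joined first: after stripping a '> ' prefix, a line without hh:mm:ss continues the last."""
    records = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("> "):
            line = line[2:]
        if re.match(r"\d\d:\d\d:\d\d ", line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    out = []
    for rec in records:
        m = REJECT_RE.search(rec)
        if m:
            out.append((m["peer"], m["attr"].strip(), m["local"].strip(), m["offered"].strip()))
    return out

def changes_to_accept(rejections):
    """Per rejected peer transform: the RouterOS peer settings that would have to change."""
    changes = defaultdict(dict)
    for transform, attr, _local, offered in rejections:
        setting, values = RACOON_TO_MIKROTIK[attr]
        changes[transform][setting] = values.get(offered, offered)
    return dict(changes)

# Constructed sample input: the IOS policy with encryption and group left unset ...
CISCO_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
"""
# ... and MikroTik debug lines in the wrapped, '> '-prefixed form a forum or mail paste gives them.
MIKROTIK_LOG = """\
03:38:41 ipsec,debug rejected enctype: DB(prop#1:trns#1)
> Peer(prop#1:trns#2) = 3DES-CBC:DES-CBC
> 03:38:41 ipsec,debug rejected authmethod: DB(prop#1:trns#1)
> Peer(prop#1:trns#2) = pre-shared key:RSA signatures
> 03:38:41 ipsec,debug rejected hashtype: DB(prop#1:trns#1)
> Peer(prop#1:trns#2) = MD5:SHA
"""
if __name__ == "__main__":
    for num, pol in parse_ios_isakmp_policies(CISCO_CONFIG).items():
        print(f"IOS policy {num} needs MikroTik peer settings {mikrotik_peer_settings(pol)}")
    for transform, need in changes_to_accept(parse_rejections(MIKROTIK_LOG)).items():
        print(f"to accept peer {transform} the MikroTik would need {need}")
```

Run stand-alone it reports that IOS policy 10 needs enc-algorithm=des, hash-algorithm=md5, auth-method=pre-shared-key and dh-group=modp768 on the MikroTik side, and that accepting the peer's trns#2 (which carries des, sha and RSA signatures, i.e. the built-in IOS default policy 65535 rather than policy 10) would need three changes. When several peer transforms are rejected, the one needing the fewest changes is normally the policy the admin actually wrote; against the posted MikroTik peer, policy 10 differs only in DES vs 3DES and group 1 (modp768) vs modp1024. Matching downward brings phase 1 up, but DES, MD5 and a 768-bit DH group are weak choices; the better fix is to set the IOS policy explicitly (for example encryption aes 256, hash sha256, group 14, where the platform supports them) and configure the MikroTik peer with the same values.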
 
BartoszP
Forum Guru
Posts: 2879
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: IPsec failed between Cisco & MikroTik

Sun May 31, 2015 11:04 am

A. IMHO the log shows a problem with DH_GROUP: 1024 vs 768 bit
B. Could you make the time more accurate on the MikroTik? We are in 2015, not in 2002.
 
raktim
Member Candidate
Topic Author
Posts: 184
Joined: Fri Jun 15, 2007 7:22 am

Re: IPsec failed between Cisco & MikroTik

Sun May 31, 2015 12:58 pm

> A. IMHO the log shows a problem with DH_GROUP: 1024 vs 768 bit
> B. Could you make the time more accurate on the MikroTik? We are in 2015, not in 2002.

I have already tried this (DH group & PFS group) parameter, but it is not working.
 
raktim
Member Candidate
Topic Author
Posts: 184
Joined: Fri Jun 15, 2007 7:22 am

Re: IPsec failed between Cisco & MikroTik

Tue Jun 02, 2015 6:56 pm

"cdiedrich" was right, it should be DES. When I changed ipsec enc-algorithm=3des to DES, the log now shows "failed to pre-process ph2 packet."
ipsec_ph2_error.JPG
Can anyone help me, please?
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: IPsec failed between Cisco & MikroTik

Tue Jun 02, 2015 7:11 pm

As said before, have a look at your time settings.
The world of IPsec is very picky.
Best choice would be to sync the Cisco and your MikroTik against the very same NTP server.

Cheers
-Chris
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: IPsec failed between Cisco & MikroTik

Wed Jun 03, 2015 9:35 am

Ah, I guess I found your problem :-)
Reading your first post again makes me think that you don't have a policy defined for your IPsec tunnel - hence the system does not know which packets should go through that tunnel.

You need to add a policy for the remote subnet.

Let's consider the local (MikroTik) Network being 192.168.88.0/24 and the remote (Cisco) Network 192.168.10.0/24.
I assume the Cisco's public address is 10.30.1.4

Add this policy:
/ip ipsec policy
# the proposal name must match the entry in /ip ipsec proposal exactly (it is printed as "IPSec" above)
add src-address=192.168.88.0/24 src-port=any dst-address=192.168.10.0/24 \
    dst-port=any protocol=all action=encrypt level=require \
    ipsec-protocols=esp tunnel=yes sa-src-address=10.30.2.71 \
    sa-dst-address=10.30.1.4 proposal=IPSec priority=0

Additionally, don't forget to add a NAT exception rule for the target subnet, placed before any masquerade/src-nat rule:
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.88.0/24 \
    dst-address=192.168.10.0/24 place-before=0
-Chris
