pooliip
just joined
Topic Author
Posts: 7
Joined: Wed Nov 19, 2014 10:21 pm

Cisco IPsec To Mikrotik

Mon May 22, 2023 3:45 pm

Hi guys,
I have a config on a Cisco router and I want to transfer it to MikroTik.
Can anyone help me with how to configure this on MikroTik, please:
Crypto isakmp enable
crypto siakmp policy 10
encr 3des
hash md5
authenticatio pre-share

crypto isakmp key ix979738686 address 10.10.10.1
crypto ipsec transform-set tets-ipsec esp-3des esp-sh-hmac
mode transport
crypto ipsec profile test-ipsec
 
pooliip
just joined
Topic Author
Posts: 7
Joined: Wed Nov 19, 2014 10:21 pm

Re: Cisco IPsec To Mikrotik

Wed May 24, 2023 10:05 am

No one can help me?
 
onnoossendrijver
Member
Posts: 486
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Cisco IPsec To Mikrotik

Wed May 24, 2023 10:45 am

no one can help me ?
It is probably not that difficult... Here is a good example:
https://help.mikrotik.com/docs/display/ ... Ev1)tunnel

And please... upgrade your security to IKEv2, AES (preferably AES-GCM), etcetera...
3DES / MD5 is a joke.
 
pooliip
just joined
Topic Author
Posts: 7
Joined: Wed Nov 19, 2014 10:21 pm

Re: Cisco IPsec To Mikrotik

Wed May 24, 2023 4:01 pm

I did this but it does not work.
Can you help me, please:

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=Profile-Test

/ip ipsec peer
add address=78.39.x.x/32 local-address=185.x.x.x name=Profile-Test \
passive=yes profile=Profile-Test

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add auth-algorithms=md5 enc-algorithms=3des name=Profile-Test

/ip ipsec identity
add peer=Profile-Test secret=secret

/ip ipsec policy
add dst-address=78.39.x.x/32 level=unique peer=Profile-Test proposal=\
Profile-Test src-address=185.x.x.x/32
 
onnoossendrijver
Member
Posts: 486
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Cisco IPsec To Mikrotik

Wed May 24, 2023 4:24 pm

Are you sure about the source and destination addresses in the ipsec policy?
You should configure here the subnets being routed through the ipsec tunnel.
 
pooliip
just joined
Topic Author
Posts: 7
Joined: Wed Nov 19, 2014 10:21 pm

Re: Cisco IPsec To Mikrotik

Thu May 25, 2023 10:56 am

I have a GRE tunnel and I want to work on GRE:

GRE tunnel:

Source address: 185.x.x.x/32
Dst address: 78.39.x.x/32
Tunnel IP: 192.168.1.2/30


/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=Profile-Test

/ip ipsec peer
add address=78.39.x.x/32 local-address=185.x.x.x name=Profile-Test \
passive=yes profile=Profile-Test

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add auth-algorithms=md5 enc-algorithms=3des name=Profile-Test

/ip ipsec identity
add peer=Profile-Test secret=secret

/ip ipsec policy
add dst-address=78.39.x.x/32 level=unique peer=Profile-Test proposal=\
Profile-Test src-address=185.x.x.x/32
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Cisco IPsec To Mikrotik

Thu May 25, 2023 2:18 pm

Try this:

/ip ipsec peer
add address=78.39.x.x/32 name=Profile-Test profile=Profile-Test send-initial-contact=yes

/ip ipsec policy
add dst-address=78.39.x.x/32 src-address=185.x.x.x/32 protocol=47 level=require peer=Profile-Test proposal=Profile-Test
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Cisco IPsec To Mikrotik

Thu May 25, 2023 3:13 pm

... or do not bother about IPsec config on the MikroTik and just create the IPsec tunnel with an IPsec password. That will auto-generate the settings.

However, getting IPsec to work between different manufacturers is not so simple. You need experience and persistence.
"can nobody help me" usually brings you nothing because it is not possible to verify these things from the outside, especially when you make so many typing mistakes (rather than using cut/paste).

Also of course you (should) know that IPsec in transport mode cannot work over NAT. So when your MikroTik is not directly connected but behind some ISP-provided NAT router, it is never going to work!
 
Kentzo
Long time Member
Posts: 516
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Cisco IPsec To Mikrotik

Fri May 26, 2023 9:35 pm

"can nobody help me" usually brings you nothing because it is not possible to verify these things from the outside
Well one could try a network simulator…

But some low-effort posts do seem like a waste of someone's time. It's not clear what's even broken here. Is there no association or no routing?
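
The recommendation earlier in the thread to move off 3DES/MD5 can be checked mechanically against a RouterOS export of the `/ip ipsec` section. The following Python sketch is an added example, not part of the thread and not MikroTik tooling; the names `parse_export`, `audit` and `WEAK` are hypothetical, the sample is constructed from the configuration posted above with documentation addresses in place of the masked ones, and treating DES and modp768/modp1024 as weak is this example's assumption (the thread itself names only 3DES and MD5).

```python
import re
import shlex

# 3des/md5 are the values called out in the thread; des and the small DH groups
# are added by this example as an assumption.
WEAK = {
    "enc-algorithm": {"3des", "des"},
    "enc-algorithms": {"3des", "des"},
    "hash-algorithm": {"md5"},
    "auth-algorithms": {"md5"},
    "dh-group": {"modp768", "modp1024"},
}

# Constructed sample: the posted config with RFC 5737 documentation addresses.
SAMPLE = r"""
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=Profile-Test
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add auth-algorithms=md5 enc-algorithms=3des name=Profile-Test
/ip ipsec policy
add dst-address=192.0.2.1/32 level=unique peer=Profile-Test proposal=\
    Profile-Test src-address=198.51.100.1/32
"""

def parse_export(text):
    """Yield (section, command, params) for each add/set line of an export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join lines continued with a trailing "\"
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line                   # e.g. "/ip ipsec profile"
        elif line and not line.startswith("#"):
            command, _, rest = line.partition(" ")
            rest = re.sub(r"\[[^\]]*\]", "", rest)  # drop "[ find ... ]" selectors
            yield section, command, dict(
                tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)

def audit(text):
    """Return sorted (section, key, value) findings for weak algorithm choices."""
    findings = set()
    for section, _command, params in parse_export(text):
        for key, value in params.items():
            findings.update((section, key, algo) for algo in value.split(",")
                            if algo in WEAK.get(key, ()))
    return sorted(findings)

if __name__ == "__main__":
    for section, key, value in audit(SAMPLE):
        print(f"{section}: {key}={value} is outdated")
```

Both ends of the tunnel must offer the same algorithms, so any finding fixed on the MikroTik side needs the matching change in the Cisco policy and transform set.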
