jack1921
just joined
Topic Author
Posts: 1
Joined: Sun Mar 21, 2021 8:05 pm

Mikrotik to Cisco IPSEC tunnel

Fri Nov 12, 2021 1:06 pm

Hello All.

I have a problem with an IPSEC connection from a CCR1009 to Cisco.

I got the IPSEC parameters from the other side and I have to follow them on the CCR.

Cisco configuration
interfaces {
    vti vti0 {
        address 172.16.0.78/30
    }
}
protocols {
    static {
        interface-route 172.30.8.0/24 {
            next-hop-interface vti0 {
            }
        }
    }
}
vpn {
    ipsec {
        esp-group ESP_to_Cisco {
            compression disable
            lifetime 3600
            mode tunnel
            pfs dh-group2
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group IKE_to_Cisco {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 86400
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer 78.11.x.x {
                authentication {
                    id 185.36.169.170
                    mode pre-shared-secret
                    pre-shared-secret 
                    remote-id 78.11.x.x
                }
                connection-type respond
                default-esp-group ESP_to_Cisco
                description "Radom <> ATM"
                ike-group IKE_to_Cisco
                ikev2-reauth inherit
                vti {
                    bind vti0
                    esp-group ESP_to_Cisco
                }
            }
        }
    }
}
My CCR configuration:
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
lifetime=1d name=default nat-traversal=yes proposal-check=obey
add dh-group=modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128 hash-algorithm=sha1 lifetime=1d name=OP24-to-KONESER_CATI \
nat-traversal=yes proposal-check=strict
/ip ipsec peer
add address=78.9.x.x disabled=no exchange-mode=main local-address=78.11.x.x name=OP24-to-KONESER_CATI profile=OP24-to-KONESER_CATI \
send-initial-contact=yes
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
modp1024
add auth-algorithms=sha1 disabled=no enc-algorithms=aes-128-cbc lifetime=1h name=proposal1 pfs-group=modp1024
/ip ipsec identity
add auth-method=pre-shared-key disabled=no generate-policy=no peer=OP24-to-KONESER_CATI
/ip ipsec policy
set 0 disabled=yes dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
add action=encrypt disabled=no dst-address=172.16.0.78/32 dst-port=any ipsec-protocols=esp level=require peer=OP24-to-KONESER_CATI proposal=\
proposal1 protocol=all src-address=172.16.0.77/32 src-port=any tunnel=no
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no

Logs:
Nov/11/2021 12:40:17 ipsec,info ISAKMP-SA deleted 78.11.x.x[500]-78.9.x.x[500] spi:20ba390ef75e154f:1ecaebf4b0b62497 rekey:1
Nov/11/2021 12:40:19 ipsec,info initiate new phase 1 (Identity Protection): 78.11.x.x[500]<=>78.9.x.x[500]
Nov/11/2021 12:40:19 ipsec sent phase1 packet 78.11.x.x[500]<=>78.9.x.x[500] 175e44bf1fcb54e3:0000000000000000
Nov/11/2021 12:40:19 ipsec sent phase1 packet 78.11.x.x[500]<=>78.9.x.x[500] 175e44bf1fcb54e3:1ecaebf49fc2030d
Nov/11/2021 12:40:19 ipsec received Vendor ID: CISCO-UNITY
Nov/11/2021 12:40:19 ipsec received Vendor ID: DPD
Nov/11/2021 12:40:19 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Nov/11/2021 12:40:20 ipsec sent phase1 packet 78.11.x.x[500]<=>78.9.x.x[500] 175e44bf1fcb54e3:1ecaebf49fc2030d
Nov/11/2021 12:40:20 ipsec 78.9.x.x ignore RESPONDER-LIFETIME notification.
Nov/11/2021 12:40:20 ipsec ph2 possible after ph1 creation
Nov/11/2021 12:40:20 ipsec initiate new phase 2 negotiation: 78.11.x.x[500]<=>78.9.x.x[500]
Nov/11/2021 12:40:20 ipsec,info ISAKMP-SA established 78.11.x.x[500]-78.9.x.x[500] spi:175e44bf1fcb54e3:1ecaebf49fc2030d
Nov/11/2021 12:40:20 ipsec sent phase2 packet 78.11.x.x[500]<=>78.9.x.x[500] 175e44bf1fcb54e3:1ecaebf49fc2030d:00008ab8
Nov/11/2021 12:40:20 ipsec 78.9.x.x ignore RESPONDER-LIFETIME notification.
Nov/11/2021 12:40:20 ipsec attribute has been modified.
Nov/11/2021 12:40:20 ipsec IPsec-SA established: ESP/Tunnel 78.9.x.x[500]->78.11.x.x[500] spi=0x79c39d5
Nov/11/2021 12:40:20 ipsec IPsec-SA established: ESP/Tunnel 78.11.x.x[500]->78.9.x.x[500] spi=0xa3d5d3e
Nov/11/2021 12:40:47 ipsec respond new phase 2 negotiation: 78.11.x.x[500]<=>78.9.x.x[500]
Nov/11/2021 12:40:47 ipsec searching for policy for selector: 0.0.0.0/0 <=> 0.0.0.0/0
Nov/11/2021 12:40:47 ipsec policy not found
Nov/11/2021 12:40:47 ipsec failed to get proposal for responder.
Nov/11/2021 12:40:47 ipsec,error 78.9.x.x failed to pre-process ph2 packet.
Nov/11/2021 12:40:47 ipsec,info purging ISAKMP-SA 78.11.x.x[500]<=>78.9.x.x[500] spi=175e44bf1fcb54e3:1ecaebf49fc2030d.
Nov/11/2021 12:40:47 ipsec purged IPsec-SA proto_id=ESP spi=0xa3d5d3e
Nov/11/2021 12:40:47 ipsec purged IPsec-SA proto_id=ESP spi=0x79c39d5
Nov/11/2021 12:40:47 ipsec purged ISAKMP-SA 78.11.x.x[500]<=>78.9.x.x[500]
Can anybody help me please?
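Added diagnostic script, not part of the post above and not MikroTik or Cisco code: it rejoins the backslash-wrapped lines of the RouterOS export, pulls the `add` entries out of the `/ip ipsec policy` section, extracts the selector the peer proposed from the `searching for policy for selector:` log line, and reports whether any enabled policy covers it. It also lists each policy's mode, since the post's policy has `tunnel=no` while the remote esp-group says `mode tunnel`. The sample export and log lines are copied from the post; the containment test in `selector_matches` is an assumption that approximates the responder's policy lookup (the real matcher is stricter), which is enough to show why `0.0.0.0/0 <=> 0.0.0.0/0` cannot hit a pair of /32 addresses.

```python
"""Cross-check a RouterOS IPsec policy export against the phase-2 selector the
peer proposed, as recorded in the ipsec log.  Added example; not from the post."""
import ipaddress
import re

# Constructed sample: the /ip ipsec policy section of the CCR export from the post.
EXPORT = r"""/ip ipsec policy
set 0 disabled=yes dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
add action=encrypt disabled=no dst-address=172.16.0.78/32 dst-port=any ipsec-protocols=esp level=require peer=OP24-to-KONESER_CATI proposal=\
proposal1 protocol=all src-address=172.16.0.77/32 src-port=any tunnel=no
"""

# Constructed sample: the phase-2 lines from the log in the post.
LOG = """Nov/11/2021 12:40:47 ipsec respond new phase 2 negotiation: 78.11.x.x[500]<=>78.9.x.x[500]
Nov/11/2021 12:40:47 ipsec searching for policy for selector: 0.0.0.0/0 <=> 0.0.0.0/0
Nov/11/2021 12:40:47 ipsec policy not found
Nov/11/2021 12:40:47 ipsec failed to get proposal for responder.
"""

SELECTOR_RE = re.compile(r"searching for policy for selector: (\S+) <=> (\S+)")


def join_continuations(text):
    """RouterOS export wraps long lines with a trailing backslash; rejoin them."""
    return text.replace("\\\n", "")


def parse_policies(export):
    """Return every 'add' entry of the /ip ipsec policy section as a key=value dict."""
    policies = []
    section = None
    for line in join_continuations(export).splitlines():
        line = line.strip()
        if line.startswith("/"):          # section header such as "/ip ipsec policy"
            section = line
            continue
        if section != "/ip ipsec policy" or not line.startswith("add "):
            continue                      # skip 'set' of the default template
        policies.append(dict(re.findall(r"(\S+?)=(\S+)", line)))
    return policies


def proposed_selectors(log):
    """Extract each (a, b) selector pair the responder logged while looking for a policy."""
    return [(m.group(1), m.group(2)) for m in SELECTOR_RE.finditer(log)]


def selector_matches(policy, src, dst):
    """Assumption: a proposed selector is covered when both ends lie inside the
    policy's src-address/dst-address networks.  The real RouterOS matcher is
    stricter, so a miss here is also a miss on the router."""
    try:
        p_src = ipaddress.ip_network(policy["src-address"])
        p_dst = ipaddress.ip_network(policy["dst-address"])
        r_src = ipaddress.ip_network(src)
        r_dst = ipaddress.ip_network(dst)
    except (KeyError, ValueError):
        return False
    if p_src.version != r_src.version or p_dst.version != r_dst.version:
        return False
    return r_src.subnet_of(p_src) and r_dst.subnet_of(p_dst)


def diagnose(export, log):
    """For each proposed selector, count the enabled policies that cover it.
    Both orientations are tried because the log does not say which side is src."""
    policies = [p for p in parse_policies(export) if p.get("disabled") != "yes"]
    findings = []
    for a, b in proposed_selectors(log):
        matched = [p for p in policies
                   if selector_matches(p, a, b) or selector_matches(p, b, a)]
        findings.append({"selector": (a, b), "matched": len(matched),
                         "policies": len(policies)})
    return findings


def policy_modes(export):
    """'tunnel=yes' selects tunnel mode; anything else is transport mode
    (assumption: a missing key means 'no', the RouterOS default)."""
    return ["tunnel" if p.get("tunnel") == "yes" else "transport"
            for p in parse_policies(export) if p.get("disabled") != "yes"]


if __name__ == "__main__":
    for f in diagnose(EXPORT, LOG):
        print(f"proposed {f['selector'][0]} <=> {f['selector'][1]}: "
              f"{f['matched']} of {f['policies']} enabled policies cover it")
    print("local policy modes:", policy_modes(EXPORT))
```

Run as-is it reports that the peer's `0.0.0.0/0 <=> 0.0.0.0/0` selector is covered by none of the one enabled policy, which is exactly the `policy not found` line in the log, and that the only enabled policy is in transport mode. Feed it a fresh `/ip ipsec policy export` and the `searching for policy for selector:` line from `/log print` to repeat the check after changing the policy.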
 
lfoerster
newbie
Posts: 36
Joined: Mon Mar 07, 2022 1:29 pm

Re: Mikrotik to Cisco IPSEC tunnel

Mon Mar 14, 2022 6:05 pm

Here you'll find a perfectly running solution:
https://administrator.pro/contentid/2145635754
