IPSec VPN with Dynamic Routing / Mikrotik and Cisco

February 9, 2008

Mikrotik RouterOS

If you are using ROS v3.0 or above, be sure to check the end of this list for the modifications that the v3.0 command syntax requires.

First, configure a tunnel interface:

   / interface ipip
  add name="Tunnel1" mtu=1480 local-address=10.10.1.100 remote-address=10.10.1.200 comment="" disabled=no

After all interfaces are configured, assign IP addresses to them:

   / ip address
  add address=10.10.1.100/24 network=10.10.1.0 broadcast=10.10.1.255 interface=WAN comment="" disabled=no
  add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=LAN comment="" disabled=no
  add address=172.16.0.1/30 network=172.16.0.0 broadcast=172.16.0.3 interface=Tunnel1 comment="" disabled=no

Enable dynamic routing on the Mikrotik router, in this case RIP:

  / routing rip
 set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no metric-static=1 \
 metric-connected=1  metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
 / routing rip interface
 add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" prefix-list-in="" prefix-list-out=""
 / routing rip neighbor
 add address=172.16.0.2
 / routing rip network
 add address=192.168.1.0/24
 add address=172.16.0.0/30

IPSec setup: here the IPsec proposal, peer and policy are defined. Make sure the policy does not have the tunnel option enabled (tunnel=no), because IPsec transport mode is used here rather than tunnel mode; the IPIP interface already provides the encapsulation between the two peers.

  / ip ipsec proposal
 add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no
 / ip ipsec peer
 add address=10.10.1.200 secret="ipsec" generate-policy=no exchange-mode=main send-initial-contact=yes \
 proposal-check=obey   hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no
 / ip ipsec policy
 add src-address=10.10.1.100/32:any dst-address=10.10.1.200/32:any protocol=all action=encrypt level=require \
 ipsec-protocols=esp  tunnel=no sa-src-address=10.10.1.100 sa-dst-address=10.10.1.200 \
 proposal=IPSec manual-sa=none dont-fragment=clear disabled=no

In RouterOS v3.0 the corresponding lines above (the RIP interface entry, the IPsec proposal and the IPsec peer) change to:

  / routing rip interface
 add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" in-prefix-list="" out-prefix-list=""
 / ip ipsec proposal
 add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024 disabled=no
 / ip ipsec peer
 add address=10.10.1.200/32:500 secret="ipsec" generate-policy=no exchange-mode=main send-initial-contact=yes \
 proposal-check=obey   hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no

Cisco IOS

Cisco interfaces and addresses:

  interface FastEthernet0/0
   description *** WAN ***
   ip address 10.10.1.200 255.255.255.0
   crypto map vpn
  !
  interface FastEthernet0/1
   description *** LAN ***
   ip address 192.168.2.1 255.255.255.0

Cisco tunnel interface (IPIP, peered with the Mikrotik tunnel above):

  interface Tunnel1
 description **Cisco Peer**
 ip address 172.16.0.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1480
 ip rip v2-broadcast
 ip tcp adjust-mss 1400
 load-interval 30
 tunnel source 10.10.1.200
 tunnel destination 10.10.1.100
 tunnel mode ipip
 hold-queue 1024 in
 hold-queue 1024 out

RIP routing in Cisco:

  router rip
  version 2
  timers basic 30 60 90 90
  redistribute connected metric 1 route-map connected-to-rip
  redistribute static metric 5 route-map static-to-rip
  network 172.16.0.2
  network 192.168.2.0
  distribute-list prefix LAN out
  no auto-summary

Set up the prefix-list that matches the local LAN subnet:

  ip prefix-list LAN seq 10 permit 192.168.2.0/24

Set up the route-maps that select which connected interfaces and static routes are redistributed into RIP:

  route-map connected-to-rip permit 10
 match interface FastEthernet0/0
 !
 route-map static-to-rip permit 10
 match ip address prefix-list LAN

IPsec and crypto setup in Cisco; here too, IPsec transport mode must be configured to match the Mikrotik policy:

 !
 crypto isakmp policy 1
  encr 3des
  hash md5
  authentication pre-share
  group 2
 !
 crypto isakmp key ipsec address 0.0.0.0 0.0.0.0
 !
 crypto ipsec security-association idle-time 600
 !
 crypto ipsec transform-set vpn esp-3des esp-md5-hmac
  mode transport
 !
 crypto map vpn 1 ipsec-isakmp
  description **To Mikrotik Peer**
  set peer 10.10.1.100
  set transform-set vpn
  set pfs group2
  match address mikrotik_peer
 !

Set up the access-list that selects the IPIP traffic between the two peers for encryption:

  ip access-list extended mikrotik_peer
  permit ipinip host 10.10.1.200 host 10.10.1.100
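The packet layout both routers build is outer IP | ESP | inner IP packet, because the IPIP tunnel adds the outer header and ESP in transport mode then protects the IPIP payload (the traffic the "permit ipinip" entry selects). The following is an added worked example, not from the article or either vendor, that computes how many bytes of that layout reach the WAN: it shows why a full 1480-byte tunnel packet still fragments at a 1500-byte WAN MTU, and why the "ip tcp adjust-mss 1400" value keeps full-size TCP segments below it. It assumes the standard ESP layout for 3DES-CBC with HMAC-MD5-96 (the proposal used on this page), IPv4 headers without options and a 1500-byte WAN MTU.

```python
# Added example (not from the original article): on-wire size of a packet that
# enters the IPIP tunnel and is then protected by ESP in transport mode with the
# proposal used on this page (3DES-CBC + HMAC-MD5-96). Assumes the standard ESP
# layout: SPI(4) + sequence(4) + IV(8) + payload + padding + pad-length(1) +
# next-header(1) + ICV(12), with the encrypted part padded to the 8-byte 3DES block.

OUTER_IP = 20       # outer IPv4 header added by the IPIP tunnel (IP protocol 4, "ipinip")
INNER_IP = 20       # inner IPv4 header (no options)
TCP_HDR = 20        # TCP header (no options)
ESP_HDR = 8         # SPI + sequence number
ESP_IV = 8          # 3DES-CBC initialisation vector
ESP_TRAILER = 2     # pad length + next header
ESP_ICV = 12        # HMAC-MD5-96 integrity check value
BLOCK = 8           # 3DES block size
WAN_MTU = 1500      # assumed MTU of the WAN (FastEthernet0/0) link


def esp_transport_size(inner_packet_len: int) -> int:
    """Bytes on the WAN for one inner packet: outer IP | ESP | inner IP packet.

    In transport mode ESP sits behind the IPIP outer header, so its payload is
    the whole inner packet that the tunnel carries.
    """
    plaintext = inner_packet_len + ESP_TRAILER
    pad = (-plaintext) % BLOCK                 # pad up to the cipher block boundary
    return OUTER_IP + ESP_HDR + ESP_IV + plaintext + pad + ESP_ICV


def tcp_on_wire(mss: int) -> int:
    """WAN size of a full-MSS TCP segment that enters the tunnel."""
    return esp_transport_size(INNER_IP + TCP_HDR + mss)


def max_mss_without_fragmentation(wan_mtu: int = WAN_MTU) -> int:
    """Largest MSS whose full segments leave the WAN interface unfragmented."""
    return max(m for m in range(536, 1461) if tcp_on_wire(m) <= wan_mtu)


if __name__ == "__main__":
    # 'ip mtu 1480' / mtu=1480 only accounts for the 20-byte IPIP header,
    # not for the ESP overhead that is added afterwards on the WAN side.
    full = esp_transport_size(1480)
    print(f"1480-byte tunnel packet -> {full} bytes on WAN, fragmented: {full > WAN_MTU}")
    print(f"MSS 1400 segment -> {tcp_on_wire(1400)} bytes on WAN")
    print(f"largest fragmentation-free MSS: {max_mss_without_fragmentation()}")
```

Running it shows that a 1480-byte tunnel packet becomes 1536 bytes on the WAN and is fragmented, while an MSS of 1400 yields 1496-byte packets; the largest MSS that still fits under these assumptions is 1406, so the article's value leaves a small margin.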

Type this in "enable" mode to view your routing table (after a successful RIP update):

  sh ip route

or

  sh ip rip database

This example can also be implemented with another routing protocol such as OSPF, and a failover connection can be added very simply. For failover, all that is needed is a second set of tunnels via another ISP or gateway, again terminating on the same remote router. Instead of running the routing protocol over the second set of tunnels, configure static routes for them, giving the static routes a higher administrative distance than the dynamic protocol. The idea is that when the primary link goes down (dynamic routing, distance 120), the backup link becomes active (static routes, distance 200), and as soon as the primary link comes back up, the failover link returns to inactive.

from http://wiki.mikrotik.com/wiki/IPSec_VPN_with_Dynamic_Routing_/_Mikrotik_and_Cisco
