Details:

Local network:
10.10.0.0/16

Remote networks:
172.16.70.0/24
172.16.71.0/24

Local public IP:
195.10.10.20

Remote public IP:
202.10.10.20

/ip ipsec proposal
# Phase 2 (ESP) proposal referenced by both policies below
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=aes-256 \
    lifetime=1h name=default pfs-group=modp1536
/ip ipsec peer
# Phase 1 (IKE) peer: the remote public IP, pre-shared key, aggressive mode
add address=202.10.10.20/32:500 auth-method=pre-shared-key comment="" \
    dh-group=modp1536 disabled=no dpd-interval=disable-dpd \
    dpd-maximum-failures=2 enc-algorithm=aes-256 exchange-mode=aggressive \
    generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=5h \
    nat-traversal=no proposal-check=obey secret=secretskey12345 \
    send-initial-contact=no

/ip ipsec policy
# One tunnel-mode policy per remote subnet; SA endpoints are the two public IPs
add action=encrypt comment="" disabled=no dst-address=172.16.70.0/24:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
    sa-dst-address=202.10.10.20 sa-src-address=195.10.10.20 \
    src-address=10.10.0.0/16:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=172.16.71.0/24:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
    sa-dst-address=202.10.10.20 sa-src-address=195.10.10.20 \
    src-address=10.10.0.0/16:any tunnel=yes


Firewall: NAT

/ip firewall nat
# Accept (i.e. do not source-NAT) the traffic the IPsec policies will encrypt;
# these rules only work when enabled and placed above the masquerade rule
add action=accept chain=srcnat comment="" disabled=no dst-address=172.16.70.0/24 \
    src-address=10.10.0.0/16
add action=accept chain=srcnat comment="" disabled=no dst-address=172.16.71.0/24 \
    src-address=10.10.0.0/16

Note: This has to be inserted above all masquerade rules.

Routing:

None

Once the tunnels are up Mikrotik does its thing.

I will try and get the Cisco config posted as well.

Kurt
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik
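As an added check, not part of Kurt's post or of RouterOS itself, here is a small Python linter for an export in the shape above. It flags the things that silently break or weaken such a tunnel: a srcnat bypass rule that is missing, disabled, or ordered below the masquerade rule, and a pre-shared-key peer in aggressive mode. The sample export is constructed from the values in the post, with the secret replaced and a masquerade rule added so the ordering check has something to compare against.

```python
import shlex
# Constructed sample based on the posted export: secret replaced, a masquerade rule added.
SAMPLE_EXPORT = """\
/ip ipsec peer
add address=202.10.10.20/32:500 auth-method=pre-shared-key \\
    exchange-mode=aggressive secret=REDACTED
/ip ipsec policy
add action=encrypt dst-address=172.16.70.0/24:any src-address=10.10.0.0/16:any tunnel=yes
add action=encrypt dst-address=172.16.71.0/24:any src-address=10.10.0.0/16:any tunnel=yes
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=172.16.70.0/24 src-address=10.10.0.0/16
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=srcnat dst-address=172.16.71.0/24 src-address=10.10.0.0/16
"""

def parse_export(text):
    """Return (section, {key: value}) per add/set line; backslash-continued lines are joined."""
    rules, section = [], None
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line                       # e.g. "/ip firewall nat"
        elif line and not line.startswith("#"):
            args = shlex.split(line)[1:]         # drop the add/set verb
            rules.append((section, dict(a.split("=", 1) for a in args if "=" in a)))
    return rules

def lint(text):
    """Report IKE and NAT settings that commonly weaken or silently break the tunnel."""
    findings, rules = [], parse_export(text)
    for sec, kv in rules:
        if sec == "/ip ipsec peer" and kv.get("exchange-mode") == "aggressive" \
                and kv.get("auth-method") == "pre-shared-key":
            findings.append(f"peer {kv.get('address')}: aggressive mode with PSK")
    nat = [kv for sec, kv in rules if sec == "/ip firewall nat" and kv.get("chain") == "srcnat"]
    masq_at = next((i for i, r in enumerate(nat) if r.get("action") == "masquerade"), len(nat))
    for sec, kv in rules:
        if sec != "/ip ipsec policy" or kv.get("action") != "encrypt":
            continue
        src, dst = (kv[k].split(":")[0] for k in ("src-address", "dst-address"))
        hits = [(i, r) for i, r in enumerate(nat) if r.get("action") == "accept"
                and r.get("src-address") == src and r.get("dst-address") == dst]
        if not hits:
            findings.append(f"policy {src}->{dst}: no srcnat accept rule, traffic gets masqueraded")
        for i, r in hits:
            if r.get("disabled") == "yes":
                findings.append(f"policy {src}->{dst}: bypass rule is disabled")
            elif i > masq_at:
                findings.append(f"policy {src}->{dst}: bypass rule sits below the masquerade rule")
    return findings
```

Run it against a real `/export` of the two sections (ipsec and firewall nat) before bringing the tunnel up; an empty list means the bypass rules are enabled and ordered ahead of masquerade for every encrypt policy.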