[Mikrotik] [IPsec and Cisco ASA]

2010-05-21 Thread Kurt Plaatjes
Hey Guys

After many sleepless hours we have managed to get IPsec running smoothly
between Mikrotik 4.9 and Cisco ASA.
I am glad to share configs if anyone is interested.

Kurt
-- next part --
An HTML attachment was scrubbed...
URL: 
http://www.butchevans.com/pipermail/mikrotik/attachments/20100521/130c204e/attachment.html
___
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS


Re: [Mikrotik] [IPsec and Cisco ASA]

2010-05-21 Thread Kurt Plaatjes
Details:
Local network:

10.10.0.0/16

Remote networks

172.16.70.0/24
172.16.71.0/24

Local Public IP:

195.10.10.20

Remote Public IP:
202.10.10.20



# Phase 2 (IPsec SA) proposal: ESP with AES-256/SHA1, PFS with DH group 5
# (modp1536), 1h lifetime. The ASA transform set, PFS group and SA lifetime
# must match these values exactly.
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=\
    aes-256 lifetime=1h name=default pfs-group=modp1536

# Phase 1 (IKE) peer: pre-shared key, AES-256/SHA1, DH group 5, 5h lifetime,
# DPD off. Caveat: exchange-mode=aggressive transmits the PSK-derived identity
# hash unencrypted, so anyone who captures the exchange can run an offline
# dictionary attack on the key; use exchange-mode=main where both ends support
# it, and replace the sample secret with a long random one.
/ip ipsec peer
add address=202.10.10.20/32:500 auth-method=pre-shared-key comment="" \
    dh-group=modp1536 disabled=no dpd-interval=disable-dpd \
    dpd-maximum-failures=2 enc-algorithm=aes-256 exchange-mode=aggressive \
    generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=5h \
    nat-traversal=no proposal-check=obey secret=secretskey12345 \
    send-initial-contact=no

# Policies: one tunnel-mode ESP policy per remote subnet. Each one must be the
# mirror image of a line in the ASA's crypto ACL (local 10.10.0.0/16 to
# 172.16.70.0/24 and to 172.16.71.0/24); a mismatch fails phase 2.
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=172.16.70.0/24:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=202.10.10.20 sa-src-address=195.10.10.20 \
    src-address=10.10.0.0/16:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=172.16.71.0/24:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=202.10.10.20 sa-src-address=195.10.10.20 \
    src-address=10.10.0.0/16:any tunnel=yes


Firewall:NAT

# Exempt tunnel traffic from masquerade: "accept" in srcnat ends NAT processing
# for the packet, so it keeps its 10.10.0.0/16 source and still matches the
# IPsec policies above. Posted with disabled=yes; as corrected in the follow-up
# below, they should be disabled=no.
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=yes dst-address=\
    172.16.70.0/24 src-address=10.10.0.0/16
add action=accept chain=srcnat comment="" disabled=yes dst-address=\
    172.16.71.0/24 src-address=10.10.0.0/16

Note: This has to be inserted above all masquerade rules

Routing:

None

Once the tunnels are up Mikrotik does its thing.

I will try and get the Cisco config posted as well.

Kurt
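The Cisco ASA side of this tunnel is not on the page (Kurt says above he will post it later). The following is an added example, not Kurt's configuration, written to mirror the RouterOS parameters he posted: IKEv1 with a pre-shared key, AES-256/SHA1, DH group 5 (modp1536), a 5h phase-1 and 1h phase-2 lifetime, PFS group 5, and two crypto-ACL lines matching the two RouterOS policies. It assumes pre-8.3 ASA syntax (ISAKMP policies and "nat 0 access-list" NAT exemption), an outside interface named outside, an inside interface named inside, and the ACL and crypto-map names (VPN-MIKROTIK, NONAT, OUTSIDE-MAP, ESP-AES256-SHA) are invented here.

```cisco
! IKEv1 phase 1: must match the RouterOS peer (AES-256, SHA1, group 5 = modp1536,
! lifetime 5h = 18000 s).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 18000
! The ASA answers an aggressive-mode initiator by default; "crypto isakmp am-disable"
! would reject the RouterOS peer as posted. Aggressive mode with a PSK exposes the
! identity hash to offline cracking, so move both ends to main mode when you can.

! The L2L tunnel group is keyed on the RouterOS public IP. Use a long random PSK,
! not the sample one from the thread.
tunnel-group 195.10.10.20 type ipsec-l2l
tunnel-group 195.10.10.20 ipsec-attributes
 pre-shared-key secretskey12345

! Crypto ACL: mirror image of the two RouterOS policies (ASA-side source,
! RouterOS-side destination). Summarising these into one line, or using a
! different mask, makes phase 2 fail because the proxy IDs no longer match.
access-list VPN-MIKROTIK extended permit ip 172.16.70.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list VPN-MIKROTIK extended permit ip 172.16.71.0 255.255.255.0 10.10.0.0 255.255.0.0

! IKEv1 phase 2: ESP AES-256/SHA1, PFS group 5, lifetime 1h = 3600 s, matching
! the RouterOS /ip ipsec proposal.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-MIKROTIK
crypto map OUTSIDE-MAP 10 set peer 195.10.10.20
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set pfs group5
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside

! NAT exemption (pre-8.3 syntax): the ASA counterpart of the srcnat "accept"
! rules on the RouterOS side, so tunnel traffic is not PATed before encryption.
access-list NONAT extended permit ip 172.16.70.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list NONAT extended permit ip 172.16.71.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
```

To check the result, "show crypto isakmp sa" on the ASA should show one MM_ACTIVE or AM_ACTIVE entry for 195.10.10.20, "show crypto ipsec sa" should show two pairs of inbound/outbound ESP SAs (one per 172.16.7x.0/24 subnet) with non-zero encaps/decaps counters, and on RouterOS "/ip ipsec installed-sa print" should list the matching SAs. If phase 1 completes but phase 2 does not, compare the crypto ACL against the RouterOS policy src/dst addresses first; that mismatch is the usual cause.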


Re: [Mikrotik] [IPsec and Cisco ASA]

2010-05-21 Thread Kurt Plaatjes
Oops... my apologies, that should be no.

I was doing some other tests and disabled these rules.

Thanks!

PS: There is a known bug with IPsec between Mikrotik and Cisco if you have
multiple peers.

I managed to duplicate this exact bug...

See: http://forum.mikrotik.com/viewtopic.php?f=2&t=39243


On Fri, May 21, 2010 at 7:21 PM, Casey Mills wkm...@gmail.com wrote:

 Why are your Firewall NAT rules disabled?

 Casey