Mikrotik To CISCO ASA IPSec Site to Site VPN Tunnel Configuration


Figure: Mikrotik to Cisco ASA IPsec site-to-site VPN tunnel. In the topology used below, the ASA's outside interface is 10.1.1.2 with 192.168.2.0/24 behind it, and the MikroTik's public address is 20.2.2.2 with 192.168.1.0/24 behind it.
ASA1 Configuration:
ASA>enable
ASA#configure terminal
ASA(config)#hostname CISCOASA
CISCOASA(config)#crypto isakmp enable outside
CISCOASA(config)#object network local
CISCOASA(config-network-object)#subnet 192.168.2.0 255.255.255.0
CISCOASA(config-network-object)#object network remote
CISCOASA(config-network-object)#subnet 192.168.1.0 255.255.255.0
CISCOASA(config-network-object)#exit
CISCOASA(config)#access-list outside_crypto extended permit ip object local object remote
CISCOASA(config)#tunnel-group 20.2.2.2 type ipsec-l2l
CISCOASA(config)#tunnel-group 20.2.2.2 ipsec-attributes
CISCOASA(config-tunnel-ipsec)#pre-shared-key sitetosite
CISCOASA(config-tunnel-ipsec)#isakmp keepalive threshold 10 retry 2
CISCOASA(config-tunnel-ipsec)#exit

IKE (Internet Key Exchange) is built on ISAKMP, the Internet Security Association and Key Management Protocol. It is the protocol two hosts use to agree on how to build an IPsec security association. An IKE negotiation has two parts: phase 1 (the ISAKMP SA that protects the negotiation itself) and phase 2 (the IPsec SAs that carry the traffic). The phase 1 settings on both peers (encryption, hash, DH group, pre-shared key) must agree, and so must the phase 2 settings (transform set, PFS group, traffic selectors).

CISCOASA(config)#crypto isakmp policy 10 authentication pre-share
CISCOASA(config)#crypto isakmp policy 10 encryption 3des
CISCOASA(config)#crypto isakmp policy 10 hash sha
CISCOASA(config)#crypto isakmp policy 10 group 2
CISCOASA(config)#crypto isakmp policy 10 lifetime 66400
CISCOASA(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
CISCOASA(config)#crypto map outside-map 1 match address outside_crypto
CISCOASA(config)#crypto map outside-map 1 set pfs group2
CISCOASA(config)#crypto map outside-map 1 set peer 20.2.2.2
CISCOASA(config)#crypto map outside-map 1 set transform-set ESP-3DES-SHA
CISCOASA(config)#crypto map outside-map interface outside
CISCOASA(config)#nat (inside,outside) 1 source static local local destination static remote remote
CISCOASA(config)#route outside 0.0.0.0 0.0.0.0 (Gateway Address)
CISCOASA(config)#wr

The transform set is defined with "crypto ipsec transform-set" (not "crypto isakmp") and its name must match the one referenced by the crypto map; "set pfs group2" corresponds to the MikroTik proposal's pfs-group=modp1024 (DH group 2), and the twice NAT rule exempts traffic between the two LANs from translation.

CISCO ASA Verification:
CISCOASA#show crypto map
CISCOASA#show crypto isakmp sa
CISCOASA#show crypto ipsec sa


Mikrotik Router Peer Configuration:
[admin@MikroTik] /ip ipsec peer>add address=10.1.1.2/32:500 auth-method=pre-shared-key secret="sitetosite"
     generate-policy=no exchange-mode=main send-initial-contact=yes
     nat-traversal=no proposal-check=obey hash-algorithm=sha1
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=disable-dpd dpd-maximum-failures=1
[admin@MikroTik] /ip ipsec policy>add src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
     protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
     sa-src-address=20.2.2.2 sa-dst-address=10.1.1.2 proposal=default
     priority=0
[admin@MikroTik] /ip ipsec proposal>add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
     pfs-group=modp1024

The accept rule must sit above the masquerade rule so that traffic for the remote LAN is not source-NATed before the IPsec policy matches it.

[admin@MikroTik] /ip firewall nat>add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24
[admin@MikroTik] /ip firewall nat>add chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=ether1
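Most failures with a tunnel like this one come from a phase 1 or phase 2 parameter that differs between the two vendors' spellings (modp1024 versus group 2, esp-sha-hmac versus sha1, a lifetime in "1d" versus seconds) or from traffic selectors that are not mirror images. The following script is an added example, not part of the original post or of either vendor's tooling: it compares the ASA and MikroTik settings shown above and reports anything that would stop the IKE or IPsec SAs from forming. All values are constructed from the configuration on this page; the dictionary keys, the alias tables and the function names are this example's own assumptions, and nothing is read from a live device.

```python
# Added example (not from the original post): cross-check the IKE phase 1 and
# IPsec phase 2 settings of the Cisco ASA and the MikroTik peer before the
# tunnel is brought up. Every value below is constructed from the configuration
# shown on this page; nothing is read from a live device.

# MikroTik names its Diffie-Hellman groups by modulus size; the ASA uses the
# IANA group numbers. pfs-group=modp1024 therefore corresponds to "group 2".
MODP_TO_GROUP = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}

# Vendor spellings of the same algorithm, reduced to one label each.
ENC_ALIAS = {"3des": "3des", "esp-3des": "3des",
             "aes": "aes128", "aes-128": "aes128", "aes-128-cbc": "aes128",
             "aes-256": "aes256", "aes-256-cbc": "aes256"}
HASH_ALIAS = {"sha": "sha1", "sha1": "sha1", "esp-sha-hmac": "sha1",
              "md5": "md5", "esp-md5-hmac": "md5"}


def to_seconds(value):
    """Bring MikroTik lifetimes ('1d', '30m', '1h30m') and ASA integer seconds
    to a common unit so they can be compared."""
    if isinstance(value, int):
        return value
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    total, digits = 0, ""
    for ch in value:
        if ch.isdigit():
            digits += ch
        else:
            total += int(digits) * units[ch]
            digits = ""
    return total + (int(digits) if digits else 0)


# Cisco ASA side as configured on this page (pfs_group 2 == modp1024; the ASA
# default IPsec SA lifetime of 28800 s applies because the page sets none).
ASA = {
    "isakmp_encryption": "3des", "isakmp_hash": "sha", "isakmp_group": 2,
    "isakmp_lifetime": 66400, "pre_shared_key": "sitetosite",
    "transform_encryption": "esp-3des", "transform_auth": "esp-sha-hmac",
    "pfs_group": 2, "ipsec_lifetime": 28800,
    "peer": "20.2.2.2", "outside_address": "10.1.1.2",
    "local_net": "192.168.2.0/24", "remote_net": "192.168.1.0/24",
}

# MikroTik side: /ip ipsec peer, policy and proposal attributes from this page.
MIKROTIK = {
    "address": "10.1.1.2/32:500", "secret": "sitetosite",
    "hash-algorithm": "sha1", "enc-algorithm": "3des", "dh-group": "modp1024",
    "lifetime": "1d",
    "src-address": "192.168.1.0/24:any", "dst-address": "192.168.2.0/24:any",
    "sa-src-address": "20.2.2.2",
    "auth-algorithms": "sha1", "enc-algorithms": "3des",
    "proposal-lifetime": "30m", "pfs-group": "modp1024",
}


def compare_peers(asa, mt):
    """Return (errors, warnings). Errors are mismatches that stop phase 1 or
    phase 2 from completing; warnings are lifetime differences that the peers
    usually negotiate down to the shorter value but are better aligned."""
    errors, warnings = [], []

    def must_match(label, a, b):
        if a != b:
            errors.append(f"{label}: ASA={a!r} MikroTik={b!r}")

    # Phase 1 (ISAKMP/IKE SA): isakmp policy 10 against the MikroTik peer entry.
    must_match("phase1 encryption", ENC_ALIAS[asa["isakmp_encryption"]],
               ENC_ALIAS[mt["enc-algorithm"]])
    must_match("phase1 hash", HASH_ALIAS[asa["isakmp_hash"]],
               HASH_ALIAS[mt["hash-algorithm"]])
    must_match("phase1 DH group", asa["isakmp_group"], MODP_TO_GROUP[mt["dh-group"]])
    must_match("pre-shared key", asa["pre_shared_key"], mt["secret"])
    must_match("ASA peer vs MikroTik sa-src-address", asa["peer"], mt["sa-src-address"])
    must_match("ASA outside vs MikroTik peer address", asa["outside_address"],
               mt["address"].split("/")[0])
    if to_seconds(asa["isakmp_lifetime"]) != to_seconds(mt["lifetime"]):
        warnings.append(f"phase1 lifetime: ASA={to_seconds(asa['isakmp_lifetime'])}s "
                        f"MikroTik={to_seconds(mt['lifetime'])}s")

    # Phase 2 (IPsec SA): transform set and PFS against the MikroTik proposal.
    must_match("phase2 encryption", ENC_ALIAS[asa["transform_encryption"]],
               ENC_ALIAS[mt["enc-algorithms"]])
    must_match("phase2 auth", HASH_ALIAS[asa["transform_auth"]],
               HASH_ALIAS[mt["auth-algorithms"]])
    must_match("PFS group", asa["pfs_group"], MODP_TO_GROUP[mt["pfs-group"]])
    if to_seconds(asa["ipsec_lifetime"]) != to_seconds(mt["proposal-lifetime"]):
        warnings.append(f"phase2 lifetime: ASA={to_seconds(asa['ipsec_lifetime'])}s "
                        f"MikroTik={to_seconds(mt['proposal-lifetime'])}s")

    # Traffic selectors must be mirror images: the ASA's local network is the
    # MikroTik policy's dst-address and the ASA's remote network its src-address.
    must_match("ASA local net vs MikroTik dst-address", asa["local_net"],
               mt["dst-address"].split(":")[0])
    must_match("ASA remote net vs MikroTik src-address", asa["remote_net"],
               mt["src-address"].split(":")[0])
    return errors, warnings


if __name__ == "__main__":
    errors, warnings = compare_peers(ASA, MIKROTIK)
    print("errors:", errors)
    print("warnings:", warnings)
    # A deliberately wrong ASA value (pfs group1) shows how a mismatch is reported.
    print("with pfs group1:", compare_peers(dict(ASA, pfs_group=1), MIKROTIK)[0])
```

With the page's values the script reports no errors and two lifetime warnings (66400 s versus 1d for phase 1, the ASA default 28800 s versus 30m for phase 2); changing the ASA's PFS setting to group1 produces a single "PFS group" error, which is the kind of mismatch that shows up on the ASA as a phase 2 proposal failure while "show crypto isakmp sa" still reports phase 1 as established.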


3 comments:

  1. Hi

    I hope someone can shed some light on this! I bought a CCR1036-8G-2S+ a few weeks ago expecting to use the SFP+ ports in the future. But since then we have had some other connections added in the datacentre, which means the router needs a fibre connection to the remote peer.

    So I went out and bought 2 x S-31DLC20D 1.25G single-mode SFP modules.

    One was to go in the existing CCR1036-12G-4S and the other in the new router.

    This is where the problem occurred: the CCR1036-12G-4S worked first time with no problems at all, but the CCR1036-8G-2S+ would show link OK in its status and no link on the switch at the other end of the fibre; it also shows TX power as blank and RX power at -9dBm.