Mikrotik To CISCO ASA IPSec Site to Site VPN Tunnel Configuration


Figure: Mikrotik to CISCO ASA IPSec site-to-site VPN tunnel
ASA1 Configuration:
ASA>enable
ASA#conf t
ASA(config)#hostname CISCOASA
CISCOASA(config)#crypto isakmp enable outside
CISCOASA(config)#object network local
CISCOASA(config-network-object)#subnet 192.168.2.0 255.255.255.0
CISCOASA(config-network-object)#object network remote
CISCOASA(config-network-object)#subnet 192.168.1.0 255.255.255.0
CISCOASA(config-network-object)#exit
CISCOASA(config)#access-list outside_crypto permit ip object local object remote
CISCOASA(config)#tunnel-group 20.2.2.2 type ipsec-l2l
CISCOASA(config)#tunnel-group 20.2.2.2 ipsec-attributes
CISCOASA(config-tunnel-ipsec)#pre-shared-key sitetosite
CISCOASA(config-tunnel-ipsec)#isakmp keepalive threshold 10 retry 2
CISCOASA(config-tunnel-ipsec)#exit

IKE (Internet Key Exchange) is built on ISAKMP, the Internet Security Association and Key Management Protocol. IKE is used by two hosts to agree on how to build an IPSec security association. The IKE negotiation has two parts: phase 1 and phase 2.
 

CISCOASA(config)#crypto isakmp policy 10 authentication pre-share
CISCOASA(config)#crypto isakmp policy 10 encryption 3des
CISCOASA(config)#crypto isakmp policy 10 hash sha
CISCOASA(config)#crypto isakmp policy 10 group 2
CISCOASA(config)#crypto isakmp policy 10 lifetime 66400
CISCOASA(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
CISCOASA(config)#crypto map outside-map 1 match address outside_crypto
CISCOASA(config)#crypto map outside-map 1 set pfs group2
CISCOASA(config)#crypto map outside-map 1 set peer 20.2.2.2
CISCOASA(config)#crypto map outside-map 1 set transform-set ESP-3DES-SHA
CISCOASA(config)#crypto map outside-map interface outside
CISCOASA(config)#nat (inside,outside) 1 source static local local destination static remote remote
CISCOASA(config)#route outside 0.0.0.0 0.0.0.0 (Gateway Address)
CISCOASA(config)#wr
CISCO ASA Verification:
#show crypto map
#show


Mikrotik Router Peer Configuration:
[admin@MikroTik] /ip ipsec peer>add address=10.1.1.2/32:500 auth-method=pre-shared-key secret="sitetosite"
     generate-policy=no exchange-mode=main send-initial-contact=yes
     nat-traversal=no proposal-check=obey hash-algorithm=sha1
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=disable-dpd dpd-maximum-failures=1
[admin@MikroTik] /ip ipsec policy>add src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
     protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
     sa-src-address=20.2.2.2 sa-dst-address=10.1.1.2 proposal=default
     priority=0
[admin@MikroTik] /ip ipsec proposal>add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
     pfs-group=modp1024

[admin@MikroTik] /ip firewall nat>add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24
[admin@MikroTik] /ip firewall nat>add chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=ether1
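As an added check that is not part of the original configuration: the Python script below reads both CLI transcripts, pulls out the IKE phase 1 and phase 2 parameters that must agree on the two peers, and reports any that differ. The sample inputs are constructed from the values above, except that the ASA side is given `set pfs group1` (DH group 1) while the MikroTik proposal uses `modp1024` (group 2), so the check reports that mismatch.

```python
import re

# Constructed sample of both sides (not the page's full config); the ASA side
# deliberately keeps "set pfs group1" against MikroTik pfs-group=modp1024.
ASA_CFG = """CISCOASA(config)#crypto isakmp policy 10 authentication pre-share
CISCOASA(config)#crypto isakmp policy 10 encryption 3des
CISCOASA(config)#crypto isakmp policy 10 hash sha
CISCOASA(config)#crypto isakmp policy 10 group 2
CISCOASA(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
CISCOASA(config)#crypto map outside-map 1 set pfs group1"""
MT_CFG = """[admin@MikroTik] /ip ipsec peer>add address=10.1.1.2/32:500 auth-method=pre-shared-key
     hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 secret="sitetosite"
[admin@MikroTik] /ip ipsec proposal>add name="default" auth-algorithms=sha1 enc-algorithms=3des
     pfs-group=modp1024"""

# ASA keyword on the left, RouterOS keyword on the right, for the settings that
# must agree on both peers (DH groups by number; lifetimes are negotiated, so skipped).
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536"}
HASHES = {"sha": "sha1", "md5": "md5"}
CIPHERS = {"des": "des", "3des": "3des"}
TABLES = {"p1_authentication": {"pre-share": "pre-shared-key"}, "p1_encryption": CIPHERS,
          "p1_hash": HASHES, "p1_group": DH_GROUPS, "p2_enc": CIPHERS, "p2_auth": HASHES, "p2_pfs": DH_GROUPS}

def parse_asa(text):
    """Collect phase-1 policy, transform-set and PFS settings from an ASA CLI transcript."""
    p = {}
    for line in text.splitlines():
        cmd = line.split("#", 1)[-1].strip()  # drop the "CISCOASA(config)#" prompt
        if m := re.match(r"crypto isakmp policy \d+ (authentication|encryption|hash|group) (\S+)", cmd):
            p["p1_" + m.group(1)] = m.group(2)
        elif m := re.match(r"crypto ipsec transform-set \S+ esp-(\S+) esp-(\S+)-hmac", cmd):
            p["p2_enc"], p["p2_auth"] = m.group(1), m.group(2)
        elif m := re.match(r"crypto map \S+ \d+ set pfs group(\d+)", cmd):
            p["p2_pfs"] = m.group(1)
    return p

def parse_mikrotik(text):
    """Collect the same settings from '/ip ipsec peer' and '/ip ipsec proposal' add commands."""
    p = {}
    for menu, body in re.findall(r"/ip ipsec (\w+)>([^\[]*)", text):
        kv = dict(re.findall(r'([\w-]+)="?([^\s"]+)"?', body))  # key=value pairs, quotes stripped
        if menu == "peer":
            p.update(p1_authentication=kv.get("auth-method"), p1_encryption=kv.get("enc-algorithm"),
                     p1_hash=kv.get("hash-algorithm"), p1_group=kv.get("dh-group"))
        elif menu == "proposal":
            p.update(p2_enc=kv.get("enc-algorithms"), p2_auth=kv.get("auth-algorithms"),
                     p2_pfs=kv.get("pfs-group"))
    return p

def compare(asa, mt):
    """Return (setting, asa_value, mikrotik_value) for every setting the two peers disagree on."""
    return [(k, asa.get(k), mt.get(k)) for k, t in TABLES.items() if t.get(asa.get(k)) != mt.get(k)]
```

Running `compare(parse_asa(ASA_CFG), parse_mikrotik(MT_CFG))` on the sample reports only the PFS group; an empty list means both phases line up.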