Not long ago I wrote an article on how to configure an IPsec VPN using Mikrotik and Linux devices. Today I will replace the Linux device with a Cisco. I tested the entire construct in GNS3 integrated with Mikrotik.

The topology looks like this:

[Figure: IPsec VPN Mikrotik to Cisco topology]

The red line represents the IPsec VPN tunnel.
Please note the IP addresses used; with them in mind, the configuration below will be easier to understand.

Mikrotik Configuration

1. Firewall rules

By default, the Mikrotik comes with an INPUT chain rule that drops connections coming in on ether1-gateway (the WAN interface). You need to make sure that at least the IPsec packets are accepted inbound on the WAN interface, so the rules below need to be placed before the rule dropping packets (firewall rules are checked top-down).

On the INPUT chain allow the following on the interface facing the Internet:
– Port 500/UDP
– Port 4500/UDP
– Proto 50
– Proto 51
You may not need all of these, but you can close them later. Check the logs if you need to troubleshoot.

On the NAT chain (SRCNAT) you need to have the rule matching the interesting traffic (the local LAN subnets, for example) before the NAT masquerade rule.
Add a rule with action ACCEPT, source LOCAL_LAN (192.168.88.0/24 in this example) and destination REMOTE_LAN (192.168.0.0/24 in this example).

On the console the configuration looks like this:

[CLI screenshot]

2. The IPsec Proposal

[GUI screenshot: IP > IPsec > Proposals]

[CLI screenshot]

3. The IPsec Policy

[GUI screenshot: IP > IPsec > Policies]

[CLI screenshot]

4. The IPsec Peer

[GUI screenshot: IP > IPsec > Peers]

[CLI screenshot]
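Since the CLI screenshots for steps 1 to 4 do not survive here, the following RouterOS 6.x script (an added example, not the post's own screenshots) carries out those four steps for the addresses used in this post. The WAN addresses (MT-WAN-IP, CISCO-WAN-IP), the pre-shared key, the AES-128/SHA1/modp1024 choice and the RouterOS 6 single-object peer syntax are assumptions; the firewall part also assumes the default configuration's single "drop from ether1-gateway" input rule is present.

```routeros
# Added example: RouterOS 6.x CLI for sections 1-4 of this post.
# Assumed values to replace: MT-WAN-IP, CISCO-WAN-IP, REPLACE-WITH-PSK.

# 1. Firewall: accept IKE, NAT-T, ESP and AH on the WAN interface, placed
#    before the default-config rule that drops everything else inbound on
#    ether1-gateway (assumes exactly one such drop rule; otherwise check
#    with "/ip firewall filter print" and reorder with "move").
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500 in-interface=ether1-gateway \
    comment="IPsec IKE" place-before=[find chain=input action=drop in-interface=ether1-gateway]
add chain=input action=accept protocol=udp dst-port=4500 in-interface=ether1-gateway \
    comment="IPsec NAT-T" place-before=[find chain=input action=drop in-interface=ether1-gateway]
add chain=input action=accept protocol=ipsec-esp in-interface=ether1-gateway \
    comment="IPsec ESP (proto 50)" place-before=[find chain=input action=drop in-interface=ether1-gateway]
add chain=input action=accept protocol=ipsec-ah in-interface=ether1-gateway \
    comment="IPsec AH (proto 51)" place-before=[find chain=input action=drop in-interface=ether1-gateway]

# 1. NAT: exclude LAN-to-LAN traffic from masquerade by putting the accept
#    rule at the top of srcnat, ahead of the default masquerade rule.
#    Without this the LAN traffic is source-NATed to the WAN address and
#    never matches the IPsec policy below.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.0.0/24 \
    comment="no NAT for IPsec LAN-to-LAN traffic" place-before=0

# 2. Proposal (phase 2): must match the Cisco transform set.
/ip ipsec proposal
add name=to-cisco auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=none

# 3. Policy: which traffic is encrypted, and between which gateway addresses.
/ip ipsec policy
add src-address=192.168.88.0/24 dst-address=192.168.0.0/24 \
    sa-src-address=MT-WAN-IP sa-dst-address=CISCO-WAN-IP \
    tunnel=yes action=encrypt level=require proposal=to-cisco

# 4. Peer (phase 1): must match the Cisco ISAKMP policy.
/ip ipsec peer
add address=CISCO-WAN-IP/32 auth-method=pre-shared-key secret="REPLACE-WITH-PSK" \
    exchange-mode=main enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1024 \
    generate-policy=no send-initial-contact=yes
```

With these choices the Cisco side needs an ISAKMP policy using aes 128, sha and group 2, and a transform set of esp-aes with esp-sha-hmac; a mismatch on either phase shows up in the Mikrotik log and as a DOWN-NEGOTIATING session on the Cisco.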

Cisco configuration

1. Crypto ISAKMP Policy

You can also specify the hash as sha1, but this is the default on Cisco, so no extra line will appear in the running configuration.

2. Crypto ISAKMP neighbor

3. Crypto IPsec transform set

4. Crypto map

5. Access-list for interesting traffic

6. Interface config

The settings (like encryption algorithm) can be tuned to fit your requirements.

If you have any questions or something is unclear please let me know in Comments.

IPsec VPN Mikrotik to Cisco

6 thoughts on “IPsec VPN Mikrotik to Cisco”

  • Pingback: Mikrotik L2TP with IPsec for mobile clients | FirstDigest

  • April 27, 2015 at 10:11

    Hello, I created a VPN between a Cisco on site 1 and a Mikrotik on site 2. On the VPN, site 1 works and browses site 2, but unfortunately site 2 does not peel site 1. Has anyone had the same problem? The configuration all seems correct; do you have any idea what to check to resolve the problem?

    thanks

  • October 22, 2015 at 19:11

    Hello,

    I use your manual.. TNX…
    But I have a problem with the IPsec tunnel. The tunnel drops the connection after some time… Then it helps if I disable Peers and Policies on the Mikrotik and then enable them again….
    Do you have some idea?

  • February 29, 2016 at 19:53

    I guess the problem here is that the local LAN on the MT site does source NAT if the author used the MT default config on the MT, and the peer traffic MUST be excluded from source NAT because it has to be transported without NAT over the tunnel.
    The above IPsec config works fine and is established, but without excluding 192.168.88.0/24 to 192.168.0.0/24 traffic from src NAT it won't work, because this traffic is src NATed to 10.0.0.2 and hence never gets to the target net on the Cisco site.

  • April 9, 2017 at 09:40

    Hello,
    My problem is:

    Crypto session current status

    Interface: FastEthernet0/0
    Session status: DOWN-NEGOTIATING
    Peer: 10.0.0.1 port 500
    IKE SA: local 10.0.0.2/500 remote 10.0.0.1/500 Inactive
    IKE SA: local 10.0.0.2/500 remote 10.0.0.1/500 Inactive
    IPSEC FLOW: permit ip 192.168.10.0/255.255.255.0 192.168.1.0/255.255.255.0
    Active SAs: 0, origin: crypto map
