Not long ago I wrote an article on how to configure an IPsec VPN using Mikrotik and Linux devices. For today, I will replace the Linux device with a Cisco. I did test the entire construct in GNS3 integrated with Mikrotik.

The topology looks like this:

IPsec VPN Mikrotik Cisco

The red line represent the IPsec VPN tunnel.
Please note the used IP addresses. In this way the below configuration will be easier to understand.

Mikrotik Configuration

1. Firewal rules

By default, the Mikrotik comes with the INPUT channel that drop the connection incoming on ether1-gateway (which is the WAN interface). You need to be sure that at least the IPsec packets are able to be accepted inbound on the WAN interface, so the below rules needs to be placed before the rule dropping packets (the Firewal rules are checked top-down)

On INPUT channel allow the following on the interface facing Internet
– Port 500/UDP
– Port 4500/UDP
– Proto 50
– Proto 51
It may be that you don’t need all these ports, but you can close them later. You can check logs if you want to troubleshoot.

On NAT channel, SRCNAT you need have the rule involving interesting traffic (local LAN subnets for example) before NAT masquerade.
You need to add a rule with ACCEPT source LOCAL_LAN ( in this example) destination REMOTE_LAN ( in this example).

On Console the configuration looks like this:


2. The IPsec Proposal


IP > IPsec > Proposals


3. The IPsec Policy


IP > IPsec > Policies


4. The IPsec Peer


IP > IPsec > Peers


Cisco configuration

1. Crypto ISAKMP Policy

You can specify also the hash as sha1, but this is the default method on Cisco, so no extra line will appear.

2. Crypto ISAKMP neighbor

3. Crypto IPsec transformation set

4. Crypto map

5. Access-list for interesting traffic

6. Interface config

The settings (like encryption algorithm) can be tuned to fit your requirements.

If you have any questions or something is unclear please let me know in Comments.

IPsec VPN Mikrotik to Cisco

6 thoughts on “IPsec VPN Mikrotik to Cisco

  • Pingback: Mikrotik L2TP with IPsec for mobile clients | FirstDigest

  • April 27, 2015 at 10:11

    hello I created a vpn between a cisco on site 1 and site 2 microtik on the vpn the site works 1 2 browse the site but unfortunately the site 2 does not peel the site1 anyone has had the same problem, configuration, everything seems correct, you any idea on who controls take to resolve the problem


  • October 22, 2015 at 19:11


    I use yuor manual.. TNX…
    But I have problem witth IPSec tunel. Tunel dops connection after some time… Then helps, that I disable Peers and Polices on Mikrotik, and then enable again….
    Do you have some diea?

  • February 29, 2016 at 19:53

    I guess the problem here is that the local LAN on MT site does source NAT if the author used the MT default config on the MT and the peer traffic MUST be excluded from source NAT cause it has to be transported without NAT over the tunnel.
    The above IPsec Config works fine and is established but without excluding /24 to /24 traffic from src NAT it wont work cause this traffic is src NATed to and hence never get to the target net on the Cisco site.

  • April 9, 2017 at 09:40

    My problem is:

    Crypto session current status

    Interface: FastEthernet0/0
    Session status: DOWN-NEGOTIATING
    Peer: port 500
    IKE SA: local remote Inactive
    IKE SA: local remote Inactive
    IPSEC FLOW: permit ip
    Active SAs: 0, origin: crypto map


Leave a Reply

%d bloggers like this: