01 October 2010

IPSec between Cisco and Mikrotik

Although IPSec is an industry standard, there are a few gotchas that crop up when dealing with inter-vendor set ups. Especially involving Cisco.

A couple of well known snags include the use of DPD -Cisco does not support this so turn it off.

Dynamic policies - I personally like to specify my ipsec policies, but if you want to be able to initiate the tunnel, then this must be done. All you need to specify is the source and destination pairs, and 'untick' or disable Generate Policy.

/ip ipsec peer
 add address=172.16.2.2/32:500 secret=shhhh send-initial-contact=yes nat-traversal=no hash-algorithm=md5 enc-algorithm=3des auth-method=pre-shared-key dh-group=modp1024 generate-policy=no exchange-mode=main

/ip ipsec policy
add src-address=10.10.10.0/24:any dst-address=10.20.20.0/24:any sa-src-address=172.16.1.1 sa-dst-address=172.16.2.1 proposal=default disabled=no tunnel=yes


src-address=10.10.10.0/24:any dst-address=10.30.30.0/24:any sa-src-address=172.16.1.1 sa-dst-address=172.16.2.1 proposal=default disabled=no tunnel=yes




When dealling with multiple remote subnets, Cisco handles them differently (a separate SA per subnet pair) and other vendors are required to accomodate. With Mikrotik you need to change the level under /ip ipsec policy to 'unique'.


/ip ipsec policy
set 0,1 level=unique

No comments:

Post a Comment