Sunday, March 24, 2013

IPSec Between Cisco router and Mikrotik router

--------CISCO--------
WAN 10.1.1.2
LAN 10.2.2.0/24
No NAT configured




! ISAKMP (phase 1) policy 20: pre-shared-key authentication, MD5 integrity,
! DH group 2 (1024-bit MODP). There is no "encryption" line, so the IOS
! default applies (DES on classic IOS -- matches the MikroTik peer's
! enc-algorithm=des; confirm with "show crypto isakmp policy"). MD5, DES and
! group 2 are legacy-strength; they are kept here only to match the MikroTik
! side, not as a hardening recommendation.
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2 
! Pre-shared key for peer 10.1.1.1. It is stored and displayed in clear text
! in the running config, and "dara" is the same value as the MikroTik peer's
! secret=. Anyone who can read either config has the key; a long random PSK
! is preferable.
crypto isakmp key dara address 10.1.1.1
!        
!        
! IPsec (phase 2) transform set: ESP with 56-bit DES and SHA-1 HMAC. No
! "mode" line, so the default (tunnel) applies. Matches the MikroTik default
! proposal (enc-algorithms=des auth-algorithms=sha1).
crypto ipsec transform-set myset esp-des esp-sha-hmac
!        
! Crypto map: peer is the MikroTik WAN address, "set pfs group2" matches the
! MikroTik proposal's pfs-group=modp1024, and ACL 101 (below) selects the
! traffic to protect.
crypto map mymap 21 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set myset
 set pfs group2
 match address 101
!        
!        
!        
!        
! WAN interface facing the peer; the crypto map is applied here.
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!        
! LAN interface (10.2.2.0/24).
interface FastEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 duplex auto
 speed auto
!        
!        
! Route for the remote LAN via the peer, so that traffic exits through the
! interface carrying the crypto map.
ip route 192.168.1.0 255.255.255.0 10.1.1.1
!        
!        
! Plain-text HTTP management is enabled and HTTPS is disabled. This has no
! part in the tunnel; on a WAN-facing router it should be turned off
! ("no ip http server") or at least restricted with "ip http access-class".
ip http server
no ip http secure-server
!        
! Interesting traffic: local LAN 10.2.2.0/24 to remote LAN 192.168.1.0/24.
! Mirror image of the MikroTik policy (src 192.168.1.0/24, dst 10.2.2.0/24);
! the selectors on both sides must agree or phase 2 negotiation fails.
access-list 101 permit ip 10.2.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!        
!        
!        
!        
control-plane



 


--------MIKROTIK-----------

WAN 10.1.1.2
LAN 192.168.1.0/24
No NAT enabled




# MikroTik side. NOTE(review): the header above says WAN 10.1.1.2, but the
# address configured on ether2 below is 10.1.1.1, which is also the peer the
# Cisco side points at ("set peer 10.1.1.1").
/ip address
# LAN side of the tunnel.
add address=192.168.1.1/24 disabled=no interface=ether1 network=192.168.1.0
# Disabled leftover; the same address is active on ether3 below.
add address=192.168.10.1/24 disabled=yes interface=ether2 network=\
    192.168.10.0
# WAN address facing the Cisco router (10.1.1.2).
add address=10.1.1.1/24 disabled=no interface=ether2 network=10.1.1.0
add address=192.168.10.1/24 disabled=no interface=ether3 network=192.168.10.0
# vpls1 and the loopback below are unrelated to the IPsec setup.
add address=5.5.5.1/24 disabled=no interface=vpls1 network=5.5.5.0
add address=10.255.1.1/32 disabled=no interface=l0 network=10.255.1.1

/ip route
# Both default routes are disabled leftovers (other gateways, a squid-pc
# routing mark) and play no part in the tunnel.
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.57.45 routing-mark=squid-pc scope=30 target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.56.1 scope=\
    30 target-scope=10
# Route for the remote (Cisco) LAN via the peer; mirrors the Cisco
# "ip route 192.168.1.0 255.255.255.0 10.1.1.1".
add disabled=no distance=1 dst-address=10.2.2.0/24 gateway=10.1.1.2 scope=30 \
    target-scope=10

/ip ipsec proposal
# Phase 2 proposal used by the active policy: SHA-1 auth, 56-bit DES, PFS
# modp1024 -- matches the Cisco "transform-set myset esp-des esp-sha-hmac"
# and "set pfs group2". DES is legacy-strength and is used here only because
# the Cisco side is configured the same way. lifetime=30m is shorter than
# the IOS default IPsec SA lifetime; presumably the shorter value is
# negotiated -- confirm on both ends.
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=des \
    lifetime=30m name=default pfs-group=modp1024
# proposal1 is not referenced by either policy below (both use
# proposal=default), so it has no effect on this tunnel.
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=8m20s name=\
    proposal1 pfs-group=none

/ip ipsec peer
# Phase 1 peer = the Cisco WAN address. Main mode, pre-shared key, MD5 hash,
# DES and dh-group=modp1024 line up with the Cisco isakmp policy 20 (hash md5,
# authentication pre-share, group 2, default encryption).
# secret=dara is the same key as the Cisco "crypto isakmp key dara" and is
# stored/exported in clear text. generate-policy=yes lets selectors proposed
# by the peer create policies dynamically; with the static policy below it is
# presumably unnecessary and widens what the peer may negotiate -- confirm
# before leaving it on. nat-traversal=no is consistent with "No NAT" on both
# sides.
add address=10.1.1.2/32 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=des \
    exchange-mode=main generate-policy=yes hash-algorithm=md5 lifebytes=0 \
    lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
    obey secret=dara send-initial-contact=yes
/ip ipsec policy
# Disabled leftover policy for another site (10.0.0.0/24 <-> 10.1.16.0/28,
# SA endpoints 10.0.16.9/10.0.16.10); unrelated to the Cisco tunnel.
add action=encrypt disabled=yes dst-address=10.1.16.0/28 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=10.0.16.10 sa-src-address=10.0.16.9 src-address=\
    10.0.0.0/24 src-port=any tunnel=yes
# Active policy: 192.168.1.0/24 -> 10.2.2.0/24 in ESP tunnel mode between
# 10.1.1.1 and 10.1.1.2, the mirror image of Cisco access-list 101.
# level=require means matching traffic is not sent in clear while no SA is
# established.
add action=encrypt disabled=no dst-address=10.2.2.0/24 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=10.1.1.2 sa-src-address=10.1.1.1 src-address=\
    192.168.1.0/24 src-port=any tunnel=yes
