VPNs Between Mikrotik and 3rd Party Devices
Vince Godinich
experience
TOPICS
- PPTP: Mikrotik client to Cisco server
- IPSEC: Shrew client to Mikrotik router
- IPSEC: Mikrotik router to Cisco IOS router
PPTP Mikrotik Client to Cisco Server
Configure a Mikrotik router to act as a PPTP client connecting to a Cisco PPTP server in order to connect remote LANs.
Allows replacement of a Cisco branch router with a MikroTik router without changing or replacing the existing Cisco main router.
Diagram (existing setup): Site A PC (192.168.1.79/24) - internet - Cisco Router (Ether1 10.0.0.1/24, Ether2 192.168.0.1/24) - Site B Server (192.168.0.2/24)
Diagram (with Mikrotik branch router): Site A PC (192.168.1.79/24) - Mikrotik Router (Ether2 192.168.1.1/24, Ether1 10.0.0.2/24) - internet, PPTP tunnel - Cisco Router (Ether1 10.0.0.1/24, Ether2 192.168.0.1/24) - Site B Server (192.168.0.2/24)
Diagram (tunnel addressing): Site A PC (192.168.1.79/24) - Mikrotik Router (Ether2 192.168.1.1/24, pptp-out1 192.168.79.2) - internet, PPTP tunnel - Cisco Router (Virtual-Template1 192.168.79.1, Ether2 192.168.0.1/24) - Site B Server (192.168.0.2/24)
Cisco IOS PPTP server configuration (VPDN group and local PPP user):

aaa new-model
aaa authentication ppp default local
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
username pptp_branch password 0 1234

interface Virtual-Template1
 ip address 192.168.79.1 255.255.255.0
 peer default ip address pool PPTP_POOL
 no keepalive
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
ip local pool PPTP_POOL 192.168.79.2

ip nat inside source list nonat interface FastEthernet0/0 overload
ip route 192.168.1.0 255.255.255.0 192.168.79.2
ip access-list extended nonat
 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
Diagram (test): ping from Site A PC (192.168.1.79/24) across the tunnel to Site B Server (192.168.0.2/24); Cisco Router Ether1 10.0.0.1/24, Ether2 192.168.0.1/24
MikroTik PPTP client configuration:

/interface pptp-client
add allow=mschap2 connect-to=10.0.0.1 disabled=no mrru=1600 name=pptp-out1 \
    password=1234 user=pptp_branch
/ppp profile
set 1 use-encryption=required
/ip firewall nat
add chain=srcnat dst-address=192.168.0.0/24 out-interface=ether2
IPSEC Shrew Client To Mikrotik
Configure a Shrew client on a remote PC to connect to a Mikrotik router and access the internal LAN network.
- Eliminates the need for the Microsoft VPN client.
- Enables one client to be used for remote access to Mikrotik and Cisco devices, eliminating the need for a Cisco VPN client.
- Easy to import existing Cisco VPN profiles into the Shrew client.
- Allows for ease of migration from Cisco devices to Mikrotik routers.
Diagram: Remote PC (10.0.0.2/24) - internet - Mikrotik Router (Ether1 10.0.0.1/24, Ether2 10.10.0.2/22) - Site A Server (10.10.0.2)
Shrew Soft VPN client download: www.shrew.net/download/vpn
Shrew client profile (exported .vpn file):

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:0
n:client-dns-used:0
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:phase1-keylen:128
n:phase2-keylen:128
s:network-host:10.10.0.1
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:disable
s:network-frag-mode:disable
s:auth-method:mutual-psk
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:Y3RiNjUx
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:require
s:policy-list-include:10.10.0.0 / 255.255.252.0
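As an added example (not part of the original slides), a small Python parser for this Shrew profile format: the n:/s:/b: prefixes mark number, string and base64-encoded binary values, and the audit flags settings a reviewer would tighten before rolling the profile out. The profile excerpt is constructed from the lines above; the thresholds in audit_shrew are my own assumptions.

```python
import base64

# Constructed excerpt of the Shrew .vpn profile shown above.
SHREW_PROFILE = """\
n:version:4
n:network-dpd-enable:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase2-life-secs:3600
n:phase2-pfsgroup:2
s:network-host:10.10.0.1
s:auth-method:mutual-psk
b:auth-mutual-psk:Y3RiNjUx
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:policy-list-include:10.10.0.0 / 255.255.252.0
"""

def parse_shrew(text):
    """Parse 'type:key:value' lines: n = number, s = string, b = base64 binary."""
    conf = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, key, value = line.split(":", 2)
        if kind == "n":
            conf[key] = int(value)
        elif kind == "b":
            conf[key] = base64.b64decode(value)
        else:
            conf[key] = value
    return conf

def audit_shrew(conf):
    """Return findings a reviewer would raise on this profile (thresholds are assumptions)."""
    findings = []
    psk = conf.get("auth-mutual-psk", b"")
    if conf.get("auth-method") == "mutual-psk" and len(psk) < 16:
        findings.append("pre-shared key shorter than 16 bytes")
    if conf.get("network-dpd-enable", 0) == 0:
        findings.append("dead peer detection disabled")
    if conf.get("phase1-dhgroup", 0) < 14:
        findings.append("phase 1 DH group below 14")
    if "sha1" in (conf.get("phase1-hash"), conf.get("phase2-hmac")):
        findings.append("SHA-1 used for IKE/ESP integrity")
    return findings
```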
Diagram (test): ping from Remote PC (10.0.0.2/24) through the tunnel to Site A Server (10.10.0.2); Mikrotik Router Ether1 10.0.0.1/24, Ether2 10.10.0.2/22
IPSEC Cisco IOS or ASA To Mikrotik
Configure an IPSEC VPN between a Cisco IOS router or ASA and a Mikrotik router.
Allows replacement of a Cisco branch router or ASA with a MikroTik router without changing or replacing the existing Cisco main router.
IPSEC Cisco IOS To Mikrotik
Diagram: Site A PC (192.168.1.2/24) - Mikrotik router (Ether2 192.168.1.1/24, Ether1 10.0.0.1/24) - internet - Cisco router (Ether0/0 10.0.0.2/24, Ether0/1 192.168.0.1/24) - Site B Server (192.168.0.2/24)
Screenshots (WinBox IPsec setup on the Mikrotik), annotated with: local LAN subnet / remote LAN subnet; local WAN address / remote WAN address; remote WAN address / pre-shared password; local LAN subnet / remote LAN subnet.
Cisco IOS configuration:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 1234 address 10.0.0.2 no-xauth
!
!
crypto ipsec transform-set remote esp-aes esp-sha-hmac
!
crypto map remote 5 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set remote
 set pfs group2
 match address remote
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map remote
!
ip nat inside source list nonat interface FastEthernet0/0 overload
ip access-list extended nonat
 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended remote
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
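Mismatched proxy IDs (the IOS crypto ACL versus the src/dst of the Mikrotik policy) are the usual reason a tunnel like this completes phase 1 but never passes traffic. This added Python check (not from the slides) parses the crypto ACL and peer out of the IOS configuration above and verifies that a Mikrotik policy is its mirror image; the MIKROTIK_POLICY values are constructed, since the slides show that side only as screenshots.

```python
import ipaddress
import re

# Constructed excerpt of the Cisco IOS configuration shown above.
IOS_CONFIG = """
crypto map remote 5 ipsec-isakmp
 set peer 10.0.0.2
 match address remote
ip access-list extended remote
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Assumed Mikrotik /ip ipsec policy (the slides show it only as a screenshot).
MIKROTIK_POLICY = {"src-address": "192.168.1.0/24", "dst-address": "192.168.0.0/24",
                   "sa-src-address": "10.0.0.2", "sa-dst-address": "10.0.0.1"}

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard-mask pair to an ip_network."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def ios_crypto_acl(config, name):
    """Return the (src, dst) network pairs permitted by the named extended ACL."""
    pairs, in_acl = [], False
    for line in config.splitlines():
        if line.startswith(f"ip access-list extended {name}"):
            in_acl = True
            continue
        if in_acl and not line.startswith(" "):
            in_acl = False
        m = re.match(r"\s+permit ip (\S+) (\S+) (\S+) (\S+)", line) if in_acl else None
        if m:
            pairs.append((wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])))
    return pairs

def check_proxy_ids(config, acl_name, mt_policy):
    """Return mismatches between the IOS crypto ACL/peer and the Mikrotik policy.
    A correct Mikrotik policy is the mirror image: its src is the IOS dst and vice versa."""
    problems = []
    mt_src = ipaddress.ip_network(mt_policy["src-address"])
    mt_dst = ipaddress.ip_network(mt_policy["dst-address"])
    mirrored = [(dst, src) for src, dst in ios_crypto_acl(config, acl_name)]
    if (mt_src, mt_dst) not in mirrored:
        problems.append(f"policy {mt_src} -> {mt_dst} is not the mirror of ACL {acl_name}")
    peer = re.search(r"^\s+set peer (\S+)", config, re.M)[1]
    if peer != mt_policy["sa-src-address"]:
        problems.append("IOS 'set peer' does not match the Mikrotik sa-src-address")
    return problems
```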
Verifying the tunnel on the Cisco router:

vince_1841#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        10.0.0.2        QM_IDLE           1003 ACTIVE

vince_1841#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: remote, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 121, #pkts encrypt: 121, #pkts digest: 121
    #pkts decaps: 124, #pkts decrypt: 124, #pkts verify: 124
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x23D508(2348296)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x89A2A46B(2309137515)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: remote
        sa timing: remaining key lifetime (k/sec): (4533419/2928)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
IPSEC Cisco ASA To Mikrotik
Diagram: Site A PC (192.168.0.2/24) - Mikrotik router (Ether2 192.168.0.1/24, Ether1 10.0.0.2/24) - internet - Cisco ASA (Outside 10.0.0.1/24, Inside 192.168.1.1/24) - Site B Server (192.168.1.79/24)
Screenshots (Mikrotik IPsec and NAT setup for the ASA peer), annotated with: local LAN subnet / remote LAN subnet; source WAN address / remote WAN address; remote WAN address; local LAN subnet / remote LAN subnet; srcnat.