08-04-2021 09:33 AM
Hello,
I am wondering if I am able to have a VPN site-to-site connection from a Firepower 1010 to my home Mikrotik.
The configuration that I have in place at A, where the FW is placed, looks like this:
ISP to Cisco router ISR1101 (without a security license, so I cannot have IPsec there). ISR1101 to FTD1010 Port1.
I have on the FTD a configured route 0.0.0.0/0 to 192.168.1.1 (this is the router's Vlan1 IP address that is configured on Gi0/1/0). FTD Interface 1 is routed and has the 192.168.1.2 IP address.
My home Mikrotik has a DHCP IP address from the ISP and also has the internal IP address 192.168.1.1.
So I am wondering, because I do not have a license for the router to do IPsec, is it possible to do IPsec to the FTD instead? I made this site-to-site config on the FTD for the moment, which is not finished:
Connection Name: VPN
VPN Access Interface IP: outside (192.168.1.2); this is the FTD Interface 1 IP address, the interface connected to the router
Network: MGMT(192.168.5.0/24)
Peer IP Address: here is the IP of my home Mikrotik
Peer Network: VPN (my home IP address range that I receive from the ISP)
IKE Version 2
IKE Policy: aes-sha256-sha256-14
IPSec Proposal: aes-256-sha-256
Authentication Type: Pre-shared Manual Key
IKE Version 1: Disabled
OTHER
NAT Exempt: —
Diffie-Hellman Group: Null (not selected)
Router IP: here is the Cisco router's IP address that it receives from the ISP.
Router config:
boot-start-marker
boot system bootflash:c1100-universalk9_ias.17.03.03.SPA.bin
boot-end-marker
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone GMT 2 0
clock summer-time GMT+2 recurring last Sun Mar 2:00 last Sun Oct 2:00
ip options drop
no ip domain lookup
ip domain lookup source-interface GigabitEthernet0/0/0
login block-for 120 attempts 4 within 120
login on-failure log
login on-success log
subscriber templating
multilink bundle-name authenticated
no device-tracking logging theft
license accept end user agreement
license boot level appxk9
archive
log config
logging enable
logging size 500
notify syslog contenttype plaintext
memory free low-watermark processor 71858
diagnostic bootup level minimal
spanning-tree extend system-id
redundancy
mode none
vlan internal allocation policy ascending
interface GigabitEthernet0/0/0
description ISP1
ip address dhcp
ip nat outside
media-type rj45
negotiation auto
no cdp enable
interface GigabitEthernet0/1/0
description TO FW Port 1
switchport mode access
interface GigabitEthernet0/1/1
shutdown
interface GigabitEthernet0/1/2
shutdown
interface GigabitEthernet0/1/3
shutdown
interface Vlan1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip http server
no ip http secure-server
no ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 192.168.5.0 255.255.255.0 192.168.1.2 name MGMT
ip route 192.168.10.0 255.255.255.0 192.168.1.2 name LAN
ip route 192.168.11.0 255.255.255.0 192.168.1.2 name Kameros
ip route 192.168.200.0 255.255.255.0 192.168.1.2 name Guest
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
ip ssh rsa keypair-name MGMT
ip ssh version 2
logging trap notifications
logging origin-id hostname
logging facility syslog
ip access-list standard 1
10 permit 192.168.1.0 0.0.0.255
20 permit 192.168.10.0 0.0.0.255
30 permit 192.168.5.0 0.0.0.255
40 permit 192.168.11.0 0.0.0.255
50 permit 192.168.200.0 0.0.0.255
Accepted Solutions
10-13-2021 10:29 AM
Hello,
the sequences in your access list 101 are in the wrong order. Make sure the access list looks EXACTLY like this:
ip access-list extended 101
10 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
30 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
40 permit ip 192.168.1.0 0.0.0.255 any
50 permit ip 192.168.10.0 0.0.0.255 any
60 permit ip 192.168.5.0 0.0.0.255 any
70 permit ip 192.168.11.0 0.0.0.255 any
80 permit ip 192.168.200.0 0.0.0.255 any
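As an added illustration (not part of the accepted answer or of Cisco's documentation), the following Python evaluator applies the first-match semantics that IOS uses for a NAT "list" to the access list above. The point of the answer is ordering: a deny entry exempts a flow from translation only if it is evaluated before the permit that would otherwise match, so the same entries in the reverse order would translate the VPN traffic. The ACL text is the one from the answer; the reversed variant and the sample flows are constructed for the demonstration, and the helper names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Access list 101 exactly as given in the accepted answer.
ACL_101 = """
ip access-list extended 101
10 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
30 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
40 permit ip 192.168.1.0 0.0.0.255 any
50 permit ip 192.168.10.0 0.0.0.255 any
60 permit ip 192.168.5.0 0.0.0.255 any
70 permit ip 192.168.11.0 0.0.0.255 any
80 permit ip 192.168.200.0 0.0.0.255 any
"""

# Constructed counter-example: same entries, permits sequenced before denies.
ACL_101_WRONG_ORDER = """
ip access-list extended 101
10 permit ip 192.168.1.0 0.0.0.255 any
20 permit ip 192.168.10.0 0.0.0.255 any
30 permit ip 192.168.5.0 0.0.0.255 any
40 permit ip 192.168.11.0 0.0.0.255 any
50 permit ip 192.168.200.0 0.0.0.255 any
60 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
70 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
80 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
"""


@dataclass
class AclEntry:
    seq: int
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS 'address wildcard' notation (e.g. 0.0.0.255) to a network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    # A usable wildcard has all of its 1-bits at the low end.
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefixlen = 32 - wc.bit_length()
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address specification (any | host X | addr wildcard)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse numbered 'seq action ip src dst' lines, sorted by sequence number."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "ip":  # skip the 'ip access-list extended 101' header
            continue
        seq, action, proto = int(t[0]), t[1], t[2]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are handled, got {proto!r}")
        src, i = _parse_addr(t, 3)
        dst, _ = _parse_addr(t, i)
        entries.append(AclEntry(seq, action, src, dst))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str) -> Tuple[Optional[int], str]:
    """Return (sequence, action) of the first matching entry; implicit deny otherwise."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if s in e.src and d in e.dst:
            return e.seq, e.action
    return None, "deny"


def nat_decision(acl: List[AclEntry], src_ip: str, dst_ip: str) -> str:
    """For 'ip nat inside source list <acl> ... overload': permit = translate, deny = leave alone."""
    _, action = evaluate(acl, src_ip, dst_ip)
    return "translate" if action == "permit" else "no-nat"


if __name__ == "__main__":
    for name, text in (("as in answer", ACL_101), ("permits first", ACL_101_WRONG_ORDER)):
        acl = parse_acl(text)
        print(name, "MGMT -> home:", nat_decision(acl, "192.168.5.10", "172.22.10.5"),
              "| MGMT -> Internet:", nat_decision(acl, "192.168.5.10", "8.8.8.8"))
```

With the answer's ordering, a packet from 192.168.5.10 to 172.22.10.5 stops at sequence 10 and leaves the router untranslated, while the same host reaching the Internet falls through to sequence 60 and is PATed. With permits sequenced first, the VPN-bound packet matches the permit for 192.168.5.0/24 before any deny is reached and is translated. The evaluator also makes visible that the answer's deny entries cover only 192.168.5.0/24, 192.168.10.0/24 and 192.168.1.0/24, so traffic from 192.168.11.0/24 or 192.168.200.0/24 toward 172.22.10.0/24 would still be translated.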

08-04-2021 01:40 PM
Hello,
good question. I have never tried this...
With the Mikrotik side configured as well, what is the result when you set the Mikrotik's IP address as the remote IP address on the FTD?
08-04-2021 10:46 PM
Hi,
I will have time to configure the Mikrotik today, but access to the FTD I will have only on Monday.
Also, from the FTD side there is no option to set this configuration:
Authentication Type: Pre-shared Manual Key
There is no option to enter a manual key. So even if I configure the Mikrotik today, there will be no connection, as there is no manual key that the FTD would accept.
08-04-2021 11:26 PM
Hello,
not sure if this is FTD version dependent, but in the screenshot below, you can manually enter the preshared key...
09-13-2021 01:33 PM
Hi,
sorry for the very late feedback.
I actually was able to make the connection. I do not know why, but I was able to make it only when, in the Mikrotik IPsec Policies tab, under this connection I changed Src Address to 0.0.0.0/0; Dst Address was MGMT (192.168.5.0/24), as in the FW config. Why only this configuration works, I have no idea.
Meanwhile, I am having issues reaching/pinging/tracerouting basically anything on the remote side. But I suspect it is the ASA here or routes in the Mikrotik.
And yes, your picture was correct, thank you.
09-13-2021 11:39 PM
Hello,
looks like you are making progress. Do you have the ASA config as well?
09-14-2021 12:11 AM
It is the same config from my first post here. I do suspect that I need to make a few allow rules there and some additional configuration on the Mikrotik side.
09-14-2021 06:32 AM
Hello,
it is not really clear from your initial post what you have configured on the FTD. Can you post the output of 'show running-config' from the FTD?
09-19-2021 11:31 PM
Hi,
I have this config on the FTD:
NGFW Version 6.6.4
!
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
!
interface Vlan1
shutdown
nameif inside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1/1
no switchport
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet1/2
no switchport
no nameif
no security-level
no ip address
!
interface Ethernet1/2.5
vlan 5
nameif mgmt
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.5.254 255.255.255.0
!
interface Ethernet1/2.10
vlan 10
nameif lan
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.10.254 255.255.255.0
!
interface Ethernet1/2.11
vlan 11
nameif kameros
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.11.254 255.255.255.0
!
interface Ethernet1/2.200
vlan 200
nameif guest
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.200.254 255.255.255.0
!
interface Ethernet1/3
switchport
shutdown
!
interface Ethernet1/4
switchport
shutdown
!
interface Ethernet1/5
switchport
shutdown
!
interface Ethernet1/6
switchport
shutdown
!
interface Ethernet1/7
switchport
power inline auto
shutdown
!
interface Ethernet1/8
switchport
power inline auto
shutdown
!
interface Management1/1
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup outside
dns domain-lookup mgmt
dns domain-lookup lan
dns domain-lookup kameros
dns domain-lookup guest
dns domain-lookup diagnostic
dns server-group CiscoUmbrellaDNSServerGroup
name-server 208.67.222.222
name-server 208.67.220.220
dns server-group TeliaDNS
name-server 212.59.8.18
name-server 212.59.8.19
dns-group TeliaDNS
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network any-ipv6
subnet ::/0
object network MGMT
subnet 192.168.5.0 255.255.255.0
object network LAN
subnet 192.168.10.0 255.255.255.0
object network Guest
subnet 192.168.200.0 255.255.255.0
object network Kameros
subnet 192.168.11.0 255.255.255.0
object network router
host 192.168.1.3
object network VPN
subnet 78.62.135.0 255.255.255.0
object network VPNnetwork
subnet 192.168.1.0 255.255.255.0
object-group service |acSvcg-268435461
service-object ip
object-group service |acSvcg-268435462
service-object ip
object-group service |acSvcg-268435463
service-object ip
object-group service |acSvcg-268435466
service-object ip
object-group network |acSrcNwg-268435466
network-object object Kameros
network-object object LAN
network-object object MGMT
object-group service |acSvcg-268435464
service-object ip
object-group network |acSrcNwg-268435464
network-object object Guest
network-object object Kameros
network-object object LAN
network-object object MGMT
object-group service |acSvcg-268435458
service-object ip
object-group network |acDestNwg-268435458
network-object object Kameros
network-object object MGMT
object-group service |acSvcg-268435467
service-object ip
object-group network |acSrcNwg-268435467
network-object object Guest
network-object object Kameros
network-object object LAN
network-object object MGMT
object-group network |s2sAclSrcNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
network-object object MGMT
object-group service |acSvcg-268435459
service-object ip
object-group network |acSrcNwg-268435459
network-object object Kameros
network-object object MGMT
object-group network |s2sAclDestNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
network-object object any-ipv4
object-group service |acSvcg-268435457
service-object ip
access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435461: L5 RULE: Guest - Kameros - Block
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435461 ifc guest object Guest ifc kameros object Kameros rule-id 268435461 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: Guest - LAN - Block
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435462 ifc guest object Guest ifc lan object LAN rule-id 268435462 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Guest - MGMT - Block
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435463 ifc guest object Guest ifc mgmt object MGMT rule-id 268435463 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435466: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435466: L5 RULE: LAN - Guest - Block
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435466 ifc kameros object-group |acSrcNwg-268435466 ifc guest object Guest rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435466 ifc lan object-group |acSrcNwg-268435466 ifc guest object Guest rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435466 ifc mgmt object-group |acSrcNwg-268435466 ifc guest object Guest rule-id 268435466 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L7 RULE: LAN - WAN - Block
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc guest object-group |acSrcNwg-268435464 ifc outside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc kameros object-group |acSrcNwg-268435464 ifc outside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc lan object-group |acSrcNwg-268435464 ifc outside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc mgmt object-group |acSrcNwg-268435464 ifc outside any rule-id 268435464 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: LAN - MGMT - Kameros
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc lan object LAN ifc kameros object-group |acDestNwg-268435458 rule-id 268435458 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 ifc lan object LAN ifc mgmt object-group |acDestNwg-268435458 rule-id 268435458 event-log flow-end
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Kameros - MGMT - LAN
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc kameros object-group |acSrcNwg-268435459 ifc lan object LAN rule-id 268435459
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 ifc mgmt object-group |acSrcNwg-268435459 ifc lan object LAN rule-id 268435459
access-list NGFW_ONBOX_ACL remark rule-id 268435467: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435467: L7 RULE: WAN - Allow
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435467 ifc guest object-group |acSrcNwg-268435467 ifc outside any rule-id 268435467 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435467 ifc kameros object-group |acSrcNwg-268435467 ifc outside any rule-id 268435467 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435467 ifc lan object-group |acSrcNwg-268435467 ifc outside any rule-id 268435467 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435467 ifc mgmt object-group |acSrcNwg-268435467 ifc outside any rule-id 268435467 event-log flow-end
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: vpn
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc guest any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc kameros any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc lan any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc mgmt any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object VPNnetwork ifc outside any rule-id 268435457 event-log flow-end
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1 event-log both
access-list |s2sAcl|0d5ebd67-eddd-11eb-82fb-079b31812f0f extended permit ip object-group |s2sAclSrcNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f object-group |s2sAclDestNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
pager lines 24
logging enable
logging timestamp
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
mtu lan 1500
mtu kameros 1500
mtu guest 1500
mtu diagnostic 1500
no failover
no monitor-interface outside
no monitor-interface mgmt
no monitor-interface lan
no monitor-interface kameros
no monitor-interface guest
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
access-group NGFW_ONBOX_ACL global
route outside 0.0.0.0 0.0.0.0 192.168.1.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
http ::/0 inside
http 192.168.10.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 inside
ip-client diagnostic
ip-client diagnostic ipv6
ip-client inside
ip-client inside ipv6
ip-client mgmt
ip-client mgmt ipv6
ip-client lan
ip-client lan ipv6
ip-client kameros
ip-client kameros ipv6
ip-client guest
ip-client guest ipv6
ip-client outside
ip-client outside ipv6
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 0
no sysopt connection permit-vpn
crypto ipsec ikev2 ipsec-proposal Mikrotik-IPSEC
protocol esp encryption aes-256 aes-192 aes
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|0d5ebd67-eddd-11eb-82fb-079b31812f0f
crypto map s2sCryptoMap 1 set peer 78.62.135.52
crypto map s2sCryptoMap 1 set ikev2 ipsec-proposal Mikrotik-IPSEC
crypto map s2sCryptoMap 1 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 1 set security-association lifetime kilobytes 4608000
crypto map s2sCryptoMap interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256 aes-192 aes
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 policy 150
authentication rsa-sig
encryption des
hash sha
group 14
lifetime 86400
crypto ikev1 policy 160
authentication pre-share
encryption des
hash sha
group 14
lifetime 86400
telnet timeout 5
console timeout 0
dhcpd dns 212.59.8.18 212.59.8.19
!
dhcpd address 192.168.5.50-192.168.5.90 mgmt
dhcpd enable mgmt
!
dhcpd address 192.168.10.1-192.168.10.250 lan
dhcpd enable lan
!
dhcpd address 192.168.11.1-192.168.11.250 kameros
dhcpd enable kameros
!
dhcpd address 192.168.200.1-192.168.200.250 guest
dhcpd enable guest
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client
webvpn
anyconnect ssl dtls none
group-policy |s2sGP|78.62.135.52 internal
group-policy |s2sGP|78.62.135.52 attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 78.62.135.52 type ipsec-l2l
tunnel-group 78.62.135.52 general-attributes
default-group-policy |s2sGP|78.62.135.52
tunnel-group 78.62.135.52 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect snmp
inspect xdmcp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
app-agent heartbeat interval 1000 retry-count 3
snort preserve-connection
Cryptochecksum:eb1f599597de7afd85462325c344acbb
: end
Mikrotik:
/ip ipsec active-peers> print
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL REMOTE-ADDRESS DYNAMIC-ADDRESS
0 R 192.168.1.2 established 5d24m31s 1 82.135.241.34
/ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 R name="Kalv ASA" address=82.135.241.34/32 local-address=78.62.135.52 passive=yes profile=Kalv ASA exchange-mode=ike2 send-initial-contact=no
/ip ipsec policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * ::/0 ::/0 all
2 A Kalv ASA yes 0.0.0.0/0 192.168.5.0/24 all encrypt require 1
09-20-2021 12:21 AM
Hello,
this is your interesting traffic:
access-list |s2sAcl|0d5ebd67-eddd-11eb-82fb-079b31812f0f extended permit ip object-group |s2sAclSrcNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f object-group |s2sAclDestNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
I can at the very least not find 'network-object object any-ipv4'. You might want to change the access lists and VPN object groups to something more descriptive, as it is now very difficult to see what is what.
Either way, what are the source and destination IP subnets on both sides?
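As an added example (not code from the thread, from Cisco or from Mikrotik), the script below resolves the FTD's site-to-site crypto ACL from the running-config posted above into concrete subnet pairs, so the auto-generated |s2sAcl...| and |s2sAclSrcNwgV4...| names become readable, and then checks whether the Mikrotik policy is the exact mirror of those pairs, which is the usual requirement for a policy-based tunnel. The FTD excerpt is copied from the config above; the Mikrotik policies are transcribed from the '/ip ipsec policy print' output (policy 2) plus a constructed alternative using the home subnet 172.22.10.0/24 named later in the thread. All function names are my own.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

# Object definitions and the s2s crypto ACL, excerpted from the posted FTD config.
FTD_CONFIG = """
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network MGMT
subnet 192.168.5.0 255.255.255.0
object network VPNnetwork
subnet 192.168.1.0 255.255.255.0
object-group network |s2sAclSrcNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
network-object object MGMT
object-group network |s2sAclDestNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
network-object object any-ipv4
access-list |s2sAcl|0d5ebd67-eddd-11eb-82fb-079b31812f0f extended permit ip object-group |s2sAclSrcNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f object-group |s2sAclDestNwgV4|0d5ebd67-eddd-11eb-82fb-079b31812f0f
"""
S2S_ACL = "|s2sAcl|0d5ebd67-eddd-11eb-82fb-079b31812f0f"

# Mikrotik policy 2 as posted (src 0.0.0.0/0 -> dst 192.168.5.0/24) ...
MIKROTIK_AS_POSTED = [{"src": "0.0.0.0/0", "dst": "192.168.5.0/24"}]
# ... and a constructed policy using the real home subnet as source.
MIKROTIK_HOME_SUBNET = [{"src": "172.22.10.0/24", "dst": "192.168.5.0/24"}]


def _resolve(t: List[str], i: int, objects: Dict[str, Net],
             groups: Dict[str, List[Net]]) -> Tuple[List[Net], int]:
    """Expand one ACE address specification into a list of networks."""
    kind = t[i]
    if kind == "object-group":
        return groups[t[i + 1]], i + 2
    if kind == "object":
        return [objects[t[i + 1]]], i + 2
    if kind in ("any", "any4"):
        return [Net("0.0.0.0/0")], i + 1
    if kind == "host":
        return [Net(f"{t[i + 1]}/32")], i + 2
    return [Net(f"{t[i]}/{t[i + 1]}")], i + 2  # 'address netmask'


def parse_ftd(config: str) -> Tuple[Dict[str, Net], Dict[str, List[Net]], Dict[str, List[Pair]]]:
    """Collect network objects, network object-groups and extended ACLs as (src, dst) pairs."""
    objects: Dict[str, Net] = {}
    groups: Dict[str, List[Net]] = {}
    acls: Dict[str, List[Pair]] = {}
    current = None  # ("object", name) or ("group", name) currently being defined
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object", "network"]:
            current = ("object", t[2])
        elif t[:2] == ["object-group", "network"]:
            current = ("group", t[2])
            groups[t[2]] = []
        elif t[0] == "subnet" and current and current[0] == "object":
            objects[current[1]] = Net(f"{t[1]}/{t[2]}")  # ASA 'subnet addr mask'
        elif t[0] == "host" and current and current[0] == "object":
            objects[current[1]] = Net(f"{t[1]}/32")
        elif t[0] == "network-object" and current and current[0] == "group":
            nets, _ = _resolve(t, 1, objects, groups)
            groups[current[1]].extend(nets)
        elif t[0] == "access-list" and len(t) > 3 and t[2] == "extended" and t[3] == "permit":
            # access-list <name> extended permit <proto> <src-spec> <dst-spec>
            src, i = _resolve(t, 5, objects, groups)
            dst, _ = _resolve(t, i, objects, groups)
            acls.setdefault(t[1], []).extend((s, d) for s in src for d in dst)
    return objects, groups, acls


def mirror_report(ftd_pairs: List[Pair], mikrotik: List[dict]) -> dict:
    """Each FTD (src, dst) pair must appear on the Mikrotik as (dst, src), and vice versa."""
    mt_pairs = [(Net(p["src"]), Net(p["dst"])) for p in mikrotik]
    ftd_only = [(str(s), str(d)) for s, d in ftd_pairs if (d, s) not in mt_pairs]
    mt_only = [(str(s), str(d)) for s, d in mt_pairs if (d, s) not in ftd_pairs]
    return {"mirrored": not ftd_only and not mt_only,
            "ftd_only": ftd_only, "mikrotik_only": mt_only}


if __name__ == "__main__":
    _, _, acls = parse_ftd(FTD_CONFIG)
    pairs = acls[S2S_ACL]
    print("FTD encrypts:", [(str(s), str(d)) for s, d in pairs])
    print("as posted    :", mirror_report(pairs, MIKROTIK_AS_POSTED))
    print("home subnet  :", mirror_report(pairs, MIKROTIK_HOME_SUBNET))
```

Resolving the groups shows the FTD selector as 192.168.5.0/24 to 0.0.0.0/0, and the Mikrotik policy as posted (0.0.0.0/0 to 192.168.5.0/24) is its exact mirror, which matches the observation earlier in the thread that only that policy came up. A Mikrotik policy with source 172.22.10.0/24 does not mirror the FTD's any-ipv4 destination; it becomes a mirror once the FTD's remote network object is changed to 172.22.10.0/24, as the original poster intends later in the thread.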
09-20-2021 01:15 AM
From Mikrotik: 172.22.10.0/24
To FTD: I set the MGMT network; I mean I hoped that I would be able to reach devices in that network (192.168.5.0/24).
09-20-2021 02:41 AM
Hello,
I don't see anything on the FTD matching the Mikrotik network, 172.22.10.0/24? Which object is supposed to represent this subnet?
09-20-2021 03:09 AM
On the FTD, I had this added. But after that, I had to change the Mikrotik network and I did not make changes on the FTD. So I will change this object to match 172.22.10.0/24:
object network VPNnetwork
subnet 192.168.1.0 255.255.255.0
10-04-2021 06:03 AM
Hi,
I think I will drop this one, because I cannot make a normal connection to the FTD and I actually do not know where I have actually been connecting (FTD or router, because I tried to make IPsec to the router before that).
So thank you for your help. The general idea, I think, was very opportunistic.
10-04-2021 08:48 AM
Hello,
FTD/ASA or IOS router should not really matter, as the settings are very similar.
