08-04-2021 09:33 AM
Hello,
I am wondering if I am able to have a VPN site-to-site connection from the Firepower 1010 to my home Mikrotik.
The configuration that I have in place A, where the FW is placed, looks like this:
ISP to Cisco router ISR1101 (without security license (so I cannot have IPSec there)). ISR1101 to FTD1010 Port1
I have on the FTD configured route 0.0.0.0/0 to 192.168.1.1 (this is the router's Vlan1 IP address that is configured on Gi0/1/0). FTD Interface 1 is routed and has the 192.168.1.2 IP address.
My home Mikrotik has a DHCP IP address from the ISP and also has the internal IP address 192.168.1.1.
So I am wondering, because I do not have a license for the router to make IPSec, is it possible to make IPSec to the FTD instead? I made this site-to-site config on the FTD for the moment, which is not finished:
Connection Name: VPN
VPN Access Interface IP: outside (192.168.1.2) this is FTD Interface 1 IP address, interface connected to router
Network: MGMT(192.168.5.0/24)
Peer IP Address: here is IP of my Home Mikrotik
Peer Network: VPN (my Home ip address range that i receive from ISP)
IKE Version 2
IKE Policy: aes-sha256-sha256-14
IPSec Proposal: aes-256-sha-256
Authentication Type: Pre-shared Manual Key
IKE Version 1: Disabled
OTHER
NAT Exempt: —
Diffie-Hellman Group: Null (not selected)
Router IP: Here is the Cisco router's IP address that it receives from the ISP.
Router config:
boot-start-marker
boot system bootflash:c1100-universalk9_ias.17.03.03.SPA.bin
boot-end-marker
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone GMT 2 0
clock summer-time GMT+2 recurring last Sun Mar 2:00 last Sun Oct 2:00
ip options drop
no ip domain lookup
ip domain lookup source-interface GigabitEthernet0/0/0
login block-for 120 attempts 4 within 120
login on-failure log
login on-success log
subscriber templating
multilink bundle-name authenticated
no device-tracking logging theft
license accept end user agreement
license boot level appxk9
archive
log config
logging enable
logging size 500
notify syslog contenttype plaintext
memory free low-watermark processor 71858
diagnostic bootup level minimal
spanning-tree extend system-id
redundancy
mode none
vlan internal allocation policy ascending
interface GigabitEthernet0/0/0
description ISP1
ip address dhcp
ip nat outside
media-type rj45
negotiation auto
no cdp enable
interface GigabitEthernet0/1/0
description TO FW Port 1
switchport mode access
interface GigabitEthernet0/1/1
shutdown
interface GigabitEthernet0/1/2
shutdown
interface GigabitEthernet0/1/3
shutdown
interface Vlan1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip http server
no ip http secure-server
no ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 192.168.5.0 255.255.255.0 192.168.1.2 name MGMT
ip route 192.168.10.0 255.255.255.0 192.168.1.2 name LAN
ip route 192.168.11.0 255.255.255.0 192.168.1.2 name Kameros
ip route 192.168.200.0 255.255.255.0 192.168.1.2 name Guest
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
ip ssh rsa keypair-name MGMT
ip ssh version 2
logging trap notifications
logging origin-id hostname
logging facility syslog
ip access-list standard 1
10 permit 192.168.1.0 0.0.0.255
20 permit 192.168.10.0 0.0.0.255
30 permit 192.168.5.0 0.0.0.255
40 permit 192.168.11.0 0.0.0.255
50 permit 192.168.200.0 0.0.0.255
10-04-2021 10:05 PM
Yes, that is correct. The only problem is that I never did IPSec connections before (full config on my own) and that the FW is behind the router and does not have a public IP address at all.
So for the client to be happy, I decided to make IPSec to the Mikrotik from the router. And after that is done, I can work my way to the Mikrotik-to-FTD IPSec. As for now, I need to make IPSec and see the equipment that is there as fast as I can.
There are many gaps that I need to fill in networking; I just need time and determination.
For now I do thank you for your help and will mark your replies accordingly.
10-13-2021 10:07 AM - edited 10-13-2021 10:09 AM
Hi,
Well, I did make IPSec from the Mikrotik to the Cisco router. I just have a problem: I cannot ping anything.
Cisco router IPSec config:
crypto isakmp policy 1
encryption aes 256
hash sha256
authentication pre-share
group 14
crypto isakmp key randompsw address 78.62.135.52
!
crypto ipsec transform-set mikrotik esp-aes 256 esp-sha256-hmac
mode transport
!
crypto ipsec profile Remote
set transform-set mikrotik
!
crypto map VPN 1 ipsec-isakmp
set peer 78.62.135.52
set transform-set mikrotik
match address 110
interface GigabitEthernet0/0/0
description ISP1
ip address dhcp
ip nat outside
media-type rj45
negotiation auto
no cdp enable
crypto map VPN
ip virtual-reassembly
interface Vlan1
description LAN
ip address 192.168.1.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
no ip http server
ip http authentication local
no ip http secure-server
ip http client source-interface GigabitEthernet0/1/0
no ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload (old nat source list, removed source list, need to restart router to remove this line).
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip route 192.168.5.0 255.255.255.0 192.168.1.2 name MGMT
ip route 192.168.10.0 255.255.255.0 192.168.1.2 name LAN
ip route 192.168.11.0 255.255.255.0 192.168.1.2 name Kameros
ip route 192.168.200.0 255.255.255.0 192.168.1.2 name Guest
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
logging trap notifications
logging origin-id hostname
logging facility syslog
ip access-list extended 101
10 permit ip 192.168.1.0 0.0.0.255 any
20 permit ip 192.168.10.0 0.0.0.255 any
30 permit ip 192.168.5.0 0.0.0.255 any
40 permit ip 192.168.11.0 0.0.0.255 any
50 permit ip 192.168.200.0 0.0.0.255 any
60 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
70 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
80 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
ip access-list extended 110
10 permit ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
20 permit ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
30 permit ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
#ping 172.22.10.1 source vlan 1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.22.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.3
........................
Success rate is 0 percent (0/24)
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
82.135.241.34 78.62.135.52 QM_IDLE 1013 ACTIVE
IPv6 Crypto ISAKMP SA
#sh crypto ipsec sa
interface: GigabitEthernet0/0/0
Crypto map tag: VPN, local addr 82.135.241.34
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.22.10.0/255.255.255.0/0/0)
current_peer 78.62.135.52 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 82.135.241.34, remote crypto endpt.: 78.62.135.52
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.22.10.0/255.255.255.0/0/0)
current_peer 78.62.135.52 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 401, #pkts decrypt: 401, #pkts verify: 401
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 82.135.241.34, remote crypto endpt.: 78.62.135.52
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x51DFCA0(85851296)
PFS (Y/N): Y, DH group: group14
inbound esp sas:
spi: 0x231396CA(588486346)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2287, flow_id: ESG:287, sibling_flags FFFFFFFF80000048, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4607999/1488)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x51DFCA0(85851296)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2288, flow_id: ESG:288, sibling_flags FFFFFFFF80000048, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4608000/1488)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.22.10.0/255.255.255.0/0/0)
current_peer 78.62.135.52 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 82.135.241.34, remote crypto endpt.: 78.62.135.52
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
And I cannot figure out where the problem is. Here I do have a problem:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
10-13-2021 10:29 AM
Hello,
the sequences in your access list 101 are in the wrong order. Make sure the access list looks EXACTLY like this:
ip access-list extended 101
10 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
30 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
40 permit ip 192.168.1.0 0.0.0.255 any
50 permit ip 192.168.10.0 0.0.0.255 any
60 permit ip 192.168.5.0 0.0.0.255 any
70 permit ip 192.168.11.0 0.0.0.255 any
80 permit ip 192.168.200.0 0.0.0.255 any
10-13-2021 10:49 AM
Thank you. That did it.
I never thought that deny should be first and then permit.
10-13-2021 11:25 AM
Hello,
the permit is the first match; if that match is found, the rest of the access list is never checked. That is why the order is important.
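The two ACL 101 orderings from this thread (the original one and the corrected one from the 10-13-2021 10:29 AM reply) can be evaluated with a small model of IOS first-match semantics, which shows why the NAT-exempt deny entries have to sit above the permit-any entries. This is an added example, not configuration or code from the thread or from Cisco; it models the IOS inside-to-outside order of operations (NAT is evaluated before the crypto map, so a packet that the NAT ACL permits is translated and no longer matches the private sources listed in crypto ACL 110). The host addresses 192.168.5.10, 192.168.11.5, 10.0.0.1 and 8.8.8.8 are constructed test inputs; the ACL lines themselves are the ones posted above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry: sequence, permit/deny, source and destination operands."""
    seq: int
    action: str  # "permit" or "deny"
    src: str     # "any" or "<network> <wildcard>"
    dst: str     # "any" or "<network> <wildcard>"


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one IOS address operand: 'any', 'host A.B.C.D', or '<net> <wildcard>'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse 'seq permit|deny ip <src> <dst>' lines exactly as the running-config prints them."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[1] not in ("permit", "deny"):
            continue
        seq, action = int(tokens[0]), tokens[1]
        src, rest = _take_addr(tokens[3:])  # tokens[2] is the protocol keyword ("ip")
        dst, _ = _take_addr(rest)
        acl.append(Ace(seq, action, src, dst))
    return sorted(acl, key=lambda e: e.seq)


def _matches(operand: str, ip: str) -> bool:
    """IOS wildcard-mask match: a 0 bit in the wildcard means that bit must match."""
    if operand == "any":
        return True
    base, wildcard = operand.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def first_match(acl: List[Ace], src_ip: str, dst_ip: str) -> Tuple[Optional[int], str]:
    """Return (seq, action) of the first matching ACE; (None, 'deny') is the implicit deny."""
    for ace in acl:
        if _matches(ace.src, src_ip) and _matches(ace.dst, dst_ip):
            return ace.seq, ace.action
    return None, "deny"


def outbound_decision(nat_acl: List[Ace], crypto_acl: List[Ace], src_ip: str, dst_ip: str) -> str:
    """Model the inside-to-outside order: NAT first, then the crypto map.
    'translated' = NAT rewrote the source, so the crypto ACL can no longer match it;
    'encrypted'  = NAT-exempt and selected by the crypto ACL; 'plain' = neither."""
    if first_match(nat_acl, src_ip, dst_ip)[1] == "permit":
        return "translated"
    if first_match(crypto_acl, src_ip, dst_ip)[1] == "permit":
        return "encrypted"
    return "plain"


# ACL 101 as originally posted (permits first, denies last)
ACL_101_ORIGINAL = parse_acl("""
10 permit ip 192.168.1.0 0.0.0.255 any
20 permit ip 192.168.10.0 0.0.0.255 any
30 permit ip 192.168.5.0 0.0.0.255 any
40 permit ip 192.168.11.0 0.0.0.255 any
50 permit ip 192.168.200.0 0.0.0.255 any
60 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
70 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
80 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
""")

# ACL 101 as corrected in the reply (denies for the VPN traffic first)
ACL_101_FIXED = parse_acl("""
10 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
30 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
40 permit ip 192.168.1.0 0.0.0.255 any
50 permit ip 192.168.10.0 0.0.0.255 any
60 permit ip 192.168.5.0 0.0.0.255 any
70 permit ip 192.168.11.0 0.0.0.255 any
80 permit ip 192.168.200.0 0.0.0.255 any
""")

# Crypto ACL 110 (interesting traffic) from the thread
ACL_110 = parse_acl("""
10 permit ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
20 permit ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
30 permit ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
""")

if __name__ == "__main__":
    # Constructed test hosts: a MGMT host talking to the remote 172.22.10.0/24 network.
    for name, nat_acl in (("original", ACL_101_ORIGINAL), ("fixed", ACL_101_FIXED)):
        seq, action = first_match(nat_acl, "192.168.5.10", "172.22.10.1")
        print(f"{name}: NAT ACL hit seq {seq} ({action}) -> "
              f"{outbound_decision(nat_acl, ACL_110, '192.168.5.10', '172.22.10.1')}")
```

With the original ordering the MGMT-to-remote packet hits sequence 30 (permit) and is translated, which matches the `#pkts encaps: 0` counters in the `show crypto ipsec sa` output above: the tunnel is up and decrypting inbound packets, but nothing outbound ever reaches the crypto map with a private source. With the corrected ordering the same packet hits sequence 10 (deny), is exempt from NAT, and is then selected by crypto ACL 110.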