VPN Site to Site/IPSec from FW1010 to Mikrotik

san4ez39
Level 1

Hello,

I am wondering if I am able to have a site-to-site VPN connection from a Firepower 1010 to my home Mikrotik.

The configuration that I have in place at site A, where the FW is located, looks like this:

ISP to Cisco router ISR1101 (without a security license, so I cannot have IPsec there). ISR1101 to FTD1010 Port1.

On the FTD I have configured the route 0.0.0.0/0 to 192.168.1.1 (this is the router's Vlan1 IP address, which is configured on Gi0/1/0). FTD interface 1 is routed and has the IP address 192.168.1.2.

My home Mikrotik has a DHCP IP address from the ISP and also has the internal IP address 192.168.1.1.

So I am wondering, because I do not have a license for the router to do IPsec, is it possible to do IPsec to the FTD instead? For the moment I made this site-to-site config on the FTD, which is not finished:

 

Connection Name: VPN

 

VPN Access Interface IP: outside (192.168.1.2), this is the FTD interface 1 IP address, the interface connected to the router

Network: MGMT(192.168.5.0/24)

 

Peer IP Address: here is IP of my Home Mikrotik

Peer Network: VPN (my Home ip address range that i receive from ISP)

 

IKE Version 2

IKE Policy: aes-sha256-sha256-14

IPSec Proposal: aes-256-sha-256

Authentication Type: Pre-shared Manual Key

 

IKE Version 1: Disabled

 

OTHER

NAT Exempt: —

 

Diffie-Hellman Group: Null (not selected)

 

Router IP: Here is Cisco routers IP address that it receives from ISP.

 

Router config:

boot-start-marker
boot system bootflash:c1100-universalk9_ias.17.03.03.SPA.bin
boot-end-marker
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone GMT 2 0
clock summer-time GMT+2 recurring last Sun Mar 2:00 last Sun Oct 2:00
ip options drop
no ip domain lookup
ip domain lookup source-interface GigabitEthernet0/0/0
login block-for 120 attempts 4 within 120
login on-failure log
login on-success log
subscriber templating
multilink bundle-name authenticated
no device-tracking logging theft
license accept end user agreement
license boot level appxk9
archive
 log config
  logging enable
  logging size 500
  notify syslog contenttype plaintext
memory free low-watermark processor 71858
diagnostic bootup level minimal
spanning-tree extend system-id
redundancy
 mode none
vlan internal allocation policy ascending
interface GigabitEthernet0/0/0
 description ISP1
 ip address dhcp
 ip nat outside
 media-type rj45
 negotiation auto
 no cdp enable
interface GigabitEthernet0/1/0
 description TO FW Port 1
 switchport mode access
interface GigabitEthernet0/1/1
 shutdown
interface GigabitEthernet0/1/2
 shutdown
interface GigabitEthernet0/1/3
 shutdown
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
no ip http server
no ip http secure-server
no ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 192.168.5.0 255.255.255.0 192.168.1.2 name MGMT
ip route 192.168.10.0 255.255.255.0 192.168.1.2 name LAN
ip route 192.168.11.0 255.255.255.0 192.168.1.2 name Kameros
ip route 192.168.200.0 255.255.255.0 192.168.1.2 name Guest
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
ip ssh rsa keypair-name MGMT
ip ssh version 2
logging trap notifications
logging origin-id hostname
logging facility syslog
ip access-list standard 1
 10 permit 192.168.1.0 0.0.0.255
 20 permit 192.168.10.0 0.0.0.255
 30 permit 192.168.5.0 0.0.0.255
 40 permit 192.168.11.0 0.0.0.255
 50 permit 192.168.200.0 0.0.0.255

19 Replies

Yes, that is correct. The only problem is that I have never done IPsec connections before (full config on my own) and that the FW is behind the router and does not have a public IP address at all.

So, for the client to be happy, I decided to make the IPsec to the Mikrotik from the router. After that is done, I can work my way to Mikrotik-to-FTD IPsec. For now I need to get the IPsec up and see the equipment that is there as fast as I can.

There are many gaps in networking that I need to fill; I just need time and determination.

For now I do thank you for your help and will mark your replies accordingly.

Hi,

 

Well, I did make IPsec from the Mikrotik to the Cisco router. I just have a problem: I cannot ping anything.

Cisco router IPSec config:

crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key randompsw address 78.62.135.52
!
crypto ipsec transform-set mikrotik esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile Remote
 set transform-set mikrotik
!
crypto map VPN 1 ipsec-isakmp
 set peer 78.62.135.52
 set transform-set mikrotik
 match address 110
!
interface GigabitEthernet0/0/0
 description ISP1
 ip address dhcp
 ip nat outside
 media-type rj45
 negotiation auto
 no cdp enable
 crypto map VPN
 ip virtual-reassembly
!
interface Vlan1
 description LAN
 ip address 192.168.1.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
no ip http server
ip http authentication local
no ip http secure-server
ip http client source-interface GigabitEthernet0/1/0
no ip forward-protocol nd
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
! (old NAT source list; I removed the access list, but I need to restart the router to remove this line)
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip route 192.168.5.0 255.255.255.0 192.168.1.2 name MGMT
ip route 192.168.10.0 255.255.255.0 192.168.1.2 name LAN
ip route 192.168.11.0 255.255.255.0 192.168.1.2 name Kameros
ip route 192.168.200.0 255.255.255.0 192.168.1.2 name Guest
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
logging trap notifications
logging origin-id hostname
logging facility syslog
ip access-list extended 101
 10 permit ip 192.168.1.0 0.0.0.255 any
 20 permit ip 192.168.10.0 0.0.0.255 any
 30 permit ip 192.168.5.0 0.0.0.255 any
 40 permit ip 192.168.11.0 0.0.0.255 any
 50 permit ip 192.168.200.0 0.0.0.255 any
 60 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
 70 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
 80 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
ip access-list extended 110
 10 permit ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
 20 permit ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
 30 permit ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255

 

#ping 172.22.10.1 source vlan 1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 172.22.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.3
........................
Success rate is 0 percent (0/24)

 

#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
82.135.241.34 78.62.135.52 QM_IDLE 1013 ACTIVE

IPv6 Crypto ISAKMP SA

 

#sh crypto ipsec sa

interface: GigabitEthernet0/0/0
Crypto map tag: VPN, local addr 82.135.241.34

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.22.10.0/255.255.255.0/0/0)
current_peer 78.62.135.52 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 82.135.241.34, remote crypto endpt.: 78.62.135.52
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.22.10.0/255.255.255.0/0/0)
current_peer 78.62.135.52 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 401, #pkts decrypt: 401, #pkts verify: 401
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 82.135.241.34, remote crypto endpt.: 78.62.135.52
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x51DFCA0(85851296)
PFS (Y/N): Y, DH group: group14

inbound esp sas:
spi: 0x231396CA(588486346)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2287, flow_id: ESG:287, sibling_flags FFFFFFFF80000048, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4607999/1488)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x51DFCA0(85851296)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2288, flow_id: ESG:288, sibling_flags FFFFFFFF80000048, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4608000/1488)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.22.10.0/255.255.255.0/0/0)
current_peer 78.62.135.52 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 82.135.241.34, remote crypto endpt.: 78.62.135.52
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

 

And I cannot figure out where the problem is. Here is where I do have a problem:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

Hello,

 

The sequences in your access list 101 are in the wrong order. Make sure the access list looks EXACTLY like this:

 

ip access-list extended 101
 10 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
 20 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
 30 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
 40 permit ip 192.168.1.0 0.0.0.255 any
 50 permit ip 192.168.10.0 0.0.0.255 any
 60 permit ip 192.168.5.0 0.0.0.255 any
 70 permit ip 192.168.11.0 0.0.0.255 any
 80 permit ip 192.168.200.0 0.0.0.255 any

Thank you. That did it.

I never thought that the deny should come first and then the permit.

Hello,

 

The permit is the first match; if that match is found, the rest of the access list is never checked. That is why the order is important.
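The first-match behaviour explained in the two replies above, modelled as an added example (this is not code from the thread or from Cisco): a small Python evaluator for IOS extended ACL lines that applies NAT ACL 101 and then crypto ACL 110 in the order an IOS crypto-map router applies them to inside-to-outside traffic. The ACL contents and the router's outside address 82.135.241.34 are taken from the thread; the sample packets, the function names and the hypothetical "outside address" model of overload NAT are constructed for this illustration.

```python
import ipaddress

# Added example, not from the original thread: a minimal evaluator for Cisco
# IOS extended ACL lines, used to show why the order of ACEs in NAT ACL 101
# decides whether traffic to the IPsec peer network is translated or encrypted.


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)  # IOS wildcard is the inverted netmask
    return ipaddress.ip_network((tok, str(netmask)), strict=False)


def parse_acl(text):
    """Parse lines like '60 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255'."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if proto != "ip":
            raise ValueError("only 'ip' ACEs are modelled here: " + line)
        rest = tokens[3:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        entries.append((seq, action, src, dst))
    return entries


def evaluate(acl, src_ip, dst_ip):
    """IOS semantics: the first ACE that matches wins; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action, seq
    return "deny", None


def will_be_encrypted(nat_acl, crypto_acl, src_ip, dst_ip, outside_ip):
    """Inside-to-outside on an IOS crypto-map router: NAT runs before the crypto
    map is consulted. If the NAT ACL permits the packet, its source becomes the
    outside address and it no longer matches the crypto ACL, so it leaves in the
    clear (the '#pkts encaps: 0' symptom shown in the thread)."""
    nat_action, _ = evaluate(nat_acl, src_ip, dst_ip)
    effective_src = outside_ip if nat_action == "permit" else src_ip
    crypto_action, _ = evaluate(crypto_acl, effective_src, dst_ip)
    return crypto_action == "permit"


# ACL contents as posted in the thread; the outside address is the local
# crypto endpoint from the 'sh crypto ipsec sa' output.
NAT_ACL_ORIGINAL = """
10 permit ip 192.168.1.0 0.0.0.255 any
20 permit ip 192.168.10.0 0.0.0.255 any
30 permit ip 192.168.5.0 0.0.0.255 any
40 permit ip 192.168.11.0 0.0.0.255 any
50 permit ip 192.168.200.0 0.0.0.255 any
60 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
70 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
80 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
"""

NAT_ACL_FIXED = """
10 deny ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
20 deny ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
30 deny ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
40 permit ip 192.168.1.0 0.0.0.255 any
50 permit ip 192.168.10.0 0.0.0.255 any
60 permit ip 192.168.5.0 0.0.0.255 any
70 permit ip 192.168.11.0 0.0.0.255 any
80 permit ip 192.168.200.0 0.0.0.255 any
"""

CRYPTO_ACL_110 = """
10 permit ip 192.168.5.0 0.0.0.255 172.22.10.0 0.0.0.255
20 permit ip 192.168.10.0 0.0.0.255 172.22.10.0 0.0.0.255
30 permit ip 192.168.1.0 0.0.0.255 172.22.10.0 0.0.0.255
"""

OUTSIDE_IP = "82.135.241.34"


def ping_is_encrypted(nat_text):
    """The ping from the thread: Vlan1 (192.168.1.3) to 172.22.10.1 behind the Mikrotik."""
    return will_be_encrypted(parse_acl(nat_text), parse_acl(CRYPTO_ACL_110),
                             "192.168.1.3", "172.22.10.1", OUTSIDE_IP)


if __name__ == "__main__":
    print("original ACL 101, ping encrypted:", ping_is_encrypted(NAT_ACL_ORIGINAL))
    print("corrected ACL 101, ping encrypted:", ping_is_encrypted(NAT_ACL_FIXED))
```

With the original ACL the ping hits sequence 10 (permit 192.168.1.0/24 any) before it ever reaches the deny at sequence 80, so it is translated and never matches crypto ACL 110; with the corrected ACL it hits the deny at sequence 30, keeps its inside source and is encrypted. Note that 192.168.11.0/24 and 192.168.200.0/24 are still translated in both versions because they are not in ACL 110 at all; add matching deny and permit lines to both lists if those networks also need to reach 172.22.10.0/24 through the tunnel.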
