Mikrotik to Cisco ASA IPsec VPN


We needed to set up an IPsec VPN for a client whose remote location already had a Cisco ASA. So here is a Mikrotik to Cisco ASA IPsec howto.

Tutorial Scenario

Cisco ASA site

  • WAN: 1.1.1.2/30 (outside)
  • LAN: 192.168.2.1/24 (inside)

Mikrotik site

  • WAN: 1.1.1.1/30 (ether1)
  • LAN: 192.168.1.1/24 (ether2)

Cisco ASA to Mikrotik configuration

Launch the VPN configuration wizard on your Cisco ASA router

Set VPN Tunnel Type as Site-to-Site

VPN Wizard Step1

Set the Remote Peer IP Address to 1.1.1.1 (the Mikrotik WAN address) and the Pre-shared Key. The Tunnel Group Name should also be the Remote Peer IP Address.

VPN Wizard Step2

Set the IKE Policy Encryption to 3DES, Authentication to MD5 and DH Group to 2

VPN Wizard Step3

Set the IPsec Encryption to 3DES and Authentication to MD5

VPN Wizard Step4

Set the Local and Remote Networks

VPN Wizard Step5

Don’t forget to set the IKE Parameters Identity to Address, otherwise the peers will not match each other’s IKE identity and the tunnel will fail to come up.

IKE Parameters


Mikrotik to Cisco ASA configuration

Create new policy

Mikrotik IPsec Policy

Create new Peer

Mikrotik IPsec Peer

Modify the default proposal to accept MD5 as Authentication

Mikrotik IPsec Proposal

Create a NAT rule that bypasses masquerading for the traffic that should go through the tunnel

Mikrotik NAT Rule

Move the rule to the top

Mikrotik NAT
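The same Mikrotik-side steps as RouterOS CLI commands, using the tutorial addresses. This is an added example, not configuration from the original post; it assumes RouterOS v6 syntax from before 6.43 (where the peer still carries the secret), a placeholder pre-shared key, and no PFS on the ASA unless noted.

```routeros
# Added example: CLI equivalent of the policy / peer / proposal / NAT steps.
# Assumption: RouterOS v6 (pre-6.43); the PSK below is a placeholder.

# 1. Proposal: the ASA wizard uses 3DES / MD5, so the default proposal must
#    accept MD5 (the "modify the default proposal" step). pfs-group must match
#    the ASA: none if PFS is off, modp1024 (DH group 2) if the ASA enables it.
/ip ipsec proposal set [ find default=yes ] \
    auth-algorithms=md5,sha1 enc-algorithms=3des pfs-group=none

# 2. Peer: the ASA outside address, main mode, IKE policy 3DES / MD5 / DH 2.
#    RouterOS identifies itself by its IP address by default, which matches
#    the ASA "Identity: Address" IKE parameter the post warns about.
/ip ipsec peer add address=1.1.1.2/32 auth-method=pre-shared-key \
    secret="REPLACE-WITH-SHARED-SECRET" exchange-mode=main \
    enc-algorithm=3des hash-algorithm=md5 dh-group=modp1024 \
    generate-policy=no comment="Cisco ASA site"

# 3. Policy: tunnel mode, LAN to LAN, SAs built between the two WAN addresses.
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    sa-src-address=1.1.1.1 sa-dst-address=1.1.1.2 tunnel=yes \
    action=encrypt proposal=default comment="LAN to ASA LAN"

# 4. NAT bypass: accept LAN-to-LAN traffic so it is not masqueraded.
#    place-before=0 puts it above the masquerade rule ("move the rule to the
#    top"); if masquerade ran first, the source would be rewritten to 1.1.1.1
#    and the IPsec policy would never match the packet.
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 \
    dst-address=192.168.2.0/24 action=accept place-before=0 \
    comment="IPsec bypass: must stay above masquerade"

# Checks: the bypass rule should be rule 0, the remote peer should show an
# established state, and an SA should appear once a LAN host pings 192.168.2.1.
/ip firewall nat print
/ip ipsec remote-peers print
/ip ipsec policy print
/ip ipsec installed-sa print
```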

Now you can connect your branch offices using Mikrotik routers even if you have Cisco ASAs installed at the other locations.

Links: Cisco ASA, Mikrotik Routerboard


Damjan Momirovski

Very good blog, more than useful :), well done Mrki.

patriotmk

Very good blog, thank you very much for the scenario, it works :) Regards

Horst Bursik

You saved my day – thank you! :)

Configurations Mikrotik

Good post

astoneo

Good job

ricky

Didn’t work for me.

nstojanoski

Check if PFS is enabled or disabled, and check the encryption. MD5 is getting removed from the new Cisco devices. I haven’t checked Mikrotik’s default proposals on the latest RouterOS.
It should work.

Evgeny

Great article! Thank you very much!
Worked for me after enabling PFS in ASA!
Also, I used SHA instead of MD5.

samira

Hi, thank you, it helped me a lot, but I connected site-to-site IPsec between Juniper and Mikrotik.

Gerardo Malak

Hello, I consulted, so configure as itemize the Mikrotik and handle the other side; behind the handle is where these equipment I need to connect. The problem I have: to shoot from the ASA a ‘packet-tracert’ tool for the Mikrotik, the IPsec VPN connects. Has any idea what is happening?

I from him tug Mikrotik LAN ping but I cannot activate the VPN on the handle. Thank you

jk

I’m connected with IPsec but traffic doesn’t work.

nstojanoski

From the Mikrotik try to ping the ASA private IP to see if you have NAT issues or something else.

If you can ping the ASA private IP then see if your NAT bypass rule is above your masquerade rule as shown on the last picture.

Regards,
Nikola

Syed Jahanzaib

Hi, I have a similar requirement. At some remote site a Cisco ASA is running; they have provided us with a VPN client dialer which we use from our Windows-based PC to connect to their site. Now I want to connect my Mikrotik. I have no control over their ASA and they have not provided us many details. All the details I have gathered via the VPN dialer. How do I achieve the task of connecting the Mikrotik to the remote ASA?

Антон Семенов

Niko, is it possible to enable traffic from ASA LANs to LAN behind Mikrotik in this configuration? We have similar IPsec configs with Fortigate routers and it works with them fine, but not with Mikrotik. Is it necessary to make ip-ip tunnel?
