Mikrotik to Cisco ASA IPsec VPN

We needed to set up an IPsec VPN for a client with a remote location that already had a Cisco ASA. So, here is a Mikrotik to Cisco ASA IPsec howto.

Tutorial Scenario

Cisco ASA site

  • WAN: (outside)
  • LAN: (inside)

Mikrotik site

  • WAN: (ether1)
  • LAN: (ether2)

Cisco ASA to Mikrotik configuration

Launch the VPN configuration wizard on your Cisco ASA router


Set VPN Tunnel Type as Site-to-Site

VPN Wizard Step1

Set the Remote Peer IP Address (the Mikrotik WAN address) and the Pre-shared key. The Tunnel Group Name should also be the Remote Peer IP Address.

VPN Wizard Step2

Set the IKE Policy Encryption to 3DES, Authentication to MD5 and DH Group to 2

VPN Wizard Step3

Set the IPsec Encryption to 3DES and Authentication to MD5

VPN Wizard Step4

Set the Local and Remote Networks

VPN Wizard Step5

Don’t forget to set the IKE Parameters to Identity: Address to avoid connection problems

IKE Parameters


Mikrotik to Cisco ASA configuration

Create new policy

Mikrotik IPsec Policy

Create new Peer

Mikrotik IPsec Peer

Modify the default proposal to accept MD5 as Authentication

Mikrotik IPsec Proposal

Create a NAT rule to bypass the traffic that should go through the tunnel

Mikrotik NAT Rule

Move the rule to the top

Mikrotik NAT
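
The Mikrotik steps above as RouterOS terminal commands, as an added example that is not part of the original post. It assumes an older RouterOS 6 release in which the peer entry itself carries the secret and the phase 1 algorithms (later releases move these to separate profile and identity menus). All addresses, the key and the rule comment are constructed placeholders.

```routeros
# Added example, not from the original post. Constructed placeholder values:
#   Cisco ASA  WAN 198.51.100.1          LAN 192.168.1.0/24
#   Mikrotik   WAN 203.0.113.1 (ether1)  LAN 192.168.2.0/24 (ether2)

# 1. Policy: encrypt LAN-to-LAN traffic in tunnel mode between the two WAN addresses.
/ip ipsec policy add src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 \
    tunnel=yes action=encrypt proposal=default

# 2. Peer: phase 1 must match the ASA IKE policy from the wizard
#    (3DES, MD5, DH group 2; modp1024 is DH group 2). Same pre-shared key on both ends.
/ip ipsec peer add address=198.51.100.1/32 auth-method=pre-shared-key \
    secret="REPLACE-WITH-PRE-SHARED-KEY" \
    enc-algorithm=3des hash-algorithm=md5 dh-group=modp1024

# 3. Default proposal: accept MD5 for authentication. 3DES is set explicitly here
#    so phase 2 matches the ASA IPsec settings (assumption: the default proposal
#    on your release may list other ciphers).
/ip ipsec proposal set [find default=yes] auth-algorithms=md5 enc-algorithms=3des

# 4. NAT bypass: traffic for the remote LAN must not hit the masquerade rule,
#    otherwise its source address no longer matches the IPsec policy.
/ip firewall nat add chain=srcnat src-address=192.168.2.0/24 \
    dst-address=192.168.1.0/24 action=accept comment="ipsec-bypass"

# 5. Move the bypass rule to the top. Item number 0 refers to the output of
#    the preceding print, so run print first.
/ip firewall nat print
/ip firewall nat move [find comment="ipsec-bypass"] destination=0

# Check: after sending traffic to the remote LAN, the peer should be listed as
# established and SAs should be installed in both directions.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

3DES, MD5 and DH group 2 are the values used in the wizard steps above and are considered weak today. Where both devices support them, stronger matching settings (AES, SHA-2, a larger DH group) can be substituted on both ends in the same places.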

Now you can connect your branch offices using Mikrotik routers even if you have Cisco ASAs installed at the other locations.

Links: Cisco ASA, Mikrotik Routerboard