Godinich Consulting
VPNs Between Mikrotik and 3rd Party Devices
Vince Godinich
experience

TOPICS
- PPTP: Mikrotik client to Cisco server
- IPSEC: Shrew client to Mikrotik router
- IPSEC: Mikrotik router to Cisco IOS router
PPTP Mikrotik Client to Cisco Server

Configure a Mikrotik router to act as a PPTP client connecting to a Cisco PPTP server, to connect remote LANs.
Allows replacement of a Cisco branch router with a MikroTik router without changing or replacing the existing Cisco main router.
[Topology diagram: Mikrotik Router and Cisco Router joined across the internet.
 Mikrotik Router: Ether1 10.0.0.2/24 (internet side), Ether2 192.168.1.1/24 (LAN side), Site A PC 192.168.1.79/24
 Cisco Router: Ether1 10.0.0.1/24 (internet side), Ether2 192.168.0.1/24 (LAN side), Site B Server 192.168.0.2/24
 PPTP tunnel end-points: Virtual-Template1 192.168.79.1 on the Cisco, pptp-out1 192.168.79.2 on the Mikrotik.
 The side assignment follows the configurations below: the Mikrotik client connects to 10.0.0.1 and the Cisco routes 192.168.1.0/24 into the tunnel.]
Cisco router configuration:

  aaa new-model
  aaa authentication ppp default local
  vpdn enable
  vpdn-group 1
   accept-dialin
    protocol pptp
    virtual-template 1
   l2tp tunnel timeout no-session 15
  username pptp_branch password 01234

  interface Virtual-Template1
   ip address 192.168.79.1 255.255.255.0
   peer default ip address pool PPTP_POOL
   no keepalive
   ppp encrypt mppe 128 required
   ppp authentication ms-chap-v2
  ip local pool PPTP_POOL 192.168.79.2

  ip nat inside source list nonat interface FastEthernet0/0 overload
  ip route 192.168.1.0 255.255.255.0 192.168.79.2
  ip access-list extended nonat
   deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
   permit ip 192.168.1.0 0.0.0.255 any
[Topology diagram repeated, with a ping across the tunnel between Site A PC and Site B Server as the test; the following slides are screenshots of the Mikrotik configuration]
Mikrotik router configuration:

  /interface pptp-client
  add allow=mschap2 connect-to=10.0.0.1 disabled=no mrru=1600 name=pptp-out1 \
      password=1234 user=pptp_branch
  /ppp profile
  set 1 use-encryption=required
  /ip firewall nat
  add chain=srcnat dst-address=192.168.0.0/24 out-interface=ether2
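The two ends of a PPTP tunnel only come up when the authentication method, the MPPE requirement and the credentials agree, and the deck's slides actually differ on the password (the Cisco slide has "password 01234", the Mikrotik slide "password=1234"). The following is an added example, not code from the deck or from Cisco or MikroTik: it parses both snippets (copied inline from the slides above) and reports every setting that disagrees. The function names and the MikroTik-to-IOS authentication mapping are this example's own assumptions.

```python
"""Cross-check a Cisco IOS PPTP server config against a MikroTik RouterOS
PPTP client config for the settings that must agree on both ends.

Added example (not from the slides). The two snippets below are copied from
the deck; the checker and its function names are this example's own.
"""
import re
import shlex

# Constructed from the deck's Cisco slides.
CISCO_CONFIG = """\
aaa new-model
aaa authentication ppp default local
username pptp_branch password 01234
interface Virtual-Template1
 ip address 192.168.79.1 255.255.255.0
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
"""

# Constructed from the deck's MikroTik slide (the two commands on one line each).
MIKROTIK_CONFIG = """\
/interface pptp-client add allow=mschap2 connect-to=10.0.0.1 disabled=no mrru=1600 name=pptp-out1 password=1234 user=pptp_branch
/ppp profile set 1 use-encryption=required
"""

# IOS "ppp authentication" keywords -> RouterOS "allow=" values (assumed mapping).
AUTH_MAP = {"ms-chap-v2": "mschap2", "ms-chap": "mschap1", "chap": "chap", "pap": "pap"}


def parse_cisco(text):
    """Pull the PPTP-relevant settings out of an IOS config snippet."""
    cfg = {"users": {}, "auth": set(), "mppe_required": False, "mppe_bits": None}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"username (\S+) password (?:\d )?(\S+)", line)  # optional encryption-type digit
        if m:
            cfg["users"][m.group(1)] = m.group(2)
        elif line.startswith("ppp authentication"):
            cfg["auth"] = set(line.split()[2:])
        elif line.startswith("ppp encrypt mppe"):
            parts = line.split()
            cfg["mppe_bits"] = parts[3] if parts[3].isdigit() else "auto"
            cfg["mppe_required"] = "required" in parts
    return cfg


def parse_mikrotik(text):
    """Pull the matching settings out of RouterOS command lines."""
    cfg = {"user": None, "password": None, "allow": set(), "encryption": None}
    for line in text.splitlines():
        tokens = shlex.split(line)
        kv = dict(t.split("=", 1) for t in tokens if "=" in t)
        if tokens and tokens[0] == "/interface" and "pptp-client" in tokens:
            cfg["user"] = kv.get("user")
            cfg["password"] = kv.get("password")
            cfg["allow"] = set(kv.get("allow", "").split(","))
        elif tokens and tokens[0] == "/ppp" and "profile" in tokens:
            cfg["encryption"] = kv.get("use-encryption")
    return cfg


def check_pptp_pair(cisco_text, mikrotik_text):
    """Return human-readable mismatches; an empty list means the ends agree."""
    c, m = parse_cisco(cisco_text), parse_mikrotik(mikrotik_text)
    findings = []
    cisco_auth = {AUTH_MAP.get(a, a) for a in c["auth"]}
    if not cisco_auth & m["allow"]:
        findings.append(f"no common auth method: cisco={sorted(cisco_auth)} mikrotik={sorted(m['allow'])}")
    if c["mppe_required"] and m["encryption"] != "required":
        findings.append("cisco requires MPPE but the mikrotik profile does not set use-encryption=required")
    if m["user"] not in c["users"]:
        findings.append(f"user {m['user']!r} is not defined on the cisco")
    elif c["users"][m["user"]] != m["password"]:
        findings.append(f"password for {m['user']!r} differs between the two configs")
    return findings


if __name__ == "__main__":
    for finding in check_pptp_pair(CISCO_CONFIG, MIKROTIK_CONFIG) or ["configs agree"]:
        print(finding)
```

Run as-is it reports the password mismatch from the slides; the other two checks (MS-CHAPv2 on both sides, MPPE required on both sides) pass.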
IPSEC Shrew Client To Mikrotik

Configure a Shrew client on a remote PC to connect to a Mikrotik router and access the internal LAN network.
Eliminates the need for the Microsoft VPN client.
Enables one client to be used for remote access to Mikrotik and Cisco devices, eliminating the need for a Cisco VPN Client.
Easy to import existing Cisco VPN profiles into the Shrew client.
Allows for ease of migration from Cisco devices to Mikrotik routers.
[Topology diagram: Remote PC - internet - Mikrotik Router; Ether1 10.0.0.1/24 and 10.0.0.2/24 on the internet side, Ether2 10.10.0.2/22 on the LAN side, Site A Server 10.10.0.2]

Shrew VPN client download: www.shrew.net/download/vpn

[Screenshot slides of the Shrew client site configuration dialogs; the exported profile below is the text form of those settings]
  n:version:4
  n:network-ike-port:500
  n:network-mtu-size:1380
  n:client-addr-auto:1
  n:network-natt-port:4500
  n:network-natt-rate:15
  n:network-frag-size:540
  n:network-dpd-enable:0
  n:client-banner-enable:0
  n:network-notify-enable:0
  n:client-dns-used:0
  n:client-dns-auto:0
  n:client-dns-suffix-auto:0
  n:client-splitdns-used:0
  n:client-splitdns-auto:0
  n:client-wins-used:0
  n:client-wins-auto:1
  n:phase1-dhgroup:2
  n:phase1-life-secs:86400
  n:phase1-life-kbytes:0
  n:vendor-chkpt-enable:0
  n:phase2-life-secs:3600
  n:phase2-life-kbytes:0
  n:policy-nailed:0
  n:policy-list-auto:0
  n:phase1-keylen:128
  n:phase2-keylen:128
  s:network-host:10.10.0.1
  s:client-auto-mode:pull
  s:client-iface:virtual
  s:network-natt-mode:disable
  s:network-frag-mode:disable
  s:auth-method:mutual-psk
  s:ident-client-type:address
  s:ident-server-type:address
  b:auth-mutual-psk:Y3RiNjUx
  s:phase1-exchange:main
  s:phase1-cipher:aes
  s:phase1-hash:sha1
  s:phase2-transform:esp-aes
  s:phase2-hmac:sha1
  s:ipcomp-transform:disabled
  n:phase2-pfsgroup:2
  s:policy-level:require
  s:policy-list-include:10.10.0.0/255.255.252.0
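The exported profile is a flat list of typed entries: "n:" numeric, "s:" string and "b:" base64-encoded binary (the pre-shared key). As an added example, not part of the deck or of the Shrew project, the following parser reads that format and then reports the settings that decide what the tunnel actually negotiates: exchange mode, DH groups, PFS, dead-peer detection, NAT-T and the PSK length. The hyphenated key names follow Shrew's export format as this example assumes it; the thresholds and function names are this example's own.

```python
"""Parse a Shrew Soft VPN client site profile (the text export shown on the
slide) and review the IKE/IPsec settings it will negotiate.

Added example, not from the deck or the Shrew project. PROFILE is the deck's
exported profile, trimmed to the security-relevant entries; key names,
thresholds and function names are this example's assumptions.
"""
import base64

# Constructed from the deck's profile: one "type:key:value" entry per line.
PROFILE = """\
n:version:4
n:network-ike-port:500
n:network-natt-port:4500
n:network-dpd-enable:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase2-life-secs:3600
n:phase1-keylen:128
n:phase2-keylen:128
s:network-host:10.10.0.1
s:network-natt-mode:disable
s:auth-method:mutual-psk
b:auth-mutual-psk:Y3RiNjUx
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
n:phase2-pfsgroup:2
s:policy-level:require
s:policy-list-include:10.10.0.0/255.255.252.0
"""


def parse_profile(text):
    """Return {key: value}; 'n:' entries become int, 'b:' entries decoded bytes."""
    out = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        kind, key, value = raw.split(":", 2)  # value may itself contain ':' or '/'
        if kind == "n":
            out[key] = int(value)
        elif kind == "b":
            out[key] = base64.b64decode(value)
        elif kind == "s":
            out[key] = value
        else:
            raise ValueError(f"unknown entry type {kind!r} in {raw!r}")
    return out


def review_profile(p):
    """Return (severity, message) findings about the negotiated parameters."""
    findings = []
    if p.get("phase1-exchange") != "main":
        findings.append(("warn", "aggressive mode sends the identity hash in the clear; prefer main mode"))
    if p.get("phase1-dhgroup", 0) < 14:
        findings.append(("warn", f"phase1 DH group {p.get('phase1-dhgroup')} is a 1024-bit or smaller modulus"))
    if p.get("phase2-pfsgroup", 0) == 0:
        findings.append(("warn", "PFS is disabled for phase 2"))
    if p.get("network-dpd-enable") == 0:
        findings.append(("info", "dead peer detection is off; a stale SA will not be torn down"))
    if p.get("network-natt-mode") == "disable":
        findings.append(("info", "NAT-T is disabled; ESP will not pass if the client sits behind NAT"))
    if p.get("auth-method") == "mutual-psk":
        psk = p.get("auth-mutual-psk", b"")
        if len(psk) < 16:
            findings.append(("warn", f"pre-shared key is only {len(psk)} bytes long"))
    return findings


if __name__ == "__main__":
    profile = parse_profile(PROFILE)
    print("gateway:", profile["network-host"], "policy:", profile["policy-list-include"])
    for severity, message in review_profile(profile):
        print(f"[{severity}] {message}")
```

On the deck's profile the parser recovers gateway 10.10.0.1 and the 10.10.0.0/22 policy, and the review flags DH group 2, the disabled DPD and NAT-T, and the short pre-shared key; main mode and PFS group 2 pass.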
[Screenshot slides of the Mikrotik IPsec configuration, then the topology diagram repeated with a PING from the Remote PC to Site A Server as the test]
IPSEC Cisco IOS or ASA To Mikrotik

Configure an IPSEC VPN between a Cisco IOS router or ASA and a Mikrotik router.
Allows replacement of a Cisco branch router or ASA with a MikroTik router without changing or replacing the existing Cisco main router.
IPSEC Cisco IOS To Mikrotik

[Topology diagram: Cisco router - internet - Mikrotik router; as labelled: Ether0/0 10.0.0.2/24, Ether1 10.0.0.1/24, Site A PC 192.168.1.2/24, Site B Server 192.168.0.2/24, Ether0/1 192.168.0.1/24, Ether2 192.168.1.1/24]

[Mikrotik configuration screenshots; the callouts read, slide by slide: "IPSEC"; "Local lan subnet" / "Remote lan subnet"; "Local wan address" / "Remote wan address"; "Remote wan address" / "PRESHARED PASSWORD"; "Local lan subnet" / "Remote lan subnet"]
Cisco IOS router configuration:

  crypto isakmp policy 1
   encr aes
   authentication pre-share
   group 2
  crypto isakmp key 1234 address 10.0.0.2 no-xauth
  !
  !
  crypto ipsec transform-set remote esp-aes esp-sha-hmac
  !
  crypto map remote 5 ipsec-isakmp
   set peer 10.0.0.2
   set transform-set remote
   set pfs group2
   match address remote
  !
  interface FastEthernet0/0
   ip address 10.0.0.1 255.255.255.0
   ip nat outside
   duplex auto
   speed auto
   crypto map remote
  !
  ip nat inside source list nonat interface FastEthernet0/0 overload
  ip access-list extended nonat
   deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
   permit ip 192.168.0.0 0.0.0.255 any
  !
  ip access-list extended remote
   permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
  !
Verifying on the Cisco:

  vince_1841#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  10.0.0.1        10.0.0.2        QM_IDLE           1003 ACTIVE

  vince_1841#sh crypto ipsec sa

  interface: FastEthernet0/0
      Crypto map tag: remote, local addr 10.0.0.1

     protected vrf: (none)
     local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
     remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
     current_peer 10.0.0.2 port 500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 121, #pkts encrypt: 121, #pkts digest: 121
      #pkts decaps: 124, #pkts decrypt: 124, #pkts verify: 124
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0

       local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
       current outbound spi: 0x23D508(2348296)
       PFS (Y/N): Y, DH group: group2

       inbound esp sas:
        spi: 0x89A2A46B(2309137515)
          transform: esp-aes esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: remote
          sa timing: remaining key lifetime (k/sec): (4533419/2928)
          IV size: 16 bytes
          replay detection support: Y
          Status: ACTIVE
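The "show crypto ipsec sa" output above is where a mismatch between the Cisco and the Mikrotik first shows: matching encaps and decaps counters mean traffic flows both ways, while encaps without decaps points at the remote policy or return routing, and decaps without encaps at the local crypto ACL or NAT exemption. As an added example, not part of the deck or of Cisco tooling, the following parser pulls the relevant fields out of that output (copied inline from the slides) and lists the findings a troubleshooter checks first. The field names, the thresholds and the function names are this example's own assumptions.

```python
"""Parse the fields of Cisco IOS 'show crypto ipsec sa' output that matter
when a peer is not passing traffic, and flag the usual suspects.

Added example, not part of the deck. SAMPLE_OUTPUT is the deck's output
reassembled into lines; the field names, thresholds and functions are this
example's own assumptions, not Cisco tooling.
"""
import re

# Constructed from the deck's "sh crypto ipsec sa" slides (counter lines kept).
SAMPLE_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: remote, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 121, #pkts encrypt: 121, #pkts digest: 121
    #pkts decaps: 124, #pkts decrypt: 124, #pkts verify: 124
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     current outbound spi: 0x23D508(2348296)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x89A2A46B(2309137515)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4533419/2928)
        replay detection support: Y
        Status: ACTIVE
"""

# One regex per field; the inbound spi pattern is anchored to a line start so
# it does not pick up "current outbound spi".
FIELDS = {
    "local_addr": r"local addr (\S+)",
    "local_ident": r"local\s+ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/",
    "peer": r"current_peer (\S+) port",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
    "outbound_spi": r"current outbound spi: (0x[0-9A-Fa-f]+)",
    "pfs": r"PFS \(Y/N\): ([YN])",
    "dh_group": r"DH group: (\S+)",
    "inbound_spi": r"^\s*spi: (0x[0-9A-Fa-f]+)\(",
    "transform": r"transform: (.+?) ,",
    "life_secs": r"remaining key lifetime \(k/sec\): \(\d+/(\d+)\)",
    "replay": r"replay detection support: ([YN])",
    "status": r"Status: (\w+)",
}
COUNTERS = {"encaps", "decaps", "send_errors", "recv_errors", "life_secs"}


def parse_ipsec_sa(text):
    """Return a dict of the matched fields; fields that do not appear are absent."""
    sa = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if m:
            sa[name] = int(m.group(1)) if name in COUNTERS else m.group(1)
    return sa


def diagnose(sa):
    """Return the findings a troubleshooter should look at first."""
    findings = []
    if sa.get("status") != "ACTIVE":
        findings.append("SA is not ACTIVE; phase 2 did not complete")
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc and not dec:
        findings.append("packets encapsulated but none received: check the remote policy/ACL and return routing")
    elif dec and not enc:
        findings.append("packets received but none sent: check the local crypto ACL and NAT exemption")
    if sa.get("send_errors") or sa.get("recv_errors"):
        findings.append("send/recv errors present: look at MTU, replay window or transform mismatches")
    if sa.get("pfs") != "Y":
        findings.append("PFS was not negotiated for phase 2")
    if sa.get("dh_group") in ("group1", "group2", "group5"):
        findings.append(f"{sa['dh_group']} is a 1536-bit or weaker modulus")
    if sa.get("replay") != "Y":
        findings.append("replay detection is off")
    if sa.get("life_secs", 0) and sa["life_secs"] < 120:
        findings.append("key lifetime nearly expired; a rekey is imminent")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_OUTPUT)
    print(f"{parsed['local_ident']} <-> {parsed['remote_ident']} via {parsed['peer']}: "
          f"encaps={parsed['encaps']} decaps={parsed['decaps']}")
    for finding in diagnose(parsed) or ["tunnel looks healthy"]:
        print(finding)
```

On the deck's output both counters are non-zero, errors are zero, PFS and replay detection are on, and the only finding is the 1024-bit DH group 2 that the "set pfs group2" line configures.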
IPSEC Cisco ASA To Mikrotik

[Topology diagram: Cisco ASA - internet - Mikrotik router; ASA Outside 10.0.0.1/24, Inside 192.168.1.1/24, Site B Server 192.168.1.79/24; Mikrotik Ether1 10.0.0.2/24, Ether2 192.168.0.1/24, Site A PC 192.168.0.2/24]

[Mikrotik configuration screenshots; the callouts read, slide by slide: "Local lan subnet" / "Remote lan subnet"; "Source Wan Address" / "Remote Wan Address"; "Remote Wan Address"; "Local lan subnet" / "Remote lan subnet" / "Srcnat". The remaining slides of this section carry no extracted text.]