
mikrotik ipsec gre to cisco

не могу собрать шифрованный туннель между mikrotik и cisco

# apr/23/2014 09:21:44 by RouterOS 6.12
# software id = J46A-68XZ
#
# MikroTik end of the GRE-over-IPsec tunnel to the Cisco at 2.2.2.2.
# Local uplink is ether1 / 1.1.1.5, tunnel address 10.0.90.25/30,
# OSPF router-id 10.0.90.25.
#
# GRE encapsulation (IP protocol 47). Whatever the Cisco tunnel interface
# uses ('tunnel mode ipsec ipv4' in the first attempt, 'tunnel mode ipip'
# later in the thread) has to be the same encapsulation on both ends,
# otherwise IPsec can come up and the tunnel still carries nothing.
/interface gre
add local-address=1.1.1.5 name=gre-tunnel10 remote-address=2.2.2.2
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
   mac-cookie-timeout=3d
# Phase-2 (IPsec SA) proposal. 3DES + MD5 are legacy algorithms, kept here
# only to match the Cisco transform-set; later in the thread an aes-128-cbc
# proposal ("AES-128") is used instead.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
/port
set 0 name=serial0
set 1 name=serial1
# OSPF area 0.0.0.10 ("area1") corresponds to 'ip ospf 100 area 10' on the
# Cisco side.
/routing ospf area
set [ find default=yes ] disabled=yes name="area 10"
add area-id=0.0.0.10 name=area1
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-2 router-id=\
   10.0.90.25
/ip address
add address=1.1.1.5/24 comment="default configuration" interface=ether1 \
   network=1.1.1.0
add address=172.16.0.17/16 interface=ether2 network=172.16.0.0
add address=10.0.90.25/30 interface=gre-tunnel10 network=10.0.90.24
/ip dns
set servers=172.16.0.5
# Input-chain filter. NOTE(review): both "drop" rules immediately below are
# disabled=yes and there is no other terminating drop in chain=input, so
# anything the accept rules do not match falls through to the RouterOS
# default (accept). As written, every accept rule in this chain is redundant
# and every service on the router is reachable from every interface.
/ip firewall filter
add action=drop chain=input comment=drop_all disabled=yes in-interface=ether1 \
   protocol=tcp
add action=drop chain=input disabled=yes in-interface=ether1 protocol=udp
add chain=output comment=out protocol=udp
add chain=output protocol=tcp
# IPsec control and data plane: ESP, AH and IKE (udp/500). There is no
# udp/4500 rule; that is only needed if NAT-T is enabled on the peer (the
# peer print later in the thread shows nat-traversal=no).
add chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add chain=input comment="Allow IKE" dst-port=500 protocol=udp
add chain=input comment="Allow IPSec-ah" protocol=ipsec-ah
add chain=input comment=icp_input protocol=icmp
# SSH is accepted unconditionally here (default action is accept, which is
# terminating). NOTE(review): the staged ssh_stage1..3 / ssh_blacklist rules
# that follow are therefore never reached for new port-22 connections, and
# no rule drops src-address-list=ssh_blacklist anyway - the SSH brute-force
# limiter is dead configuration. It needs an
# 'add action=drop chain=input dst-port=22 protocol=tcp src-address-list=ssh_blacklist'
# rule placed above this accept, with the stage rules following it.
add chain=input comment=ssh dst-port=22 protocol=tcp
add chain=input dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist \
   address-list-timeout=3h chain=input connection-state=new dst-port=22 \
   protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage2 \
   address-list-timeout=1m chain=input connection-state=new dst-port=22 \
   protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3 \
   address-list-timeout=1m chain=input connection-state=new dst-port=22 \
   protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage1 \
   address-list-timeout=1m chain=input connection-state=new dst-port=22 \
   protocol=tcp
add chain=input comment=www dst-port=80 protocol=tcp
add chain=input dst-port=443 protocol=tcp
# Winbox (8291) is accepted on the ether1 uplink, on ether2, and again for
# 8291,65522 from any interface; management access like this is better
# limited to a trusted src-address-list.
add chain=input comment="access to winbox" dst-port=8291 in-interface=ether1 \
   protocol=tcp
add chain=input dst-port=8291 in-interface=ether2 protocol=tcp
add chain=input connection-state=new dst-port=8291,65522 protocol=tcp
add chain=input comment=dns dst-port=53 in-interface=all-ethernet protocol=\
   udp
add chain=input dst-port=53 in-interface=all-ethernet protocol=tcp
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=1723 protocol=tcp
# FTP brute-force limiter. Unlike the SSH rules above, ftp_blacklist is
# actually consumed by this drop rule; the list is fed from the output chain
# by matching the router's own "530 Login incorrect" replies.
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
   protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=\
   1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
   address-list-timeout=1h chain=output content="530 Login incorrect" \
   protocol=tcp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
# Phase-1 (IKE) peer. NOTE(review): this export contains no '/ip ipsec policy'
# section at all, so nothing here selects the GRE traffic for encryption; the
# policy (1.1.1.5/32 <-> 2.2.2.2/32, transport mode) only appears later in the
# thread. The PSK "pass" is a placeholder-strength secret. dh-group is not set,
# so the RouterOS default applies - the Cisco 'crypto isakmp policy 1' in this
# thread does not set a group either, and the two vendor defaults are not
# guaranteed to agree; the thread later settles on modp1536 / 'group 5' and
# hash-algorithm=sha1 on both ends.
/ip ipsec peer
add address=2.2.2.2/32 enc-algorithm=3des hash-algorithm=md5 secret=\
   "pass"
# Default route via 1.1.1.1; the static /32 to the Cisco tunnel address is
# disabled, so reachability across the tunnel relies on OSPF.
/ip route
add distance=1 gateway=1.1.1.1
add disabled=yes distance=1 dst-address=10.0.90.26/32 gateway=gre-tunnel10
/ip upnp
set allow-disable-external-interface=no
/lcd interface
set sfp-sfpplus1 interface=sfp-sfpplus1
set sfp-sfpplus2 interface=sfp-sfpplus2
set ether1 interface=ether1
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6 interface=ether6
set ether7 interface=ether7
set ether8 interface=ether8
# OSPF on the tunnel. NOTE(review): network-type=broadcast here, while the
# Cisco tunnel interfaces in this thread either set
# 'ip ospf network point-to-point' or leave the IOS default (point-to-point
# on tunnel interfaces - confirm with 'show ip ospf interface'). The network
# type must be the same on both ends or no adjacency forms. Cost 700 matches
# 'ip ospf cost 700' on the Cisco.
/routing ospf interface
add cost=700 interface=gre-tunnel10 network-type=broadcast
/routing ospf network
add area=area1 network=10.0.90.0/24
/system clock
set time-zone-name=Europe/Moscow
/system leds
set 0 type=interface-speed
set 2 type=interface-speed
/system ntp client
set enabled=yes mode=unicast primary-ntp=194.149.67.129 secondary-ntp=\
   172.16.0.5
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR

на cisco

! Cisco end, first attempt. ISAKMP policy 1 mirrors the MikroTik peer
! (3DES, MD5, pre-shared key). No 'group' line, so the IOS default DH group
! applies; the MikroTik peer export does not set dh-group either, and the two
! vendor defaults are not guaranteed to be the same group - set it explicitly
! on both ends (the thread later settles on 'group 5' / modp1536).
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
! NOTE(review): the 0.0.0.0 0.0.0.0 wildcard binds the PSK "pass" to every
! possible peer address. Bind it to the MikroTik only:
! 'crypto isakmp key pass address 1.1.1.5 255.255.255.255 no-xauth'.
crypto isakmp key pass address 0.0.0.0 0.0.0.0
! ESP-3DES with no integrity transform (no esp-md5-hmac). The MikroTik
! default proposal requires auth-algorithms=md5, so this set presumably
! cannot match its phase-2 proposal; later posts use 'esp-aes esp-md5-hmac'.
crypto ipsec transform-set tr-3des esp-3des
crypto ipsec profile prof_tun
set transform-set tr-3des

! NOTE(review): 'tunnel mode ipsec ipv4' is a bare IPsec VTI, not GRE. The
! MikroTik side defines /interface gre, so the two ends do not share an
! encapsulation. The thread later moves the Cisco to 'tunnel mode ipip'
! (Tunnel20); the MikroTik end then has to become /interface ipip, or the
! Cisco has to use 'tunnel mode gre ip' to stay with the GRE interface.
interface Tunnel10
bandwidth 30
ip address 10.0.90.26 255.255.255.252
ip mtu 1476
ip virtual-reassembly in
ip route-cache policy
ip ospf cost 700
! No 'ip ospf network' line: IOS tunnel interfaces default to point-to-point,
! while the MikroTik OSPF interface is network-type=broadcast - confirm the
! two agree, otherwise the adjacency never forms.
ip ospf 100 area 10
tunnel source 2.2.2.2
tunnel mode ipsec ipv4
tunnel destination 1.1.1.5
tunnel protection ipsec profile prof_tun

с cisco

show interfaces tunnel 10

Tunnel10 is up, line protocol is down
 Hardware is Tunnel
 Internet address is 10.0.90.26/30
 MTU 17940 bytes, BW 30 Kbit/sec, DLY 50000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation TUNNEL, loopback not set
 Keepalive not set
 Tunnel source 83.167.101.203, destination 91.216.48.5
 Tunnel protocol/transport IPSEC/IP
 Tunnel TTL 255
 Tunnel transport MTU 1500 bytes
 Tunnel transmit bandwidth 8000 (kbps)
 Tunnel receive bandwidth 8000 (kbps)
 Tunnel protection via IPSec (profile "prof_tun")
 Last input 01:30:07, output 01:30:08, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
 Queueing strategy: fifo
 Output queue: 0/0 (size/max)
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
    24660 packets input, 2397924 bytes, 0 no buffer
    Received 0 broadcasts (0 IP multicasts)
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    24417 packets output, 3108372 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 unknown protocol drops
    0 output buffer failures, 0 output buffers swapped out

с mikrotik ping 10.0.90.26

HOST                                     SIZE TTL TIME  STATUS                 
10.0.90.26                                              timeout                
10.0.90.26                                              timeout                
10.0.90.26                                              timeout                
10.0.90.26                                              timeout                
10.0.90.26                                              timeout                
10.0.90.26                                              timeout                


На микротике:

# Phase-2 proposal from myst's working example (AES-128 / HMAC-MD5).
# On RouterOS 6 the value is spelled aes-128-cbc, as the "invalid value for
# argument enc-algorithms" reply below shows.
ip ipsec proposal add name="AES-128" auth-algorithms=md5 enc-algorithms=aes-128 lifetime=8m20s

 

# Phase-2 policy - a single command that the forum has wrapped across lines.
# NOTE(review): the addressing in this example is the reverse of the OP's
# topology: here the MikroTik is 2.2.2.2 and the Cisco is 1.1.1.1, so the
# src/dst and sa-src/sa-dst values must be swapped when copied (the OP's
# later 'print detail' shows them swapped correctly).
# The selectors are host/32 <-> host/32 with protocol=all: what gets
# encrypted is the tunnel (IPIP) traffic between the two endpoints, not the
# inner subnets, which are carried by OSPF over the tunnel. tunnel=no selects
# transport mode, matching 'mode transport require' on the Cisco transform-sets.
ip ipsec policy add src-address=2.2.2.2/32 src-port=any dst-address=1.1.1.1/32 dst-port=any

protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no

sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 proposal=AES-128

priority=10

 

# Phase-1 (IKE) peer. NOTE(review): as a later reply points out, the command
# is '/ip ipsec peer add' - there is no 'add' directly under /ip ipsec - and on
# this RouterOS version generate-policy takes no | port-override | port-strict
# rather than yes. hash-algorithm=sha1 matches the IOS default hash of the
# 'crypto isakmp policy 66' below (which has no 'hash' line), dh-group=modp1536
# matches 'group 5', and lifetime=8m20s (500 s) matches 'lifetime 500'.
# my-id-user-fqdn="" presumably leaves the IKE identity as the IP address -
# confirm against the Cisco's 'crypto isakmp key ... address' binding.
ip ipsec add address=1.1.1.1/32 port=500 auth-method=pre-shared-key secret="PASS" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1536 lifetime=8m20s lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

 

На циске:

 

! Cisco end of myst's working example. Phase 1: 3DES, pre-shared key,
! DH group 5 (= modp1536 on the MikroTik peer), 500 s lifetime (= 8m20s).
! There is no 'hash' line, so the IOS default (SHA-1) applies, which is why
! the MikroTik peer in the example uses hash-algorithm=sha1.
crypto isakmp policy 66
encr 3des
authentication pre-share
group 5
lifetime 500

! PSK bound to the single peer address (no wildcard); no-xauth suppresses
! extended authentication for this peer.
crypto isakmp key PASS address 2.2.2.2 no-xauth


! Two transport-mode transform-sets; only ipsec-transform-aes is referenced
! by the profile below. 'esp-aes esp-md5-hmac' corresponds to the MikroTik
! AES-128 proposal (aes-128-cbc / md5).
crypto ipsec transform-set ipsec-transform esp-3des esp-md5-hmac 
mode transport require
crypto ipsec transform-set ipsec-transform-aes esp-aes esp-md5-hmac 
mode transport require
! Clears DF on the outer packet so oversized tunnel packets can be fragmented
! instead of dropped; works together with 'ip mtu 1450' on the tunnel.
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-ipsec-aes
set transform-set ipsec-transform-aes

! IPIP (not GRE) tunnel protected by the profile. The OSPF network type is
! set explicitly to point-to-point, with mtu-ignore; the MikroTik
! /routing ospf interface must use the same network type.
interface Tunnel123
description # Tunnel123 #
ip address 172.16.0.1 255.255.255.252
ip mtu 1450
ip ospf network point-to-point
ip ospf cost 10
ip ospf mtu-ignore
ip ospf 1 area 0.0.0.0
tunnel source 1.1.1.1
tunnel mode ipip
tunnel destination 2.2.2.2
tunnel protection ipsec profile ipsec-ipsec-aes


ip ipsec proposal add name="AES-128" auth-algorithms=md5 enc-algorithms=aes-128 lifetime=8m20s
invalid value for argument enc-algorithms

ip ipsec proposal add name="AES-128" auth-algorithms=md5 enc-algorithms=aes-128-

aes-128-cbc  aes-128-ctr  aes-128-gcm


ROS 6ка

там синтаксис поменялся: aes-128-cbc


ip ipsec add address=1.1.1.1/32 port=500 auth-method=pre-shared-key secret="PASS" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1536 lifetime=8m20s lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

add нету

/ip ipsec> 
IP security supports secure (encrypted) communications over IP networks

.. -- go up to ip
export -- Print or save an export script that can be used to restore configuration
installed-sa -- Currently installed security associations
key -- 
mode-config -- 
peer -- IKE peer configuration
policy -- Security policies
proposal -- phase2 IKE proposal settings
remote-peers -- Remote peers
statistics -- 
user -- 


/ip ipsec peer> add address=1.1.1.5 port=500 auth-method=pre-shared-key secret=PASS generate-policy=

eneratePolicy ::= no | port-override | port-strict
 port-override -- force policy to use any port
 port-strict -- use ports from peer's proposal

Edited by svetogor82


по-прежнему не хочет соединяться

/ip ipsec policy> print detail

Flags: T - template, X - disabled, D - dynamic, I - inactive 
0    src-address=1.1/1.5/32 src-port=any dst-address=2.2.2.2/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=1.1.1.5 sa-dst-address=2.2.2.2 proposal=AES-128 priority=10 

/ip ipsec peer> print detail

Flags: X - disabled 
0   address=2.2.2.2/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="pass" generate-policy=port-override exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey 
    hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1536 lifetime=8m20s lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1 

/ip ipsec remote-peers> print detail

local-address=1.1.1.5 remote-address=2.2.2.2 state=message-3-sent side=initiator 

/ip ipsec proposal> print detail

Flags: X - disabled, * - default 
0 X* name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024 

1    name="AES-128" auth-algorithms=md5 enc-algorithms=aes-128-cbc lifetime=8m20s pfs-group=modp1024 

с cisco

! NOTE(review): the key is bound to 2.2.2.2 - this router's own tunnel
! source (see 'tunnel source 2.2.2.2' below) - not to the MikroTik at
! 1.1.1.5; the reply further down changes it to 1.1.1.5 and the
! IKMP_BAD_MESSAGE errors stop. Also, 255.255.255.0 makes the binding a /24
! match; use 255.255.255.255 so only the single peer can use this PSK.
crypto isakmp key pass address 2.2.2.2 255.255.255.0 no-xauth
! tr-3des (ESP-3DES, no integrity) is left over from the first attempt and
! is only referenced by profile prof_tun; the active tunnel uses
! ipsec-transform-aes (esp-aes esp-md5-hmac), which corresponds to the
! MikroTik AES-128 proposal (aes-128-cbc / md5).
crypto ipsec transform-set tr-3des esp-3des
crypto ipsec transform-set ipsec-transform esp-3des esp-md5-hmac
mode transport require
crypto ipsec transform-set ipsec-transform-aes esp-aes esp-md5-hmac
mode transport require
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-ipsec-aes
set transform-set ipsec-transform-aes
!
crypto ipsec profile prof_tun
set transform-set tr-3des
! NOTE(review): Tunnel20 is IPIP (IP protocol 4 - the later debug output
! shows proxy selectors ".../4/0"), while the MikroTik export at the top of
! the thread still defines /interface gre (protocol 47). For the two ends to
! agree, the MikroTik end needs /interface ipip, or this side needs
! 'tunnel mode gre ip'. The ISAKMP debug later in the thread, however, shows
! phase 1 stuck retransmitting in MM_NO_STATE (MikroTik: message-3-sent),
! which suggests main mode itself is not completing yet - that has to be
! resolved before the phase-2 / encapsulation mismatch even matters.
interface Tunnel20
ip address 10.0.90.26 255.255.255.252
ip mtu 1450
ip ospf cost 700
ip ospf mtu-ignore
! No 'ip ospf network' line: IOS tunnel interfaces default to point-to-point,
! while the MikroTik side uses network-type=broadcast - confirm they match.
ip ospf 100 area 10
tunnel source 2.2.2.2
tunnel mode ipip
tunnel destination 1.1.1.5
tunnel protection ipsec profile ipsec-ipsec-aes

show interfaces tunnel 20

show interfaces  tunnel 20
Tunnel20 is up, line protocol is up
 Hardware is Tunnel
 Description: odincovo
 Internet address is 10.0.90.26/30
 MTU 17920 bytes, BW 100 Kbit/sec, DLY 50000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation TUNNEL, loopback not set
 Keepalive not set
 Tunnel source 2.2.2.2, destination 1.1.1.5
 Tunnel protocol/transport IP/IP
 Tunnel TTL 255, Fast tunneling enabled
 Tunnel transport MTU 1480 bytes
 Tunnel transmit bandwidth 8000 (kbps)
 Tunnel receive bandwidth 8000 (kbps)
 Tunnel protection via IPSec (profile "ipsec-ipsec-aes")
 Last input never, output 02:03:53, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 809
 Queueing strategy: fifo
 Output queue: 0/0 (size/max)
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts (0 IP multicasts)
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    810 packets output, 78480 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 unknown protocol drops
    0 output buffer failures, 0 output buffers swapped out

ping 10.0.90.25 source 10.0.90.26

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.90.25, timeout is 2 seconds:
Packet sent with a source address of 10.0.90.26
.....
Success rate is 0 percent (0/5)


А если выключить IPSEC на обоих концах? работает?


да, работает, если выключить ipsec

Включай дебаг IPSEC на циске и смотри что происходит.

Я дал полностью рабочий конфиг, у меня так работают десятки девайсов.

Edited by myst


на cisco в логах только

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 1.1.1.5 failed its sanity check or is malformed


на cisco в логах только

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 1.1.1.5 failed its sanity check or is malformed

Время синхронизировать не пробовали?


поменял на cisco

crypto isakmp key pass address 2.2.2.2 255.255.255.0 no-xauth

на

crypto isakmp key pass address 1.1.1.5 255.255.255.0 no-xauth

ошибка пропала, время на устройствах стоит одинаковое

 

может, на cisco забыл какие-нибудь логи включить? сейчас включено:

General-purpose tunnel:
 Tunnel Interface debugging is on

Cryptographic Subsystem:
 Crypto ISAKMP debugging is on
 Crypto IPSEC Error debugging is on
 Crypto IPSEC High Availability debugging is on
EzVPN:
 EzVPN debugging is on


еще в логах

 Tunnel20: IP/IP encapsulated 2.2.2.2->1.1.1.5 (linktype=7, len=96)

Тут надо с азов, видимо, проверять. Ipsec поднимется, если все параметры с обоих концов совпадут, поднимал между разными железяками. И еще надо проверить маршрутизацию меж сетями клиентов, что должно идти в туннель, а что — мимо... Нельзя, например, в ipsec завернуть весь интернет, только описанные сети и маски, и уж одинаковые сети завернуть в ipsec мне ни разу не удалось, только маршрутизируемые.


еще в логах

 Tunnel20: IP/IP encapsulated 2.2.2.2->1.1.1.5 (linktype=7, len=96)

Тут надо с азов, видимо, проверять. Ipsec поднимется, если все параметры с обоих концов совпадут, поднимал между разными железяками. И еще надо проверить маршрутизацию меж сетями клиентов, что должно идти в туннель, а что — мимо... Нельзя, например, в ipsec завернуть весь интернет, только описанные сети и маски, и уж одинаковые сети завернуть в ipsec мне ни разу не удалось, только маршрутизируемые.

В IPsec можно завернуть что угодно.

Было бы желание.


после перезагрузки cisco в логах появилось

*Apr 24 05:59:55.251: IPSEC(key_engine): request timer fired: count = 2,
 (identity) local= 2.2.2.2:0, remote= 1.1.1.5:0,
   local_proxy= 2.2.2.2/255.255.255.255/4/0 (type=1),
   remote_proxy= 1.1.1.5/255.255.255.255/4/0 (type=1)
*Apr 24 05:59:55.275: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Apr 24 06:00:02.871: IPSEC(sa_request): ,
 (key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.5:500,
   local_proxy= 2.2.2.2/255.255.255.255/4/0 (type=1),
   remote_proxy= 1.1.1.5/255.255.255.255/4/0 (type=1),
   protocol= ESP, transform= esp-aes esp-md5-hmac  (Transport),
   lifedur= 3600s and 4608000kb,
   spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Apr 24 06:00:05.203: IPSEC(sa_request): ,
 (key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 2.2.2.2:500,
   local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
   remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
   protocol= ESP, transform= esp-3des  (Tunnel),
   lifedur= 3600s and 4608000kb,
   spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0


перезагрузка-то зачем??!! =)))

clear crypto sa


еще в логах

*Apr 24 08:57:36.551: ISAKMP: set new node 0 to QM_IDLE
*Apr 24 08:57:36.551: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.5)
*Apr 24 08:57:36.551: ISAKMP: Error while processing SA request: Failed to initialize SA
*Apr 24 08:57:36.551: ISAKMP: Error while processing KMI message 0, error 2.
*Apr 24 08:57:40.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Apr 24 08:57:40.247: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 24 08:57:40.247: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Apr 24 08:57:40.247: ISAKMP:(0): sending packet to 1.1.1.5 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 24 08:57:40.247: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 24 08:57:43.523: ISAKMP:(0):purging node -808193248
*Apr 24 08:57:43.523: ISAKMP:(0):purging node 412670883
*Apr 24 08:57:44.539: ISAKMP (0): received packet from 1.1.1.5 dport 500 sport 500 Global (R) MM_NO_STATE
*Apr 24 08:57:45.207: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Apr 24 08:57:45.207: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 24 08:57:45.207: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE


local-address=0.0.0.0

вот это непонятно, откуда в ipsec peer


прописал там адрес, но на ситуацию это не повлияло

 local-address=1.1.1.5

