
Godinich Consulting

VPNs Between Mikrotik and 3rd Party Devices

Vince Godinich

TOPICS
- PPTP Mikrotik Client to Cisco Server
- IPSEC Shrew Client To Mikrotik router
- IPSEC Mikrotik router to Cisco IOS router

PPTP Mikrotik Client to Cisco Server
- Configure a Mikrotik router to act as a PPTP client connecting to a Cisco PPTP server in order to connect remote LANs
- Allows replacement of a Cisco branch router with a MikroTik router without changing or replacing the existing Cisco main router

PPTP Mikrotik Client to Cisco Server

[Diagram: Site A PC 192.168.1.79/24 -- Mikrotik Router (Ether2 192.168.1.1/24, Ether1 10.0.0.2/24) -- internet -- Cisco Router (Ether1 10.0.0.1/24, Ether2 192.168.0.1/24) -- Site B Server 192.168.0.2/24]

[Diagram: the same topology with the PPTP tunnel drawn between the Mikrotik router and the Cisco router across the internet]

[Diagram: PPTP tunnel endpoints: Mikrotik pptp-out1 192.168.79.2 and Cisco Virtual-Template1 192.168.79.1; LAN sides Ether2 192.168.1.1/24 (Site A PC 192.168.1.79/24) and Ether2 192.168.0.1/24 (Site B Server 192.168.0.2/24)]

PPTP Mikrotik Client to Cisco Server

Cisco server configuration:

aaa new-model
aaa authentication ppp default local
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15

username pptp_branch password 0 1234

interface Virtual-Template1
 ip address 192.168.79.1 255.255.255.0
 peer default ip address pool PPTP_POOL
 no keepalive
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
ip local pool PPTP_POOL 192.168.79.2

ip nat inside source list nonat interface FastEthernet0/0 overload
ip route 192.168.1.0 255.255.255.0 192.168.79.2
ip access-list extended nonat
 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

PPTP Mikrotik Client to Cisco Server

[Diagram: the same topology (Mikrotik Router Ether1 10.0.0.2/24, Ether2 192.168.1.1/24; Cisco Router Ether1 10.0.0.1/24, Ether2 192.168.0.1/24); verification by ping between the Site A PC 192.168.1.79/24 and the Site B Server 192.168.0.2/24 across the tunnel]
PPTP Mikrotik Client to Cisco Server

Mikrotik client configuration:

/interface pptp-client
add allow=mschap2 connect-to=10.0.0.1 disabled=no mrru=1600 name=pptp-out1 \
    password=1234 user=pptp_branch
/ppp profile
set 1 use-encryption=required
/ip firewall nat
add chain=srcnat dst-address=192.168.0.0/24 out-interface=ether2

IPSEC Shrew Client To Mikrotik
- Configure a Shrew client on a remote PC to connect to a Mikrotik router and access the internal LAN network
- Eliminates the need for the Microsoft VPN client
- Enables one client to be used for remote access to both Mikrotik and Cisco devices, eliminating the need for a Cisco VPN Client
- Easy to import existing Cisco VPN profiles into the Shrew client
- Allows for ease of migration from Cisco devices to Mikrotik routers

IPSEC Shrew Client To Mikrotik

[Diagram: Remote PC 10.0.0.2/24 -- internet -- Mikrotik Router (Ether1 10.0.0.1/24, Ether2 10.10.0.2/22) -- Site A Server 10.10.0.2]

Shrew client download: www.shrew.net/download/vpn

IPSEC Shrew Client To Mikrotik

Exported Shrew profile:

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:0
n:client-dns-used:0
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:phase1-keylen:128
n:phase2-keylen:128
s:network-host:10.10.0.1
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:disable
s:network-frag-mode:disable
s:auth-method:mutual-psk
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:Y3RiNjUx
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:require
s:policy-list-include:10.10.0.0 / 255.255.252.0
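An added example, not part of the presentation: it parses the Shrew profile format shown above (typed `n:`/`s:`/`b:` lines, with the pre-shared key base64-encoded) and restates the phase 1 and phase 2 settings in the terms a RouterOS IPsec peer and proposal use, so the client profile and the router configuration can be compared line by line before the tunnel is brought up. The DH-group-to-modp mapping and the reduced profile excerpt are mine, not the author's.

```python
import base64
import ipaddress

# Constructed excerpt of the Shrew profile shown above, reduced to the keys
# that decide whether the two IPsec peers will agree (values as on the slides).
SHREW_PROFILE = """\
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-keylen:128
n:phase2-life-secs:3600
n:phase2-keylen:128
n:phase2-pfsgroup:2
b:auth-mutual-psk:Y3RiNjUx
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:policy-list-include:10.10.0.0 / 255.255.252.0
"""

# IKE DH group numbers -> the modp names RouterOS uses for dh-group / pfs-group.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}

def parse_shrew_profile(text):
    """Shrew typed key:value lines: n: integer, s: string, b: base64 bytes (the PSK)."""
    profile = {}
    for line in text.splitlines():
        if line.count(":") < 2:
            continue  # blank or malformed line
        kind, key, value = line.split(":", 2)
        if kind == "n":
            profile[key] = int(value)
        elif kind == "b":
            profile[key] = base64.b64decode(value)
        else:
            profile[key] = value
    return profile

def to_routeros_terms(p):
    """State phase 1 / phase 2 the way a RouterOS peer and proposal do (assumed mapping)."""
    net, mask = (part.strip() for part in p["policy-list-include"].split("/"))
    return {
        "phase1": "%s-%d / %s / %s, lifetime %ds" % (p["phase1-cipher"], p["phase1-keylen"],
            p["phase1-hash"], DH_GROUPS[p["phase1-dhgroup"]], p["phase1-life-secs"]),
        "phase2": "%s-%d / %s / pfs %s, lifetime %ds" % (p["phase2-transform"], p["phase2-keylen"],
            p["phase2-hmac"], DH_GROUPS[p["phase2-pfsgroup"]], p["phase2-life-secs"]),
        # Shrew stores "network / netmask"; RouterOS policies take CIDR notation.
        "remote_subnet": str(ipaddress.ip_network(net + "/" + mask)),
        "psk_length": len(p["auth-mutual-psk"]),  # report the length only, never the key
    }
```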

IPSEC Shrew Client To Mikrotik

[Diagram: Remote PC 10.0.0.2/24 -- internet -- Mikrotik Router (Ether1 10.0.0.1/24, Ether2 10.10.0.2/22) -- Site A Server 10.10.0.2; verification by ping from the Remote PC to the Site A Server 10.10.0.2 through the IPSEC tunnel]

IPSEC Cisco IOS or ASA To Mikrotik
- Configure an IPSEC VPN between a Cisco IOS router or ASA and a Mikrotik router
- Allows replacement of a Cisco branch router or ASA with a MikroTik router without changing or replacing the existing Cisco main router

IPSEC Cisco IOS To Mikrotik

[Diagram: Site A PC 192.168.1.2/24 -- Mikrotik router (Ether2 192.168.1.1/24, Ether1 10.0.0.1/24) -- internet -- Cisco router (Ether0/0 10.0.0.2/24, Ether0/1 192.168.0.1/24) -- Site B Server 192.168.0.2/24]

[Screenshots of the Mikrotik IPSEC configuration, annotated: policy with local LAN subnet and remote LAN subnet; policy SA with local WAN address and remote WAN address; peer with remote WAN address and PRESHARED PASSWORD; NAT bypass with local LAN subnet and remote LAN subnet]
IPSEC Cisco IOS To Mikrotik

Cisco IOS configuration:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 1234 address 10.0.0.2 no-xauth
!
!
crypto ipsec transform-set remote esp-aes esp-sha-hmac
!
crypto map remote 5 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set remote
 set pfs group2
 match address remote
!

interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map remote
!
ip nat inside source list nonat interface FastEthernet0/0 overload
ip access-list extended nonat
 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended remote
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!

IPSEC Cisco IOS To Mikrotik

Verification on the Cisco router:

vince_1841#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        10.0.0.2        QM_IDLE           1003 ACTIVE

vince_1841#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: remote, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 121, #pkts encrypt: 121, #pkts digest: 121
    #pkts decaps: 124, #pkts decrypt: 124, #pkts verify: 124
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x23D508(2348296)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x89A2A46B(2309137515)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: remote
        sa timing: remaining key lifetime (k/sec): (4533419/2928)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE


IPSEC Cisco ASA To Mikrotik

[Diagram: Site A PC 192.168.0.2/24 -- Mikrotik router (Ether2 192.168.0.1/24, Ether1 10.0.0.2/24) -- internet -- Cisco ASA (Outside 10.0.0.1/24, Inside 192.168.1.1/24) -- Site B Server 192.168.1.79/24]

[Screenshots of the Mikrotik and ASA IPSEC configuration, annotated: local LAN subnet and remote LAN subnet; source WAN address and remote WAN address; remote WAN address; local LAN subnet and remote LAN subnet; src-nat]
