#1 lordsanjay (New Member, joined Apr 2008)

[IPSEC] Mikrotik to Cisco

Friends, I have a question.
I want to set up an IPsec tunnel.

Right now it is running on a Cisco 3845 with a config like this:

    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2

    crypto isakmp key passwordsangatrahasia address 172.20.221.93

    crypto isakmp invalid-spi-recovery

    crypto ipsec security-association lifetime seconds 86400

    crypto ipsec transform-set MYIPSEC esp-3des esp-sha-hmac

    crypto map MYIPSECTUNNEL 30 ipsec-isakmp
    set peer 172.20.221.93
    set transform-set MYIPSEC
    set pfs group2
    match address MYACL
    !

    interface Loopback1
    ip address 172.20.221.94 255.255.255.255
    !

    interface Tunnel1
    ip address 172.20.221.98 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1360
    load-interval 30
    keepalive 10 2
    tunnel source Loopback1
    tunnel destination 172.20.221.93
    crypto map MYIPSECTUNNEL
    !

    ip access-list extended MYACL
    permit ip host 172.20.221.98 host 172.20.221.97
    !
With the Cisco on the other end it already connects, and I can ping 172.20.221.97.
Checking with sh crypto isakmp sa, the SA shows up.

I tried moving it to a Mikrotik, with this configuration:
    [admin@MIKROTIK] > interface print from=LOOPBACK-1 detail
    Flags: D - dynamic, X - disabled, R - running, S - slave
    0 R name="LOOPBACK-1" mtu=1500 type="bridge"

    [admin@MIKROTIK] > interface print from=TUNNEL-1 detail
    Flags: D - dynamic, X - disabled, R - running, S - slave
    0 R name="TUNNEL-1" mtu=1400 type="ipip"

    IP ADDRESS :
    address=172.20.221.94/32 network=172.20.221.94 broadcast=172.20.221.94 interface=LOOPBACK-1
    actual-interface=LOOPBACK-1

    address=172.20.221.98/30 network=172.20.221.96 broadcast=172.20.221.99 interface=TUNNEL-1 actual-interface=TUNNEL-1

    [admin@MIKROTIK] > ip ipsec policy print detail
    Flags: X - disabled, D - dynamic, I - inactive
    0 src-address=172.20.221.98/32:any dst-address=172.20.221.97/32:any protocol=all action=encrypt level=require
    ipsec-protocols=esp tunnel=yes sa-src-address=172.20.221.94 sa-dst-address=172.20.221.93 proposal=default
    manual-sa=none priority=0

    [admin@MIKROTIK] > ip ipsec peer print detail
    Flags: X - disabled
    0 address=172.20.221.93/32:500 auth-method=pre-shared-key secret="passwordsangatrahasia" generate-policy=no
    exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5
    enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

    [admin@MIKROTIK] > ip ipsec proposal print detail
    Flags: X - disabled
    0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=1d pfs-group=modp1024

When I try to ping 172.20.221.97, the log shows:
time=08:47:26 topics=ipsec message="initiate new phase 1 negotiation: 172.20.221.94[500]<=>172.20.221.93[500]"
time=08:47:26 topics=ipsec message="begin Identity Protection mode."
time=08:47:27 topics=ipsec message="received Vendor ID: CISCO-UNITY"
time=08:47:27 topics=ipsec message="received Vendor ID: DPD"
time=08:47:27 topics=ipsec message="received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt"
time=08:47:27 topics=ipsec message="ISAKMP-SA established 172.20.221.94[500]-172.20.221.93[500] spi:21675a7e3b99d443:e9d80e2cd63de703"
time=08:47:28 topics=ipsec message="initiate new phase 2 negotiation: 172.20.221.94[500]<=>172.20.221.93[500]"
time=08:47:28 topics=ipsec message="ignore RESPONDER-LIFETIME notification."
time=08:47:28 topics=ipsec message="attribute has been modified."
time=08:47:28 topics=ipsec message="IPsec-SA established: ESP/Tunnel 172.20.221.93[0]->172.20.221.94[0] spi=143123234(0x887e322)"
time=08:47:28 topics=ipsec message="IPsec-SA established: ESP/Tunnel 172.20.221.94[0]->172.20.221.93[0] spi=1372978830(0x51d5fe8e)"

The status is established, but... there is no reply from 172.20.221.97.
Is something still not right?
Please help, friends.
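
Added example, not part of lordsanjay's post: a small Python parser for the RouterOS IPsec log lines quoted above. It extracts the vendor IDs the peer announces (CISCO-UNITY, DPD and the XAUTH draft together fingerprint an IOS peer), the ISAKMP cookies, and the ESP SPIs per direction, and then answers the triage question the log raises: once an inbound and an outbound IPsec-SA both exist, IKE is not where the fault is, so the problem must be in what the tunnel carries. The LOG string is a constructed copy of the lines above; the function names and the verdict labels are mine.

```python
import re

# Constructed sample: the RouterOS /log lines quoted in the post above, one per line.
LOG = """
time=08:47:26 topics=ipsec message="initiate new phase 1 negotiation: 172.20.221.94[500]<=>172.20.221.93[500]"
time=08:47:26 topics=ipsec message="begin Identity Protection mode."
time=08:47:27 topics=ipsec message="received Vendor ID: CISCO-UNITY"
time=08:47:27 topics=ipsec message="received Vendor ID: DPD"
time=08:47:27 topics=ipsec message="received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt"
time=08:47:27 topics=ipsec message="ISAKMP-SA established 172.20.221.94[500]-172.20.221.93[500] spi:21675a7e3b99d443:e9d80e2cd63de703"
time=08:47:28 topics=ipsec message="initiate new phase 2 negotiation: 172.20.221.94[500]<=>172.20.221.93[500]"
time=08:47:28 topics=ipsec message="ignore RESPONDER-LIFETIME notification."
time=08:47:28 topics=ipsec message="attribute has been modified."
time=08:47:28 topics=ipsec message="IPsec-SA established: ESP/Tunnel 172.20.221.93[0]->172.20.221.94[0] spi=143123234(0x887e322)"
time=08:47:28 topics=ipsec message="IPsec-SA established: ESP/Tunnel 172.20.221.94[0]->172.20.221.93[0] spi=1372978830(0x51d5fe8e)"
"""

MSG = re.compile(r'time=(\S+) topics=ipsec message="(.*)"$')
VENDOR = re.compile(r"received Vendor ID: (.+)")
ISAKMP = re.compile(r"ISAKMP-SA established ([\d.]+)\[\d+\]-([\d.]+)\[\d+\] spi:([0-9a-f]+):([0-9a-f]+)")
IPSEC = re.compile(r"IPsec-SA established: (\S+) ([\d.]+)\[\d+\]->([\d.]+)\[\d+\] spi=\d+\((0x[0-9a-f]+)\)")
NOTICE_PREFIXES = ("ignore ", "attribute has been modified")

def summarize(log):
    """Reduce a RouterOS IPsec log to: peer vendor IDs, phase 1 mode and cookies, ESP SAs, notices."""
    s = {"vendor_ids": [], "phase1_mode": None, "isakmp": None, "child_sas": [], "notices": []}
    for line in log.splitlines():
        m = MSG.match(line.strip())
        if not m:
            continue
        ts, msg = m.groups()
        v, k, p = VENDOR.match(msg), ISAKMP.match(msg), IPSEC.match(msg)
        if v:
            s["vendor_ids"].append(v.group(1))          # CISCO-UNITY/XAUTH/DPD fingerprint the peer as IOS
        elif msg.startswith("begin "):
            # racoon's wording: "Identity Protection" is IKEv1 main mode, "Aggressive" is aggressive mode
            s["phase1_mode"] = "main" if "Identity Protection" in msg else "aggressive"
        elif k:
            local, peer, i_cookie, r_cookie = k.groups()
            s["isakmp"] = {"local": local, "peer": peer, "i_cookie": i_cookie, "r_cookie": r_cookie, "at": ts}
        elif p:
            mode, src, dst, spi = p.groups()
            s["child_sas"].append({"mode": mode, "src": src, "dst": dst, "spi": spi, "at": ts})
        elif msg.startswith(NOTICE_PREFIXES):
            s["notices"].append(msg)                   # usually lifetime attributes that differ between the peers
    return s

def verdict(summary, local, peer):
    """'ike': no ISAKMP-SA, fix phase 1. 'phase2': ISAKMP up but ESP not established in both directions.
    'tunnel-up': an inbound and an outbound IPsec-SA exist, so look at what the tunnel carries, not at IKE."""
    if summary["isakmp"] is None:
        return "ike"
    directions = {(sa["src"], sa["dst"]) for sa in summary["child_sas"]}
    if {(local, peer), (peer, local)} <= directions:
        return "tunnel-up"
    return "phase2"

if __name__ == "__main__":
    s = summarize(LOG)
    print("peer vendor IDs:", s["vendor_ids"])
    print("phase 1:", s["phase1_mode"], s["isakmp"])
    for sa in s["child_sas"]:
        print(f"{sa['mode']} {sa['src']} -> {sa['dst']} spi={sa['spi']}")
    print("notices:", s["notices"])
    print("verdict:", verdict(s, "172.20.221.94", "172.20.221.93"))
```

For the log above the verdict is "tunnel-up": both ESP directions are established, which is exactly why lordsanjay's ping still failing points at the encapsulation inside the tunnel rather than at the peer, proposal or pre-shared key.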


#2 febiubl (Senior Member, Jakarta, joined Jul 2009)

Super discussion, this...
Good timing for me to get ready...
Come on, moderators, enlighten us...

#3 lordsanjay (New Member, joined Apr 2008)

Has anyone set up IPSEC on Mikrotik yet? Please share your config and experience. Maybe something is missing in my config.

One of my questions: is the tunnel interface on Cisco the same as the IP tunnel interface on Mikrotik?

#4 xeon (Verified Account - Partner, DKI Jakarta, joined Mar 2008)

For the policy, don't make it static; to connect to a Cisco it has to be dynamic.

    /ip ipsec peer
    add address=[IP LAWAN]/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=[SECRET] send-initial-contact=yes

    /ip ipsec proposal
    set default auth-algorithms=md5,sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024

Running IPSec on Mikrotik is quite easy; those two are all it takes. I happen to run IPSec from Mikrotik to Cisco myself. At first it looks hard, but once implemented, these two lines alone are enough to get it connected.


#5 febiubl (Senior Member, Jakarta, joined Jul 2009)

Explain the IP peering part, please...

#6 lede_cool (New Member, joined Jan 2008)

Hope this works, bro.

    interface Tunnel1
    ip address 172.20.221.98 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1360
    load-interval 30
    keepalive 10 2
    tunnel source Loopback1
    tunnel destination 172.20.221.93
crypto map MYIPSECTUNNEL


On the tunnel interface, add

tunnel mode ipip

because on Cisco, if I'm not mistaken, the default is GRE.

On Mikrotik the tunnel is set up under

interface ipip, right?
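
Added example, not part of xeon's or lede_cool's posts: a Python checker that reads the Cisco config and the MikroTik print output from this thread and reports where the two ends disagree, covering the phase 1 proposal (encr/hash/group against enc-algorithm/hash-algorithm/dh-group), the phase 2 transform set against the proposal, the PFS group, the encryption domain (crypto ACL against policy src/dst) and the tunnel encapsulation (an IOS Tunnel interface defaults to GRE, the MikroTik interface here is ipip). The two sample strings are constructed from the configs posted above with IOS indentation restored; the algorithm name mapping tables, the field names and the function names are mine. It goes slightly beyond the thread's case by also accepting the comma-separated auth-algorithms list xeon uses and AES/SHA-2/group 14 names.

```python
import re

# Constructed sample input: the Cisco config and the MikroTik "print" output quoted in this thread,
# copied as posted, with IOS sub-commands re-indented by one space as IOS itself prints them.
CISCO_CFG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set MYIPSEC esp-3des esp-sha-hmac
crypto map MYIPSECTUNNEL 30 ipsec-isakmp
 set transform-set MYIPSEC
 set pfs group2
 match address MYACL
interface Tunnel1
 tunnel destination 172.20.221.93
 crypto map MYIPSECTUNNEL
ip access-list extended MYACL
 permit ip host 172.20.221.98 host 172.20.221.97
"""
MIKROTIK_OUT = """
0 R name="TUNNEL-1" mtu=1400 type="ipip"
0 src-address=172.20.221.98/32:any dst-address=172.20.221.97/32:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=172.20.221.94 sa-dst-address=172.20.221.93 proposal=default
0 address=172.20.221.93/32:500 auth-method=pre-shared-key exchange-mode=main hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=1d pfs-group=modp1024
"""

# IOS keywords -> RouterOS names; the two vendors spell the same algorithms differently.
DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
HASH = {"md5": "md5", "sha": "sha1", "sha256": "sha256"}
ENC = {"des": "des", "3des": "3des", "aes": "aes-128-cbc", "aes 192": "aes-192-cbc", "aes 256": "aes-256-cbc"}
ESP_ENC = {"esp-" + k: v for k, v in ENC.items()}
ESP_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
KEYS = ("ike_enc", "ike_hash", "ike_dh", "esp_enc", "esp_auth", "pfs", "tunnel_mode")

def _join_sizes(tokens):  # ['esp-aes', '256', 'esp-sha-hmac'] -> ['esp-aes 256', 'esp-sha-hmac']
    out = []
    for t in tokens:
        if t.isdigit() and out:
            out[-1] += " " + t
        else:
            out.append(t)
    return out

def parse_cisco(cfg):
    c = {"tunnel_mode": "gre"}                 # IOS default for "interface TunnelN" is GRE over IP
    section = []
    for raw in cfg.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if not raw.startswith(" "):            # top-level command: remember which block we are in
            section = words[:2]
            if words[:3] == ["crypto", "ipsec", "transform-set"]:
                toks = _join_sizes(words[4:])
                c["esp_enc"] = next((ESP_ENC[t] for t in toks if t in ESP_ENC), None)
                c["esp_auth"] = next((ESP_AUTH[t] for t in toks if t in ESP_AUTH), None)
            continue
        if section == ["crypto", "isakmp"]:    # phase 1 policy
            if words[0] == "encr":
                c["ike_enc"] = ENC[" ".join(words[1:])]
            elif words[0] == "hash":
                c["ike_hash"] = HASH[words[1]]
            elif words[0] == "group":
                c["ike_dh"] = DH[words[1]]
        elif section == ["crypto", "map"] and words[:2] == ["set", "pfs"]:
            c["pfs"] = DH[words[2].replace("group", "")]
        elif section[:1] == ["interface"] and words[:2] == ["tunnel", "mode"]:
            c["tunnel_mode"] = words[2]
        elif section[:1] == ["ip"] and words[0] == "permit":   # crypto ACL = encryption domain
            c["domain"] = ("all" if words[1] == "ip" else words[1], words[3] + "/32", words[5] + "/32")
    return c

def parse_mikrotik(out):
    m = {}
    for line in out.splitlines():
        kv = {k: v.strip('"') for k, v in KV.findall(line)}
        if "type" in kv:                       # /interface print
            m["tunnel_mode"] = kv["type"]
        elif "dh-group" in kv:                 # /ip ipsec peer print (phase 1)
            m["ike_enc"], m["ike_hash"], m["ike_dh"] = kv["enc-algorithm"], kv["hash-algorithm"], kv["dh-group"]
        elif "pfs-group" in kv:                # /ip ipsec proposal print (phase 2)
            m["esp_enc"], m["esp_auth"], m["pfs"] = kv["enc-algorithms"], kv["auth-algorithms"], kv["pfs-group"]
        elif "src-address" in kv:              # /ip ipsec policy print (encryption domain)
            m["domain"] = (kv.get("protocol", "all"), kv["src-address"].split(":")[0], kv["dst-address"].split(":")[0])
    return m

def check(cisco_cfg, mikrotik_out):
    """Return the mismatches as strings; an empty list means both sides agree."""
    c, m = parse_cisco(cisco_cfg), parse_mikrotik(mikrotik_out)
    problems = [f"{k}: Cisco={c.get(k)} MikroTik={m.get(k)}" for k in KEYS
                if c.get(k) not in set(str(m.get(k)).split(","))]   # RouterOS may list several, e.g. md5,sha1
    if c.get("domain") != m.get("domain"):
        problems.append(f"domain: Cisco={c.get('domain')} MikroTik={m.get('domain')}")
    return problems

if __name__ == "__main__":
    print(check(CISCO_CFG, MIKROTIK_OUT))   # ['tunnel_mode: Cisco=gre MikroTik=ipip']
```

Run against the thread's configs it reports a single mismatch, the GRE-versus-IPIP encapsulation lede_cool points at; inserting "tunnel mode ipip" under interface Tunnel1 (or, on RouterOS versions that have one, using a GRE interface on the MikroTik side) empties the list. Everything both ends do agree on here (3DES, MD5, DH group 2 / modp1024) is legacy; on current IOS and RouterOS you would negotiate AES, SHA-2 and at least modp2048 (group 14), and the mapping tables above already carry those names.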

 

 
