aqui

Cisco IPsec VPN with Mikrotik or FritzBox


Preamble


The following tutorial is a quick overview of how site-to-site VPN access using the IPsec protocol can be realized with a Cisco IOS or IOS-XE router and popular mass-market routers such as Mikrotik and/or AVM FritzBox.
One characteristic feature used here is Cisco's onboard, stateful Zone Based Firewall (ZFW).
The Cisco router additionally provides L2TP client VPN dial-in access, which makes it possible to reach the network with the standard, onboard L2TP VPN clients embedded in Windows, Apple macOS, Apple iOS and Android as well as Linux.
The basic layer 3 overview of such a setup is shown in the following picture.

(Figure: cisco-zfw-vpn, layer 3 overview of the setup)

In this design the Cisco router acts as the IPsec responder, so that site-to-site VPN client routers and mobile L2TP VPN clients can connect either from dynamic IP addresses or from a static IP address. The Cisco configuration in the next chapter also shows an additional IPsec connection with static peer IP addresses (not shown in the picture above).
Because Cisco's IOS configuration syntax is universal across all models, the configuration can be used for other router models as well.
Enhanced protection for CLI access and authorization secures login access on the virtual terminal lines as well as on the serial console.


Cisco router configuration



Mikrotik configuration


The corresponding Mikrotik VPN configuration shown here is the customized, out-of-the-box default configuration, where eth1 is the firewall-protected WAN port and ports 2 to x form the local LAN, bundled in a bridge to keep the setup as simple as possible. This has to be fine-tuned if VLANs etc. are used.
The configuration is shown both as WinBox screenshots and as the classic CLI configuration via export.

Setting IPsec cipher suites

  • Old and insecure cipher suites like 3DES etc. should be removed here. If a stricter negotiation policy is required, remove the 128-bit and 192-bit checkboxes as well as DH 1024. The recommendation is AES256 with SHA256 and DH group 14 or stronger.
  • Cisco uses a phase 2 (P2) lifetime of 1 hour by default, which should be set in the Mikrotik settings as well. Always use consistent lifetimes on both ends.
(Figure: mtpcrydef, Mikrotik IPsec profile and proposal settings)

VPN peer address and identity setup

(Figure: mtpeer, Mikrotik IPsec peer and identity settings)

Phase 2 policy setup

Two SA policies need to be set up here: one for the local LAN and one for the L2TP client network. Make sure to set the Level setting in the Action menu to unique!
(Figure: mt-p2, Mikrotik IPsec policy settings)
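As an added example (not the tutorial's own export), the cipher suite settings and the two phase 2 policies from the sections above in RouterOS CLI form. All addresses, object names and the pre-shared key are constructed placeholders, and the syntax assumes RouterOS 6.43 or newer (separate peer and identity objects):

```routeros
# Added example, not the tutorial's export. RouterOS 6.43+ syntax.
# Constructed values: Cisco WAN IP 203.0.113.1, Mikrotik LAN 192.168.88.0/24,
# Cisco LAN 10.1.1.0/24, Cisco L2TP client pool 10.1.2.0/24.

# Phase 1 (IKE) profile: AES-256 / SHA-256 / DH group 14 (modp2048) only.
# 3des, sha1 and modp1024 are deliberately left out of the lists.
/ip ipsec profile
add name=cisco-p1 enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 lifetime=1d nat-traversal=yes \
    dpd-interval=30s dpd-maximum-failures=3

# Phase 2 proposal: same suite, PFS with group 14, and the 1 h lifetime the
# Cisco side uses by default so both ends rekey in step.
/ip ipsec proposal
add name=cisco-p2 auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=1h

# Peer and identity: the Mikrotik initiates towards the Cisco responder.
/ip ipsec peer
add name=cisco address=203.0.113.1/32 exchange-mode=main profile=cisco-p1
/ip ipsec identity
add peer=cisco auth-method=pre-shared-key secret="CHANGE-ME-PLACEHOLDER-PSK"

# Two SA policies, one per remote network. level=unique makes each policy
# negotiate its own SA pair instead of sharing one with the other policy.
/ip ipsec policy
add peer=cisco tunnel=yes src-address=192.168.88.0/24 dst-address=10.1.1.0/24 \
    action=encrypt level=unique proposal=cisco-p2 comment="to Cisco LAN"
add peer=cisco tunnel=yes src-address=192.168.88.0/24 dst-address=10.1.2.0/24 \
    action=encrypt level=unique proposal=cisco-p2 comment="to L2TP clients"

# The default configuration masquerades everything leaving the WAN port;
# tunnel traffic must be excluded before that rule or it never matches
# the policies above.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.88.0/24 \
    dst-address=10.1.1.0/24 place-before=0 comment="no NAT for IPsec"
add chain=srcnat action=accept src-address=192.168.88.0/24 \
    dst-address=10.1.2.0/24 place-before=0 comment="no NAT for IPsec"
```

After both ends are configured, `/ip ipsec active-peers print` and `/ip ipsec installed-sa print` should show one established peer and two SA pairs, one per policy.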

Configuration in export format



AVM FritzBox configuration

The FritzBox VPN setup can be done either through the onboard GUI or with a customized VPN configuration file.
The setup GUI is straightforward and finished with a few mouse clicks.
(Figure: fritz2, FritzBox VPN connection setup dialog)
(Figure: fritz1, FritzBox VPN connection overview)
The green button indicates a running, established tunnel.
Further VPN settings can be made with a customized VPN configuration file.


Links with further information


General Cisco router setup:
https://administrator.de/contentid/191718

Cisco, Mikrotik and pfSense with dynamic routing over VPN:
https://administrator.pro/contentid/852176744

Mikrotik VPN Tutorial:
https://administrator.de/contentid/367186

Mikrotik PPPoE setup:
https://administrator.de/contentid/632633

Url: https://administrator.pro/contentid/2145635754

Printed on: October 3, 2022 at 10:10 o'clock