Godinich Consulting
VPNs Between Mikrotik and 3rd Party Devices
-
Vince Godinich
experience
-
TOPICS
PPTP Mikrotik Client to Cisco Server
IPSEC Shrew Client To Mikrotik router
IPSEC Mikrotik router to Cisco IOS router
-
PPTP Mikrotik Client to Cisco Server
Configure a Mikrotik router to act as a PPTP client connecting to a Cisco PPTP server to connect remote lans
Allows replacement of a Cisco branch router with a MikroTik router without changing or replacing existing Cisco main router
-
PPTP Mikrotik Client to Cisco Server
[Diagram: Site A PC 192.168.1.79/24 -- Ether2 192.168.1.1/24 Mikrotik Router Ether1 10.0.0.2/24 -- internet -- Ether1 10.0.0.1/24 Cisco Router Ether2 192.168.0.1/24 -- Site B Server 192.168.0.2/24]
-
PPTP Mikrotik Client to Cisco Server
[Diagram: same topology with the PPTP TUNNEL drawn across the internet between the two routers]
-
PPTP Mikrotik Client to Cisco Server
[Diagram: PPTP tunnel endpoints: Mikrotik pptp-out1 192.168.79.2, Cisco Virtual-Template1 192.168.79.1]
-
PPTP Mikrotik Client to Cisco Server
aaa new-model
aaa authentication ppp default local
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
username pptp_branch password 0 1234
-
PPTP Mikrotik Client to Cisco Server
interface Virtual-Template1
 ip address 192.168.79.1 255.255.255.0
 peer default ip address pool PPTP_POOL
 no keepalive
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
ip local pool PPTP_POOL 192.168.79.2
-
PPTP Mikrotik Client to Cisco Server
ip nat inside source list nonat interface FastEthernet0/0 overload
ip route 192.168.1.0 255.255.255.0 192.168.79.2
ip access-list extended nonat
 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
-
PPTP Mikrotik Client to Cisco Server
[Diagram: same topology as above; Ping from Site A PC 192.168.1.79/24 to Site B Server 192.168.0.2/24 across the tunnel]
-
PPTP Mikrotik Client to Cisco Server
/interface pptp-client add allow=mschap2 connect-to=10.0.0.1 disabled=no mrru=1600 name=pptp-out1 \
    password=1234 user=pptp_branch
/ppp profile set 1 use-encryption=required
/ip firewall nat add chain=srcnat dst-address=192.168.0.0/24 out-interface=ether2
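The following Python is an added consistency check, not code from the slides: it parses constructed copies of the Cisco server-side and MikroTik client-side snippets above and reports where the settings that must agree (credentials, authentication protocol, MPPE requirement, and the route next hop versus the PPTP pool) do not. PPTP with MS-CHAPv2 and MPPE is considered obsolete for new deployments; the check verifies consistency between the two ends, not strength.

```python
import ipaddress
import re

# Constructed copies of the two snippets from the slides, used as sample input.
CISCO_PPTP = """\
username pptp_branch password 0 1234
interface Virtual-Template1
 peer default ip address pool PPTP_POOL
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
ip local pool PPTP_POOL 192.168.79.2
ip route 192.168.1.0 255.255.255.0 192.168.79.2
"""
MIKROTIK_PPTP = """\
/interface pptp-client add allow=mschap2 connect-to=10.0.0.1 disabled=no mrru=1600 name=pptp-out1 password=1234 user=pptp_branch
/ppp profile set 1 use-encryption=required
"""
# Cisco "ppp authentication" keyword -> MikroTik "allow=" keyword
AUTH_MAP = {"ms-chap-v2": "mschap2", "ms-chap": "mschap1", "chap": "chap", "pap": "pap"}

def parse_cisco(cfg):
    user, pw = re.search(r"^username (\S+) password (?:\d )?(\S+)", cfg, re.M).groups()
    pools = re.findall(r"^ip local pool \S+ (\S+)(?: (\S+))?", cfg, re.M)  # "start [end]"
    return {"user": user, "password": pw,
            "auth": re.search(r"^\s*ppp authentication (\S+)", cfg, re.M).group(1),
            "mppe_required": bool(re.search(r"^\s*ppp encrypt mppe \d+ required", cfg, re.M)),
            "pool": [(ipaddress.ip_address(a), ipaddress.ip_address(b or a)) for a, b in pools],
            "route_nh": re.findall(r"^ip route \S+ \S+ (\S+)", cfg, re.M)}

def parse_mikrotik(cmds):
    return dict(re.findall(r"(\S+)=(\S+)", cmds))  # key=value pairs from both commands

def check_pptp(cisco_cfg, mikrotik_cmds):
    """Return mismatches between the two ends; an empty list means they agree."""
    c, m, findings = parse_cisco(cisco_cfg), parse_mikrotik(mikrotik_cmds), []
    if (c["user"], c["password"]) != (m.get("user"), m.get("password")):
        findings.append("username/password differ between Cisco and MikroTik")
    allowed = set(m.get("allow", "").split(","))
    if AUTH_MAP.get(c["auth"]) not in allowed:
        findings.append(f"Cisco wants {c['auth']} but MikroTik allows {sorted(allowed)}")
    if c["mppe_required"] and m.get("use-encryption") != "required":
        findings.append("Cisco requires MPPE but MikroTik profile lacks use-encryption=required")
    for nh in c["route_nh"]:  # the LAN route must point at an address the pool hands out
        ip = ipaddress.ip_address(nh)
        if not any(lo <= ip <= hi for lo, hi in c["pool"]):
            findings.append(f"route next hop {nh} is outside the PPTP pool")
    return findings
```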
-
IPSEC Shrew Client To Mikrotik
Configure a Shrew client on remote PC to connect to a Mikrotik router and access internal lan network
Eliminates need for Microsoft VPN client
Enables one client to be used for remote access to Mikrotik and Cisco devices eliminating need for a Cisco VPN Client
Easy to import existing Cisco VPN profiles into Shrew client
Allows for ease of migration from Cisco devices to Mikrotik routers
-
IPSEC Shrew Client To Mikrotik
[Diagram: Remote PC 10.0.0.2/24 -- internet -- Ether1 10.0.0.1/24 Mikrotik Router Ether2 10.10.0.2/22 -- Site A Server 10.10.0.2]
-
IPSEC Shrew Client To Mikrotik
www.shrew.net/download/vpn
-
IPSEC Shrew Client To Mikrotik
n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:0
n:client-dns-used:0
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:0
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:phase1-keylen:128
n:phase2-keylen:128
s:network-host:10.10.0.1
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:disable
s:network-frag-mode:disable
s:auth-method:mutual-psk
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:Y3RiNjUx
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:require
s:policy-list-include:10.10.0.0/255.255.252.0
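As an added example, not part of the slides, this Python reads a Shrew .vpn profile of the form above (type:key:value lines, where n: is an integer, s: a string and b: a base64-encoded value), converts the include list to the CIDR form a MikroTik IPsec policy takes, and flags the settings a reviewer would want changed on both the client and the router before rolling the profile out. The embedded profile is a constructed subset of the one above, with the slide's demo PSK.

```python
import base64
import ipaddress

# Constructed subset of the Shrew profile from the slide (PSK value as on the slide).
SHREW_PROFILE = """\
n:version:4
n:network-dpd-enable:0
n:phase1-dhgroup:2
n:phase1-keylen:128
s:network-host:10.10.0.1
s:network-natt-mode:disable
s:auth-method:mutual-psk
b:auth-mutual-psk:Y3RiNjUx
s:phase1-exchange:main
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
n:phase2-pfsgroup:2
s:policy-list-include:10.10.0.0/255.255.252.0
"""

def parse_shrew(text):
    """Each line is type:key:value; n = integer, s = string, b = base64 bytes."""
    prof = {}
    for line in filter(None, text.splitlines()):  # skip blank lines
        typ, key, value = line.split(":", 2)
        prof[key] = int(value) if typ == "n" else base64.b64decode(value) if typ == "b" else value
    return prof

def policy_subnet(prof):
    """Shrew stores the include list as addr/netmask; MikroTik policies take CIDR."""
    return str(ipaddress.ip_network(prof["policy-list-include"], strict=False))

def audit(prof):
    """Settings a reviewer would want changed; the MikroTik peer must change with them."""
    findings = []
    for key in ("phase1-dhgroup", "phase2-pfsgroup"):
        if 0 < prof.get(key, 0) < 14:
            findings.append(f"{key} {prof[key]} is a MODP group below 2048 bits (group 14)")
    for key in ("phase1-hash", "phase2-hmac"):
        if prof.get(key) == "sha1":
            findings.append(f"{key} uses SHA-1; prefer SHA-256 if both ends support it")
    if prof.get("network-dpd-enable") == 0:
        findings.append("dead peer detection disabled; stale SAs will linger after a drop")
    if prof.get("network-natt-mode") == "disable":
        findings.append("NAT-T disabled; the client will not work from behind NAT")
    if prof.get("auth-method") == "mutual-psk" and len(prof.get("auth-mutual-psk", b"")) < 16:
        findings.append("pre-shared key is shorter than 16 bytes")
    return findings
```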
-
IPSEC Shrew Client To Mikrotik
[Diagram: same topology as above; PING from the Remote PC 10.0.0.2/24 to the Site A Server 10.10.0.2 through the tunnel]
-
IPSEC Cisco IOS or ASA To Mikrotik
Configure an IPSEC VPN between a Cisco IOS router or ASA and a Mikrotik router
Allows replacement of a Cisco branch router or ASA with a MikroTik router
without changing or replacing existing Cisco main router
-
IPSEC Cisco IOS To Mikrotik
[Diagram: Site B Server 192.168.0.2/24 -- Ether0/1 192.168.0.1/24 Cisco router Ether0/0 10.0.0.2/24 -- internet -- Ether1 10.0.0.1/24 Mikrotik router Ether2 192.168.1.1/24 -- Site A PC 192.168.1.2/24]
-
IPSEC Cisco IOS To Mikrotik
[Screenshot: Mikrotik IPSEC menu]
-
IPSEC Cisco IOS To Mikrotik
[Screenshot: fields shown are Local lan subnet and Remote lan subnet]
-
IPSEC Cisco IOS To Mikrotik
[Screenshot: fields shown are Local wan address and Remote wan address]
-
IPSEC Cisco IOS To Mikrotik
[Screenshot: fields shown are Remote wan address and PRESHARED PASSWORD]
-
IPSEC Cisco IOS To Mikrotik
[Screenshot: fields shown are Local lan subnet and Remote lan subnet]
-
IPSEC Cisco IOS To Mikrotik
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key 1234 address 10.0.0.2 no-xauth
!
!
crypto ipsec transform-set remote esp-aes esp-sha-hmac
!
crypto map remote 5 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set remote
 set pfs group2
 match address remote
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map remote
!
ip nat inside source list nonat interface FastEthernet0/0 overload
ip access-list extended nonat
 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended remote
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
-
IPSEC Cisco IOS To Mikrotik
vince_1841#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.1        10.0.0.2        QM_IDLE           1003 ACTIVE
-
IPSEC Cisco IOS To Mikrotik
vince_1841#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: remote, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 121, #pkts encrypt: 121, #pkts digest: 121
    #pkts decaps: 124, #pkts decrypt: 124, #pkts verify: 124
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
-
IPSEC Cisco IOS To Mikrotik
     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x23D508(2348296)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x89A2A46B(2309137515)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: remote
        sa timing: remaining key lifetime (k/sec): (4533419/2928)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
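Added example, not from the slides: a parser for the show crypto ipsec sa fields that matter for tunnel health, followed by the checks an operator runs after bring-up (traffic in both directions, integrity failures, send/receive errors, PFS and anti-replay). The sample output is a constructed, trimmed copy of the one above.

```python
import re

# Constructed, trimmed copy of the "sh crypto ipsec sa" output from the slide.
SHOW_IPSEC_SA = """\
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.0.0.2 port 500
    #pkts encaps: 121, #pkts encrypt: 121, #pkts digest: 121
    #pkts decaps: 124, #pkts decrypt: 124, #pkts verify: 124
    #send errors 0, #recv errors 0
     PFS (Y/N): Y, DH group: group2
     inbound esp sas:
      spi: 0x89A2A46B(2309137515)
        transform: esp-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4533419/2928)
        replay detection support: Y
        Status: ACTIVE
"""

FIELDS = {  # single-valued fields and the regex that captures each
    "peer": r"current_peer (\S+) port",
    "local_ident": r"local\s+ident .*?: \(([\d.]+/[\d.]+)/",
    "remote_ident": r"remote ident .*?: \(([\d.]+/[\d.]+)/",
    "pfs": r"PFS \(Y/N\): (\w)",
    "inbound_spi": r"inbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)",
    "replay": r"replay detection support: (\w)",
    "status": r"Status: (\w+)",
}

def parse_ipsec_sa(text):
    """Return the fields above plus packet counters, error counts and remaining lifetime."""
    sa = {k: (m.group(1) if (m := re.search(p, text)) else None) for k, p in FIELDS.items()}
    sa["counters"] = {k: int(v) for k, v in re.findall(r"#pkts (\w+): (\d+)", text)}
    sa["send_errors"], sa["recv_errors"] = map(int, re.search(r"#send errors (\d+), #recv errors (\d+)", text).groups())
    sa["remaining_kb"], sa["remaining_sec"] = map(int, re.search(r"\(k/sec\): \((\d+)/(\d+)\)", text).groups())
    return sa

def health(sa):  # empty list = SA up, traffic both ways, integrity intact
    c, findings = sa["counters"], []
    if sa["status"] != "ACTIVE":
        findings.append(f"SA status is {sa['status']}")
    if c.get("encaps", 0) == 0 or c.get("decaps", 0) == 0:
        findings.append("traffic is one-way or absent; check crypto ACL mirror and NAT exemption")
    if c.get("verify", 0) < c.get("decrypt", 0):
        findings.append(f"{c['decrypt'] - c['verify']} inbound packets failed the integrity check")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append("send/recv errors present on the SA")
    if sa["pfs"] != "Y" or sa["replay"] != "Y":
        findings.append("PFS or anti-replay is off")
    return findings
```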
-
IPSEC Cisco ASA To Mikrotik
[Diagram: Site A PC 192.168.0.2/24 -- Ether2 192.168.0.1/24 Mikrotik router Ether1 10.0.0.2/24 -- internet -- Outside 10.0.0.1/24 Cisco ASA Inside 192.168.1.1/24 -- Site B Server 192.168.1.79/24]
-
IPSEC Cisco ASA To Mikrotik
[Screenshot: fields shown are Local lan subnet and Remote lan subnet]
-
IPSEC Cisco ASA To Mikrotik
[Screenshot: fields shown are Source Wan Address and Remote Wan Address]
-
IPSEC Cisco ASA To Mikrotik
[Screenshot: field shown is Remote Wan Address]
-
IPSEC Cisco ASA To Mikrotik
[Screenshot: fields shown are Local lan subnet, Remote lan subnet and Srcnat]