{"id":840,"date":"2013-03-13T10:41:21","date_gmt":"2013-03-13T09:41:21","guid":{"rendered":"http:\/\/diablo.craem.net\/wordpress\/?p=840"},"modified":"2013-03-13T10:41:21","modified_gmt":"2013-03-13T09:41:21","slug":"vpn-ipsec-cisco-asa-y-mikrotik","status":"publish","type":"post","link":"https:\/\/diablo.craem.net\/?p=840","title":{"rendered":"IPsec VPN between Cisco ASA and MikroTik"},"content":{"rendered":"<p>Another post that is just a note.<br \/>\nToday it is time to detail the configuration of an IPsec VPN between a Cisco ASA and a MikroTik x86.<br \/>\nScenario:<br \/>\nHOST<br \/>\n192.168.0.1<br \/>\n<strong><-><\/strong><br \/>\nCISCO ASA<br \/>\n192.168.0.254 <strong>INSIDE<\/strong><br \/>\n1.1.1.1 <strong>OUTSIDE<\/strong><br \/>\n<strong><-><\/strong><br \/>\nINTERNET<br \/>\n<strong><-><\/strong><br \/>\nMIKROTIK<br \/>\n192.168.11.254 <strong>INSIDE<\/strong><br \/>\n2.2.2.2 <strong>OUTSIDE<\/strong><br \/>\n<strong><-><\/strong><br \/>\nHOST<br \/>\n192.168.11.1\/24<br \/>\nWith this layout, we start with the configuration on the MikroTik side:<br \/>\n<code><br \/>\n\/ip ipsec proposal<br \/>\nset [ find default=yes ] auth-algorithms=md5,sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024<br \/>\nadd auth-algorithms=md5,sha1 disabled=no enc-algorithms=3des lifetime=59m59s name=cisco pfs-group=modp1024<br \/>\n\/ip ipsec peer<br \/>\nadd address=1.1.1.1\/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des<br \/>\n    exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d my-id-user-fqdn=\"\" nat-traversal=no port=500 proposal-check=obey<br \/>\n    secret=miSuperSecreto send-initial-contact=yes<br \/>\n\/ip ipsec policy<br \/>\nadd action=encrypt disabled=no dst-address=192.168.0.0\/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all<br \/>\n    sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=192.168.11.0\/24 src-port=any tunnel=yes<br \/>\n\/ip neighbor discovery<br \/>\n<\/code><br \/>\nAnd the NAT rule so that traffic inside the IPsec tunnel is exempt from NAT:<br \/>\n<code><br \/>\n\/ip firewall nat<br \/>\nadd action=accept chain=srcnat disabled=no dst-address=192.168.0.0\/24 src-address=192.168.11.0\/24<br \/>\n<\/code><br \/>\nAnd now the Cisco side:<br \/>\n<code><br \/>\naccess-list 100 remark --> acl deny nat for vpn<br \/>\naccess-list 100 extended permit ip redLocal 255.255.255.0 192.168.11.0 255.255.255.0<br \/>\naccess-list 110 remark --> acl allow_vpn<br \/>\naccess-list 110 extended permit ip redLocal 255.255.255.0 192.168.11.0 255.255.255.0<br \/>\nglobal (outside) 1 interface<br \/>\nnat (inside) 0 access-list 100<br \/>\nnat (inside) 1 192.168.0.0 255.255.255.0<br \/>\ncrypto ipsec transform-set myset esp-3des esp-md5-hmac<br \/>\ncrypto ipsec security-association lifetime seconds 28800<br \/>\ncrypto ipsec security-association lifetime kilobytes 4608000<br \/>\ncrypto dynamic-map dynmap 1 set transform-set myset<br \/>\ncrypto map dyn-map 20 ipsec-isakmp dynamic dynmap<br \/>\ncrypto map dyn-map 30 match address 110<br \/>\ncrypto map dyn-map 30 set peer 2.2.2.2<br \/>\ncrypto map dyn-map 30 set transform-set myset<br \/>\ncrypto map dyn-map interface outside<br \/>\ncrypto isakmp identity address<br \/>\ncrypto isakmp enable outside<br \/>\ncrypto isakmp policy 10<br \/>\n authentication pre-share<br \/>\n encryption 3des<br \/>\n hash md5<br \/>\n group 2<br \/>\n lifetime 86400<br \/>\ncrypto isakmp nat-traversal 10<br \/>\ntunnel-group 2.2.2.2 type ipsec-l2l<br \/>\ntunnel-group 2.2.2.2 ipsec-attributes<br \/>\n pre-shared-key miSuperSecreto<br \/>\n<\/code><br \/>\nWe ping from both ends to generate interesting traffic for the VPN, and we're done!!!!!!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Another post that is just a note. Today it is time to detail the configuration of an IPsec VPN between a Cisco ASA and a MikroTik x86. Scenario: HOST 192.168.0.1 CISCO ASA 192.168.0.254 INSIDE 1.1.1.1 OUTSIDE INTERNET MIKROTIK 192.168.11.254 INSIDE 2.2.2.2 OUTSIDE HOST 192.168.11.1\/24 With this layout, we start with the configuration on the MikroTik side: \/ip ipsec proposal set [ find [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,8],"tags":[],"class_list":["post-840","post","type-post","status-publish","format-standard","hentry","category-cisco","category-varios"],"_links":{"self":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=840"}],"version-history":[{"count":0,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/840\/revisions"}],"wp:attachment":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}