godinichconsulting mum

Post on 06-Jan-2016


TRANSCRIPT

  • Godinich Consulting

    VPNs Between Mikrotik and 3rd Party Devices

  • Vince Godinich

    experience

  • TOPICS

    PPTP: Mikrotik Client to Cisco Server
    IPSEC: Shrew Client To Mikrotik router
    IPSEC: Mikrotik router to Cisco IOS router

  • PPTP Mikrotik Client to Cisco Server

    Configure a Mikrotik router to act as a PPTP client connecting to a Cisco PPTP server to connect remote LANs

    Allows replacement of a Cisco branch router with a MikroTik router without changing or replacing the existing Cisco main router

  • PPTP Mikrotik Client to Cisco Server

    [Network diagram: Site A PC 192.168.1.79/24 behind the Mikrotik Router (Ether2 192.168.1.1/24, Ether1 10.0.0.2/24); internet; Cisco Router (Ether1 10.0.0.1/24, Ether2 192.168.0.1/24) in front of Site B Server 192.168.0.2/24]

  • PPTP Mikrotik Client to Cisco Server

    [Same network diagram, with the PPTP TUNNEL drawn between the Mikrotik Router and the Cisco Router]

  • PPTP Mikrotik Client to Cisco Server

    [Same network diagram, with the tunnel endpoints shown: Virtual-Template1 192.168.79.1 on the Cisco Router, pptp-out1 192.168.79.2 on the Mikrotik Router]


  • PPTPMikrotik ClienttoCiscoServer

    aaa new-model
    aaa authentication ppp default local
    vpdn enable
    vpdn-group 1
     accept-dialin
      protocol pptp
      virtual-template 1
     l2tp tunnel timeout no-session 15

    username pptp_branch password 01234

  • PPTPMikrotik ClienttoCiscoServer

    interface Virtual-Template1
     ip address 192.168.79.1 255.255.255.0
     peer default ip address pool PPTP_POOL
     no keepalive
     ppp encrypt mppe 128 required
     ppp authentication ms-chap-v2
    ip local pool PPTP_POOL 192.168.79.2

  • PPTPMikrotik ClienttoCiscoServer

    ip nat inside source list nonat interface FastEthernet0/0 overload
    ip route 192.168.1.0 255.255.255.0 192.168.79.2
    ip access-list extended nonat
     deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
     permit ip 192.168.1.0 0.0.0.255 any

  • PPTP Mikrotik Client to Cisco Server

    [Same network diagram, with a Ping test shown across the tunnel between Site A and Site B]


  • PPTPMikrotik ClienttoCiscoServer

    /interface pptp-client add allow=mschap2 connect-to=10.0.0.1 disabled=no mrru=1600 name=pptp-out1 \
        password=1234 user=pptp_branch

    /ppp profile set 1 use-encryption=required

    /ip firewall nat add chain=srcnat dst-address=192.168.0.0/24 out-interface=ether2

  • IPSEC Shrew Client To Mikrotik

    Configure a Shrew client on a remote PC to connect to a Mikrotik router and access the internal LAN network
    Eliminates need for the Microsoft VPN client
    Enables one client to be used for remote access to Mikrotik and Cisco devices, eliminating the need for a Cisco VPN Client
    Easy to import existing Cisco VPN profiles into the Shrew client
    Allows for ease of migration from Cisco devices to Mikrotik routers

  • IPSEC Shrew Client To Mikrotik

    [Network diagram: Remote PC 10.0.0.2/24; internet; Mikrotik Router (Ether1 10.0.0.1/24, Ether2 10.10.0.2/22); Site A Server 10.10.0.2]

  • IPSECShrewClientToMikrotik

    www.shrew.net/download/vpn


  • IPSECShrewClientToMikrotik

    n:version:4
    n:network-ike-port:500
    n:network-mtu-size:1380
    n:client-addr-auto:1
    n:network-natt-port:4500
    n:network-natt-rate:15
    n:network-frag-size:540
    n:network-dpd-enable:0
    n:client-banner-enable:0
    n:network-notify-enable:0
    n:client-dns-used:0
    n:client-dns-auto:0
    n:client-dns-suffix-auto:0
    n:client-splitdns-used:0
    n:client-splitdns-auto:0
    n:client-wins-used:0
    n:client-wins-auto:1
    n:phase1-dhgroup:2
    n:phase1-life-secs:86400
    n:phase1-life-kbytes:0
    n:vendor-chkpt-enable:0
    n:phase2-life-secs:3600
    n:phase2-life-kbytes:0
    n:policy-nailed:0
    n:policy-list-auto:0
    n:phase1-keylen:128
    n:phase2-keylen:128
    s:network-host:10.10.0.1
    s:client-auto-mode:pull
    s:client-iface:virtual
    s:network-natt-mode:disable
    s:network-frag-mode:disable
    s:auth-method:mutual-psk
    s:ident-client-type:address
    s:ident-server-type:address
    b:auth-mutual-psk:Y3RiNjUx
    s:phase1-exchange:main
    s:phase1-cipher:aes
    s:phase1-hash:sha1
    s:phase2-transform:esp-aes
    s:phase2-hmac:sha1
    s:ipcomp-transform:disabled
    n:phase2-pfsgroup:2
    s:policy-level:require
    s:policy-list-include:10.10.0.0/255.255.252.0
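The exported Shrew profile above is plain "type:key:value" lines, so it can be parsed and reviewed before it is handed to users. Added example (not the presentation's code): a parser for that export format, with a review pass over the settings the slide's profile uses (DPD off, DH group 2, SHA-1, a short PSK stored as base64); the profile text and the PSK value are constructed for the example.

```python
import base64

# Constructed sample in Shrew Soft's exported profile format ("type:key:value"
# per line) as shown on the slide; the values here are made up for the example.
SAMPLE_PROFILE = """\
n:version:4
n:network-ike-port:500
n:network-dpd-enable:0
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase2-pfsgroup:2
s:network-host:10.10.0.1
s:auth-method:mutual-psk
b:auth-mutual-psk:ZXhhbXBsZQ==
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:policy-list-include:10.10.0.0/255.255.252.0
"""

def parse_shrew_profile(text):
    """n = integer, s = string, b = base64 binary (how Shrew stores the PSK)."""
    profile = {}
    for line in text.splitlines():
        line = line.strip()
        if line.count(":") < 2:
            continue
        kind, key, value = line.split(":", 2)
        if kind == "n":
            profile[key] = int(value)
        elif kind == "b":
            profile[key] = base64.b64decode(value)
        else:
            profile[key] = value
    return profile

def audit_profile(profile):
    """Findings a reviewer would raise before distributing this profile."""
    findings = []
    if profile.get("network-dpd-enable") == 0:
        findings.append("DPD disabled: stale SAs stay up after the peer vanishes")
    if profile.get("phase1-dhgroup", 99) < 14:
        findings.append("phase1 DH group below 14 (1536-bit MODP or weaker)")
    if "sha1" in (profile.get("phase1-hash"), profile.get("phase2-hmac")):
        findings.append("SHA-1 integrity; prefer SHA-256")
    psk = profile.get("auth-mutual-psk", b"")
    if profile.get("auth-method") == "mutual-psk" and len(psk) < 16:
        findings.append("PSK is %d bytes and base64 only: readable by anyone holding the file" % len(psk))
    return findings
```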


  • IPSEC Shrew Client To Mikrotik

    [Same network diagram: Remote PC 10.0.0.2/24; internet; Mikrotik Router (Ether1 10.0.0.1/24, Ether2 10.10.0.2/22); Site A Server 10.10.0.2]

  • IPSEC Shrew Client To Mikrotik

    [Same network diagram, with a PING test shown from the Remote PC across the tunnel]


  • IPSEC Cisco IOS or ASA To Mikrotik

    Configure an IPSEC VPN between a Cisco IOS router or ASA and a Mikrotik router

    Allows replacement of a Cisco branch router or ASA with a MikroTik router without changing or replacing the existing Cisco main router

  • IPSEC Cisco IOS To Mikrotik

    [Network diagram: Site B Server 192.168.0.2/24 behind the Cisco router (Ether0/1 192.168.0.1/24, Ether0/0 10.0.0.2/24); internet; Mikrotik router (Ether1 10.0.0.1/24, Ether2 192.168.1.1/24) in front of Site A PC 192.168.1.2/24]

  • IPSEC Cisco IOS To Mikrotik

    [Screenshot, labelled: IPSEC]

  • IPSEC Cisco IOS To Mikrotik

    [Screenshot, annotated: Local lan subnet; Remote lan subnet]

  • IPSEC Cisco IOS To Mikrotik

    [Screenshot, annotated: Local wan address; Remote wan address]

  • IPSEC Cisco IOS To Mikrotik

    [Screenshot, annotated: Remote wan address; PRESHARED PASSWORD]

  • IPSEC Cisco IOS To Mikrotik

    [Screenshot, annotated: Local lan subnet; Remote lan subnet]

  • IPSECCiscoIOSToMikrotik

    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key 1234 address 10.0.0.2 no-xauth
    !
    !
    crypto ipsec transform-set remote esp-aes esp-sha-hmac
    !
    crypto map remote 5 ipsec-isakmp
     set peer 10.0.0.2
     set transform-set remote
     set pfs group2
     match address remote
    !

    interface FastEthernet0/0
     ip address 10.0.0.1 255.255.255.0
     ip nat outside
     duplex auto
     speed auto
     crypto map remote
    !
    ip nat inside source list nonat interface FastEthernet0/0 overload
    ip access-list extended nonat
     deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 192.168.0.0 0.0.0.255 any
    !
    ip access-list extended remote
     permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    !

  • IPSECCiscoIOSToMikrotik

    vince_1841#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    10.0.0.1        10.0.0.2        QM_IDLE           1003 ACTIVE

  • IPSECCiscoIOSToMikrotik

    vince_1841#sh crypto ipsec sa

    interface: FastEthernet0/0
        Crypto map tag: remote, local addr 10.0.0.1

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
       current_peer 10.0.0.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 121, #pkts encrypt: 121, #pkts digest: 121
        #pkts decaps: 124, #pkts decrypt: 124, #pkts verify: 124
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

  • IPSEC Cisco IOS To Mikrotik

         local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x23D508(2348296)
         PFS (Y/N): Y, DH group: group2

         inbound esp sas:
          spi: 0x89A2A46B(2309137515)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: FPGA:3, sibling_flags 80000046, crypto map: remote
            sa timing: remaining key lifetime (k/sec): (4533419/2928)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
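The "sh crypto ipsec sa" output above is what confirms the tunnel is actually carrying traffic, not just negotiated. Added example (not from the presentation): it pulls the fields that matter out of output modelled on the slide and flags a tunnel that has an SA but shows no encaps or decaps, or any send/recv errors; the sample text is constructed, with addresses and counters following the slide.

```python
import re

# Constructed sample in the shape of the slide's "sh crypto ipsec sa" output;
# addresses, counters and lifetime follow the slide's values.
SAMPLE_IPSEC_SA = """\
    Crypto map tag: remote, local addr 10.0.0.1
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.0.0.2 port 500
    #pkts encaps: 121, #pkts encrypt: 121, #pkts digest: 121
    #pkts decaps: 124, #pkts decrypt: 124, #pkts verify: 124
    #send errors 0, #recv errors 0
     inbound esp sas:
        sa timing: remaining key lifetime (k/sec): (4533419/2928)
        Status: ACTIVE
"""

_FIELDS = {
    "peer": r"current_peer (\S+)",
    "local_net": r"local\s+ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)",
    "remote_net": r"remote ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "recv_errors": r"#recv errors (\d+)",
    "lifetime_sec": r"remaining key lifetime \(k/sec\): \(\d+/(\d+)\)",
}

def parse_ipsec_sa(text):
    """Extract the health-check fields; numeric captures become ints."""
    sa = {}
    for name, pattern in _FIELDS.items():
        m = re.search(pattern, text)
        if m:
            sa[name] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    sa["active"] = "Status: ACTIVE" in text
    return sa

def tunnel_problems(sa):
    """A healthy tunnel has an ACTIVE SA, traffic in both directions and no errors."""
    problems = []
    if not sa.get("active"):
        problems.append("no ACTIVE inbound SA")
    if sa.get("encaps", 0) == 0:
        problems.append("nothing encrypted: local side is not sending into the tunnel")
    if sa.get("decaps", 0) == 0:
        problems.append("nothing decrypted: peer not sending, or its traffic selector differs")
    if sa.get("send_errors", 0) or sa.get("recv_errors", 0):
        problems.append("send/recv errors present")
    return problems
```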


  • IPSEC Cisco ASA To Mikrotik

    [Network diagram: Site B Server 192.168.1.79/24 behind the Cisco ASA (Inside 192.168.1.1/24, Outside 10.0.0.1/24); internet; Mikrotik router (Ether1 10.0.0.2/24, Ether2 192.168.0.1/24) in front of Site A PC 192.168.0.2/24]

  • IPSEC Cisco ASA To Mikrotik

    [Screenshot, annotated: Local lan subnet; Remote lan subnet]

  • IPSEC Cisco ASA To Mikrotik

    [Screenshot, annotated: Source Wan Address; Remote Wan Address]

  • IPSEC Cisco ASA To Mikrotik

    [Screenshot, annotated: Remote Wan Address]

  • IPSEC Cisco ASA To Mikrotik

    [Screenshot, annotated: Local lan subnet; Remote lan subnet; Srcnat]
