How to Сonnect MikroTik to Cisco VPN

One of our recent projects required connecting a MikroTik-based office gateway to a client’s Cisco VPN. That task is just a click-away if you have access to a Cisco console or if you can create a support ticket for asking to change or debug VPN settings. We started with only a group name, a group password, and user credentials, which turned the issue into a true challenge. So, if you are in the same situation and cannot check logs or follow official guidelines, check out our solution.

Cisco VPN: Problem overview

By default, a MikroTik RouterBOARD with firmware older than version 5.0 offers an IPsec VPN interface and settings, but Cisco’s proprietory VPN is a modified IPsec, so we were dealing with two incompatible protocols.

Note: This method works only on RouterBOARDs with at least 16 MB of available RAM, the more — the better.

What you need

• RouterOS with the Metrouter package or KVM;
• OpenWrt for MIPS arch with MikroTik kernel patches (or KVM, if you have an x86 board).

Solution

After you load an image to router memory, import the image following instructions.

Import image:

[admin@MikroTik] >/metarouter> import-image file-name=openwrt-mr-mips-rootfs.tgz memory-size=16 enabled=no

Create an interface for a virtual machine:

[admin@MikroTik] >/metarouter interface> add dynamic-bridge=bridge-local type=dynamic virtual-machine=mr3

Note: OpenWrt provides a DHCP server by default. If you feel that your client might get an incorrect IP, you should block the interface’s MAC address using a firewall while you are configuring.

Begin with:

[admin@MikroTik] >/metarouter> enable mr3

Connect to the console and change the default settings:

[admin@MikroTik] >/metarouter> console mr3

Press Enter to activate this console.

You will see:

BusyBox v1.16.1 (2010-04-13 10:25:42 EEST) built-in shell (ash)

Enter “Help” for a list of built-in commands.

You will see:

_______                    ________       __
|       |.—–.—–.—–.|  |  |  |.—-.|  |_
|   –   ||  _  | -__|     ||  |  | ||    _||   _|
|_______||  __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
KAMIKAZE (bleeding edge, r20828) ——————
* 10 oz Vodka Shake well with ice and strain
* 10 oz Triple sec Pour mixture into 10 shot glasses
* 10 oz lime juice Add and enjoy!
—————————————————
device eth0 entered promiscuous mode
br-lan: port 1(eth0) entering forwarding state
root@OpenWrt:/# PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 24
nf_conntrack version 0.5.0 (256 buckets, 1024 max)

root@OpenWrt:~# vi /etc/config/network

Change default values to dhcp or your static ip.

config interface lan 
option ifname eth0 
option type bridge 
option proto dhcp 
option peerdns 1

After disabling the DHCP server:

root@OpenWrt:~# vi /etc/config/dhcp

config dhcp br-lan 
option interface br-lan 
option ignore 1

Save and restart Dnsmasq:

root@OpenWrt:~# /etc/init.d/dnsmasq restart

Switch off MikroTik firewall rule for the metarouter interface (if you have blocked it previously) and restart network on OpenWrt:

root@OpenWrt:~# /etc/init.d/network restart

Check network address:

root@OpenWrt:~# ifconfig br-lan

br-lan Link encap:Ethernet HWaddr 08:00:27:7A:C3:C0
inet addr:172.16.4.33 Bcast:172.16.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3014430 errors:0 dropped:477823 overruns:0 frame:0
TX packets:31940 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:401676602 (383.0 MiB) TX bytes:4923172 (4.6 MiB)

If interface has assigned the right IP address, go to next step.

Change the package repo URL and install the VPNC package:

root@OpenWrt:~# vi /etc/opkg.conf

src snapshots http://rnd.rajven.net/openwrt/mikrotik/metarouter/mr-mips/packages 
dest root/ 
dest ram/tmp 
lists_dir ext /var/opkg-lists 
option overlay_root/overlay

Save and install the package:

#opkg update && opkg install vpnc

Configure:

root@OpenWrt:~# vi /etc/vpnc/default.conf 
IPSec gateway <your-vpn-addr> 
IPSec ID <Group name> 
IPSec secret <Group password> 
Xauth username <Username> 
Xauth password <Userpassword>

Save and start:

root@OpenWrt:~# vpnc

Check results:

root@OpenWrt:~# ifconfig

<….>
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:<ip> P-t-P:<ip> Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1
RX packets:2661 errors:0 dropped:0 overruns:0 frame:0
TX packets:2053 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:2573037 (2.4 MiB) TX bytes:374920 (366.1 KiB)

Add the route to a remote network on the RouterOS. I added all the routes that the VPN client received.

Use these routes on Openwrt:

root@OpenWrt:~# ip ro | grep tun0

10.0.0.0/24 dev tun0 scope link
10.1.1.0/24 dev tun0 scope link

On Mikrotik:

[admin@MikroTik] >/ip route add dst-address=10.0.0.0/24 gateway=<virtual-machine-ip> distance=1 type=unicast

And repeat this procedure for every route.

Additionally, you can add a monitoring script on Cron, which pings the remote network and restarts the connection, if packets become lost:

root@OpenWrt:~# vi /root/bin/vpn-check.sh 
#!/bin/sh 
# 
# Restart VPNC if both of the specified hosts on the command line are unavailable 
interface="$(ifconfig | grep tun | awk '{ print $1 }')" 
echo ${interface} 
<p>if ! [ $(ping -q -c 1 ${1} 2>&1 | grep "1 packets received" | sed "s/.*\(1\) packets received.*/\1/") ] || ! [ ${interface} == 'tun0' ];<br> then<br> echo Not alive $1, restarting VPNC<br> /etc/init.d/vpnc stop<br> sleep 5<br> /etc/init.d/vpnc start<br> else<br> echo Alive $1<br> fi</p>

On Cron:

root@OpenWrt:~# crontab -l 
*/5 * * * * /root/bin/vpn-check.sh <remote-server-addr>

Links

• http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
• http://wiki.mikrotik.com/wiki/Manual:Metarouter
• http://linux.die.net/man/8/vpnc
• https://forum.openwrt.org/viewtopic.php?id=31853
• Links to download a pre-built image.