Ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.0.0/24 action=accept place-before=0ĬLI ip ipsec proposal add name=MyProposal auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=none Ip firewall filter add chain=input proto=udp port=4500 action accept place-before=0 Ip firewall filter add chain=input proto=udp port=500 action accept place-before=0 Ip firewall filter add chain=input proto=ipsec-esp action=accept place-before=0 Ip firewall filter add chain=input proto=ipsec-ah action=accept place-before=0 On Console the configuration looks like this: You need to add a rule with ACCEPT source LOCAL_LAN (192.168.88.0/24 in this example) destination REMOTE_LAN (192.168.0.0/24 in this example). On NAT channel, SRCNAT you need have the rule involving interesting traffic (local LAN subnets for example) before NAT masquerade. You can check logs if you want to troubleshoot. It may be that you don’t need all these ports, but you can close them later. On INPUT channel allow the following on the interface facing Internet You need to be sure that at least the IPsec packets are able to be accepted inbound on the WAN interface, so the below rules needs to be placed before the rule dropping packets (the Firewal rules are checked top-down) Mikrotik Configurationīy default, the Mikrotik comes with the INPUT channel that drop the connection incoming on ether1-gateway (which is the WAN interface). In this way the below configuration will be easier to understand. The red line represent the IPsec VPN tunnel. I did test the entire construct in GNS3 integrated with Mikrotik.
For today, I will replace the Linux device with a Cisco.
Cisco ipsec vpn client v5 how to#
Not long ago I wrote an article on how to configure an IPsec VPN using Mikrotik and Linux devices.