IPSec VPN Configuration Between MikroTik and Cisco
Creating a secure IPSec VPN between MikroTik and Cisco devices allows encrypted communication across remote sites. This guide shows how to configure a site-to-site IPSec tunnel between MikroTik RouterOS and Cisco IOS using clear, direct steps and real configuration examples.
Table of Contents
- 1. Why Use IPSec VPN Between MikroTik and Cisco?
- 2. Prerequisites
- 3. Network Topology
- 4. MikroTik IPSec Configuration
- 5. Cisco Router IPSec Configuration (IOS)
- 6. Verify VPN Tunnel
- 7. Troubleshooting Tips
- 8. MikroTik NAT Bypass Rule (If Needed)
- 9. Security Recommendations
- 10. Performance Tips
- 11. Conclusion
- 12. FAQ

1. Why Use IPSec VPN Between MikroTik and Cisco?
- Secure site-to-site communication
- Connect branch offices or data centers
- Enable encrypted tunnels over public networks
- Support for multi-vendor environments

2. Prerequisites
- MikroTik RouterOS (v6.45+ or v7.x recommended)
- Cisco Router with IOS or IOS XE
- Static public IP on both ends
- IP address plan for LANs
- Open ports: UDP 500, UDP 4500, ESP (IP protocol 50)

3. Network Topology
| | Site A (MikroTik) | Site B (Cisco) |
|---|---|---|
| LAN | 192.168.10.0/24 | 192.168.20.0/24 |
| WAN IP | 1.1.1.1 | 2.2.2.2 |
4. MikroTik IPSec Configuration
1: Define the IPSec Proposal (Phase 2)
```
/ip ipsec proposal add name="vpn-proposal" auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp1024
```
`pfs-group` has to agree with the Cisco crypto map: `set pfs group2` there is DH group 2 (modp1024), so `pfs-group=none` on this side would make Phase 2 fail with a proposal mismatch.
2: Create Profile and Peer Settings (Phase 1)
On the RouterOS versions listed in the prerequisites, the Phase 1 algorithms live in a profile and the pre-shared key in an identity (step 4), not on the peer entry itself.
```
/ip ipsec profile add name="vpn-profile" enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp1024 lifetime=1d
/ip ipsec peer add name="cisco" address=2.2.2.2/32 exchange-mode=main profile=vpn-profile
```
3: Configure IPSec Policy
```
/ip ipsec policy
add peer=cisco src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 \
    tunnel=yes action=encrypt proposal=vpn-proposal
```
4: Set Identity (pre-shared key)
```
/ip ipsec identity add peer=cisco auth-method=pre-shared-key secret="YourSharedKey" generate-policy=no
```
5: Allow IPSec in Firewall
```
/ip firewall filter
add chain=input protocol=ipsec-esp action=accept comment="IPsec ESP"
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T"
```
Both rules must sit above any drop rule in the input chain; add `src-address=2.2.2.2` to them if only this peer should be able to reach the router's IKE and ESP ports.
5. Cisco Router IPSec Configuration (IOS)
1: Define ISAKMP Policy (Phase 1)
```
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 86400
```
2: Set Pre-shared Key
```
crypto isakmp key YourSharedKey address 1.1.1.1
```
3: Define IPSec Transform Set (Phase 2)
```
crypto ipsec transform-set TRANS1 esp-aes 256 esp-sha256-hmac
 mode tunnel
```
4: Create Access List for Interesting Traffic
```
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
```
5: Apply Crypto Map
```
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TRANS1
 match address 110
 set pfs group2
```
6: Apply Crypto Map to Interface
```
interface GigabitEthernet0/1
 crypto map VPN-MAP
```
6. Verify VPN Tunnel
On MikroTik:
- Go to IP → IPSec → Active Peers: the remote IP should be listed
- Go to Installed SAs: confirm SPI values and tunnel state

On Cisco:
```
show crypto isakmp sa
show crypto ipsec sa
```
7. Troubleshooting Tips
| Issue | Cause | Fix | 
|---|---|---|
| Tunnel not forming | IP mismatch or pre-shared key | Verify peer IPs and key | 
| Phase 2 fails | Proposal mismatch | Align proposals on both devices | 
| No traffic over tunnel | Missing ACL or routing | Check crypto ACL and static routes | 
| NAT interference | No NAT bypass | Add NAT exclusion rule on MikroTik | 
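Most rows in the table come down to the two sides disagreeing on one parameter, which is easy to miss by eye across two vendors' syntaxes. As an added example (not part of this guide, and not a MikroTik or Cisco tool), the Python script below parses the proposal, transform set, PFS and crypto ACL lines from both sides, maps RouterOS names to their IOS keywords, and lists what does not line up; the lookup table and the sample configs are constructed from the values used in this guide.

```python
import re
from ipaddress import ip_network
# RouterOS names on the left, the matching Cisco IOS keywords on the right
# (constructed lookup table covering the values this guide uses).
CISCO_EQUIV = {"aes-256-cbc": "esp-aes 256", "aes-128-cbc": "esp-aes 128",
               "sha256": "esp-sha256-hmac", "sha1": "esp-sha-hmac", "none": None,
               "modp1024": "group2", "modp1536": "group5", "modp2048": "group14"}

def parse_mikrotik(text):
    """Collect key=value pairs from the RouterOS proposal and policy commands."""
    return dict(re.findall(r'([\w-]+)="?([\w./-]+)"?', text))

def parse_cisco(text):
    """Pull the transform set, PFS group and crypto ACL out of IOS lines."""
    ts = re.search(r"transform-set \S+ (esp-\S+(?: \d+)?) (esp-\S+-hmac)", text)
    pfs = re.search(r"set pfs (group\d+)", text)  # no 'set pfs' line means PFS off
    acl = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", text)
    # IOS ACLs carry wildcard masks; ipaddress accepts them as hostmasks.
    return {"enc": ts.group(1), "auth": ts.group(2), "pfs": pfs and pfs.group(1),
            "src": ip_network(f"{acl.group(1)}/{acl.group(2)}"),
            "dst": ip_network(f"{acl.group(3)}/{acl.group(4)}")}

def compare_sides(mikrotik_text, cisco_text):
    """Return the list of mismatches; an empty list means Phase 2 lines up."""
    m, c = parse_mikrotik(mikrotik_text), parse_cisco(cisco_text)
    problems = []
    for label, mk_key, c_key in (("encryption", "enc-algorithms", "enc"),
                                 ("authentication", "auth-algorithms", "auth"),
                                 ("pfs", "pfs-group", "pfs")):
        if CISCO_EQUIV.get(m.get(mk_key)) != c[c_key]:
            problems.append(f"{label}: MikroTik {m.get(mk_key)} vs Cisco {c[c_key]}")
    # The crypto ACL must mirror the MikroTik policy: Cisco src == MikroTik dst.
    if (c["src"], c["dst"]) != (ip_network(m["dst-address"]), ip_network(m["src-address"])):
        problems.append(f"crypto ACL {c['src']}->{c['dst']} does not mirror policy "
                        f"{m['src-address']}->{m['dst-address']}")
    return problems

# Constructed sample from this guide's values: pfs-group=none vs 'set pfs group2'.
MIKROTIK_CFG = """/ip ipsec proposal add name="vpn-proposal" auth-algorithms=sha256 \
enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec policy add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
tunnel=yes proposal=vpn-proposal"""
CISCO_CFG = """crypto ipsec transform-set TRANS1 esp-aes 256 esp-sha256-hmac
access-list 110 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
crypto map VPN-MAP 10 ipsec-isakmp
 set pfs group2"""

if __name__ == "__main__":
    for line in compare_sides(MIKROTIK_CFG, CISCO_CFG) or ["Phase 2 parameters match"]:
        print(line)
```

Paste your own export from each router in place of the two sample strings; an empty result means the encryption, authentication, PFS and traffic selectors agree.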
8. MikroTik NAT Bypass Rule (If Needed)
```
/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=accept place-before=0
```
The accept rule has to come before the masquerade rule; otherwise LAN traffic is source-NATed before the IPsec policy sees it and never matches. `place-before=0` puts it at the top of the chain, above an existing masquerade rule.
9. Security Recommendations
- Use IKEv2 where possible
- Use AES-256 and SHA-256
- Enable Dead Peer Detection (DPD)
- Rotate keys regularly

10. Performance Tips
- Enable Fast Path on MikroTik
- Use hardware encryption if available
- Monitor CPU and traffic:

```
/tool profile
/interface monitor-traffic ether1
```
Replace `ether1` with the name of your WAN interface.
11. Conclusion
MikroTik and Cisco routers can establish a stable IPSec VPN with proper configuration. Focus on matching policies, avoiding NAT conflicts, and securing your keys. Test each phase and monitor traffic flow.
12. FAQ
Q: Can MikroTik use IKEv2 with Cisco?
A: Yes. Both support IKEv2. MikroTik requires RouterOS v6.40+.
Q: What encryption algorithms are compatible?
A: AES-128/256 and SHA-1/SHA-256 are common on both platforms.
Q: How can I log IPSec errors on MikroTik?
A: Use `/log print where message~"ipsec"` or enable detailed logging with `/system logging`.