One of our recent projects required connecting a MikroTik-based office gateway to a client's Cisco VPN. That task is a click away if you have access to the Cisco console, or if you can open a support ticket asking someone to change or debug the VPN settings. We started with only a group name, a group password and user credentials, which turned the job into a real challenge. So, if you are in the same situation and cannot check logs or follow the official guidelines, here is our solution.
Cisco VPN: Problem overview
By default, a MikroTik RouterBOARD with firmware older than version 5.0 offers an IPsec VPN interface and settings, but Cisco's proprietary VPN is a modified IPsec, so we were dealing with two incompatible protocols.
Note: This method works only on RouterBOARDs with at least 16 MB of available RAM; the more, the better.
What you need
- RouterOS with the MetaROUTER package or KVM;
- OpenWrt for MIPS arch with MikroTik kernel patches (or KVM, if you have an x86 board).
Solution
Once the image has been uploaded to the router's storage, import it:
[admin@MikroTik] /metarouter> import-image file-name=openwrt-mr-mips-rootfs.tgz memory-size=16 enabled=no
Create an interface for the virtual machine:
[admin@MikroTik] /metarouter interface> add dynamic-bridge=bridge-local type=dynamic virtual-machine=mr3
Note: OpenWrt runs a DHCP server by default, so office clients on bridge-local could receive addresses from it. If that is a risk, block the virtual interface's MAC address with a firewall rule until the configuration is finished.
Start the virtual machine:
[admin@MikroTik] /metarouter> enable mr3
Connect to its console and change the default settings:
[admin@MikroTik] /metarouter> console mr3
Press Enter to activate this console.
You will see:
BusyBox v1.16.1 (2010-04-13 10:25:42 EEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, r20828) ------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  Pour mixture into 10 shot glasses
  * 10 oz lime juice  Add and enjoy!
 ---------------------------------------------------
device eth0 entered promiscuous mode
br-lan: port 1(eth0) entering forwarding state
root@OpenWrt:/# PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 24
nf_conntrack version 0.5.0 (256 buckets, 1024 max)
root@OpenWrt:~# vi /etc/config/network
Change the default values to DHCP or to your static IP:
config interface lan
        option ifname eth0
        option type bridge
        option proto dhcp
        option peerdns 1
Then disable the DHCP server:
root@OpenWrt:~# vi /etc/config/dhcp
config dhcp br-lan
        option interface br-lan
        option ignore 1
Save and restart Dnsmasq:
root@OpenWrt:~# /etc/init.d/dnsmasq restart
Switch off the MikroTik firewall rule for the MetaROUTER interface (if you blocked it earlier) and restart the network on OpenWrt:
root@OpenWrt:~# /etc/init.d/network restart
Check the network address:
root@OpenWrt:~# ifconfig br-lan
br-lan    Link encap:Ethernet  HWaddr 08:00:27:7A:C3:C0
          inet addr:172.16.4.33  Bcast:172.16.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3014430 errors:0 dropped:477823 overruns:0 frame:0
          TX packets:31940 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:401676602 (383.0 MiB)  TX bytes:4923172 (4.6 MiB)
If the interface has the right IP address, go to the next step.
Change the package repository URL and install the vpnc package:
root@OpenWrt:~# vi /etc/opkg.conf
src snapshots http://rnd.rajven.net/openwrt/mikrotik/metarouter/mr-mips/packages
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
Save and install the package:
root@OpenWrt:~# opkg update && opkg install vpnc
Configure vpnc with the gateway address, the group credentials and the user credentials:
root@OpenWrt:~# vi /etc/vpnc/default.conf
IPSec gateway <your-vpn-addr>
IPSec ID <Group name>
IPSec secret <Group password>
Xauth username <Username>
Xauth password <Userpassword>
Save and start:
root@OpenWrt:~# vpnc
Check the result:
root@OpenWrt:~# ifconfig
<....>
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:<ip>  P-t-P:<ip>  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
          RX packets:2661 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2053 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:2573037 (2.4 MiB)  TX bytes:374920 (366.1 KiB)
Add the route to a remote network on the RouterOS. I added all the routes that the VPN client received.
List the routes that vpnc installed on OpenWrt:
root@OpenWrt:~# ip ro | grep tun0
10.0.0.0/24 dev tun0 scope link
10.1.1.0/24 dev tun0 scope link
Then add each of them on the MikroTik, with the virtual machine's address as the gateway:
[admin@MikroTik] > /ip route add dst-address=10.0.0.0/24 gateway=<virtual-machine-ip> distance=1 type=unicast
Repeat this for every route.
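Typing one RouterOS command per route gets tedious when the VPN pushes many networks. The following POSIX shell snippet is an added example, not part of the original post: it reads `ip route` output, keeps only the routes that point at tun0 (including "via" routes, which the page's list does not show), skips any default route so the office gateway's own default route is never replaced, and prints one `/ip route add` command per network in the same form as the command above. The route lines and the VM address 172.16.4.33 (taken from the br-lan output above) are a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): turn the routes vpnc installed
# on tun0 into RouterOS "/ip route add" commands that point at the MetaROUTER
# VM, ready to paste into the MikroTik console.

# Constructed sample of "ip route" output on the OpenWrt VM after vpnc starts.
SAMPLE_ROUTES='10.0.0.0/24 dev tun0 scope link
10.1.1.0/24 dev tun0 scope link
192.168.50.0/24 dev tun0 scope link
10.2.0.0/16 via 10.0.0.1 dev tun0
default via 172.16.0.1 dev br-lan
0.0.0.0/0 via 10.0.0.1 dev eth0'

# routeros_routes VM_IP: read route lines on stdin and print one RouterOS
# command per route whose device is tun0. Default routes are skipped so the
# office gateway's own default route is left untouched.
routeros_routes() {
    vm_ip="$1"
    awk -v gw="$vm_ip" '
        $1 == "0.0.0.0/0" || $1 == "default" { next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) == "tun0") {
                    printf "/ip route add dst-address=%s gateway=%s distance=1 type=unicast\n", $1, gw
                    break
                }
        }'
}

# count_tun0_routes: number of commands generated for the sample above.
count_tun0_routes() {
    printf '%s\n' "$SAMPLE_ROUTES" | routeros_routes "172.16.4.33" | wc -l | tr -d ' '
}

# On the real VM you would run:  ip route | routeros_routes <virtual-machine-ip>
# Here the constructed sample is used instead so the script runs offline.
printf '%s\n' "$SAMPLE_ROUTES" | routeros_routes "172.16.4.33"
```

Paste the printed lines into the RouterOS console, or save them to a file and run them with `/import` on the MikroTik. If the VPN later pushes a different set of networks, rerun the script and compare the output with `/ip route print` on the router before removing stale entries.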
Additionally, you can add a monitoring script to cron that pings a host on the remote network and restarts the connection if the ping fails or the tunnel interface has disappeared:
root@OpenWrt:~# vi /root/bin/vpn-check.sh
#!/bin/sh
#
# Restart vpnc if the host given on the command line cannot be pinged
# or if the tun0 interface is missing.
host="$1"
interface="$(ifconfig | grep '^tun' | awk '{ print $1 }')"
echo "${interface}"
# ping exits non-zero when the single probe is lost; quoting ${interface}
# keeps the test valid when no tun interface exists at all.
if ! ping -q -c 1 "${host}" >/dev/null 2>&1 || [ "${interface}" != "tun0" ]; then
        echo "Not alive ${host}, restarting VPNC"
        /etc/init.d/vpnc stop
        sleep 5
        /etc/init.d/vpnc start
else
        echo "Alive ${host}"
fi
In cron:
root@OpenWrt:~# crontab -l
*/5 * * * * /root/bin/vpn-check.sh <remote-server-addr>
Links
- http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
- http://wiki.mikrotik.com/wiki/Manual:Metarouter
- http://linux.die.net/man/8/vpnc
- https://forum.openwrt.org/viewtopic.php?id=31853
- Links to download a pre-built image.