Friday, October 30, 2020

IPSEC Mikrotik integration with Cisco

I spent a good portion of this week working on an IPsec/GRE BGP connection to a third-party vendor. They are using Cisco and we are using Mikrotik. For those who encounter this combination, perhaps I can save you the time and headache of searching through Cisco and Mikrotik documentation and troubleshooting. This may be common knowledge, but if the Cisco router is using route-based IPsec, it will send over a traffic selector of 0.0.0.0/0. If this is the only way the vendor is willing to configure the tunnel, you can create a few IPsec policies to exclude non-interesting traffic from the tunnel and then a policy for 0.0.0.0/0. Non-interesting traffic should include your management network and any networks traversing the GRE tunnel. The downfall of this method is that you will now need to create an exception for each network you want to route over the GRE tunnel. Alternatively, just get the vendor to use ACL-based IPsec.
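As an added illustration (this is not configuration from the original post or from the vendor), here is what that policy layout looks like on RouterOS: bypass policies for the management network and for everything that must reach the GRE interface, followed by the 0.0.0.0/0 policy that matches the Cisco VTI's selector. Every address, name and algorithm below is an assumed placeholder; the peer addresses, the GRE link subnet and the prefixes exchanged over BGP are whatever your deployment actually uses.

```routeros
# Added example (not the original author's config): RouterOS policy layout for a
# Cisco peer that proposes 0.0.0.0/0 <-> 0.0.0.0/0 traffic selectors.
# All addresses are placeholder assumptions; replace with your own.
#   203.0.113.10      - vendor's Cisco public address (IKE peer and GRE endpoint)
#   198.51.100.5      - our Mikrotik public address
#   10.10.0.0/24      - our management network (must never enter the tunnel)
#   169.254.100.0/30  - GRE link subnet carrying the BGP session
#   172.16.0.0/16     - our prefixes announced over GRE/BGP
#   172.20.0.0/16     - vendor prefixes learned over GRE/BGP

# Phase 1 / phase 2 parameters: assumed values, match whatever the vendor runs.
/ip ipsec profile add name=vendor-p1 enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 lifetime=8h
/ip ipsec peer add name=vendor address=203.0.113.10/32 exchange-mode=ike2 profile=vendor-p1
/ip ipsec identity add peer=vendor auth-method=pre-shared-key secret="REPLACE-WITH-REAL-PSK"
/ip ipsec proposal add name=vendor-p2 enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h

# GRE between the public endpoints; BGP peers over the 169.254.100.0/30 link.
# The GRE packets themselves are what the catch-all policy below will encrypt.
/interface gre add name=gre-vendor local-address=198.51.100.5 remote-address=203.0.113.10
/ip address add address=169.254.100.1/30 interface=gre-vendor

# Bypass policies FIRST. RouterOS evaluates policies top-down and uses the first
# match, so anything listed here is handed to normal routing instead of IPsec.
# (If a bypass ends up below the catch-all, reorder with /ip ipsec policy move.)
# Management network, both directions:
/ip ipsec policy add src-address=10.10.0.0/24 dst-address=0.0.0.0/0 action=none \
    comment="bypass: management"
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=10.10.0.0/24 action=none \
    comment="bypass: management (return)"
# GRE link subnet: without this the BGP packets would match the catch-all and be
# sent as plain ESP instead of through gre-vendor, and the session never comes up.
/ip ipsec policy add src-address=169.254.100.0/30 dst-address=169.254.100.0/30 action=none \
    comment="bypass: gre-vendor link"
# Prefixes exchanged over GRE: the inner packets must reach the GRE interface, not ESP.
/ip ipsec policy add src-address=172.16.0.0/16 dst-address=172.20.0.0/16 action=none \
    comment="bypass: routed via gre-vendor"
/ip ipsec policy add src-address=172.20.0.0/16 dst-address=172.16.0.0/16 action=none \
    comment="bypass: routed via gre-vendor (return)"

# Catch-all LAST: mirrors the Cisco VTI's 0.0.0.0/0 selector so phase 2 negotiates.
# Anything not bypassed above (including the router's own upstream DNS/NTP traffic)
# is pulled into the vendor tunnel; that is the downside described in the post.
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all \
    action=encrypt level=require tunnel=yes peer=vendor proposal=vendor-p2 \
    comment="catch-all to match Cisco route-based selector"

# Verification: the catch-all should report ph2-state=established, and traffic for
# a bypassed prefix should appear on gre-vendor rather than as ESP to the peer.
/ip ipsec policy print
/ip ipsec installed-sa print
/ip ipsec active-peers print
/interface gre monitor gre-vendor once
```

Each new prefix learned or announced over BGP needs its own pair of `action=none` policies above the catch-all, which is the per-network exception work the post warns about; an ACL-based (policy-based) tunnel on the Cisco side with narrow selectors removes that maintenance entirely.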


