[AusNOG] Mikrotik To Cisco IPSEC Multiple Tunnels/Subnets

Jeremy Visser jeremy at visser.name
Fri May 23 11:42:37 EST 2014


On 23/05/14 10:43, Phil Pierotti wrote:
> If you don’t have Level=Unique on your Mikrotik Policies give it a
> whirl, I believe it’s specifically for Cisco/Mikrotik and multiple
> subnets.

Seconded.

The MikroTik by default tries to use a single SA for all subnets.

The Cisco tries to use separate SAs for each subnet.

level=unique causes the MikroTik to assume the Cisco behaviour.

Also watch out because I was getting hard-to-reproduce VPN dropouts that I kept thinking were related to the SA lifetime.  Turns out that the Cisco ASA had a default SA "idle time" (*not* related to the SA "lifetime") where if it "idles out" the MikroTik will be unable to send any traffic until SAs are manually flushed.

So if your Cisco has an idle timeout option, make sure to set it to unlimited, as the MikroTik has no corresponding idle timeout ability.
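Added example (not from this post or from either vendor's documentation): a RouterOS policy set for two subnets to one Cisco peer with level=unique, plus the ASA idle-timeout setting as a comment. Addresses, the PSK and the ASA `vpn-idle-timeout` command are assumptions.

```routeros
# Constructed example: MikroTik RouterOS (v6 syntax) side of a site-to-site
# IPsec tunnel to a Cisco peer carrying two local/remote subnet pairs.
# Addresses and the PSK are placeholders; assumes one peer at 203.0.113.1
# and a MikroTik WAN address of 198.51.100.2.

/ip ipsec peer add address=203.0.113.1/32 exchange-mode=main secret="PSK_PLACEHOLDER"

# One policy per subnet pair. level=unique makes RouterOS negotiate a
# separate SA pair for each policy, matching the Cisco's per-subnet SAs.
# With the default level=require the MikroTik tries to reuse one SA for
# every policy to the same peer, which is what breaks the second subnet.
/ip ipsec policy add src-address=192.168.10.0/24 dst-address=10.10.0.0/24 \
    sa-src-address=198.51.100.2 sa-dst-address=203.0.113.1 \
    tunnel=yes action=encrypt level=unique proposal=default
/ip ipsec policy add src-address=192.168.20.0/24 dst-address=10.20.0.0/24 \
    sa-src-address=198.51.100.2 sa-dst-address=203.0.113.1 \
    tunnel=yes action=encrypt level=unique proposal=default

# Verification: with level=unique you should see one SA pair per policy,
# not a single pair shared by both policies.
/ip ipsec installed-sa print
/ip ipsec policy print detail

# Cisco ASA side (assumption, not from the post): the idle timer that tears
# the tunnel down is the group-policy vpn-idle-timeout (default 30 minutes).
# Setting it to "none" in the group policy the L2L tunnel uses disables it:
#   group-policy DfltGrpPolicy attributes
#     vpn-idle-timeout none
```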

