Goto Top

Cisco IPsec VPN with Mikrotik or FritzBox



The following tutorial is a quick overview how a site-to-site VPN access using the IPsec protocoll can be realized with a Cisco IOS or IOS-XE router and popular mass production routers like Mikrotik and/or AVM FritzBox.
One characteristic feature used here is the Cisco onboard, statefull Zone Based Firewall or ZFW.
The Cisco router additionally provides an L2TP client VPN dialin access, which makes it possible to access the network with all standard, onboard L2TP VPN clients embedded in Windows, Apple MacOS, Apple iOS and Android as well as Linux.
The basic layer 3 overview of such a setup is shown in the following picture.


In this design the Cisco router acts as an IPsec responder so that VPN site-to-site client routers and mobile L2TP VPN clients can either connect with dynamic IP addresses or with a static IP address. The Cisco configuration in the next chapter also shows an additional IPsec connection with static peer IP adresses. (Not shown in the above picture).
Due to the fact that Cisco‘s IOS configuration syntax is universal over all platforms the configuration can be used for other router models as well.
Enhanced ACL protection for CLI access and authorization secures login access on virtual interfaces as well as the serial console.

back-to-topCisco router configuration

back-to-topMikrotik configuration

The corresponding Mikrotik VPN configuration shown here is the customized, out-of-the-box default configuration where eth1 is the firewall protected WAN Port and ports 2 to x are the local LAN bundled in a bridge to keep the setup as simple as possible. This has to be finetuned if VLANs etc. are used.
Configuration is shown in WinBox screenshots and the classic configuration via export.

back-to-topSetting IPsec cipher suites

  • Old and non secure cipher suites like 3DES etc. should be removed here. In case a stricter negotiation policy is required remove the 128bit and 192bit checkboxes as well as DH 1024. Recommendation is AES256 with SHA256 and DH Group 14 or stronger.
  • Cisco is using a P2 lifetime of 1 hour by default which should be set in the Mikrotik settings as well. Allways use consistent lifetimes.

back-to-topVPN peer address and identity setup


back-to-topPhase 2 policy setup

Two SA policies need to be setup here. One for the local LAN and one for the L2TP client network. Make sure to set the Level setting in the Action menu to unique !

back-to-topConfiguration in export format

back-to-topAVM FritzBox configuration

The FritzBox VPN setup can be done either by the onboard webGUI or a customized VPN configuration file.
The setup GUI is pretty easy and done with a few mouseclicks.
The green button shows a running and established IPsec VPN tunnel.
Further VPN settings for the FritzBox can also be done by a customized VPN configuration file.
Examples for FritzBox VPN files can be found here.

back-to-topLinks with further information

General Cisco router setup:
Cisco 880, 890 und ISR Router Konfiguration mit xDSL, Kabel oder FTTH Anschluss plus VPN und IP-TV

Cisco, Mikrotik and pfSense with dynamic routing over VPN:
Cisco, Mikrotik, pfSense site-to-site VPN with dynamic routing

Detailed notes to FritzBox crypto credentials:
Routingprobleme über OpenVPN auf Fritzbox
Routingprobleme über OpenVPN auf Fritzbox

Secure port forwarding with ZFW firewall:
Cisco router with zone based firewall and port forwarding

Off topic:
Mikrotik VPN Tutorial:
Mikrotik VLAN Konfiguration ab RouterOS Version 6.41

Mikrotik PPPoE setup:
IPv6 mittels Prefix Delegation bei PPPoE (Mikrotik)

Content-Key: 2145635754


Printed on: March 20, 2023 at 10:03 o'clock