How to Сonnect MikroTik to Cisco VPN
Azoft Blog How to Сonnect MikroTik to Cisco VPN

How to Сonnect MikroTik to Cisco VPN

By Anton Demenev on November 20, 2014

How to connect mikrotik to cisco vpn

One of our recent projects required connecting a MikroTik-based office gateway to a client’s Cisco VPN. That task is just a click-away if you have access to a Cisco console or if you can create a support ticket for asking to change or debug VPN settings. We started with only a group name, a group password, and user credentials, which turned the issue into a true challenge. So, if you are in the same situation and cannot check logs or follow official guidelines, check out our solution.

Problem overview

By default, a MikroTik RouterBOARD with firmware older than version 5.0 offers an IPsec VPN interface and settings, but Cisco’s proprietory VPN is a modified IPsec, so we were dealing with two incompatible protocols.

Note: This method works only on RouterBOARDs with at least 16 MB of available RAM, the more – the better.

What you need

  • RouterOS with the Metrouter package or KVM;
  • OpenWrt for MIPS arch with MikroTik kernel patches (or KVM, if you have an x86 board).


After you load an image to router memory, import the image following instructions.

Import image:

[admin@MikroTik] >/metarouter> import-image file-name=openwrt-mr-mips-rootfs.tgz memory-size=16 enabled=no

Create an interface for a virtual machine:

[admin@MikroTik] >/metarouter interface> add dynamic-bridge=bridge-local type=dynamic virtual-machine=mr3

Note: OpenWrt provides a DHCP server by default. If you feel that your client might get an incorrect IP, you should block the interface’s MAC address using a firewall while you are configuring.

Begin with:

[admin@MikroTik] >/metarouter> enable mr3

Connect to the console and change the default settings:

[admin@MikroTik] >/metarouter> console mr3

Press Enter to activate this console.

You will see:

BusyBox v1.16.1 (2010-04-13 10:25:42 EEST) built-in shell (ash)

Enter “Help” for a list of built-in commands.

You will see:

 _______                    ________       __
|       |.-----.-----.-----.|  |  |  |.----.|  |_
|   -   ||  _  | -__|     ||  |  | ||    _||   _|
|_______||  __|_____|__|__||________||__| |____|
         |__| W I R E L E S S F R E E D O M
KAMIKAZE (bleeding edge, r20828) ------------------
* 10 oz Vodka Shake well with ice and strain
* 10 oz Triple sec Pour mixture into 10 shot glasses
* 10 oz lime juice Add and enjoy!
device eth0 entered promiscuous mode
br-lan: port 1(eth0) entering forwarding state
root@OpenWrt:/# PPP generic driver version 2.4.2
ip_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 24
nf_conntrack version 0.5.0 (256 buckets, 1024 max)

root@OpenWrt:~#  vi /etc/config/network

Change default values to dhcp or your static ip.

config interface lan
option ifname   eth0
option type     bridge
option proto    dhcp
option peerdns  1

After disabling the DHCP server:

root@OpenWrt:~# vi /etc/config/dhcp
config dhcp br-lan
option interface    	br-lan
option ignore   1

Save and restart Dnsmasq:

root@OpenWrt:~# /etc/init.d/dnsmasq restart

Switch off MikroTik firewall rule for the metarouter interface (if you have blocked it previously) and restart network on OpenWrt:

root@OpenWrt:~# /etc/init.d/network restart

Check network address:

root@OpenWrt:~# ifconfig br-lan

br-lan Link encap:Ethernet HWaddr 08:00:27:7A:C3:C0
inet addr: Bcast: Mask:
RX packets:3014430 errors:0 dropped:477823 overruns:0 frame:0
TX packets:31940 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:401676602 (383.0 MiB) TX bytes:4923172 (4.6 MiB)

If interface has assigned the right IP address, go to next step.

Change the package repo URL and install the VPNC package:

root@OpenWrt:~# vi /etc/opkg.conf
src snapshots
dest root/
dest ram/tmp
lists_dir ext /var/opkg-lists
option overlay_root/overlay

Save and install the package:

#opkg update && opkg install vpnc


root@OpenWrt:~# vi /etc/vpnc/default.conf
IPSec gateway <your-vpn-addr>
IPSec ID <Group name>
IPSec secret <Group password>
Xauth username <Username>
Xauth password <Userpassword>

Save and start:

root@OpenWrt:~# vpnc

Check results:

root@OpenWrt:~# ifconfig

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:<ip> P-t-P:<ip> Mask:
RX packets:2661 errors:0 dropped:0 overruns:0 frame:0
TX packets:2053 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:2573037 (2.4 MiB) TX bytes:374920 (366.1 KiB)

Add the route to a remote network on the RouterOS. I added all the routes that the VPN client received.

Use these routes on Openwrt:

root@OpenWrt:~# ip ro | grep tun0 dev tun0 scope link dev tun0 scope link

On Mikrotik:

[admin@MikroTik] >/ip route add dst-address= gateway=<virtual-machine-ip> distance=1 type=unicast

And repeat this procedure for every route.

Additionally, you can add a monitoring script on Cron, which pings the remote network and restarts the connection, if packets become lost:

root@OpenWrt:~# vi /root/bin/
# Restart VPNC if both of the specified hosts on the command line are unavailable
interface="$(ifconfig | grep tun | awk '{ print $1 }')"
echo ${interface}

if ! [ $(ping -q -c 1 ${1} 2>&1 | grep "1 packets received" | sed "s/.*\(1\) packets received.*/\1/") ] || ! [ ${interface} == 'tun0' ];
echo Not alive $1, restarting VPNC
/etc/init.d/vpnc stop
sleep 5
/etc/init.d/vpnc start
echo Alive $1

On Cron:

root@OpenWrt:~# crontab -l
*/5 * * * * /root/bin/ <remote-server-addr>


Author: Anton Demenev, system administrator at Azoft

VN:F [1.9.22_1171]
Rating: 5.0/5 (2 votes cast)
VN:F [1.9.22_1171]
Rating: +2 (from 2 votes)
How to Сonnect MikroTik to Cisco VPN, 5.0 out of 5 based on 2 ratings

Request a Free Quote

Please enter the result and submit the form

Content created by Anton Demenev