This example shows how to set up a VPN using Virtual Routing and Forwarding (VRF). VRF is a technology used in computer networks that allows multiple instances of a routing table to coexist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other. This example covers a setup between Mikrotik and Cisco routers. Below are the steps to complete the configuration.
First, configure a tunnel interface on Mikrotik Router1 and Router2.
Router1: 
  / interface ipip
  add name="tunnel" local-address=218.100.100.29 remote-address=218.100.98.5 comment="" disabled=no
Router2: 
  / interface ipip
  add name="tunnel" local-address=218.100.100.30 remote-address=218.100.98.5 comment="" disabled=no
After all interfaces are configured, assign IP addresses to the interfaces on Router1 and Router2.
Router1: 
    / ip address
    add address=218.100.100.29/27 network=218.100.100.0 broadcast=218.100.100.31 interface=uplink comment="" disabled=no
    add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ether1 comment="" disabled=no
    add address=172.16.1.1/30 network=172.16.1.0 broadcast=172.16.1.3 interface=tunnel comment="" disabled=no
Router2: 
    / ip address
    add address=218.100.100.30/27 network=218.100.100.0 broadcast=218.100.100.31 interface=uplink comment="" disabled=no
    add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=ether1 comment="" disabled=no
    add address=172.16.1.5/30 network=172.16.1.4 broadcast=172.16.1.7 interface=tunnel comment="" disabled=no
On the Cisco router, create a VRF instance:
   cisco#conf t
   cisco(config)#ip vrf TEST
   cisco(config-vrf)#rd 10:10
   cisco(config-vrf)#end
   
Create the tunnel interface for Router1 on the Cisco router and add it to VRF TEST:
   cisco#conf t
   cisco(config)#interface Tunnel 900
   cisco(config-if)#ip vrf forwarding TEST
   cisco(config-if)#description Tunnel_to_Mikrotik_router1
   cisco(config-if)#tunnel destination 
   cisco(config-if)#tunnel source Loopback1 
   cisco(config-if)#load-interval 30
   cisco(config-if)#tunnel mode ipip
   cisco(config-if)#tunnel path-mtu-discovery
   cisco(config-if)#ip address 172.16.1.2 255.255.255.252
   cisco(config-if)#end
Create the tunnel interface for Router2 on the Cisco router and add it to VRF TEST:
   cisco#conf t
   cisco(config)#interface Tunnel 901
   cisco(config-if)#ip vrf forwarding TEST
   cisco(config-if)#description Tunnel_to_Mikrotik_router2
   cisco(config-if)#tunnel destination 
   cisco(config-if)#tunnel source Loopback1 
   cisco(config-if)#load-interval 30
   cisco(config-if)#tunnel mode ipip
   cisco(config-if)#tunnel path-mtu-discovery
   cisco(config-if)#ip address 172.16.1.6 255.255.255.252
   cisco(config-if)#end
Set up routes and routing rules on the Mikrotik and Cisco routers.
Router1: 
    /ip firewall mangle
     add chain=prerouting action=mark-routing new-routing-mark=tun passthrough=yes in-interface=ether1 src-address=192.168.1.0/24 disabled=no
    /ip route rule
     add routing-mark=tun action=lookup table=tun
    /ip route
     add dst-address=192.168.2.0/24 gateway=172.16.1.2 routing-mark=tun
Router2: 
    /ip firewall mangle
     add chain=prerouting action=mark-routing new-routing-mark=tun passthrough=yes in-interface=ether1 src-address=192.168.2.0/24 disabled=no
    /ip route rule
     add routing-mark=tun action=lookup table=tun
    /ip route
     add dst-address=192.168.1.0/24 gateway=172.16.1.6 routing-mark=tun
Cisco Router: 
      cisco#conf t
      cisco(config)#ip route vrf TEST 192.168.1.0 255.255.255.0 Tunnel900
      cisco(config)#ip route vrf TEST 192.168.2.0 255.255.255.0 Tunnel901
      cisco(config)#end
A VPN can be built directly from Router1 to Router2, but when you have a lot of customers with a lot of routers, and many of them use the same address space, this is a great and easy solution.
All addresses are for example only.
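The per-VRF lookup behind that closing point, as an added Python sketch (not part of the original post and not vendor code): each VRF has its own routing table, so the same prefix resolves differently per customer and a lookup never falls through to another VRF. The `CUST_B` VRF and the `Tunnel910`/`Tunnel911` interfaces are hypothetical; the `TEST` routes are the static routes configured above.

```python
import ipaddress


class VrfRouter:
    """Toy model of a router that keeps one routing table per VRF."""

    def __init__(self):
        self.tables = {}  # VRF name -> list of (network, outgoing interface)

    def add_route(self, vrf, prefix, out_interface):
        net = ipaddress.ip_network(prefix)
        self.tables.setdefault(vrf, []).append((net, out_interface))

    def lookup(self, vrf, destination):
        """Longest-prefix match, restricted to the table of a single VRF."""
        addr = ipaddress.ip_address(destination)
        matches = [(net, ifc) for net, ifc in self.tables.get(vrf, [])
                   if addr in net]
        if not matches:
            return None  # no route in this VRF; other VRFs are never consulted
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_example():
    router = VrfRouter()
    # Static routes from the article (VRF TEST).
    router.add_route("TEST", "192.168.1.0/24", "Tunnel900")
    router.add_route("TEST", "192.168.2.0/24", "Tunnel901")
    # Hypothetical second customer reusing the same address space.
    router.add_route("CUST_B", "192.168.1.0/24", "Tunnel910")
    router.add_route("CUST_B", "192.168.1.128/25", "Tunnel911")
    return router


if __name__ == "__main__":
    router = build_example()
    # Constructed sample lookups: (VRF, destination address).
    samples = [("TEST", "192.168.1.10"), ("CUST_B", "192.168.1.10"),
               ("CUST_B", "192.168.1.200"), ("CUST_B", "192.168.2.1")]
    for vrf, dst in samples:
        print(f"vrf {vrf:7} {dst:15} -> {router.lookup(vrf, dst)}")
```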
Tuesday, 08 April 2008
VPN with Virtual Routing and Forwarding / Mikrotik and Cisco