! - 5 3des (pre-share)
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
! group2 , dh-group=modp1024
 group 2
!
crypto isakmp key MyPassWord address 99.99.99.2 no-xauth
crypto isakmp keepalive 30
!
! transport, tunnel
crypto ipsec transform-set transform-2 esp-3des esp-md5-hmac
 mode transport
crypto dynamic-map dynmap 10
 set transform-set transform-2
 reverse-route
crypto map vpnmap client configuration address respond
crypto map vpnmap 5 ipsec-isakmp dynamic dynmap
crypto map vpnmap 10 ipsec-isakmp
!
crypto map vpnmap 95 ipsec-isakmp
 description polyanka
! ip
 set peer 99.99.99.2
 set security-association lifetime seconds 86400
 set transform-set transform-2
! pfs group2 , dh-group=modp1024
 set pfs group2
! access-,
 match address 136
!
interface Tunnel95
 description tunnel_NewMikrotik
 ip unnumbered GigabitEthernet0/1
!
 tunnel source 77.77.77.226
!
 tunnel destination 172.16.99.2
 tunnel mode ipip
interface GigabitEthernet0/1
 description Internet
 ip address 77.77.77.226 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip wccp web-cache redirect out
 ip virtual-reassembly
 ip route-cache policy
 no ip mroute-cache
 duplex auto
 speed auto
 no mop enabled
!
 crypto map vpnmap
!
ip route 192.168.100.0 255.255.255.0 Tunnel95
!
access-list 136 permit ip host 77.77.77.226 host 99.99.99.2
access-list 136 permit ip host 77.77.77.226 host 172.16.99.2

/interface ipip
add comment="Office tunnel" disabled=no dscp=0 local-address=172.16.99.2 \
    mtu=1260 name=Cisco-VPN remote-address=77.77.77.226
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=77.77.77.226/32 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
    exchange-mode=main generate-policy=yes hash-algorithm=md5 lifebytes=0 \
    lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
    obey secret=MyPassWord send-initial-contact=yes
/ip route
add disabled=no distance=1 dst-address=10.192.0.0/22 gateway=Cisco-VPN scope=30 \
    target-scope=10
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no
add action=accept chain=output disabled=no
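
The Cisco comments above pair group2 with dh-group=modp1024 on the Mikrotik side. The following is an added example, not part of the original post, that normalises the IKE/ESP parameters of both configurations to RouterOS naming and lists every value that differs between the two ends. The function names (cisco_params, mikrotik_params, differences) and the embedded excerpts are constructed for illustration, and the RouterOS lifetime is assumed to be in the short export form such as 30m or 1d.

```python
import re

# Constructed excerpts of the two configurations on this page (values copied from it).
CISCO = """crypto isakmp policy 20
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set transform-2 esp-3des esp-md5-hmac
crypto map vpnmap 95 ipsec-isakmp
 set security-association lifetime seconds 86400
 set pfs group2
"""
MIKROTIK = """/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024
/ip ipsec peer
add address=77.77.77.226/32 dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 lifetime=1d
"""
DH = {"2": "modp1024"}  # IOS group number -> RouterOS name (the pair this page uses)
UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def cisco_params(text):
    """Normalise the IOS side to RouterOS naming."""
    grab = lambda pat: re.search(pat, text, re.M).group(1)
    ts = re.search(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac", text)
    return {"ike_enc": grab(r"^\s*encr (\S+)"), "ike_hash": grab(r"^\s*hash (\S+)"),
            "ike_dh": DH[grab(r"^\s*group (\d+)")],
            "esp_enc": ts.group(1), "esp_auth": ts.group(2),
            "pfs": DH[grab(r"set pfs group(\d+)")],
            "sa_lifetime_s": int(grab(r"lifetime seconds (\d+)"))}

def mikrotik_params(text):
    """Collect key=value pairs per menu so the two 'lifetime' keys stay apart."""
    menus, cur = {}, {}
    for line in text.splitlines():
        if line.startswith("/"):
            cur = menus.setdefault(line.strip(), {})
        else:
            cur.update(re.findall(r"([\w-]+)=(\S+)", line))
    prop, peer = menus["/ip ipsec proposal"], menus["/ip ipsec peer"]
    n, u = re.fullmatch(r"(\d+)([smhd])", prop["lifetime"]).groups()
    return {"ike_enc": peer["enc-algorithm"], "ike_hash": peer["hash-algorithm"],
            "ike_dh": peer["dh-group"],
            "esp_enc": prop["enc-algorithms"], "esp_auth": prop["auth-algorithms"],
            "pfs": prop["pfs-group"], "sa_lifetime_s": int(n) * UNIT[u]}

def differences(cisco, mikrotik):
    """Return {parameter: (cisco_value, mikrotik_value)} for every disagreement."""
    return {k: (cisco[k], mikrotik[k]) for k in cisco if cisco[k] != mikrotik[k]}

if __name__ == "__main__":
    print(differences(cisco_params(CISCO), mikrotik_params(MIKROTIK)))
```

On the values shown on this page, the algorithms and DH/PFS groups agree on both ends, and the only reported difference is the IPsec SA lifetime (86400 seconds on the Cisco crypto map, 30m in the Mikrotik proposal).
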
Source: https://habr.com/ru/post/154829/