I need help transferring IPSec VPN configuration to Mikrotik IPSec conf.
Netgear router connects fine, here are the logs:
2011-02-22 : INFO: Flushing SAs for peer "XXX.XXX.dest.ip" with spi 1422077629
2011-02-22 : INFO: Sending Informational Exchange: delete payload[]
2011-02-22 : INFO: accept a request to establish IKE-SA: XXX.XXX.dest.ip
2011-02-22 : INFO: Configuration found for XXX.XXX.dest.ip.
2011-02-22 : INFO: Initiating new phase 2 negotiation: XXX.XXX.source.ip[500]<=>XXX.XXX.dest.ip[0]
2011-02-22 : WARNING: attribute has been modified.
2011-02-22 : INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.dest.ip->XXX.XXX.source.ip with spi=26990430(0x19bd75e)
2011-02-22 : INFO: IPsec-SA established: ESP/Tunnel XXX.XXX.source.ip->XXX.XXX.dest.ip with spi=1422077659(0x54c32edb)
1. Netgear uses ESP (and not AH) ---> not sure about that; it looks like ESP from the Netgear log (above)
2. It uses tunneling
IKE POLICY:
3. From the configuration menu I can read that it uses SHA-1 for authentication and 3DES for encryption
4. It uses Pre-shared key ("_some_random_key")
5. DH group = 2 (1024)
6. SA lifetime 28800
7. It uses Aggressive mode
8. It uses User-FQDN: user@domain.de
9. Direction: Both
10. Local net: 192.168.88.0/24
11. Remote net: 172.16.0.0/16
12. Remote IP is fixed: XXX.XXX.destin.IP
13. Local public IP, fixed: XXX.XXX.source.IP
I have read all the conf data from NETGEAR. I am using RouterOS v5.rc10.
The reason for v5 is the /ip ipsec peer my-id-user-fqdn parameter.
I have transferred all data to Mikrotik but I am still unable to connect to the server with the Mikrotik router.
Question 1: Is SHA-1 (Netgear) = SHA on Mikrotik (note the "-1")?
Question 2: Log entry error: "malformed cookie received or the spi expired." - ANY IDEAS???
Here are log entries from the Mikrotik router WHILE trying to ping the remote local IP (through the IPSec tunnel):
13:48:54 ipsec,debug,packet agreed on pre-shared key auth.
---
13:48:54 ipsec,debug,packet hashtype = SHA:SHA
13:48:54 ipsec,debug,packet authmethod = pre-shared key:pre-shared key
13:48:54 ipsec,debug,packet dh_group = 1024-bit MODP group:1024-bit MODP group
13:48:54 ipsec,debug,packet an acceptable proposal found.
13:48:54 ipsec,debug,packet hmac(modp1024)
13:48:54 ipsec,debug,packet agreed on pre-shared key auth.
13:48:54 ipsec,debug,packet compute DH's shared.
-----------
13:48:54 ipsec,debug,packet the psk found.
----------
13:48:54 ipsec,debug,packet hmac(hmac_sha1)
13:48:54 ipsec,debug,packet SKEYID computed:
--------
13:48:54 ipsec,debug,packet SKEYID_d computed:
---------
13:48:54 ipsec,debug,packet encryption(3des)
13:48:54 ipsec,debug,packet hash(sha1)
13:48:54 ipsec,debug,packet len(SKEYID_e) < len(Ka) (20 < 24), generating long key (Ka = K1 | K2 | ...)
13:48:54 ipsec,debug,packet hmac(hmac_sha1)
13:48:54 ipsec,debug,packet compute intermediate encryption key K1
--------
13:48:54 ipsec,debug,packet hmac(hmac_sha1)
13:48:54 ipsec,debug,packet compute intermediate encryption key K2
--------
13:48:54 ipsec,debug,packet final encryption key computed:
--------
13:48:54 ipsec,debug,packet hash(sha1)
13:48:54 ipsec,debug,packet encryption(3des)
13:48:54 ipsec,debug,packet IV computed:
13:48:54 ipsec,debug,packet b7fb7a7c 61dd2a4d
13:48:54 ipsec,debug,packet HASH received:
--------
13:48:54 ipsec,debug,packet 931dc71c 9617ddf0 7d61e4f0 c0fcca62 ec44e13b
13:48:54 ipsec,debug HASH mismatched <===================ERROR???
--------
13:48:54 ipsec,debug,packet compute IV for phase2
13:48:54 ipsec,debug,packet phase1 last IV:
--------
13:48:54 ipsec,debug,packet begin encryption.
13:48:54 ipsec,debug,packet encryption(3des)
13:48:54 ipsec,debug,packet pad length = 4
13:48:54 ipsec,debug,packet 0b000018 fb989a3c 0f857486 e5dd2d07 abdb295a 4433872f 0000000c 00000001
13:48:54 ipsec,debug,packet 01000017 39ef5c03
13:48:54 ipsec,debug,packet encryption(3des)
13:48:54 ipsec,debug,packet with key:
13:48:54 ipsec,debug,packet ca99acd9 06c61209 0d781c6b 86441f45 35da3153 fd857775
13:48:54 ipsec,debug,packet encrypted payload by IV:
13:48:54 ipsec,debug,packet 2a57c310 cff42242
13:48:54 ipsec,debug,packet save IV for next:
13:48:54 ipsec,debug,packet 628aac96 5e4f94b6
13:48:54 ipsec,debug,packet encrypted.
-------
ipsec,debug phase1 negotiation failed due to time up.
"malformed cookie received or the spi expired." repeats every few seconds
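The debug log above gets past proposal selection (3DES, SHA-1, modp1024, pre-shared key all agreed; the hash(sha1) and hmac(hmac_sha1) lines show that the Mikrotik "sha" setting negotiated SHA-1) and fails at "HASH mismatched" after SKEYID was computed. In IKEv1 aggressive mode that check depends on the pre-shared key and on the identity payloads, not on the algorithm choice. The following Python model is an added example, not code from the post, from RouterOS or from Netgear: it reproduces the HASH_R computation of RFC 2409 with HMAC-SHA1 as the prf and shows that the initiator can only verify HASH_R when the responder looked up the same key. The cookies, nonces, DH public values and SA body are constructed stand-in bytes, the responder's address 203.0.113.10 is constructed, and the assumption that a responder falls back to a default key for an unknown initiator ID (rather than rejecting) is a modelling choice, not documented Netgear behaviour.

```python
"""IKEv1 aggressive-mode HASH_R check (RFC 2409, sections 5.4 and 5.5).

Added illustration: in aggressive mode the initiator's ID payload is sent in
the clear in message 1 and the responder uses it to select the pre-shared
key. If the responder ends up with a different key than the initiator (wrong
secret, or an ID that does not match the responder's table), the HASH_R it
returns cannot be reproduced by the initiator, which then logs a hash mismatch.
"""
import hashlib
import hmac

# ID types from RFC 2407, section 4.6.2.1
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3

# Constructed stand-ins for values exchanged in messages 1 and 2. Real values
# are random per negotiation; fixed bytes keep this example deterministic.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
NI_B = bytes.fromhex("a1" * 20)
NR_B = bytes.fromhex("b2" * 20)
GXI = bytes.fromhex("c3" * 128)            # stand-in for the initiator's modp1024 public value
GXR = bytes.fromhex("d4" * 128)            # stand-in for the responder's modp1024 public value
SAI_B = bytes.fromhex("0000000100000001")  # stand-in for the initiator's SA payload body


def prf(key: bytes, data: bytes) -> bytes:
    """prf = HMAC-SHA1, the hash(sha1)/hmac(hmac_sha1) choice seen in the debug log."""
    return hmac.new(key, data, hashlib.sha1).digest()


def id_payload_body(id_type: int, data: bytes) -> bytes:
    """Body of an Identification payload: type, protocol id (0), port (0), data."""
    return bytes([id_type, 0]) + (0).to_bytes(2, "big") + data


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """Pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def hash_r(skeyid: bytes, gxr: bytes, gxi: bytes, cky_r: bytes,
           cky_i: bytes, sai_b: bytes, idir_b: bytes) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


class Responder:
    """Responder whose PSK table is keyed by the initiator's ID payload body."""

    def __init__(self, psk_by_id: dict, idir_b: bytes, default_psk: bytes):
        self.psk_by_id = psk_by_id
        self.idir_b = idir_b
        # Modelling assumption: an unknown initiator ID falls back to a default
        # entry instead of being rejected, so the failure surfaces as a HASH
        # mismatch on the initiator rather than an immediate rejection.
        self.default_psk = default_psk

    def message2_hash_r(self, idii_b: bytes) -> bytes:
        """HASH_R the responder puts into message 2 of aggressive mode."""
        psk = self.psk_by_id.get(idii_b, self.default_psk)
        skeyid = skeyid_psk(psk, NI_B, NR_B)
        return hash_r(skeyid, GXR, GXI, CKY_R, CKY_I, SAI_B, self.idir_b)


def initiator_accepts(initiator_psk: bytes, idii_b: bytes, responder: Responder) -> bool:
    """Run messages 1-2 of aggressive mode and return whether HASH_R verifies."""
    received = responder.message2_hash_r(idii_b)
    skeyid = skeyid_psk(initiator_psk, NI_B, NR_B)
    expected = hash_r(skeyid, GXR, GXI, CKY_R, CKY_I, SAI_B, responder.idir_b)
    return hmac.compare_digest(received, expected)


# Constructed responder: knows user@domain.de as a User-FQDN with one key and
# falls back to a different key for any other initiator ID.
GOOD_PSK = b"_some_random_key"
RESPONDER = Responder(
    psk_by_id={id_payload_body(ID_USER_FQDN, b"user@domain.de"): GOOD_PSK},
    idir_b=id_payload_body(ID_IPV4_ADDR, bytes([203, 0, 113, 10])),  # constructed address
    default_psk=b"default-entry-key",
)


def scenarios() -> dict:
    """Three phase-1 attempts that differ only in the PSK or in the ID payload."""
    user_fqdn = id_payload_body(ID_USER_FQDN, b"user@domain.de")
    fqdn = id_payload_body(ID_FQDN, b"user@domain.de")  # same string, wrong ID type
    return {
        "matching id and psk": initiator_accepts(GOOD_PSK, user_fqdn, RESPONDER),
        "matching id, wrong psk": initiator_accepts(b"typo_key", user_fqdn, RESPONDER),
        "same string sent as FQDN": initiator_accepts(GOOD_PSK, fqdn, RESPONDER),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'HASH_R verified' if ok else 'HASH mismatched'}")
```

Only the first scenario verifies; a mistyped secret and an identity sent with the wrong ID type both end in a mismatch that looks identical in the initiator's log, which is why the secret and the exact identity type and string are the first things to compare against the remote side's configuration when the proposal lines already agree.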