djmuk
Frequent Visitor
Topic Author
Posts: 54
Joined: Mon Jan 18, 2010 8:48 pm

IPSEC Vpn wrinkle

Wed Feb 10, 2010 10:25 pm

I have set up VPNs from my Cisco router to the RouterOS box. Because I want to access each of the 3 separate IP networks on the ROS box I had to set up 3 sets of address matching ACLs (policies in ROS world). It wasn't working well as the first VPN to establish would work OK but then the next one would establish but not pass traffic - I could see packets arriving at the ROS box but no replies went down the return SA for that connection. In fact the return packets seemed to be going down the ORIGINAL SA... This also led to "decrypted packet failed sa identity check" on the Cisco. Eventually found a solution - set 'level' to unique on the policy / action tab rather than the default 'require'. This seems to force each policy to associate with the correct SA....

Hope this helps someone!
David
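
The fix described in the post above, as an added example that is not part of the original thread: three RouterOS policies toward one Cisco peer with `level=unique`, so that each policy acquires an SA used only by that policy instead of reusing an SA that already exists between the two gateway addresses. All addresses are constructed documentation ranges, and the `sa-src-address`/`sa-dst-address` syntax assumes an older RouterOS release such as those current when this was posted; newer releases reference a `peer` on the policy instead.

```routeros
# Constructed addressing (assumptions, not taken from the thread):
#   RouterOS WAN 198.51.100.1, Cisco WAN 203.0.113.1
#   Cisco-side LAN 10.0.0.0/24
#   RouterOS-side LANs 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24

/ip ipsec policy

# With the default level=require, the first tunnel works and the later ones
# establish but return traffic leaves on the first SA, which the Cisco rejects
# with "decrypted packet failed sa identity check".
# level=unique makes each policy acquire an SA used only by that policy.
add src-address=192.168.10.0/24 dst-address=10.0.0.0/24 \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 \
    tunnel=yes action=encrypt level=unique

add src-address=192.168.20.0/24 dst-address=10.0.0.0/24 \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 \
    tunnel=yes action=encrypt level=unique

add src-address=192.168.30.0/24 dst-address=10.0.0.0/24 \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 \
    tunnel=yes action=encrypt level=unique

# Alternative when the three policies already exist with level=require:
# change them in place instead of re-adding them.
#   set [find sa-dst-address=203.0.113.1] level=unique

# Verification: every policy toward the peer should list level=unique, and
# after traffic has flowed on each network there should be a separate
# inbound/outbound SA pair per policy rather than one shared pair.
/ip ipsec policy print
/ip ipsec installed-sa print
```

The Cisco side needs one crypto ACL entry per RouterOS network, each mirroring the `src-address`/`dst-address` pair of the matching policy, so that both ends agree on the traffic selectors of every SA.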
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: IPSEC Vpn wrinkle

Fri Feb 12, 2010 5:18 pm

I think that Cisco uses unique as default for their peer configuration.
