delmarh
newbie
Topic Author
Posts: 28
Joined: Thu Jan 24, 2008 11:50 pm

IPSec tunnel to a Juniper SSG not coming up

Sat Apr 10, 2010 9:17 am

I am attempting to create an IPsec VPN tunnel from my RouterBOARD to a Juniper SSG. I am unable to get the tunnel to connect at all. It would be preferable to have a numbered interface for the tunnel because I will need to add 5 or more routes to route through this interface. Here is my current config:

[delmar@gw1.delmar] /ip ipsec> export
# apr/10/2010 01:08:13 by RouterOS 4.6
# software id = Z56K-SU07
#
/ip ipsec proposal
set default auth-algorithms=md5 comment="" disabled=no enc-algorithms=3des lifetime=1h name=default pfs-group=modp1024

/ip ipsec peer
add address=206.xxx.xxx.185/32:500 auth-method=pre-shared-key comment="" dh-group=modp1024 disabled=yes dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=471859200 lifetime=1d nat-traversal=yes proposal-check=obey secret=\
xxxxxxxxx send-initial-contact=yes

/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=172.16.16.0/22:any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
sa-dst-address=206.xxx.xxx.185 sa-src-address=216.xxx.xxx.82 src-address=172.16.31.0/27:any tunnel=yes


0 ;;; Source NAT to HNS
chain=srcnat action=accept src-address=172.16.31.0/27 dst-address=172.16.16.0/22 out-interface=PPPoE

1 chain=dstnat action=accept src-address=172.16.16.0/22 dst-address=172.16.31.0/27 in-interface=PPPoE

Does anyone have any suggestions???
Thanks
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: IPSec tunnel to a Juniper SSG not coming up

Sat Apr 10, 2010 7:52 pm

What do the logs on either side show when you try to bring the tunnel up? I don't see an error in that configuration.

Sadly, you can't have a virtual interface for IPsec on RouterOS.
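The following is an added example (not fewi's or the topic author's config) showing how to collect the RouterOS-side IPsec logs that the question above asks for. The prompt, address ranges and policy are taken from the export in the first post; the logging rule and the diagnostic commands are standard RouterOS CLI. Note that the exported peer carries disabled=yes, so as posted RouterOS never starts a negotiation at all; the block enables it before testing.

```routeros
# Added example: gather IPsec negotiation logs on RouterOS (not from the thread).
# Names and networks follow the topic author's export; nothing else is theirs.

# 1. Send the "ipsec" logging topic to the in-memory log so /log print shows it.
/system logging add topics=ipsec action=memory

# 2. The export shows the only peer with disabled=yes, which means no IKE
#    exchange is ever attempted. Enable it (item 0 is the single peer).
/ip ipsec peer enable 0

# 3. Generate traffic that matches the policy (172.16.31.0/27 -> 172.16.16.0/22)
#    so RouterOS has a reason to negotiate. Addresses are placeholders inside
#    those ranges; pick real hosts on your side.
/ping 172.16.16.1 src-address=172.16.31.1 count=3

# 4. Read the negotiation log. Phase 1 (main mode) messages, proposal
#    mismatches and "invalid hash" style errors show up here.
/log print where topics~"ipsec"

# 5. Check whether security associations were actually installed; a working
#    tunnel has one inbound and one outbound ESP SA for the peer.
/ip ipsec installed-sa print

# 6. On the Juniper side compare the same event against its IKE event log
#    ("get event" on ScreenOS) so both ends' view of the failed step lines up.
```

Read the RouterOS log and the SSG event log side by side: whichever end rejects the exchange first tells you whether the mismatch is in phase 1 (peer settings: encryption, hash, DH group, lifetime, PSK) or in phase 2 (proposal and the policy/proxy-ID pair).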
 
delmarh
newbie
Topic Author
Posts: 28
Joined: Thu Jan 24, 2008 11:50 pm

Re: IPSec tunnel to a Juniper SSG not coming up

Sat Apr 10, 2010 10:50 pm

The tunnel doesn't even try to come up. I'll pull config from the Juniper and verify that there isn't an issue there.

How do you route multiple subnets through an IPsec tunnel without using a virtual interface??

Thanks for your help.
 
nz_monkey
Forum Guru
Posts: 2104
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: IPSec tunnel to a Juniper SSG not coming up

Sun Apr 11, 2010 9:02 am

IPsec tunnel binding, aka "Virtual Tunnel Interface", is not currently supported on RouterOS, as mentioned by fewi.

If you want to see it added, please vote for it at http://wiki.mikrotik.com/wiki/MikroTik_ ... e_Requests
 
nz_monkey
Forum Guru
Posts: 2104
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: IPSec tunnel to a Juniper SSG not coming up

Mon Apr 12, 2010 1:51 am

You can just define multiple proxy-IDs at each end; it's tedious...
Or you can run an IPIP tunnel on top of the IPsec tunnel, which has overheads.
 
freakns
just joined
Posts: 5
Joined: Tue Sep 15, 2009 10:32 am

Re: IPSec tunnel to a Juniper SSG not coming up

Mon Apr 26, 2010 6:38 pm

I pretty much have the same problem as you do and just couldn't find the answer... if you found out what you have been doing wrong, please share? :)
 
freakns
just joined
Posts: 5
Joined: Tue Sep 15, 2009 10:32 am

Re: IPSec tunnel to a Juniper SSG not coming up

Wed May 12, 2010 1:32 pm

Just to add, I've worked out a solution.
Upgraded OS 3.6 to 4.6 and all started working like a charm... took me two days and a lot of nerves, but it's working :)
 
jerryroy1
Member Candidate
Posts: 168
Joined: Sat Mar 17, 2007 4:55 am
Location: LA and OC USA

Re: IPSec tunnel to a Juniper SSG not coming up

Fri Dec 09, 2011 2:18 am

Can you share the config? I have the same scenario and it's not working. I keep getting Hash Mismatch and I know they are correct.
 
Storms
just joined
Posts: 1
Joined: Tue Jan 18, 2011 11:26 am

Re: IPSec tunnel to a Juniper SSG not coming up

Tue Dec 13, 2011 7:48 pm

I did it. Maybe something doesn't work as expected... actually I want to check the encryption in my tricky solution.

I have Juniper SSG140 in central site and Mikrotik (v5.5 and v5.9) routers in branches. In central site I have several networks with servers and/or services.

Juniper config:
Untrust zone, interface ethernet0/0, IP x.x.101.1/27 (public network)
DMZ zone, interface ethernet0/1, IP 192.168.1.1/24
DATA zone, interface ethernet0/2, IP 192.168.2.1/24

Mikrotik config:
eth1 IP x.x.102.1/27 (public network)
bridge1 IP 192.168.3.1/27 (LAN)

The trick is: do not try to encrypt traffic between the networks. Instead, encapsulate the traffic in a tunnel between two addresses and encrypt the traffic between those two addresses. On both sides create a GRE tunnel from external IP to external IP and create an IPsec policy to encrypt traffic between these addresses.
Add routes to the GRE tunnel interfaces on both sides and add firewall policies.

Juniper:
Create new security zone - "Branches" (in future all other tunnels from other branches can be terminated in this zone).
Create new Tunnel IF ("tunnel.1"): Zone (VR) - "Branches", Interface - ethernet0/0.
In interface tunnel.1 tunnel properties change: Encap - GRE, Local interface - ethernet0/0, Destination IP - x.x.102.1.
Create VPN AutoKey Gateway ("branch-1"): IKEv1, Remote Gateway Static IP - x.x.102.1, Outgoing Interface - ethernet0/0, give it preshared key and phase 1 proposal.
Create AutoKey IKE to predefined gateway "branch-1", Bind to tunnel.1, Proxy-ID: Local x.x.101.1/32, Remote x.x.102.1/32.
Create destination route: 192.168.3.1/27, Next Hop - Gateway - Interface - tunnel.1
Add policy to allow traffic between zones: branches<->dmz, branches<->data.

Mikrotik:
Create GRE Tunnel interface ("gre-tunnel1"): Local address: x.x.102.1, Remote address: x.x.101.1.
Create IPsec Peer x.x.101.1 with encryption and preshared key as described in Juniper config.
Create IPsec Policy: Action - encrypt, Tunnel - Yes, SA Src. Address: x.x.102.1, SA Dst. Address x.x.101.1, Src. Address: x.x.102.1/32, Dst. Address: x.x.101.1/32.
Add routes: Dst. Address: 192.168.1.1/24, Gateway: "gre-tunnel1". Dst. Address: 192.168.2.1/24, Gateway: "gre-tunnel1"
Add firewall rules and NAT action as needed.

BUT! I'm not sure about data security! Please, gurus, check it and report back? ;)
I looked for the idea in this manual - http://wiki.mikrotik.com/wiki/IPSec_VPN ... _and_Cisco . I just can't find "ipip" interfaces for Juniper...

Maybe it's an alternative or workaround for MikroTik to use the "unimplemented" IPsec tunnel interfaces?
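As an added example (not Storms' own config, nor anything from MikroTik or Juniper), here is the MikroTik side of the GRE-over-IPsec design described in the post above, written out in RouterOS 5.x CLI form, plus the checks that answer the "is the data actually encrypted?" question. It is also the concrete shape of nz_monkey's earlier "tunnel on top of the IPsec tunnel" suggestion, with GRE in place of IPIP. Addresses, zone and interface names follow Storms' post; "<psk>", the AES/SHA1 proposal values and the narrowing of the policy to protocol=gre are my assumptions and must be matched to whatever the SSG's phase 1/phase 2 proposals actually use. Algorithm value names differ between RouterOS versions (e.g. aes-128 in 5.x, aes-128-cbc in 6.x); use your version's spelling.

```routeros
# Added example: MikroTik side of GRE-over-IPsec to a Juniper SSG (RouterOS 5.x syntax).
# Names and addresses from Storms' post: eth1 = x.x.102.1 (public), bridge1 = 192.168.3.1/27,
# SSG Untrust = x.x.101.1, SSG networks 192.168.1.0/24 (DMZ) and 192.168.2.0/24 (DATA).
# "<psk>" and the proposal algorithms are placeholders/assumptions.

# 1. GRE tunnel between the two public addresses. This is the only traffic IPsec must protect;
#    everything LAN-to-LAN rides inside it.
/interface gre add name=gre-tunnel1 local-address=x.x.102.1 remote-address=x.x.101.1

# 2. Phase 1: the SSG's Untrust address is the peer. Must match the SSG gateway's phase 1 proposal.
/ip ipsec peer add address=x.x.101.1/32 auth-method=pre-shared-key secret="<psk>" \
    exchange-mode=main enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1024 \
    send-initial-contact=yes

# 3. Phase 2 proposal, matching the SSG's AutoKey IKE phase 2 proposal (assumed AES-128/SHA1, PFS group 2).
/ip ipsec proposal set default enc-algorithms=aes-128 auth-algorithms=sha1 pfs-group=modp1024

# 4. Policy: exactly the GRE flow between the two public addresses, mirroring the SSG proxy-ID
#    (local x.x.101.1/32, remote x.x.102.1/32). protocol=gre is narrower than Storms' description
#    (which implies the default protocol=all) so that only the tunnel packets are selected.
/ip ipsec policy add src-address=x.x.102.1/32 dst-address=x.x.101.1/32 protocol=gre \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes proposal=default \
    sa-src-address=x.x.102.1 sa-dst-address=x.x.101.1

# 5. Routes to the central networks via the GRE interface (network form of the /24s in the post).
/ip route add dst-address=192.168.1.0/24 gateway=gre-tunnel1
/ip route add dst-address=192.168.2.0/24 gateway=gre-tunnel1

# 6. Firewall: let the peer's IKE, ESP and (decapsulated) GRE reach the router, and keep
#    branch-to-central traffic out of the masquerade rule, as the first post's srcnat accept does.
/ip firewall filter add chain=input src-address=x.x.101.1 protocol=udp dst-port=500 action=accept \
    comment="IKE from SSG"
/ip firewall filter add chain=input src-address=x.x.101.1 protocol=ipsec-esp action=accept \
    comment="ESP from SSG"
/ip firewall filter add chain=input src-address=x.x.101.1 protocol=gre action=accept \
    comment="GRE from SSG, only reachable inside ESP because of the policy above"
/ip firewall nat add chain=srcnat src-address=192.168.3.0/27 dst-address=192.168.1.0/24 \
    action=accept place-before=0 comment="no NAT towards central DMZ"
/ip firewall nat add chain=srcnat src-address=192.168.3.0/27 dst-address=192.168.2.0/24 \
    action=accept place-before=0 comment="no NAT towards central DATA"

# 7. Checks. (a) SAs exist for the peer; (b) a LAN host on the far side answers through the tunnel;
#    (c) no cleartext GRE leaves eth1: with the policy in place only ESP to x.x.101.1 should be
#    visible on the public interface, which is what answers the security question in the post.
/ip ipsec installed-sa print
/ping 192.168.1.1 src-address=192.168.3.1 count=3
/tool sniffer quick interface=eth1 ip-protocol=gre duration=10
```

The design is sound as long as the IPsec policy covers the whole GRE flow: the routed LAN traffic is always wrapped in GRE between x.x.102.1 and x.x.101.1, the policy selects precisely that pair, and level=require means RouterOS will not send matching packets in the clear while no SA exists. The sniffer step is the cheap way to confirm that on the live link; if it ever shows GRE on eth1, the policy and the GRE endpoints no longer agree and the traffic is unprotected.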
 
wokinit
newbie
Posts: 39
Joined: Mon Feb 25, 2013 6:49 am
Location: North America

Re: IPSec tunnel to a Juniper SSG not coming up

Fri Apr 19, 2013 12:36 am

Storms,
Your solution works. Thanks.
I am also curious to know if there are any downsides to using this configuration. I just don't have the time to set it up in a lab for probing.

I have handfuls of SSG and SRX devices deployed and we are using more and more Mikrotik devices; this ability to do site-to-site VPN using Mikrotik=Juniper is a must. Even using more and more Mikrotik, we will always continue to use Juniper, not to mention Cisco, Fortigate, SonicWall, Adtran, Cradlepoint, etc.

I am really curious about seeing "detailed" VPN configurations with

1. RouterOS to ScreenOS (the OS of Juniper's older SSG devices)
2. RouterOS to Junos

I have been super impressed with Mikrotik, the Groove is groovy, would like to see an OmniTik or Groove that is dual channel.

Thanks!
