I'm pretty sure the root cause is in the mangle/nat rules, but I'm having trouble getting the information needed to confirm this and isolate where it is failing.
On a Cisco ASA device I can run a command to see what SAs are in place, watch the number of encapsulated/decapsulated packets change, etc:
scon-edge# show crypto ipsec sa peer 203.X.X.X
peer address: 203.X.X.X
Crypto map tag: outside_map0, seq num: 1, local addr: iinet_adsl
access-list outside_cryptomap_1 extended permit ip 10.1.0.0 255.255.0.0 10.50.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.50.0.0/255.255.0.0/0/0)
current_peer: syscon_endpoint
#pkts encaps: 4592807, #pkts encrypt: 4596250, #pkts digest: 4596250
#pkts decaps: 4276868, #pkts decrypt: 4276868, #pkts verify: 4276868
[...]

[doug@PANDA] /ip ipsec remote-peers> /ip ipsec remote-peers print
0 local-address=203.Y.Y.Y remote-address=125.X.X.X state=established side=responder established=2h25m12s
[doug@PANDA] /ip ipsec> /ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0xE2648F3 src-address=203.206.233.73 dst-address=125.X.X.X auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" enc-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" addtime=jun/02/2010 04:55:36
add-lifetime=24m/30m usetime=jun/02/2010 04:55:47 use-lifetime=0s/0s current-bytes=128903 lifebytes=0/0
1 E spi=0xF7919D2 src-address=125.254.47.74 dst-address=203.Y.Y.Y auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" enc-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" addtime=jun/02/2010 04:55:36
add-lifetime=24m/30m usetime=jun/02/2010 04:55:46 use-lifetime=0s/0s current-bytes=129817 lifebytes=0/0
How can I get more information on what the RouterOS systems are doing with the IPsec VPN?
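An added example, not code from the post or from MikroTik: a small Python parser for the `/ip ipsec installed-sa print` output quoted above that groups the SAs by direction relative to the router's own address and totals `current-bytes` per direction, so one-way traffic (IKE negotiated fine, but packets only enter the tunnel in one direction) stands out. The sample output is constructed from the post's format with RFC 5737 documentation addresses, masked keys, and the inbound byte count set to zero to show the check firing.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the "/ip ipsec installed-sa print" output in
# the post; addresses are documentation ranges, keys masked, inbound bytes zeroed.
SAMPLE = """Flags: A - AH, E - ESP, P - pfs
 0 E spi=0xE2648F3 src-address=203.0.113.73 dst-address=198.51.100.74 auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
     auth-key="xxxx" enc-key="xxxx" addtime=jun/02/2010 04:55:36
     add-lifetime=24m/30m usetime=jun/02/2010 04:55:47 use-lifetime=0s/0s current-bytes=128903 lifebytes=0/0
 1 E spi=0xF7919D2 src-address=198.51.100.74 dst-address=203.0.113.73 auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
     auth-key="xxxx" enc-key="xxxx" addtime=jun/02/2010 04:55:36
     add-lifetime=24m/30m usetime=jun/02/2010 04:55:46 use-lifetime=0s/0s current-bytes=0 lifebytes=0/0
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+((?:[A-Z]\s+)*)(\S+=.*)$")  # " 0 E spi=..."
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')                     # key=value / key="v"

def parse_installed_sa(text: str) -> List[Dict[str, str]]:
    """One dict per SA; lines not starting with an index number are wrapped
    continuations of the previous entry (as in the terminal output)."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"index": m.group(1), "flags": " ".join(m.group(2).split())})
            rest = m.group(3)
        elif entries:
            rest = line
        else:
            continue
        for key, val in KV_RE.findall(rest):
            entries[-1][key] = val.strip('"')
    return entries

def traffic_report(text: str, local_address: str) -> Dict[str, object]:
    """Total current-bytes per direction (outbound SA: src-address is ours).
    Bytes on only one SA of the pair means the tunnel is up but traffic is
    not being selected into it one way, which points at policy/NAT, not IKE."""
    totals = {"outbound": 0, "inbound": 0}
    not_mature = []
    for sa in parse_installed_sa(text):
        if sa.get("state") != "mature":
            not_mature.append(sa.get("spi"))
        if sa.get("src-address") == local_address:
            totals["outbound"] += int(sa.get("current-bytes", 0))
        elif sa.get("dst-address") == local_address:
            totals["inbound"] += int(sa.get("current-bytes", 0))
    one_way = (totals["outbound"] == 0) != (totals["inbound"] == 0)
    return {"totals": totals, "not_mature": not_mature, "one_way": one_way}
```

Run it twice a few seconds apart against the live output and compare the totals: a direction whose byte count never moves is the one whose packets are not reaching the tunnel.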