loshak (Topic Author)
Joined: Tue Feb 15, 2011 9:45 pm

Can't start VPN from one side (Mikrotik and OpenSWAN)

Thu Sep 29, 2011 11:44 am

Hello, I'm trying to set up an IPsec VPN between Mikrotik (5.7) and OpenSWAN 2.6.24.
My schema looks like this:
LAN1 (10.99.0.0/20) <-> Mikrotik (111.222.333.444) ..... OpenSWAN (444.333.222.111) <-> LAN2 (10.20.50.0/24)
Mikrotik:
Peer conf:
ip ipsec peer add address=444.333.222.111/32 port=500 auth-method=pre-shared-key secret="verybigsecret" exchange-mode=main proposal-check=exact hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 generate-policy=no lifetime=4h dpd-interval=disable-dpd
Policy conf:
ip ipsec policy add src-address=10.99.0.0/20 src-port=any dst-address=10.20.50.0/24 dst-port=any sa-src-address=111.222.333.444 sa-dst-address=444.333.222.111 tunnel=yes action=encrypt proposal=ipsec-sha1-aes128
Nat conf:
ip firewall nat add chain=srcnat action=accept place-before=0 src-address=10.99.0.0/20 dst-address=10.20.50.0/24
Firewall forward is allowed between those networks.

OpenSWAN:
ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        interfaces="ipsec0=eth0.1"
        klipsdebug="none"
        plutodebug="none"
        nat_traversal=no

conn vpn1
        auto=start
        keyingtries=1
        #IKE params (phase 1)
        authby=secret
        ike="aes128-sha1;modp1024"
        keyexchange=ike
        ikelifetime=240m
        #IPsec Params (phase 2)
        type=tunnel
        auth=esp
        esp="aes128-sha1;modp1024"
        pfs=yes
        keylife=60m
        #Subnets
        left=444.333.222.111
        leftsubnet=10.20.50.0/24
        right=111.222.333.444
        rightsubnet=10.99.0.0/20
When I start ipsec all is working fine, I can ping LAN1 -> LAN2 and LAN2 -> LAN1.
But after some time (around 15 min), if no traffic goes from LAN2 to LAN1, the VPN connection seems to be down; I can't ping LAN2 from LAN1 and can't do anything. The only thing that helps is that someone from LAN2 sends any packet to LAN1; then the tunnel comes up and everything is OK.
Anyway, when there is no traffic for 10-15 min the VPN again stops working, and I can't bring it up from LAN1.

Output from "ip ipsec remote-peers print"
0 local-address=111.222.333.444 remote-address=444.333.222.111 state=established side=responder established=50m13s
Anyone faced such a problem?
Help.

UPD.
I think the problem is in the remote-peers state of Mikrotik: it can be only initiator or responder, but how can I make it BothDirections (so it can be initiator and responder at the same time)?

Thanks.
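A cross-check of the two phase-1 configurations quoted in the post, added here as an example and not code from MikroTik or Openswan: it parses the RouterOS peer line and the Openswan conn block, compares proposal and IKE lifetime, and flags that neither side has dead-peer detection on, which is the first setting to inspect when a tunnel still shows "established" but no longer passes traffic. The parsers, the algorithm-name mapping and the sample strings are my own assumptions and cover only the fields used in the thread.

```python
"""Compare a RouterOS 'ip ipsec peer' line with an Openswan conn block."""
import re
import shlex

# Constructed from the configuration quoted in the thread (secret shortened).
ROUTEROS_PEER = ('ip ipsec peer add address=444.333.222.111/32 port=500 '
                 'auth-method=pre-shared-key secret="verybigsecret" '
                 'exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-128 '
                 'dh-group=modp1024 lifetime=4h dpd-interval=disable-dpd')
OPENSWAN_CONN = """conn vpn1
        ike="aes128-sha1;modp1024"
        ikelifetime=240m
"""

def parse_routeros(line):
    """Turn 'key=value' tokens into a dict; shlex handles the quoted secret."""
    return dict(tok.split('=', 1) for tok in shlex.split(line) if '=' in tok)

def parse_conn(text):
    """Parse one ipsec.conf conn block (first line is 'conn NAME')."""
    conf = {}
    for raw in text.splitlines()[1:]:
        line = raw.strip()
        if line and not line.startswith('#'):
            key, value = line.split('=', 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf

def seconds(value):
    """'4h', '240m', '30s' or bare seconds -> integer seconds."""
    m = re.fullmatch(r'(\d+)([smh]?)', value)
    return int(m.group(1)) * {'': 1, 's': 1, 'm': 60, 'h': 3600}[m.group(2)]

def check_phase1(peer, conn):
    """Return findings; an empty list means proposals match and DPD is on."""
    findings = []
    # RouterOS writes 'aes-128'; Openswan's ike= string spells it 'aes128'.
    ros_ike = (peer['enc-algorithm'].replace('-', '') + '-'
               + peer['hash-algorithm'] + ';' + peer['dh-group'])
    if ros_ike != conn['ike']:
        findings.append('ike proposal mismatch: %s vs %s' % (ros_ike, conn['ike']))
    if seconds(peer['lifetime']) != seconds(conn['ikelifetime']):
        findings.append('ikelifetime differs; rekey timing will drift')
    if peer.get('dpd-interval') == 'disable-dpd':
        findings.append('RouterOS DPD disabled: a dead SA is noticed only by traffic')
    if 'dpddelay' not in conn:
        findings.append('Openswan has no dpddelay, so it never probes the peer')
    return findings

def findings_for_thread():
    """Run the check on the two constructed samples above."""
    return check_phase1(parse_routeros(ROUTEROS_PEER), parse_conn(OPENSWAN_CONN))
```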
