z3r0day
just joined
Topic Author
Posts: 4
Joined: Tue Mar 20, 2012 12:04 am

IPSec Assistance

Tue Mar 20, 2012 1:23 am

Hi All,


I'm new to the forums and am looking forward to learning from the community here!

I need to set up some IPSec VPNs for my company. The only problem is that I'm also new to IPSec. So, I thought I would take two MikroTiks and see if I could do it myself before working with our partners. However, I'm having some trouble. I read through a few guides and still must be missing something.

Below I've posted my logs upon generating "Interesting Traffic". I've highlighted in red what stands out to me. Also below are the IPSec configurations for both MikroTiks. Again, I've highlighted the oddball in red.

Can anyone help me with this? I'd appreciate it!

Thanks much!
z3r0day


The Initiator's (MikroTik#1) logs show:
17:38:08 ipsec IPSEC: IPsec-SA request for 99.x.y.z queued due to no phase1 found.
17:38:08 ipsec IPSEC: initiate new phase 1 negotiation: 204.x.y.z[500]<=>99.x.y.z[500]
17:38:08 ipsec IPSEC: begin Identity Protection mode.
17:38:08 ipsec IPSEC: received Vendor ID: DPD
17:38:08 ipsec IPSEC: ISAKMP-SA established 204.x.y.z[500]-99.x.y.z[500] spi:47e41b3a1bd2b89e:e79fdd2e11bfd272
17:38:09 ipsec IPSEC: initiate new phase 2 negotiation: 204.x.y.z[500]<=>99.x.y.z[500]
17:38:09 ipsec IPSEC: IPsec-SA established: ESP/Tunnel 99.x.y.z[0]->204.x.y.z[0] spi=34599208(0x20ff128)
17:38:09 ipsec IPSEC: IPsec-SA established: ESP/Tunnel 204.x.y.z[0]->99.x.y.z[0] spi=119021329(0x7181f11)
17:38:19 ipsec IPSEC: the packet is retransmitted by 99.x.y.z[500].

The Responder's (MikroTik#2) logs show:
17:38:08 ipsec IPSEC: respond new phase 1 negotiation: 99.x.y.z[500]<=>204.x.y.z[500]
17:38:08 ipsec IPSEC: begin Identity Protection mode.
17:38:08 ipsec IPSEC: received Vendor ID: DPD
17:38:08 ipsec IPSEC: ISAKMP-SA established 99.x.y.z[500]-204.x.t.z[500] spi:47e41b3a1bd2b89e:e79fdd2e11bfd272
17:38:09 ipsec IPSEC: respond new phase 2 negotiation: 99.x.y.z[500]<=>204.x.y.z[500]
17:38:19 ipsec IPSEC: pfkey UPDATE failed: No such file or directory
17:38:19 ipsec IPSEC: pfkey ADD failed: No such file or directory
17:38:39 ipsec IPSEC: 204.x.y.z give up to get IPsec-SA due to time up to wait.
17:38:39 ipsec IPSEC: IPsec-SA expired: ESP/Tunnel 204.x.y.z[0]->99.x.y.z[0] spi=119021329(0x7181f11


MikroTik#1 (204.x.y.z)
/ip ipsec peer print
address=99.x.y.z/32:500 auth-method=pre-shared-key secret="password" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-192 dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

/ip ipsec policy print
src-address=192.168.100.0/24:any dst-address=192.168.60.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=204.x.y.z sa-dst-address=99.x.y.z proposal=Test priority=0

/ip ipsec proposal print
name="Test" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=1h pfs-group=modp1024

/ip ipsec installed-sa print
1 E spi=0x9DEC98A src-address=99.x.y.z dst-address=204.x.y.z auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature auth-key="0a6139c33a5bfd0712453e7ba01de831013a3796" enc-key="943268ec03629c331a933b0872a4139c" add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=0/0

3 E spi=0xDF49AEF src-address=204.x.y.z dst-address=99.x.y.z auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature auth-key="5f44b0f1aaf74da86b012d5c2bcb8295e12a371b" enc-key="3c54e431472208dcf4b007640dd925a1" add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=0/0


MikroTik#2 (99.x.y.z)
/ip ipsec peer print
address=204.x.y.z/32:500 auth-method=pre-shared-key secret="password" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-192 dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

/ip ipsec policy print
src-address=192.168.60.0/24:any dst-address=192.168.100.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=99.x.y.z sa-dst-address=204.x.y.z proposal=Test priority=0

/ip ipsec proposal print
name="Test" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=1h pfs-group=modp1024

/ip ipsec installed-sa
0 E spi=0 src-address=99.x.y.z dst-address=204.x.y.z auth-algorithm=none enc-algorithm=none replay=0 state=larval add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0

1 E spi=0xDF49AEF src-address=204.x.y.z dst-address=99.x.y.z auth-algorithm=none enc-algorithm=none replay=0 state=larval add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0
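The pattern in the two logs is worth pinning down mechanically: phase 1 completes with the same ISAKMP cookies on both sides, the initiator logs both child SAs as established, but the responder logs pfkey UPDATE/ADD failures and its installed-sa table shows two larval entries with no algorithms, after which the initiator's SA expires. As an added example (not from the post or from MikroTik), the Python below parses both log excerpts and the responder's installed-sa output, correlates them into a list of findings, and also redacts the live auth/enc keys that `installed-sa print` reveals. Note that the initiator's output above pastes those keys unredacted; together with the SPI they are enough to decrypt any capture of that SA's traffic, so they should be blanked before posting. The sample inputs are constructed from the excerpts in the post.

```python
# Added example, not part of the forum thread. Offline triage of a RouterOS
# (racoon-style) IPsec negotiation using both peers' logs plus the responder's
# `/ip ipsec installed-sa print` output.
import re
from collections import namedtuple

Event = namedtuple("Event", "time kind detail")

# Log line shape: "HH:MM:SS ipsec IPSEC: <message>"
_LINE = re.compile(r"^(\d\d:\d\d:\d\d) ipsec IPSEC: (.*)$")

# Message classes worth correlating across the two peers.
_PATTERNS = [
    ("phase1_established", re.compile(r"ISAKMP-SA established \S+-\S+ spi:(\w+):(\w+)")),
    ("phase2_sa_established", re.compile(r"IPsec-SA established: ESP/\w+ (\S+)->(\S+) spi=(\d+)")),
    ("pfkey_failed", re.compile(r"pfkey (\w+) failed: (.*)")),
    ("phase2_timeout", re.compile(r"give up to get IPsec-SA")),
    ("sa_expired", re.compile(r"IPsec-SA expired: ESP/\w+ (\S+)->(\S+) spi=(\d+)")),
    ("no_isakmp_sa", re.compile(r"can't start the quick mode, there is no ISAKMP-SA")),
]

# key=value tokens of `installed-sa print`; key material is printed quoted.
_KV = re.compile(r'([A-Za-z][\w-]*)=("[^"]*"|\S+)')


def parse_log(text):
    """Return the recognised events of one peer's log, in order."""
    events = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        for kind, pat in _PATTERNS:
            mm = pat.search(msg)
            if mm:
                events.append(Event(ts, kind, mm.groups()))
                break
    return events


def parse_installed_sa(text):
    """Return one dict per SA entry of `installed-sa print` output."""
    return [dict((k, v.strip('"')) for k, v in _KV.findall(line))
            for line in text.splitlines() if "spi=" in line]


def redact_keys(text):
    """Blank the live SA keys before the output is shared anywhere."""
    return re.sub(r'(auth-key|enc-key)="[0-9a-fA-F]+"', r'\1="<redacted>"', text)


def diagnose(initiator_log, responder_log, responder_sas):
    """Correlate both logs and the responder's SA table into a list of findings."""
    ini, rsp = parse_log(initiator_log), parse_log(responder_log)
    findings = []

    # Phase 1: both peers must report the same initiator/responder cookie pair.
    ini_p1 = {e.detail for e in ini if e.kind == "phase1_established"}
    rsp_p1 = {e.detail for e in rsp if e.kind == "phase1_established"}
    if ini_p1 and ini_p1 == rsp_p1:
        findings.append("phase1_ok_same_cookies")
    elif ini_p1 or rsp_p1:
        findings.append("phase1_cookie_mismatch")
    else:
        findings.append("phase1_missing")

    # Phase 2: initiator thinks the child SAs exist, responder could not install them.
    if any(e.kind == "phase2_sa_established" for e in ini) and \
            any(e.kind == "pfkey_failed" for e in rsp):
        findings.append("responder_pfkey_install_failed")
    if any(e.kind == "phase2_timeout" for e in rsp):
        findings.append("responder_phase2_timeout")
    if any(e.kind == "no_isakmp_sa" for e in ini + rsp):
        findings.append("quick_mode_without_isakmp_sa")

    # Larval entries with no algorithms are SAs that were never finished in the kernel.
    larval = [sa for sa in responder_sas if sa.get("state") == "larval"]
    if larval and all(sa.get("enc-algorithm") == "none" for sa in larval):
        findings.append("responder_sas_stuck_larval")
    return findings


# --- constructed samples: trimmed copies of what the post shows ---
INITIATOR_LOG = """\
17:38:08 ipsec IPSEC: ISAKMP-SA established 204.x.y.z[500]-99.x.y.z[500] spi:47e41b3a1bd2b89e:e79fdd2e11bfd272
17:38:09 ipsec IPSEC: IPsec-SA established: ESP/Tunnel 99.x.y.z[0]->204.x.y.z[0] spi=34599208(0x20ff128)
17:38:09 ipsec IPSEC: IPsec-SA established: ESP/Tunnel 204.x.y.z[0]->99.x.y.z[0] spi=119021329(0x7181f11)
17:38:19 ipsec IPSEC: the packet is retransmitted by 99.x.y.z[500].
"""
RESPONDER_LOG = """\
17:38:08 ipsec IPSEC: ISAKMP-SA established 99.x.y.z[500]-204.x.y.z[500] spi:47e41b3a1bd2b89e:e79fdd2e11bfd272
17:38:19 ipsec IPSEC: pfkey UPDATE failed: No such file or directory
17:38:19 ipsec IPSEC: pfkey ADD failed: No such file or directory
17:38:39 ipsec IPSEC: 204.x.y.z give up to get IPsec-SA due to time up to wait.
17:38:39 ipsec IPSEC: IPsec-SA expired: ESP/Tunnel 204.x.y.z[0]->99.x.y.z[0] spi=119021329(0x7181f11)
"""
RESPONDER_SAS = """\
0 E spi=0 src-address=99.x.y.z dst-address=204.x.y.z auth-algorithm=none enc-algorithm=none replay=0 state=larval add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0
1 E spi=0xDF49AEF src-address=204.x.y.z dst-address=99.x.y.z auth-algorithm=none enc-algorithm=none replay=0 state=larval add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0
"""

if __name__ == "__main__":
    for finding in diagnose(INITIATOR_LOG, RESPONDER_LOG, parse_installed_sa(RESPONDER_SAS)):
        print(finding)
```

Run it as-is and it prints the four findings for the thread's logs; feed it your own two `/log print` excerpts and `installed-sa print` output to get the same classification, and pass any SA dump through `redact_keys` before sharing it.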
 
vik1988
Member Candidate
Posts: 235
Joined: Sun Oct 25, 2009 2:18 pm
Location: India

Re: IPSec Assistance

Tue Mar 20, 2012 6:21 am

No issue in the IPSEC configuration. A firewall NAT rule is required, like below.
Mikrotik 1 :

/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.60.0/24 action=accept comment="IPsec bypass: keep this rule above masquerade"

Mikrotik 2 :

/ip firewall nat add chain=srcnat src-address=192.168.60.0/24 dst-address=192.168.100.0/24 action=accept comment="IPsec bypass: keep this rule above masquerade"
Then reboot both routers and ping each other's device via source.
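The accept rule only does its job if it sits above the masquerade rule: RouterOS runs the srcnat chain before it looks up IPsec policies, so with masquerade first the LAN source is rewritten to the WAN address, the policy (src 192.168.100.0/24) never matches, and the traffic leaves the router in plaintext. As an added example (not from vik1988's post or from MikroTik), the Python below models that first-match ordering and shows both outcomes; 203.0.113.1 is an assumed stand-in for the post's masked WAN address 204.x.y.z.

```python
# Added example (not from the thread or MikroTik): a first-match model of the RouterOS
# srcnat chain followed by the IPsec policy lookup, which RouterOS performs on the
# packet after src-nat. It shows why the accept rule must sit above masquerade.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def _in(addr, net):
    return ip_address(addr) in ip_network(net)


@dataclass
class NatRule:
    action: str                 # "accept" (leave source alone) or "masquerade"
    src: str = "0.0.0.0/0"      # src-address matcher
    dst: str = "0.0.0.0/0"      # dst-address matcher
    out_address: str = ""       # address masquerade rewrites the source to

    def matches(self, src, dst):
        return _in(src, self.src) and _in(dst, self.dst)


@dataclass
class IpsecPolicy:
    src: str
    dst: str

    def matches(self, src, dst):
        return _in(src, self.src) and _in(dst, self.dst)


def apply_srcnat(chain, src, dst):
    """First matching rule terminates the chain: accept keeps src, masquerade rewrites it."""
    for rule in chain:
        if rule.matches(src, dst):
            return rule.out_address if rule.action == "masquerade" else src
    return src


def egress(chain, policy, src, dst):
    """Return (how the packet leaves the router, source address seen on the wire)."""
    wire_src = apply_srcnat(chain, src, dst)
    return ("esp" if policy.matches(wire_src, dst) else "plaintext"), wire_src


# --- constructed sample using the thread's LAN ranges; 203.0.113.1 stands in for
#     the post's masked WAN address 204.x.y.z (assumption) ---
WAN_1 = "203.0.113.1"
POLICY_1 = IpsecPolicy("192.168.100.0/24", "192.168.60.0/24")
BYPASS = NatRule("accept", "192.168.100.0/24", "192.168.60.0/24")
MASQ = NatRule("masquerade", out_address=WAN_1)
MISORDERED = [MASQ, BYPASS]   # masquerade first: LAN source rewritten, policy never matches
CORRECT = [BYPASS, MASQ]      # bypass first: policy sees 192.168.100.x and encrypts

if __name__ == "__main__":
    for name, chain in (("misordered", MISORDERED), ("correct", CORRECT)):
        print(name, egress(chain, POLICY_1, "192.168.100.10", "192.168.60.20"))
    print("internet-bound still NATed:", egress(CORRECT, POLICY_1, "192.168.100.10", "198.51.100.5"))
```

With the misordered chain the site-to-site traffic goes out unencrypted from 203.0.113.1; with the bypass on top it is encrypted, while traffic to any other destination is still masqueraded as before. On a real router, check the order with `/ip firewall nat print` and move the accept rule up if masquerade is listed first.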
 
z3r0day
just joined
Topic Author
Posts: 4
Joined: Tue Mar 20, 2012 12:04 am

Re: IPSec Assistance

Tue Mar 20, 2012 6:05 pm

Hi vik,


First of all, thank you for the reply! I already had the NAT rules in place, but forgot to mention that. I did, however, reboot MikroTik 2, but can't reboot MikroTik 1 because it's in production.

After rebooting MikroTik 2, I was unable to ping from MikroTik 1 to 2 and got errors on 2 showing the following:
10:57:41 ipsec IPSEC: can't start the quick mode, there is no ISAKMP-SA, 91a877bb150730ef:af3875a56903dd7f:e92017bc

But, I tried pinging from MikroTik 2 to 1, and that brought up the tunnel! Pings are succeeding both ways! Perhaps this is because the tunnel was trying to come up when I had rebooted MikroTik 2 just earlier...?

This brings up one more question, can the tunnel only be brought up from one direction?


Thanks again!!!
z3r0day
 
vik1988
Member Candidate
Posts: 235
Joined: Sun Oct 25, 2009 2:18 pm
Location: India

Re: IPSec Assistance

Wed Mar 21, 2012 9:01 am

No, the tunnel can be brought up from both sides. Generally, IPSEC tunnels work in a DOD (dial on demand) manner. Whenever any request is received after expiration of the SA, it again brings them up from both sides.
 
z3r0day
just joined
Topic Author
Posts: 4
Joined: Tue Mar 20, 2012 12:04 am

Re: IPSec Assistance

Wed Mar 21, 2012 5:32 pm

vik,


That helps. Thank you for all of your help!


z3r0day
 
vik1988
Member Candidate
Posts: 235
Joined: Sun Oct 25, 2009 2:18 pm
Location: India

Re: IPSec Assistance

Thu Mar 22, 2012 6:31 am

All my Pleasure...
