Hi All,
I'm new to the forums and am looking forward to learning from the community here!
I need to set up some IPSec VPNs for my company. The only problem is that I'm also new to IPSec. So, I thought I would take two MikroTiks and see if I could do it myself before working with our partners. However, I'm having some trouble. I read through a few guides and still must be missing something.
Below I've posted my logs upon generating "Interesting Traffic". I've highlighted in red what stands out to me. Also below are the IPSec configurations for both MikroTiks. Again, I've highlighted the oddball in red.
Can anyone help me with this? I'd appreciate it!
Thanks much!
z3r0day
The Initiator's (MikroTik#1) logs show:
17:38:08 ipsec IPSEC: IPsec-SA request for 99.x.y.z queued due to no phase1 found.
17:38:08 ipsec IPSEC: initiate new phase 1 negotiation: 204.x.y.z[500]<=>99.x.y.z[500]
17:38:08 ipsec IPSEC: begin Identity Protection mode.
17:38:08 ipsec IPSEC: received Vendor ID: DPD
17:38:08 ipsec IPSEC: ISAKMP-SA established 204.x.y.z[500]-99.x.y.z[500] spi:47e41b3a1bd2b89e:e79fdd2e11bfd272
17:38:09 ipsec IPSEC: initiate new phase 2 negotiation: 204.x.y.z[500]<=>99.x.y.z[500]
17:38:09 ipsec IPSEC: IPsec-SA established: ESP/Tunnel 99.x.y.z[0]->204.x.y.z[0] spi=34599208(0x20ff128)
17:38:09 ipsec IPSEC: IPsec-SA established: ESP/Tunnel 204.x.y.z[0]->99.x.y.z[0] spi=119021329(0x7181f11)
17:38:19 ipsec IPSEC: the packet is retransmitted by 99.x.y.z[500].
The Responder's (MikroTik#2) logs show:
17:38:08 ipsec IPSEC: respond new phase 1 negotiation: 99.x.y.z[500]<=>204.x.y.z[500]
17:38:08 ipsec IPSEC: begin Identity Protection mode.
17:38:08 ipsec IPSEC: received Vendor ID: DPD
17:38:08 ipsec IPSEC: ISAKMP-SA established 99.x.y.z[500]-204.x.t.z[500] spi:47e41b3a1bd2b89e:e79fdd2e11bfd272
17:38:09 ipsec IPSEC: respond new phase 2 negotiation: 99.x.y.z[500]<=>204.x.y.z[500]
17:38:19 ipsec IPSEC: pfkey UPDATE failed: No such file or directory
17:38:19 ipsec IPSEC: pfkey ADD failed: No such file or directory
17:38:39 ipsec IPSEC: 204.x.y.z give up to get IPsec-SA due to time up to wait.
17:38:39 ipsec IPSEC: IPsec-SA expired: ESP/Tunnel 204.x.y.z[0]->99.x.y.z[0] spi=119021329(0x7181f11
MikroTik#1 (204.x.y.z)
/ip ipsec peer print
address=99.x.y.z/32:500 auth-method=pre-shared-key secret="password" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-192 dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
/ip ipsec policy print
src-address=192.168.100.0/24:any dst-address=192.168.60.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=204.x.y.z sa-dst-address=99.x.y.z proposal=Test priority=0
/ip ipsec proposal print
name="Test" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=1h pfs-group=modp1024
/ip ipsec installed-sa print
1 E spi=0x9DEC98A src-address=99.x.y.z dst-address=204.x.y.z auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature auth-key="0a6139c33a5bfd0712453e7ba01de831013a3796" enc-key="943268ec03629c331a933b0872a4139c" add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=0/0
3 E spi=0xDF49AEF src-address=204.x.y.z dst-address=99.x.y.z auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature auth-key="5f44b0f1aaf74da86b012d5c2bcb8295e12a371b" enc-key="3c54e431472208dcf4b007640dd925a1" add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=0/0
MikroTik#2 (99.x.y.z)
/ip ipsec peer print
address=204.x.y.z/32:500 auth-method=pre-shared-key secret="password" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-192 dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
/ip ipsec policy print
src-address=192.168.60.0/24:any dst-address=192.168.100.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=99.x.y.z sa-dst-address=204.x.y.z proposal=Test priority=0
/ip ipsec proposal print
name="Test" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=1h pfs-group=modp1024
/ip ipsec installed-sa
0 E spi=0 src-address=99.x.y.z dst-address=204.x.y.z auth-algorithm=none enc-algorithm=none replay=0 state=larval add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0
1 E spi=0xDF49AEF src-address=204.x.y.z dst-address=99.x.y.z auth-algorithm=none enc-algorithm=none replay=0 state=larval add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0
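An added triage helper (my code, not the poster's or MikroTik's) that reduces the two log excerpts above to the facts a one-sided phase 2 leaves behind: ISAKMP-SA up on both peers, ESP SAs installed only on the initiator, and pfkey install errors plus the give-up on the responder. The embedded logs are a trimmed, constructed copy of the post's lines; the classification strings are mine.

```python
import re

# Constructed sample: trimmed copy of the two log excerpts in the post (x/y/z are the poster's redactions).
INITIATOR_LOG = """\
17:38:08 ipsec IPSEC: ISAKMP-SA established 204.x.y.z[500]-99.x.y.z[500] spi:47e41b3a1bd2b89e:e79fdd2e11bfd272
17:38:09 ipsec IPSEC: initiate new phase 2 negotiation: 204.x.y.z[500]<=>99.x.y.z[500]
17:38:09 ipsec IPSEC: IPsec-SA established: ESP/Tunnel 99.x.y.z[0]->204.x.y.z[0] spi=34599208(0x20ff128)
17:38:09 ipsec IPSEC: IPsec-SA established: ESP/Tunnel 204.x.y.z[0]->99.x.y.z[0] spi=119021329(0x7181f11)
"""
RESPONDER_LOG = """\
17:38:08 ipsec IPSEC: ISAKMP-SA established 99.x.y.z[500]-204.x.y.z[500] spi:47e41b3a1bd2b89e:e79fdd2e11bfd272
17:38:09 ipsec IPSEC: respond new phase 2 negotiation: 99.x.y.z[500]<=>204.x.y.z[500]
17:38:19 ipsec IPSEC: pfkey UPDATE failed: No such file or directory
17:38:19 ipsec IPSEC: pfkey ADD failed: No such file or directory
17:38:39 ipsec IPSEC: 204.x.y.z give up to get IPsec-SA due to time up to wait.
17:38:39 ipsec IPSEC: IPsec-SA expired: ESP/Tunnel 204.x.y.z[0]->99.x.y.z[0] spi=119021329(0x7181f11)
"""

# Hex SPI of an ESP SA that the daemon reports as established (not expired).
ESP_SPI = re.compile(r"IPsec-SA established: ESP/Tunnel .*spi=\d+\((0x[0-9a-f]+)\)")

def summarize(log):
    """Reduce one peer's ipsec log to the facts that matter for phase 2 triage."""
    s = {"phase1": False, "esp_spis": set(), "pfkey_errors": [], "gave_up": False}
    for line in log.splitlines():
        msg = line.split("IPSEC: ", 1)[-1]          # drop timestamp and facility prefix
        if msg.startswith("ISAKMP-SA established"):
            s["phase1"] = True
        elif m := ESP_SPI.search(msg):
            s["esp_spis"].add(m.group(1))
        elif msg.startswith("pfkey ") and "failed" in msg:
            s["pfkey_errors"].append(msg)            # kernel refused to install the SA
        elif "give up to get IPsec-SA" in msg:
            s["gave_up"] = True
    return s

def diagnose(initiator_log, responder_log):
    """Compare both sides and return the phase 2 findings as short strings."""
    i, r = summarize(initiator_log), summarize(responder_log)
    findings = []
    if i["phase1"] and r["phase1"]:
        findings.append("phase1: ISAKMP-SA established on both peers")
    if i["esp_spis"] and not r["esp_spis"]:
        findings.append("phase2: initiator installed ESP SAs, responder never did")
    if r["pfkey_errors"]:
        findings.append("responder kernel refused SA install: " + "; ".join(r["pfkey_errors"]))
    if r["gave_up"]:
        findings.append("responder timed out waiting for IPsec-SA (one-sided tunnel)")
    return findings
```

Running `diagnose(INITIATOR_LOG, RESPONDER_LOG)` yields all four findings for the logs above, which matches the larval, spi=0 entries in MikroTik#2's installed-sa output.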