Hello all!
Great to see many of you at the MUM last week... I have a quick question which I'm hoping someone could solve. I'm trying to connect my new RB751 to our existing VPN device at the core using IPsec, so I created a new standard config at the core, but when I came to the RB there were a number of options which are different, and it's also not quite so easy to understand, so I was hoping to get some pointers!
192.168.88.0/24 --RB-- 81.168.73.xxx ----- 80.93.168.xxx --NG-- 172.16.0.0/16
Here's what I've set up on the FVS336GV2:
IKE
Direction: Responder
Exchange Mode: Main
Local Identifier: 80.93.168.xxx
Encryption Alg: 3DES
Authen Alg: SHA-1
Authen Method: PSK
PSK: ******
DH Group: 2 (1024 Bit)
SA-Lifetime: 28800
DPD: Yes
Detection Period: 10sec
Reconnect After: 3
VPN Policy
Remote Endpoint: 81.168.73.xxx
Enable Netbios: Yes
Enable Keepalive: No
Local IP: Subnet
Start IP: 172.16.0.0/16
Remote IP: Subnet
Start IP: 192.168.88.0/16
SA Lifetime: 3600sec
Encryption Alg: 3DES
Integrity Alg: SHA-1
PFS: Yes G2 (1024b)
RB751
[admin@MT-Pulborough] /ip ipsec policy> print
0 src-address=192.168.88.0/24 src-port=any dst-address=172.16.0.0/16 dst-port=any protocol=ip-sec action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=81.168.73.xxx sa-dst-address=80.93.168.xxx proposal=default priority=0
[admin@MT-Pulborough] /ip ipsec peer> print
0 address=80.93.168.xxx/32 port=500 auth-method=pre-shared-key secret="*****" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=yes my-id-user-fqdn="81.168.73.xxx" proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=10s dpd-maximum-failures=3
[admin@MT-Pulborough] /ip ipsec proposal> print
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
[admin@MT-Pulborough] /ip firewall nat> print
0 chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=172.16.0.0/16
Any help would be gratefully received, and I know it's quite likely that there's something blindingly obvious, but... isn't that usually the problem with VPN tunnels?!?!
Adam