aluminumpork

IPsec subnet tunnel to Cisco VPN Concentrator issues

Wed Mar 21, 2012 4:42 pm

Hello all!

We've been using the 450G and the RB1200 at our various locations to run a LAN-to-LAN tunnel from timeclocks to our home office concentrator. This seems to work as expected when we only have one timeclock at the location. We set up an IPsec policy with the following (for example):
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.148.0/24 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=payroll protocol=\
    all sa-dst-address=24.158.###.### sa-src-address=24.158.###.### src-address=\
    10.150.24.245 src-port=any tunnel=yes
This works fine, and has worked fine for months now. The issue has arisen at locations where we have two or more timeclocks that need to be included in the tunnel. The first issue appears to be in the Winbox GUI. The src-address field does not allow an IP address in CIDR notation to be entered. We found that we have to set the src-address from the terminal. When we do this, the tunnel comes up and a bunch of dynamic policies are created. Regardless, everything we wanted to include in the tunnel works great. This was until our most recent install of a RB1200. The location has three clocks and the configuration we used goes as follows:
# mar/21/2012 09:36:59 by RouterOS 5.2
# software id = E9ZC-AX7M
#
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=yes enc-algorithms=3des lifetime=30m \
    name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=1d name=\
    payroll pfs-group=none
/ip ipsec peer
add address=24.158.###.###/32 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=\
    3des exchange-mode=main generate-policy=yes hash-algorithm=md5 lifebytes=0 \
    lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
    obey secret=###### send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.148.0/24 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=payroll protocol=all \
    sa-dst-address=24.158.###.### sa-src-address=24.158.###.### src-address=\
    10.150.24.245/29 src-port=any tunnel=yes
** Note that I've obfuscated the public IPs

This behaved the same as before, but we are having reliability issues. Yesterday, it was up for 6 hours and then disconnected around midnight. It then refused to come back up until the policy was removed and re-created. Sometimes the tunnel does come back up (according to the concentrator and the remote peers tab in Winbox), but the dynamic entries are not created, and the clocks are not accessible.

Are there any known issues with the RouterOS IPsec functionality? I'm far from a VPN expert, but feel that something screwy is happening here. It seems odd that in order to get the functionality we need, we have to enter the configuration from the terminal.

Any help is greatly appreciated. Thanks!

[edited for grammar]
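The export above is worth reading mechanically before chasing the tunnel flaps. The script below is an added example, not code from the poster or from MikroTik: it parses a RouterOS export fragment (handling the trailing-backslash line continuations that split tokens such as protocol=\ all), then audits the IPsec proposal, peer and policy entries. The sample text is constructed from the post, with the masked public IP replaced by the documentation address 203.0.113.10 and the secret by a placeholder so that it parses; the weak-algorithm sets and the messages are this example's own choices. One check it makes is whether a CIDR src-address has host bits set: 10.150.24.245/29 is not a network address, its network is 10.150.24.240/29, and the two sides of a tunnel may not agree on what selector that means.

```python
"""Parse a RouterOS '/export' fragment and audit the IPsec settings in it."""
import ipaddress
import shlex

# Constructed sample based on the export in the post above. The masked public
# IP 24.158.###.### is replaced with the documentation address 203.0.113.10
# and the pre-shared key with a placeholder so the text parses cleanly.
SAMPLE_EXPORT = """\
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=yes enc-algorithms=3des lifetime=30m \\
    name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=1d name=\\
    payroll pfs-group=none
/ip ipsec peer
add address=203.0.113.10/32 auth-method=pre-shared-key dh-group=modp1024 \\
    disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=\\
    3des exchange-mode=main generate-policy=yes hash-algorithm=md5 lifebytes=0 \\
    lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\\
    obey secret=PLACEHOLDER send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.148.0/24 dst-port=any \\
    ipsec-protocols=esp level=require priority=0 proposal=payroll protocol=all \\
    sa-dst-address=203.0.113.10 sa-src-address=203.0.113.10 src-address=\\
    10.150.24.245/29 src-port=any tunnel=yes
"""

# Algorithms this example treats as weak; adjust to your own policy.
WEAK_CIPHERS = {"3des", "des", "null"}
WEAK_HASHES = {"md5"}


def _join_continuations(text):
    """Merge lines ending in a backslash with the next line, as RouterOS exports them.
    The backslash is dropped and nothing is inserted, so 'name=\\' + 'payroll'
    becomes 'name=payroll' while 'lifetime=30m \\' + 'name=x' keeps its space."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_export(text):
    """Return a list of entries: section path, verb (add/set), positional target, key=value params."""
    entries, section = [], None
    for line in _join_continuations(text):
        if not line or line.startswith("#"):
            continue  # comments such as '# software id = ...'
        if line.startswith("/"):
            section = line  # e.g. '/ip ipsec policy'
            continue
        tokens = shlex.split(line)  # honours quoted values like my-id-user-fqdn=""
        verb, params, target = tokens[0], {}, []
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
            else:
                target.append(tok)  # e.g. 'default' in 'set default ...'
        entries.append({"section": section, "verb": verb, "target": target, "params": params})
    return entries


def audit(entries):
    """Return human-readable findings about weak or inconsistent IPsec settings."""
    findings = []
    for e in entries:
        p = e["params"]
        label = p.get("name") or p.get("address") or p.get("src-address") or " ".join(e["target"])
        where = f"{e['section']} {e['verb']} {label}".strip()
        if e["section"] == "/ip ipsec proposal":
            if p.get("disabled") == "yes":
                continue  # disabled proposals are never offered
            for alg in p.get("enc-algorithms", "").split(","):
                if alg in WEAK_CIPHERS:
                    findings.append(f"{where}: weak encryption algorithm {alg}")
            for alg in p.get("auth-algorithms", "").split(","):
                if alg in WEAK_HASHES:
                    findings.append(f"{where}: weak authentication algorithm {alg}")
            if p.get("pfs-group") == "none":
                findings.append(f"{where}: pfs-group=none, no perfect forward secrecy for child SAs")
        elif e["section"] == "/ip ipsec peer":
            if p.get("dpd-interval") == "disable-dpd":
                findings.append(f"{where}: dead peer detection disabled, stale SAs are not torn down automatically")
            if p.get("enc-algorithm") in WEAK_CIPHERS:
                findings.append(f"{where}: weak phase 1 encryption algorithm {p['enc-algorithm']}")
            if p.get("hash-algorithm") in WEAK_HASHES:
                findings.append(f"{where}: weak phase 1 hash algorithm {p['hash-algorithm']}")
        elif e["section"] == "/ip ipsec policy":
            for key in ("src-address", "dst-address"):
                value = p.get(key, "")
                if "/" in value:
                    net = ipaddress.ip_network(value, strict=False)
                    if str(net) != value:
                        findings.append(f"{where}: {key}={value} has host bits set; network is {net}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Run it against your own `/export` output after masking the secret; the policy check is the one most directly related to the symptom in the post, since a selector written as a host address with a subnet prefix is ambiguous, and writing it as the network address (10.150.24.240/29 here) removes one variable when comparing what the concentrator and the router each believe the tunnel covers.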
 
aluminumpork

Re: IPsec subnet tunnel to Cisco VPN Concentrator issues

Wed Mar 21, 2012 4:52 pm

Well, I didn't notice the stickied thread directly related to this issue. It appears that I am blind. My apologies.
