We've been using the 450G and the RB1200 at our various locations to run a LAN-to-LAN tunnel from timeclocks to our home office concentrator. This seems to work as expected when we only have one timeclock at the location. We set up an IPsec policy with the following (for example):
Code:
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.148.0/24 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal=payroll protocol=\
all sa-dst-address=24.158.###.### sa-src-address=24.158.###.### src-address=\
10.150.24.245 src-port=any tunnel=yes
Code:
# mar/21/2012 09:36:59 by RouterOS 5.2
# software id = E9ZC-AX7M
#
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=yes enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=1d name=\
payroll pfs-group=none
/ip ipsec peer
add address=24.158.###.###/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=\
3des exchange-mode=main generate-policy=yes hash-algorithm=md5 lifebytes=0 \
lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
obey secret=###### send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.148.0/24 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal=payroll protocol=all \
sa-dst-address=24.158.###.### sa-src-address=24.158.###.### src-address=\
10.150.24.245/29 src-port=any tunnel=yes
This behaved the same as before, but we are having reliability issues. Yesterday, it was up for 6 hours and then disconnected around midnight. It then refused to come back up until the policy was removed and re-created. Sometimes the tunnel does come back up (according to the concentrator and the remote peers tab in Winbox), but the dynamic entries are not created, and the clocks are not accessible.
Are there any known issues with the RouterOS IPsec functionality? I'm far from a VPN expert, but feel that something screwy is happening here. It seems odd that in order to get the functionality we need, we have to enter the configuration from the terminal.
Any help is greatly appreciated. Thanks!
[edited for grammar]
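Added example, not part of the post above and not MikroTik code: a small Python parser for the RouterOS export format quoted in the post (backslash line continuations, `key=value` tokens, `add`/`set` verbs under a menu path) with a review pass that flags the settings a defender would want to look at before chasing the outage: single-DES/3DES and MD5 in both phases, PFS switched off, dead peer detection disabled, a policy that references a missing or disabled proposal, and a policy `src-address` with no prefix length (as in the poster's first policy). The sample input is the poster's own export with their `###` placeholders kept; the weak-setting lists and finding texts are the editor's assumptions, and the DPD finding is a general IPsec observation, not a diagnosis of this tunnel.

```python
"""Added example (not from the post): parse a RouterOS 'export' fragment and
flag IPsec settings worth reviewing before troubleshooting a flapping tunnel."""
import shlex

# Constructed sample input: the proposal/peer/policy export quoted in the post,
# with the poster's '###' placeholders kept as-is.
SAMPLE_EXPORT = r"""
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=yes enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=1d name=\
payroll pfs-group=none
/ip ipsec peer
add address=24.158.###.###/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=\
3des exchange-mode=main generate-policy=yes hash-algorithm=md5 lifebytes=0 \
lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
obey secret=###### send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.148.0/24 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal=payroll protocol=all \
sa-dst-address=24.158.###.### sa-src-address=24.158.###.### src-address=\
10.150.24.245/29 src-port=any tunnel=yes
"""

# The poster's first policy, whose src-address carries no prefix length.
SAMPLE_POLICY_V1 = r"""
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.148.0/24 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal=payroll protocol=\
all sa-dst-address=24.158.###.### sa-src-address=24.158.###.### src-address=\
10.150.24.245 src-port=any tunnel=yes
"""

# Editor's assumptions about what counts as weak (not a RouterOS list).
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_HASHES = {"md5"}


def unfold(text):
    """Join RouterOS export continuation lines (trailing backslash, joined
    without inserting a space, so 'name=\\' + 'payroll' becomes 'name=payroll')."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip():
            lines.append(buf)
        buf = ""
    if buf.strip():
        lines.append(buf)
    return lines


def parse_export(text):
    """Return a list of (menu_path, verb, {key: value}) for each add/set line."""
    entries, menu = [], None
    for line in unfold(text):
        if line.startswith("#"):          # export header comments
            continue
        if line.startswith("/"):          # menu path such as '/ip ipsec peer'
            menu = line.strip()
            continue
        tokens = shlex.split(line)        # honours quoted values like my-id-user-fqdn=""
        if not tokens or tokens[0] not in ("add", "set"):
            continue
        verb, rest = tokens[0], tokens[1:]
        props = {}
        if verb == "set" and rest and "=" not in rest[0]:
            props["name"] = rest.pop(0)   # 'set default ...' names an existing item
        for tok in rest:
            key, _, value = tok.partition("=")
            props[key] = value
        entries.append((menu, verb, props))
    return entries


def review(entries):
    """Return (menu, item, message) findings for the enabled IPsec entries."""
    findings = []
    live = [(m, p) for m, _, p in entries if p.get("disabled") != "yes"]
    proposals = {p.get("name") for m, p in live if m.endswith("proposal")}
    for menu, p in live:
        item = p.get("name") or p.get("address") or p.get("src-address") or "?"
        if menu.endswith("proposal"):
            weak_c = set(p.get("enc-algorithms", "").split(",")) & WEAK_CIPHERS
            weak_h = set(p.get("auth-algorithms", "").split(",")) & WEAK_HASHES
            if weak_c:
                findings.append((menu, item, "weak phase-2 cipher: " + ",".join(sorted(weak_c))))
            if weak_h:
                findings.append((menu, item, "weak phase-2 integrity: " + ",".join(sorted(weak_h))))
            if p.get("pfs-group") == "none":
                findings.append((menu, item, "PFS disabled (pfs-group=none)"))
        elif menu.endswith("peer"):
            if set(p.get("enc-algorithm", "").split(",")) & WEAK_CIPHERS:
                findings.append((menu, item, "weak phase-1 cipher: " + p["enc-algorithm"]))
            if set(p.get("hash-algorithm", "").split(",")) & WEAK_HASHES:
                findings.append((menu, item, "weak phase-1 hash: " + p["hash-algorithm"]))
            if p.get("dpd-interval") == "disable-dpd":
                findings.append((menu, item, "dead peer detection disabled; stale SAs "
                                 "are not torn down when the peer drops"))
        elif menu.endswith("policy"):
            if p.get("proposal") and p["proposal"] not in proposals:
                findings.append((menu, item, "references proposal %r that is missing "
                                 "or disabled" % p["proposal"]))
            if "/" not in p.get("src-address", ""):
                findings.append((menu, item, "src-address has no prefix length; "
                                 "it matches a single host only"))
    return findings


if __name__ == "__main__":
    for menu, item, msg in review(parse_export(SAMPLE_EXPORT)):
        print("%-20s %-20s %s" % (menu, item, msg))
```

Running the block prints six findings for the quoted export (three against the `payroll` proposal, three against the peer) and none against the `/29` policy; feeding it the first policy instead yields the missing-prefix finding plus a missing-proposal finding, because that fragment carries no proposal section. The parser deliberately keeps the `###` placeholders as opaque strings, so a redacted export can be reviewed without filling anything in.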