I'm attempting to set up the above as a client to a Cisco Site-to-site IPSec VPN. (I don't have control of the remote end). The route looks like this:
Local LAN (192.168.1.0/22) ------ Local SA (86.x.y.z) -------- Remote SA (66.a.b.c) -------- remote LAN (10.0.0.0/24)
# Phase 1 (IKE) settings for the Cisco peer; the trailing backslash on the last
# line of each command is dropped so the three commands are not run together.
/ip ipsec peer add \
address=66.a.b.c/32 port=500 auth-method=pre-shared-key secret="<secret>" generate-policy=no \
exchange-mode=main send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" proposal-check=obey \
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp768 lifetime=1d lifebytes=0 dpd-interval=2m \
dpd-maximum-failures=5
# Phase 2 (ESP) proposal offered for the policy below.
/ip ipsec proposal add \
name="prop" auth-algorithms=md5,sha1 enc-algorithms=3des,aes-128,aes-192,aes-256 lifetime=30m pfs-group=modp1024
# Tunnel-mode policy between the two LANs; sa-src-address must be the local
# public address 86.x.y.z (the original had a typo, 86.x.y.x), and each
# continued line needs its backslash.
/ip ipsec policy add \
src-address=192.168.1.0/22 src-port=any dst-address=10.0.0.0/24 dst-port=any protocol=all action=encrypt \
level=require ipsec-protocols=esp tunnel=yes sa-src-address=86.x.y.z sa-dst-address=66.a.b.c \
proposal=prop priority=0
18:17:37 ipsec,debug suitable outbound SP found: 192.168.1.0/22[0] 10.0.0.0/24[0] proto=any dir=out
18:17:37 ipsec,debug suitable inbound SP found: 10.0.0.0/24[0] 192.168.1.0/22[0] proto=any dir=in
18:17:37 ipsec,debug new acquire 192.168.1.0/22[0] 10.0.0.0/24[0] proto=any dir=out
18:17:37 ipsec,debug,packet (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
18:17:37 ipsec,debug,packet (trns_id=3DES encklen=0 authtype=hmac-md5)
18:17:37 ipsec,debug,packet (trns_id=3DES encklen=0 authtype=hmac-sha)
18:17:37 ipsec,debug,packet (trns_id=AES encklen=128 authtype=hmac-md5)
18:17:37 ipsec,debug,packet (trns_id=AES encklen=128 authtype=hmac-sha)
18:17:37 ipsec,debug,packet (trns_id=AES encklen=192 authtype=hmac-md5)
18:17:37 ipsec,debug,packet (trns_id=AES encklen=192 authtype=hmac-sha)
18:17:37 ipsec,debug,packet (trns_id=AES encklen=256 authtype=hmac-md5)
18:17:37 ipsec,debug,packet (trns_id=AES encklen=256 authtype=hmac-sha)
18:17:37 ipsec,debug IPsec-SA request for 66.a.b.c queued due to no phase1 found.
18:17:37 ipsec,debug,packet ===
18:17:37 ipsec,debug initiate new phase 1 negotiation: 86.x.y.z[500]<=>66.a.b.c[500]
18:17:37 ipsec,debug begin Identity Protection mode.
18:17:37 ipsec,debug,packet new cookie:
18:17:37 ipsec,debug,packet 9cb90733bc4ab05d
18:17:37 ipsec,debug,packet add payload of len 52, next type 13
18:17:37 ipsec,debug,packet add payload of len 16, next type 0
18:17:37 ipsec,debug,packet 104 bytes from 86.x.y.z[500] to 66.a.b.c[500]
18:17:37 ipsec,debug,packet sockname 86.x.y.z[500]
18:17:37 ipsec,debug,packet send packet from 86.x.y.z[500]
18:17:37 ipsec,debug,packet send packet to 66.a.b.c[500]
18:17:37 ipsec,debug,packet src4 86.x.y.z[500]
18:17:37 ipsec,debug,packet dst4 66.a.b.c[500]
18:17:37 ipsec,debug,packet 1 times of -1 bytes message will be sent to 66.a.b.c[500]
18:17:37 ipsec,debug,packet 9cb90733 bc4ab05d 00000000 00000000 01100200 00000000 00000068 0d000038
18:17:37 ipsec,debug,packet 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
18:17:37 ipsec,debug,packet 00015180 80010005 80030001 80020002 80040001 00000014 afcad713 68a1f1c9
18:17:37 ipsec,debug,packet 6b8696fc 77570100
18:17:37 ipsec,debug sendfromto failed
18:17:37 ipsec,debug,packet an undead schedule has been deleted.
18:17:37 ipsec,warning,critical failed to begin ipsec sa negotication.
There's no timeout, and all of the above happens near instantaneously. It will also repeat every 30 seconds for as long as there's traffic trying to route between the two LANs.
Can anyone tell me if this is a configuration issue or the sniffer isn't logging the packet for some reason?
Thanks,
Terry.
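The hex dump in the log is the first main-mode (Identity Protection) message the router attempted to send before "sendfromto failed" was logged. The following Python decoder is an added example, not part of the original post or of RouterOS; it parses only the bytes shown in the log (the ISAKMP header, the SA payload with its phase-1 transform attributes, and the trailing vendor-ID payload) so the proposal actually put on the wire can be compared against the peer configuration above. The attribute and payload names are taken from RFC 2409 and RFC 3706; everything else in the block is the example's own code.

```python
"""Decode the IKEv1 main-mode message 1 captured in the ipsec,debug,packet log lines."""
import struct

# The 104-byte packet exactly as it appears in the log above (copied, not invented).
MSG1_HEX = (
    "9cb90733 bc4ab05d 00000000 00000000 01100200 00000000 00000068 0d000038 "
    "00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004 "
    "00015180 80010005 80030001 80020002 80040001 00000014 afcad713 68a1f1c9 "
    "6b8696fc 77570100"
)

EXCHANGE_TYPES = {2: "Identity Protection (main mode)", 4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {1: "SA", 13: "VID"}
# IKEv1 phase-1 attribute classes and values (RFC 2409 Appendix A).
ATTR_CLASSES = {1: "enc-algorithm", 2: "hash-algorithm", 3: "auth-method",
                4: "dh-group", 11: "life-type", 12: "lifetime"}
ATTR_VALUES = {
    1: {1: "des", 5: "3des", 7: "aes"},
    2: {1: "md5", 2: "sha1"},
    3: {1: "pre-shared-key", 3: "rsa-signature"},
    4: {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"},
    11: {1: "seconds", 2: "kilobytes"},
}
# Dead Peer Detection vendor ID (RFC 3706 section 5.3); the last two bytes are version 1.0.
DPD_VENDOR_ID = bytes.fromhex("afcad71368a1f1c96b8696fc77570100")


def parse_attributes(data):
    """Decode ISAKMP data attributes: TV form when the high bit is set, TLV otherwise."""
    attrs, pos = {}, 0
    while pos < len(data):
        af_type, val_or_len = struct.unpack_from("!HH", data, pos)
        cls = af_type & 0x7FFF
        if af_type & 0x8000:                      # TV: 16-bit value stored in place
            value, pos = val_or_len, pos + 4
        else:                                     # TLV: length, then big-endian value
            value = int.from_bytes(data[pos + 4:pos + 4 + val_or_len], "big")
            pos += 4 + val_or_len
        name = ATTR_CLASSES.get(cls, f"attr-{cls}")
        attrs[name] = ATTR_VALUES.get(cls, {}).get(value, value)
    return attrs


def parse_sa_payload(body):
    """Return the DOI, situation and the transforms of the (single) proposal in an SA payload."""
    doi, situation = struct.unpack_from("!II", body, 0)
    _, _, _, prop_no, proto, spi_size, n_trans = struct.unpack_from("!BBHBBBB", body, 8)
    transforms, pos = [], 16 + spi_size
    for _ in range(n_trans):
        _, _, tlen, t_no, t_id, _ = struct.unpack_from("!BBHBBH", body, pos)
        transforms.append({"transform": t_no, "id": t_id,
                           **parse_attributes(body[pos + 8:pos + tlen])})
        pos += tlen
    return {"doi": doi, "situation": situation, "proposal": prop_no,
            "protocol": proto, "transforms": transforms}


def parse_isakmp(raw):
    """Parse the fixed 28-byte ISAKMP header, then walk the next-payload chain."""
    if len(raw) < 28:
        raise ValueError("short ISAKMP header")
    i_cookie, r_cookie, next_pl, version, exch, flags, msg_id, length = \
        struct.unpack_from("!8s8sBBBBII", raw, 0)
    if length != len(raw):
        raise ValueError(f"header length {length} != packet length {len(raw)}")
    msg = {
        "initiator_cookie": i_cookie.hex(), "responder_cookie": r_cookie.hex(),
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, exch), "flags": flags,
        "message_id": msg_id, "length": length, "payloads": [],
    }
    pos, cur = 28, next_pl
    while cur != 0:
        nxt, _, plen = struct.unpack_from("!BBH", raw, pos)
        body = raw[pos + 4:pos + plen]
        if cur == 1:
            payload = {"type": "SA", **parse_sa_payload(body)}
        elif cur == 13:
            payload = {"type": "VID", "vendor_id": body.hex(),
                       "known": "DPD (RFC 3706)" if body == DPD_VENDOR_ID else "unknown"}
        else:
            payload = {"type": PAYLOAD_TYPES.get(cur, cur), "raw": body.hex()}
        msg["payloads"].append(payload)
        pos, cur = pos + plen, nxt
    if pos != length:
        raise ValueError("payload chain does not end at the packet length")
    return msg


def decode_log_dump(hex_dump):
    """Accept the space-separated hex exactly as the ipsec,debug,packet log prints it."""
    return parse_isakmp(bytes.fromhex(hex_dump.replace(" ", "")))


if __name__ == "__main__":
    import json
    print(json.dumps(decode_log_dump(MSG1_HEX), indent=2))
```

Running it shows a well-formed message: initiator cookie 9cb90733bc4ab05d, responder cookie all zeros (as expected for message 1), total length 104 matching the "104 bytes" log line, one ISAKMP proposal with a single transform offering 3DES, SHA1, pre-shared-key authentication, DH group modp768 and an 86400-second lifetime, followed by the DPD vendor ID. That is exactly the phase-1 configuration from the peer entry above, so the proposal itself is not the problem; in the log the failure ("sendfromto failed") is reported at the send step, before any reply from 66.a.b.c is seen.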