The problem with the MikroTik is that you can't add an IPsec policy that has a dynamic endpoint:
Code:
[admin@MikroTik] /ip ipsec policy> add src-address=x.x.x.x/32 src-port=1701 dst-address=0.0.0.0/0 dst-port=1701 protocol=udp action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=x.x.x.x sa-dst-address=0.0.0.0/0 proposal=default priority=1
invalid value for argument ip
Code: Select all
[admin@MikroTik] /ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x36733D4 src-address=x.x.x.x dst-address=166.147.93.225 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key="0387a82de70a46a32750b5b58629906cb7c96154" enc-key="53205926fb782cd55b4035ef36d7369b78a55a22c4382d44" add-lifetime=48m/1h
use-lifetime=0s/0s lifebytes=0/0
1 E spi=0x77BEE75 src-address=166.147.93.225 dst-address=x.x.x.x auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key="2ac9425dee01fd861f083912d84820836d84278c" enc-key="b684bf0bbbe426ec8065dbae1b5f8516943cf989f68e5fb2" addtime=jun/11/2012 13:21:23
add-lifetime=48m/1h usetime=jun/11/2012 13:21:23 use-lifetime=0s/0s current-bytes=158 lifebytes=0/0
[admin@MikroTik] /ip ipsec> policy print
Flags: X - disabled, D - dynamic, I - inactive
1 D src-address=10.41.150.188/32 src-port=any dst-address=x.x.x.x/32 dst-port=any protocol=udp action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address=10.41.150.188 sa-dst-address=x.x.x.x proposal=default priority=2
1. I removed my public IP.
2. I have another policy that is static for my site-to-site VPN that I omitted.
3. The address that brought up the IPsec tunnel is a public address, but the policy is added for the NAT address. Of course my router has no idea how to get to that address and thus none of the packets match the policy.
I do have NAT traversal enabled:
Code:
add address=0.0.0.0/0 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=10s dpd-maximum-failures=5 enc-algorithm=3des \
exchange-mode=main-l2tp generate-policy=yes hash-algorithm=sha1 lifetime=1d my-id-user-fqdn="" nat-traversal=yes port=500 secret=\
password send-initial-contact=yes
Thanks,
schu
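Added example, not part of schu's post and not a MikroTik tool: a small Python parser for the two RouterOS `print` outputs quoted above that flags dynamic policies whose SA endpoints match no installed SA, which is the NAT'd-address mismatch described in point 3. The sample output is constructed, with 192.0.2.10 standing in for the redacted public address and the key material omitted.

```python
import re

# Constructed sample output modelled on the RouterOS "print" format quoted in the post;
# 192.0.2.10 replaces the redacted public address, keys are left out.
INSTALLED_SA = """\
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x36733D4 src-address=192.0.2.10 dst-address=166.147.93.225 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
add-lifetime=48m/1h use-lifetime=0s/0s lifebytes=0/0
1 E spi=0x77BEE75 src-address=166.147.93.225 dst-address=192.0.2.10 auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
add-lifetime=48m/1h use-lifetime=0s/0s current-bytes=158 lifebytes=0/0
"""
POLICIES = """\
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.0.2.10/32 dst-address=198.51.100.0/24 protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=192.0.2.10 sa-dst-address=198.51.100.1 proposal=default priority=0
1 D src-address=10.41.150.188/32 src-port=any dst-address=192.0.2.10/32 dst-port=any protocol=udp action=encrypt level=require
ipsec-protocols=esp tunnel=no sa-src-address=10.41.150.188 sa-dst-address=192.0.2.10 proposal=default priority=2
"""

ENTRY_RE = re.compile(r"^(\d+)\s+((?:[A-Z]\s+)*)(.*)$")   # "<index> [flags...] key=value ..."
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')               # key=value, value may be quoted


def parse_print(text):
    """Turn RouterOS 'print' output into a list of dicts ({'index', 'flags', key: value...}).
    Lines that do not start with an item number are wrapped continuations of the previous item."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"index": m.group(1), "flags": m.group(2).split(), "_rest": m.group(3)})
        else:
            entries[-1]["_rest"] += " " + line
    for e in entries:
        e.update((k, v.strip('"')) for k, v in KV_RE.findall(e.pop("_rest")))
    return entries


def sa_endpoint_pairs(sa_text):
    """Direction-agnostic {src, dst} endpoint pairs of every installed SA."""
    return {frozenset((e["src-address"], e["dst-address"])) for e in parse_print(sa_text)}


def find_unmatched_dynamic_policies(sa_text, policy_text):
    """Dynamic (D) policies whose sa-src/sa-dst pair has no installed SA behind it.
    In the post the SA peer is the road warrior's public address while the generated policy
    carries its private, pre-NAT address, so no traffic can ever match the policy."""
    pairs = sa_endpoint_pairs(sa_text)
    return [(p["index"], p["sa-src-address"], p["sa-dst-address"])
            for p in parse_print(policy_text)
            if "D" in p["flags"] and frozenset((p["sa-src-address"], p["sa-dst-address"])) not in pairs]


if __name__ == "__main__":
    for idx, src, dst in find_unmatched_dynamic_policies(INSTALLED_SA, POLICIES):
        print(f"policy {idx}: SA endpoints {src} <-> {dst} have no installed SA (NAT'd peer address?)")
```

Feed it the real `/ip ipsec installed-sa print` and `/ip ipsec policy print` output and an empty result means every generated policy has a matching SA pair.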