I am having a problem getting an IPsec tunnel working correctly between a Cisco 827 router and a Mikrotik router. Here are my configs to start.
Mikrotik Config
ip ipsec> proposal print
Flags: X - disabled
0 name="Default" auth-algorithms=sha1 enc-algorithms=3des lifetime=6h
lifebytes=0 pfs-group=modp1024
1 name="ipsec" auth-algorithms=sha1 enc-algorithms=3des lifetime=6h
lifebytes=0 pfs-group=modp1024
policy print
Flags: X - disabled, D - dynamic, I - invalid
0 src-address=206.132.x.x/32:any dst-address=76.221.x.x/32:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no
sa-src-address=206.132.x.x sa-dst-address=76.221.x.x
proposal=ipsec manual-sa=none dont-fragment=clear
peer print
Flags: X - disabled
0 address=76.221.x.x/32:500 secret="key here" generate-policy=no
exchange-mode=main send-initial-contact=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=6h
lifebytes=0
ipip print
Flags: X - disabled, R - running
# NAME MTU LOCAL-ADDRESS REMOTE-ADDRESS
0 R Tunnel0 1480 206.132.x.x 76.221.x.x
Cisco Config
Using 3887 out of 131072 bytes
!
version 12.3
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 360
crypto isakmp key "key here" address 0.0.0.0 0.0.0.0
crypto ipsec transform-set bm ah-sha-hmac esp-3des
!
crypto ipsec profile P1
set security-association lifetime seconds 360
set transform-set bm
!
interface Tunnel0
ip address 192.168.149.1 255.255.255.252
load-interval 30
tunnel source Dialer1
tunnel destination 206.132.x.x
tunnel protection ipsec profile P1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.9.0 255.255.255.0 Tunnel0
When I try to ping 192.168.9.3 from the Cisco box, I get the following in the log on the Mikrotik and my pings always time out. I also cannot ping 192.168.149.2 from the Cisco either.
15:32:43 ipsec,ike,info received ISAKMP packet from 76.221.x.x:500, phase 1, Identity Protection
15:32:43 ipsec,ike,info responding phase 1, starting mode Identity Protection (local 206.132.x.x:500) (remote76.221.x.x:500)
15:32:43 ipsec,ike,info received ISAKMP packet from 76.221.x.x:500, phase 1, Identity Protection
15:32:44 ipsec,ike,info received ISAKMP packet from 76.221.x.x:500, phase 1, Identity Protection
15:32:44 ipsec,ike,info Initial-Contact Notification payload, ignoring (remote unknown)
15:32:44 ipsec,ike,info ISAKMP SA established (local 206.132.x.x:500) (remote 76.221.x.x:500)
15:32:44 ipsec,ike,info received ISAKMP packet from 76.221.x.x:500, phase 2, Quick
15:32:44 ipsec,ike,info responding phase 2 (src 206.132.x.x) (dst 76.221.x.x)
15:32:44 ipsec,ike,info no acceptable proposal found (remote unknown)
15:32:44 ipsec,ike,info failed to pre-process packet (remote unknown)
15:32:44 ipsec,ike,info received ISAKMP packet from 76.221.x.x:500, phase 2, Informational
15:32:45 ipsec,ike,info phase 1 deleted (local 206.132.x.x:500) (remote 76.221.x.x:500)
Can anyone shed some light on what to do? Thanks
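Added example, not part of the original post: the log shows phase 1 completing and phase 2 ending in "no acceptable proposal found", so this script normalises the phase 2 settings from both posted configs and lists every field that differs. The function names are hypothetical, the input strings are constructed from the settings above, and the handling of auth-algorithms is a labelled assumption.

```python
import re

# Constructed from the settings posted above (addresses and key left out).
MIKROTIK = '''name="ipsec" auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=no'''
CISCO = '''crypto ipsec transform-set bm ah-sha-hmac esp-3des
crypto ipsec profile P1
 set security-association lifetime seconds 360
 set transform-set bm'''

DH = {"modp768": "group1", "modp1024": "group2", "modp1536": "group5"}

def mikrotik_phase2(text):
    """Normalise RouterOS proposal + policy settings into one phase 2 offer."""
    kv = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', text))
    protos = set(kv["ipsec-protocols"].split(","))
    auth = kv["auth-algorithms"]
    # Assumption: auth-algorithms applies to every protocol the policy enables.
    return {
        "ah_auth": auth if "ah" in protos else None,
        "esp_enc": kv["enc-algorithms"] if "esp" in protos else None,
        "esp_auth": auth if "esp" in protos else None,
        "pfs": DH.get(kv["pfs-group"]),  # "none" -> None
        "mode": "tunnel" if kv["tunnel"] == "yes" else "transport",
    }

def cisco_phase2(text):
    """Normalise an IOS transform-set and profile into the same shape."""
    offer = dict.fromkeys(("ah_auth", "esp_enc", "esp_auth", "pfs"))
    tokens = re.search(r"^crypto ipsec transform-set \S+ (.+)$", text, re.M).group(1)
    for tok in tokens.split():
        m = re.fullmatch(r"(ah|esp)-(\w+?)(-hmac)?", tok)
        if not m:
            continue  # e.g. a key-size argument
        proto, alg, hmac = m.groups()
        alg = {"sha": "sha1"}.get(alg, alg)
        offer[f"{proto}_auth" if hmac else f"{proto}_enc"] = alg
    pfs = re.search(r"^\s*set pfs (group\d+)", text, re.M)
    offer["pfs"] = pfs.group(1) if pfs else None  # IOS sends no PFS unless set
    # IOS transform sets use tunnel mode unless "mode transport" is configured.
    offer["mode"] = "transport" if re.search(r"^\s*mode transport", text, re.M) else "tunnel"
    return offer

def mismatches(a, b):
    """Return {field: (a_value, b_value)} for every field that differs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    for field, (mt, ios) in mismatches(mikrotik_phase2(MIKROTIK), cisco_phase2(CISCO)).items():
        print(f"{field}: Mikrotik={mt} Cisco={ios}")
```

Lifetimes are left out of the comparison because the posted peer uses proposal-check=obey.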