Hi,
I am trying to establish a VPN tunnel between Mikrotik 4.1 and a Cisco PIX:
WAN IP for the Mikrotik: 120.69.226.111; WAN IP for the PIX: 125.149.94.253
Internal IP ranges: 192.168.20/23 (Mikrotik), 172.16.0.0/16 (Cisco PIX)
I can see the tunnel established, and I am able to ping the internal IP of the Mikrotik from the Cisco side.
But when I try to connect to the internal IP of the Cisco from the Mikrotik side, it does not work.
Can any of you guys shed some light on this?
The following is the existing configuration I have.
/interface> pr
Flags: D - dynamic, X - disabled, R - running, S - slave
NAME TYPE MTU L2MTU
0 R wlan2 ether 1500 1600
1 R Local ether 1500
2 R wlan1 ether 1500
/ip address> pr
Flags: X - disabled, I - invalid, D - dynamic
ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.20.1/23 192.168.20.0 192.168.21.255 Local
1 210.135.61.226/30 210.135.61.224 210.135.61.227 wlan1
2 120.69.226.111/24 120.69.226.0 120.69.226.255 wlan2
3 210.135.61.233/29 210.135.61.232 210.135.61.239 Local
/ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=0s
1 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2w
2 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w
3 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn
protocol=tcp address-list=port scanners address-list-timeout=2w
4 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst
protocol=tcp address-list=port scanners address-list-timeout=2w
5 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w
6 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp
address-list=port scanners address-list-timeout=2w
7 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w
8 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners
9 chain=input action=drop protocol=tcp dst-port=445
10 chain=forward action=drop protocol=tcp dst-port=445
11 chain=input action=drop protocol=udp dst-port=445
12 chain=forward action=drop protocol=udp dst-port=445
13 chain=input action=drop protocol=tcp dst-port=135-139
14 chain=forward action=drop protocol=tcp dst-port=135-139
15 chain=input action=drop protocol=udp dst-port=135-139
16 chain=forward action=drop protocol=udp dst-port=135-139
17 X chain=input action=drop dst-address=208.43.117.69
18 X chain=forward action=drop dst-address=208.43.117.69
19 chain=input action=drop dst-address=74.125.65.85
20 chain=forward action=drop dst-address=74.125.65.85
21 chain=input action=drop dst-address=74.125.113.85
22 chain=forward action=drop dst-address=74.125.113.85
23 chain=input action=drop dst-address=209.85.225.85
24 chain=forward action=drop dst-address=209.85.225.85
25 chain=forward action=accept protocol=ipsec-esp src-address=125.149.94.253
dst-address=120.69.226.111 in-interface=wlan2
26 chain=input action=accept protocol=ipsec-esp src-address=125.149.94.253
dst-address=120.69.226.111 in-interface=wlan2
27 chain=input action=accept protocol=ipsec-esp src-address=120.69.226.111
dst-address=125.149.94.253 in-interface=wlan2
28 chain=forward action=accept protocol=ipsec-esp src-address=120.69.226.111
dst-address=125.149.94.253 in-interface=wlan2
29 chain=input action=drop src-address=0.0.0.0 dst-address=64.226.42.158
30 chain=input action=drop src-address=64.226.42.158 dst-address=0.0.0.0
31 chain=forward action=accept src-address=192.168.172.0/24
dst-address=192.168.21.0/24 in-interface=wlan2 out-interface=Local
32 chain=forward action=accept src-address=172.16.0.0/16
dst-address=192.168.21.0/24 in-interface=wlan2 out-interface=Local
33 chain=input action=accept src-address=192.168.20.0/23
dst-address=172.16.0.0/16 in-interface=Local
34 chain=forward action=accept src-address=192.168.20.0/23
dst-address=172.16.0.0/16 out-interface=wlan2
/ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=wlan1
1 chain=srcnat action=masquerade out-interface=wlan2
2 chain=srcnat action=accept src-address=192.168.20.0/23 dst-address=172.16.0.0/16
3 chain=srcnat action=accept src-address=120.69.226.111 dst-address=125.149.94.253
4 chain=dstnat action=accept src-address=120.69.226.111 dst-address=125.149.94.253
/ip ipsec proposal> pr
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=aes-256 lifetime=8h pfs-group=modp1024
1 name="ipsec" auth-algorithms=sha1 enc-algorithms=aes-256 lifetime=8h pfs-group=modp1024
/ip ipsec installed-sa> pr
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x52E6E0A src-address=125.149.94.253 dst-address=120.69.226.111 auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key=“76f1b991134dfeca0d8d309c57798756cab253c8” enc-key=“98cb07a528cf4acf74e8a94d08cdeacd5e9121a32cc4b348f7b5d94cd62db09e” addtime=nov/10/2009 19:53:54
add-lifetime=24m/30m usetime=nov/10/2009 19:53:56 use-lifetime=0s/0s current-bytes=528 lifebytes=0/0
1 E spi=0xBC4638E0 src-address=120.69.226.111 dst-address=125.149.94.253 auth-algorithm=sha1 enc-algorithm=aes replay=4 state=mature
auth-key=“7fda93f56d3a0b4466a97d56aca07b3bb19e36fe” enc-key=“bd348501b318ae45aa25585c4315866ecaf13b1627bf82bf5f3cce2e535f1174” add-lifetime=24m/30m
use-lifetime=0s/0s lifebytes=0/0
/ip ipsec peer> pr
Flags: X - disabled
0 address=125.149.94.253/32:500 auth-method=pre-shared-key secret=“tradu-hE8ETES-Er” generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=yes
proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1536 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
/ip ipsec policy> pr
Flags: X - disabled, D - dynamic, I - inactive
0 D src-address=172.16.0.0/16:any dst-address=192.168.20.0/23:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=120.69.226.111
sa-dst-address=125.149.94.253 proposal=default priority=2
1 D src-address=172.16.0.0/16:any dst-address=192.168.20.0/23:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=120.69.226.111
sa-dst-address=125.149.94.253 proposal=default priority=2
2 D src-address=192.168.20.0/23:any dst-address=172.16.0.0/16:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=125.149.94.253
sa-dst-address=120.69.226.111 proposal=default priority=2
/ip ipsec statistics> pr
in-errors: 0
in-buffer-errors: 0
in-header-errors: 0
in-no-states: 1
in-state-protocol-errors: 0
in-state-mode-errors: 0
in-state-sequence-errors: 0
in-state-expired: 0
in-state-mismatches: 0
in-state-invalid: 0
in-template-mismatches: 840
in-no-policies: 0
in-policy-blocked: 0
in-policy-errors: 0
out-errors: 0
out-bundle-errors: 0
out-bundle-check-errors: 0
out-no-states: 250
out-state-protocol-errors: 0
out-state-mode-errors: 0
out-state-sequence-errors: 0
out-state-expired: 0
out-policy-blocked: 0
out-policy-dead: 0
out-policy-errors: 0