Hi all,
IPsec VPN secure channel between 2 sites, no connection.
The tutorial helped: http://gregsowell.com/?p=787
Did you allow in the input chain protocol 500 and protocol esp on your MikroTik? Your proposal must be mirroring: your LAN as source, the other side's LAN as dst address:
mkt:
src-add 169.24.xxx.0/24
dst-add 169.12.xxx.0/24
Also, you must exclude that traffic from NAT; put this command at the top of your NAT section:
add action=accept chain=srcnat comment="" disabled=no dst-address=169.12.0.0/24 src-address=169.24.0.0/24
(put your real addresses)
Activate IPsec logging to see what is happening:
system logging add topics=ipsec action=memory
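As an added example (not code from this thread or from MikroTik), here is a Python check of the three things the reply above asks for: mirrored policy selectors on both sides, a phase 2 proposal the two sides actually share, and an accept rule sitting above masquerade in the srcnat chain. The router settings are modelled as plain dicts; the addresses, algorithm sets and rule order are constructed for illustration, and the function and field names are this example's own.

```python
"""Sanity checks for a site-to-site IPsec tunnel (added example, not code
from the thread or from MikroTik). Both sides are modelled as dataclasses;
the values at the bottom are constructed to resemble the thread's settings."""

from dataclasses import dataclass, field
from itertools import product


@dataclass
class Side:
    name: str
    policy_src: str            # local LAN, as written in the policy
    policy_dst: str            # remote LAN, as written in the policy
    enc_algorithms: set        # phase 2 proposal, e.g. {"aes-256"}
    auth_algorithms: set       # phase 2 proposal, e.g. {"sha1"}
    pfs_group: str             # "none" or a modp group
    nat_rules: list = field(default_factory=list)  # ordered srcnat chain


def policies_mirror(a: Side, b: Side) -> bool:
    """Each side's src/dst must be the other side's dst/src."""
    return a.policy_src == b.policy_dst and a.policy_dst == b.policy_src


def phase2_compatible(a: Side, b: Side) -> list:
    """Return the (enc, auth) combinations both proposals accept.
    An empty list is what yields NO-PROPOSAL-CHOSEN in phase 2."""
    if a.pfs_group != b.pfs_group:
        return []
    return sorted(product(a.enc_algorithms & b.enc_algorithms,
                          a.auth_algorithms & b.auth_algorithms))


def nat_bypass_ok(side: Side) -> bool:
    """The accept rule for tunnel traffic must sit above any masquerade
    rule, otherwise packets are NATed before the IPsec policy sees them."""
    accept_idx = masq_idx = None
    for i, rule in enumerate(side.nat_rules):
        if (rule["action"] == "accept" and rule.get("src") == side.policy_src
                and rule.get("dst") == side.policy_dst and accept_idx is None):
            accept_idx = i
        if rule["action"] == "masquerade" and masq_idx is None:
            masq_idx = i
    if accept_idx is None:
        return False
    return masq_idx is None or accept_idx < masq_idx


def check_tunnel(a: Side, b: Side) -> list:
    """Collect findings as readable strings; empty means nothing found."""
    findings = []
    if not policies_mirror(a, b):
        findings.append("policies are not mirrored")
    if not phase2_compatible(a, b):
        findings.append("no common phase 2 proposal (expect NO-PROPOSAL-CHOSEN)")
    for s in (a, b):
        if not nat_bypass_ok(s):
            findings.append(f"{s.name}: tunnel traffic is not excluded from NAT")
    return findings


# Constructed example: the MikroTik side offers AES-256/SHA1, the far side
# only 3DES/SHA1, and the MikroTik accept rule was placed below masquerade.
MIKROTIK = Side("mikrotik", "192.168.0.0/24", "10.10.10.0/24",
                {"aes-256"}, {"sha1"}, "none",
                nat_rules=[{"action": "masquerade"},
                           {"action": "accept", "src": "192.168.0.0/24",
                            "dst": "10.10.10.0/24"}])
REMOTE = Side("remote", "10.10.10.0/24", "192.168.0.0/24",
              {"3des"}, {"sha1"}, "none",
              nat_rules=[{"action": "accept", "src": "10.10.10.0/24",
                          "dst": "192.168.0.0/24"},
                         {"action": "masquerade"}])

if __name__ == "__main__":
    for line in check_tunnel(MIKROTIK, REMOTE):
        print("finding:", line)
```

Run it and the two findings printed are exactly the two mistakes the reply warns about; fix the far side's proposal to include aes-256 and move the accept rule up, and `check_tunnel` returns an empty list.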
I didn’t do anything yet; that’s why I posted to this forum. I need to create this VPN channel but I don’t know how to do it properly, what commands should I enter.
Really need your help.
The VPN is needed so that my users behind MikroTik could work with one program that is placed on the other end (Server).
I found another great tutorial… it sounds easy but I have a few questions.
Where should I put these IPs: 169.12.XXX.1 and 169.24.XXX.0/24 in the image below? My subnet is 192.168.0.1
And the Peer IP addresses: 72.45.XX.XX and 72.88.XXX.XXX or 166.222.XX.XXX?

IPsec uses port 500; should I open it with Firewall → NAT, or is there no need?
Thank you.
No good connection…
Log:
12:59:56 ipsec IPsec-SA request for 69.22.XXX.XX queued due to no phase1 found.
12:59:56 ipsec initiate new phase 1 negotiation: 72.88.XXX.XXX[500]<=>69.22.XXX.XX[500]
12:59:56 ipsec begin Identity Protection mode.
12:59:57 ipsec received broken Microsoft ID: FRAGMENTATION
12:59:57 ipsec received Vendor ID: CISCO-UNITY
12:59:57 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
12:59:57 ipsec received Vendor ID: DPD
12:59:57 ipsec ISAKMP-SA established 72.88.XXX.XXX[500]-69.22.XXX.XX[500] spi:369c291f103a7ab3:31e65c0b0b35ab84
12:59:58 ipsec initiate new phase 2 negotiation: 72.88.XXX.XXX[500]<=>69.22.XXX.XX[500]
12:59:58 ipsec fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
12:59:58 ipsec Message: '1p '.
12:59:58 ipsec ISAKMP-SA expired 72.88.XXX.XXX[500]-69.22.XXX.XX[500] spi:369c291f103a7ab3:31e65c0b0b35ab84
13:00:28 ipsec 69.22.XXX.XX give up to get IPsec-SA due to time up to wait.
13:00:28 ipsec IPsec-SA expired: ESP/Tunnel 69.22.XXX.XX[0]->72.88.XXX.XXX[0] spi=213091748(0xcb385a4)
13:00:29 ipsec ISAKMP-SA deleted 72.88.XXX.XXX[500]-69.22.XXX.XX[500] spi:369c291f103a7ab3:31e65c0b0b35ab84
My Mikrotik settings (IP 72.88.XXX.XXX):
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=aes-256 lifetime=1d name=default pfs-group=none
/ip ipsec peer
add address=69.22.XXX.XX/32:500 auth-method=pre-shared-key comment="" dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=aes-256 exchange-mode=main \
generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=d22daHBe0 send-initial-contact=yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=152.12.100.1/32:any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=69.22.XXX.XX \
sa-src-address=72.88.XXX.XXX src-address=152.21.XXX.0/24:any tunnel=yes
Why is there no connection? Thank you.
In the policy you put src-address=152.21.XXX.0/24 and dst-address=152.12.100.1/32; on the Cisco side it must be a mirror of that… also check proposals again for phase 2.
In the first post, before editing, you were talking about 169.x.x.x networks; in the picture there are 192.168.x.x networks; now in the last post another one (public).