generic ipsec tunnels

I have read the documentation ad nauseam on IPsec and otherwise, but all examples refer to point-to-point links.

I have a situation where I would like the MikroTik to have a generic setup for multiple IPsec tunnels to it from different manufacturers (e.g. SMC, Cisco, etc.).

How do I create a generic setup on the MikroTik side, such that a link is created without knowing beforehand what the IP is going to be?

If I understand you correctly, the MT has to be configured as a VPN server in IPsec aggressive mode. A login with user ID (aka password) is possible then.

Sorry to say, I haven't configured this with MT yet, but it works using a few other systems.

Yes, what you say is right. That is the config I am looking for.
Do you have any suggestions?

What is the problem? If you are able to create one point-to-point IPsec tunnel, then you are able to create more similar tunnels by adding appropriate IPsec policies, NAT and routing rules. I think there are also some examples of how to connect MT with other devices (Cisco) in the manual.
What do you mean exactly by "generic" setup? Are your clients single computers or other computer networks? Can you be more specific please?

Sorry, not at the moment, I am working on it.

I have done some testing and have managed to make some progress.
I am using the MT L2TP server together with IPsec, and MS Win 2000 Server as a client.

MT

/ interface l2tp-server server
set enabled=yes max-mtu=1460 max-mru=1460 authentication=mschap2
default-profile=default-encryption


2 address=172.16.13.2/32:57307 secret="JuveIsTheBest" generate-policy=yes
exchange-mode=main send-initial-contact=no proposal-check=claim
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0

3 address=172.16.13.2/32:57307 secret="JuveIsTheBest" generate-policy=yes
exchange-mode=main send-initial-contact=no proposal-check=claim
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0

I src-address=192.168.0.0/23:any dst-address=192.168.2.0/24:any protocol=all
action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
sa-src-address=172.16.13.1 sa-dst-address=172.16.13.2 proposal=default
manual-sa=EHL dont-fragment=inherit



It seems that negotiation starts, as from the log things seem to happen,
but after that it gives me a phase 1 timeout.
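The peer and policy listing in the post above shows several things a responder for initiators with unknown addresses should not have: both peers are pinned to one host (and port), peer 3 duplicates peer 2, and the policy carries the I (invalid) flag. The following Python script is an added example, not code from the thread or from MikroTik: it parses output in the shape of "/ip ipsec peer print" and "/ip ipsec policy print" (sample text constructed from the post, with the shared secret replaced by a placeholder) and reports those conditions, plus the deprecated phase-1 algorithms. The flag letters and the wildcard form address=0.0.0.0/0 follow RouterOS conventions; the finding texts are this example's own wording.

```python
import re
import shlex
from typing import Dict, List

Entry = Dict[str, str]

# Constructed sample in the shape of the "/ip ipsec peer print" output quoted
# in the post above; the secret is replaced by a placeholder and the wrapped
# lines are kept as the forum shows them.
SAMPLE_PEERS = """\
2 address=172.16.13.2/32:57307 secret="PLACEHOLDER" generate-policy=yes
exchange-mode=main send-initial-contact=no proposal-check=claim
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0

3 address=172.16.13.2/32:57307 secret="PLACEHOLDER" generate-policy=yes
exchange-mode=main send-initial-contact=no proposal-check=claim
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0
"""

# Constructed sample in the shape of "/ip ipsec policy print"; the "I" after
# the index is the RouterOS flag column (I = invalid).
SAMPLE_POLICIES = """\
0 I src-address=192.168.0.0/23:any dst-address=192.168.2.0/24:any protocol=all
action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
sa-src-address=172.16.13.1 sa-dst-address=172.16.13.2 proposal=default
"""

# Phase-1 settings that are deprecated today; a responder that only offers
# these leaves every client on weak crypto.
DEPRECATED = {
    "hash-algorithm": {"md5"},
    "enc-algorithm": {"des", "3des"},
    "dh-group": {"modp768", "modp1024"},
}


def parse_print_output(text: str) -> List[Entry]:
    """Turn RouterOS 'print' output into dicts. An entry starts with its
    index number; lines that do not start with a number continue the
    previous entry. Flag letters between the index and the first key=value
    pair are collected under 'flags'."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"^\d+(\s|$)", line):
            entries.append({"flags": ""})
        if not entries:
            raise ValueError("print output must start with an index number")
        current = entries[-1]
        for tok in shlex.split(line):  # honours the quotes in secret="..."
            if "=" in tok:
                key, value = tok.split("=", 1)
                current[key] = value
            elif tok.isdigit() and "index" not in current:
                current["index"] = tok
            else:
                current["flags"] += tok
    return entries


def audit_peers(peers: List[Entry]) -> List[str]:
    """Report peers that cannot serve initiators with unknown addresses,
    duplicate peers, and deprecated phase-1 algorithms."""
    findings: List[str] = []
    seen_address: Dict[str, str] = {}
    for peer in peers:
        idx = peer.get("index", "?")
        address = peer.get("address", "")
        if re.search(r"/32(:|$)", address):
            findings.append(
                f"peer {idx}: address={address} matches exactly one initiator; "
                "a responder for clients whose IP is not known in advance needs "
                "a wildcard such as address=0.0.0.0/0")
        if address in seen_address:
            findings.append(
                f"peer {idx}: same address as peer {seen_address[address]}; "
                "two peers for one initiator make the match ambiguous, keep one")
        else:
            seen_address[address] = idx
        for key, weak in DEPRECATED.items():
            if peer.get(key) in weak:
                findings.append(f"peer {idx}: {key}={peer[key]} is deprecated")
    return findings


def audit_policies(policies: List[Entry]) -> List[str]:
    """Report policies RouterOS marks invalid and static tunnel policies
    pinned to one SA destination (the peer's generate-policy=yes would
    create the per-client policy dynamically instead)."""
    findings: List[str] = []
    for pol in policies:
        idx = pol.get("index", "?")
        if "I" in pol.get("flags", ""):
            findings.append(f"policy {idx}: flagged invalid (I), so it is not in effect")
        sa_dst = pol.get("sa-dst-address", "")
        if pol.get("tunnel") == "yes" and re.match(r"^\d+\.\d+\.\d+\.\d+$", sa_dst):
            findings.append(
                f"policy {idx}: static tunnel policy pinned to sa-dst-address={sa_dst}; "
                "with generate-policy=yes on the peer it is not needed")
    return findings


if __name__ == "__main__":
    for line in audit_peers(parse_print_output(SAMPLE_PEERS)):
        print(line)
    for line in audit_policies(parse_print_output(SAMPLE_POLICIES)):
        print(line)
```

Run as-is it prints nine peer findings and two policy findings for the constructed sample; paste the real print output into the two sample strings to check a different router.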

For this setup you need a working L2TP server and an entry in /ip ipsec peer with generate-policy=yes. No other configuration is needed.