How to connect to VPN with IPSec through Mikrotik 2.8

ota_bota · July 26, 2006, 10:48am

Hello,
I would need to advice in detail, how to set up mikrotik to allow me to connect to VPN with IPSec Shared key through mikrotik 2.8.

I tried to connect to another VPN from the same computer where they do not use IPSec Shared key and it worked. I also tried to connect to the VPN with IPSec Shared key from another network (where they do not use mikrotik) and it also worked.

So I think the IPSec key together with my mikrotik is problem.

when I check ip/firewall/source nat - all outgoing traffic is allowed.
when I check ip/firewall/connection during the try to connect, there was one connection udp port 500 “assured” and second connection ipsec “unreplied”.

what do i need to do??
Thank you for advices

fatonk · July 26, 2006, 12:27pm

Hello,

This IKE IPsec works for me fine, just no NAT has been used, the configuration is as follows:

A) #IPSec configuration in MikroTik with destination any#

ip ipsec peer add address=192.168.153.2/32 secret=test generate-policy=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0

ip ipsec proposal add name=test auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024

ip ipsec policy add src-address=192.178.1.0/24:any dst-address=0.0.0.0/0 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=192.168.29.4 sa-dst-address=192.168.2.2 proposal=test manual-sa=none dont-fragment=clear

B) #Check IPSec Configuration#

ip ipsec installed-sa print

0 E spi=0x5DFFD2A6 direction=out src-address=192.168.29.4 dst-address=192.168.2.2 auth-algorithm=md5 enc-algorithm=3des replay=4 state=dying
auth-key=“d77c73c39856631026d7f985e71467d3” enc-key=“0bf60229c6028f4fd5e46c930789e68bd7b53af848b0c846” add-lifetime=48m/1h use-lifetime=0s/0s
lifebytes=38252052/423624704 current-addtime=dec/05/2005 16:26:57 current-usetime=dec/05/2005 16:27:00 current-bytes=511584

1 E spi=0xE77FE10A direction=in src-address=192.168.2.2 dst-address=192.168.29.4 auth-algorithm=md5 enc-algorithm=3des replay=4 state=dying
auth-key=“110cbac6ace1ca0540e510da8b1a4f41” enc-key=“45e35cd86062cc7518a699b19e1bb3b52937bccffa10882f” add-lifetime=48m/1h use-lifetime=0s/0s
lifebytes=38252052/423624704 current-addtime=dec/05/2005 16:26:57 current-usetime=dec/05/2005 16:27:00 current-bytes=396920

C) #Troubleshooting IPSec#

ip ipsec installed-sa flush

Regards

ota_bota · July 26, 2006, 1:06pm

Thank you very much. I do not know if it works yet, I will try it on Monday. But thanks anyway