Hello!
MK1 - RB 750 v 4.14
MK2 - RB 750GL v 5.9
Output MK1
[admin@MikroTik] /ip> ipsec export
jul/19/2012 14:26:21 by RouterOS 4.14
software id = CIWE-M88N
# IPsec configuration exported from MK1 (RouterOS 4.14, WAN 77.237.123.214,
# LAN 192.168.157.0/24). This is a wrapped forum paste: every line that does
# not start with "/", "set" or "add" is the continuation of the command above
# it and is kept exactly as posted.
/ip ipsec proposal
# SECURITY: auth-algorithms=null together with enc-algorithms=null means the
# ESP SAs negotiated from this (the only) proposal carry traffic with neither
# integrity protection nor encryption -- the "tunnel" protects nothing.
# Select a real cipher and hash (the AES-CBC and SHA variants this RouterOS
# version offers) and configure the identical proposal on MK2 so both ends
# agree. Whether null/null is also behind the intermittent SA setup cannot
# be told from this export.
set default auth-algorithms=null comment="" disabled=no enc-algorithms=null
lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
# Phase 1 uses 3des / md5 / modp1024: legacy choices; move to AES, SHA-1 or
# SHA-256 and a 2048-bit (or larger) DH group once both routers support them.
# The pre-shared key is the literal "test": short, guessable, and now public
# in this post. Rotate it on both routers to a long random value.
# Only one peer (31.45.246.10) is expected, but the firewall export below
# does not limit who may reach udp/500 on this router -- see its notes.
add address=31.45.246.10/32:500 auth-method=pre-shared-key comment=""
dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=
test send-initial-contact=yes
/ip ipsec policy
# dst-address=192.168.0.0/16 also covers this router's own LAN
# (192.168.157.0/24, see the address print further down). Packets the router
# itself sends to its own LAN (e.g. a ping from the router to a local host)
# match src-address AND dst-address of this encrypt policy and are forced
# into the tunnel instead of out ether2. This is a likely cause of the
# "local network unusable while the tunnel is up" symptom described at the
# end of the post; narrow the policy to the remote LAN only, i.e.
# dst-address=192.168.100.0/24:any, which is also the only remote subnet the
# static route on this router points at.
# NOTE(review): the route print for this router shows 192.168.157.0/24 via
# ether2 as "unreachable" at export time -- confirm the ether2 link is up
# before debugging the tunnel any further.
add action=encrypt comment="" disabled=no dst-address=192.168.0.0/16:any
ipsec-protocols=esp level=require priority=0 proposal=default protocol=
all sa-dst-address=31.45.246.10 sa-src-address=77.237.123.214
src-address=192.168.157.0/24:any tunnel=yes
[admin@MikroTik] /ip> firewall export
jul/19/2012 14:28:08 by RouterOS 4.14
software id = CIWE-M88N
# Firewall configuration exported from MK1 (RouterOS 4.14). Wrapped forum
# paste: lines not starting with "/", "set" or "add" continue the command
# above them.
/ip firewall connection tracking
# Default connection-tracking timeouts; nothing here is tunnel-specific.
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# SECURITY: the input chain holds only accept rules and ends without a drop.
# RouterOS chains accept by default, so these two rules restrict nothing and
# every management service on the router stays reachable from ether1 (the
# Internet). The forward chain has no rules at all. A minimal input chain,
# in this order, would be:
#   accept connection-state=established,related
#   accept protocol=udp dst-port=500 src-address=31.45.246.10   (IKE, peer only)
#   accept protocol=ipsec-esp src-address=31.45.246.10          (ESP, peer only)
#   accept protocol=icmp
#   accept in-interface=ether2                                  (management from LAN)
#   drop                                                        (everything else)
# Add the final drop only after the LAN accept rule is in place, otherwise
# remote management is lost; the two IPsec accepts are mandatory once the
# drop exists, because the policy below is level=require over ESP.
add action=accept chain=input comment="" connection-state=established
disabled=no
add action=accept chain=input comment="" disabled=no protocol=icmp
/ip firewall nat
# Rule 0 exempts site-to-site traffic from the masquerade in rule 1; it must
# stay first, because masqueraded packets would no longer carry a LAN source
# address for the IPsec policy to match. If the IPsec policy is narrowed to
# the remote LAN (192.168.100.0/24), narrow this dst-address the same way so
# the two stay consistent.
add action=accept chain=srcnat comment="" disabled=no dst-address=
192.168.0.0/16 src-address=192.168.157.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=
ether1
/ip firewall service-port
# All connection-tracking helpers (ftp, tftp, irc, h323, sip, pptp) are
# enabled. Each helper parses untrusted payload inside the kernel and is
# attack surface in its own right; set disabled=yes on the ones this site
# does not actually use.
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=77.237.123.214/30 network=77.237.123.212 broadcast=77.237.123.215
interface=ether1 actual-interface=ether1
1 address=192.168.157.1/24 network=192.168.157.0 broadcast=192.168.157.255
interface=ether2 actual-interface=ether2
route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=77.237.123.213
gateway-status=77.237.123.213 reachable ether1 distance=1 scope=30
target-scope=10
1 ADC dst-address=77.237.123.212/30 pref-src=77.237.123.214 gateway=ether1
gateway-status=ether1 reachable distance=0 scope=10
2 A S dst-address=192.168.100.0/24 gateway=77.237.123.213
gateway-status=77.237.123.213 reachable ether1 distance=1 scope=30
target-scope=10
3 ADC dst-address=192.168.157.0/24 pref-src=192.168.157.1 gateway=ether2
gateway-status=ether2 unreachable distance=0 scope=200
Output MK2
ipsec export
jul/19/2012 16:31:58 by RouterOS 5.9
software id = Q48L-B8IY
# IPsec configuration exported from MK2 (RouterOS 5.9, WAN 31.45.246.10,
# LAN 192.168.100.0/24). Wrapped forum paste: lines not starting with "/",
# "set" or "add" continue the command above them.
/ip ipsec proposal
# SECURITY: auth-algorithms=null and enc-algorithms=null -- the ESP SAs built
# from this proposal provide neither integrity nor confidentiality. Replace
# both with a real hash and cipher (e.g. the SHA and AES-CBC values this
# version lists) and use the same proposal on MK1, or the two ends will not
# agree on phase 2.
set default auth-algorithms=null disabled=no enc-algorithms=null lifetime=30m
name=default pfs-group=modp1024
/ip ipsec peer
# Phase 1: 3des / md5 / modp1024 are legacy parameters; prefer AES,
# SHA-1/SHA-256 and a 2048-bit or larger DH group on both routers.
# secret=test is a trivially guessable pre-shared key and is now public in
# this post -- rotate it to a long random value on both ends.
# Only the MK1 address (77.237.123.214) is configured as peer, yet the
# firewall export below accepts everything arriving on ether1-gateway, so
# IKE on udp/500 is reachable from anywhere.
add address=77.237.123.214/32 auth-method=pre-shared-key dh-group=modp1024
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des
exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0
lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=
obey secret=test send-initial-contact=yes
/ip ipsec policy
# dst-address=192.168.0.0/16 contains this router's own LAN
# (192.168.100.0/24). Traffic the router itself originates toward its LAN
# matches both src-address and dst-address of this encrypt policy and is
# pushed into the tunnel rather than out ether2-master-local; this is the
# most likely reason "local network (192.168.100.0) unusable" appears as
# soon as the tunnel comes up. Narrow the policy to the remote LAN,
# dst-address=192.168.157.0/24 -- which is already what the srcnat accept
# rule in the firewall export of this router uses, and the only remote
# subnet its static route covers.
add action=encrypt disabled=no dst-address=192.168.0.0/16 dst-port=any
ipsec-protocols=esp level=require priority=0 proposal=default protocol=
all sa-dst-address=77.237.123.214 sa-src-address=31.45.246.10
src-address=192.168.100.0/24 src-port=any tunnel=yes
firewall export
jul/19/2012 16:32:59 by RouterOS 5.9
software id = Q48L-B8IY
# Firewall configuration exported from MK2 (RouterOS 5.9). Wrapped forum
# paste: lines not starting with "/", "set" or "add" continue the command
# above them.
/ip firewall connection tracking
# Default connection-tracking timeouts, identical to MK1.
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# SECURITY: rule 0 accepts every packet arriving on ether1-gateway (the
# WAN) unconditionally, and the chain has no drop afterwards, so the two
# rules below it never matter and all management services on this router
# are exposed to the Internet. Remove rule 0 (adding a drop later would not
# help while it is first) and build the input chain as:
#   accept connection-state=established,related
#   accept protocol=udp dst-port=500 src-address=77.237.123.214  (IKE, peer only)
#   accept protocol=ipsec-esp src-address=77.237.123.214         (ESP, peer only)
#   accept protocol=icmp
#   accept in-interface=ether2-master-local                      (management from LAN)
#   drop                                                         (everything else)
# Put the final drop in place only after the LAN accept exists, or remote
# management is lost; the IPsec accepts are required once the drop exists
# because the policy is level=require over ESP. The forward chain is empty.
add action=accept chain=input disabled=no in-interface=ether1-gateway
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input disabled=no protocol=icmp
/ip firewall nat
# Rule 0 keeps site-to-site traffic (to 192.168.157.0/24) out of the
# masquerade in rule 1, so the IPsec policy still sees the LAN source
# address. Its dst-address is already the remote LAN only; the IPsec policy
# on this router uses the wider 192.168.0.0/16 and should be aligned with it.
add action=accept chain=srcnat disabled=no dst-address=192.168.157.0/24
src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="default configuration" disabled=
no out-interface=ether1-gateway
/ip firewall service-port
# Every connection-tracking helper is enabled (ftp, tftp, irc, h323, sip
# with sip-direct-media, pptp). Helpers parse untrusted payload in the
# kernel; set disabled=yes on those this site does not use.
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=192.168.100.1/24 network=192.168.100.0 interface=ether2-master-local actual-interface=ether2-master-local
1 address=31.45.246.10/29 network=31.45.246.8 interface=ether1-gateway actual-interface=ether1-gateway
route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=31.45.246.9 gateway-status=31.45.246.9 reachable ether1-gateway distance=1 scope=30 target-scope=10
1 ADC dst-address=31.45.246.8/29 pref-src=31.45.246.10 gateway=ether1-gateway gateway-status=ether1-gateway reachable distance=0 scope=10
2 ADC dst-address=192.168.100.0/24 pref-src=192.168.100.1 gateway=ether2-master-local gateway-status=ether2-master-local reachable distance=0 scope=10
3 A S dst-address=192.168.157.0/24 gateway=31.45.246.9 gateway-status=31.45.246.9 reachable ether1-gateway distance=1 scope=30 target-scope=10
The connection is established, but I cannot ping the routers on their private IPs: the packets are rejected. Sometimes IPsec connects and sometimes it does not, and I don't know why; the log doesn't say much. When IPsec is connected, the local network (192.168.100.0) becomes unusable and I cannot ping devices on the subnet. This is my configuration for now; I would be grateful if anyone can help me fix it. I want to connect two small offices. The public IP is static and there is no NAT. I tried to follow lots of steps and guides from the Internet, but it is very hard to get it working! Please check my config and give me some directions.
Thank you!
Ivan