Hello All,
I have been trying to work out what I am doing wrong.
We are trying to connect a number of WinXP IPSec clients that are behind a NAT firewall. They are then connecting to a 2.8.17 MT router. We are able to successfully do this when not behind a NAT firewall.
I guess one of the first things I need to know is if MT 2.8.17 supports IPSec NAT-T (NAT traversal)?
If it does, what special setup should I be using?
When I run the following config and am not behind a NAT box, I can connect and all is well. When I use the same config behind a NAT box I get the error "decrypted packed did not match".
I have read through the forums and searched all the docs I could find, yet no one is mentioning this particular error anywhere. I also can't find any reference to NAT-T for the MT RouterOS.
Any help would be greatly appreciated.
oct/06/2004 12:04:14 received ISAKMP packet from 203.80.xxx.37:500, phase 1, Identity Protection
oct/06/2004 12:04:14 responding phase 1, starting mode Identity Protection (local 203.80.xxx.66:500) (remote 203.80.xxx.37:500)
oct/06/2004 12:04:14 received ISAKMP packet from 203.80.xxx.37:500, phase 1, Identity Protection
oct/06/2004 12:04:14 received ISAKMP packet from 203.80.xxx.37:500, phase 1, Identity Protection
oct/06/2004 12:04:14 ISAKMP SA established (local 203.80.xxx.66:500) (remote 203.80.163.37:500)
oct/06/2004 12:04:14 received ISAKMP packet from 203.80.xxx.37:500, phase 2, Quick
oct/06/2004 12:04:14 responding phase 2 (src 203.80.xxx.66) (dst 203.80.163.37)
oct/06/2004 12:04:14 no policy found, creating one (remote unknown)
oct/06/2004 12:04:14 received ISAKMP packet from 203.80.xxx.37:500, phase 2, Quick
oct/06/2004 12:04:15 decrypted packed did not match policy
oct/06/2004 12:04:16 decrypted packed did not match policy
oct/06/2004 12:04:18 decrypted packed did not match policy
oct/06/2004 12:04:22 decrypted packed did not match policy
oct/06/2004 12:04:30 decrypted packed did not match policy
oct/06/2004 12:04:40 decrypted packed did not match policy
oct/06/2004 12:04:49 received ISAKMP packet from 203.80.xxx.37:500, phase 2, Informational
oct/06/2004 12:04:49 received ISAKMP packet from 203.80.xxx.37:500, phase 2, Informational
oct/06/2004 12:04:50 phase 1 deleted (local 203.80.xxx.66:500) (remote 203.80.163.37:500)
The config for IPSEC on the MT is:
/ ip ipsec policy
add src-address=203.80.xxx.66/32:1701 dst-address=192.168.1.121/32:1701 protocol=udp action=encrypt level=require \
ipsec-protocols=esp tunnel=yes sa-src-address=203.80.xxx.66 sa-dst-address=0.0.0.0 proposal=default manual-sa=none \
dont-fragment=clear disabled=yes
/ ip ipsec peer
add address=0.0.0.0/0:500 secret="blahblahblah" generate-policy=yes exchange-mode=main send-initial-contact=no \
proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no
/ ip ipsec proposal
add name="default" auth-algorithms=md5,sha1 enc-algorithms=des,3des,aes-128,aes-192,aes-256 lifetime=30m lifebytes=0 \
pfs-group=modp1536 disabled=no
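As an added example (not part of the post above, and not MikroTik code), here is a small Python helper that parses the RouterOS IPsec log excerpt quoted in the post and summarises where the negotiation stands: whether the phase 1 (ISAKMP) SA came up, how many phase 2 Quick Mode packets arrived, how many "decrypted packed did not match policy" messages followed, the gaps between them, and how long after the first mismatch the phase 1 SA was torn down. The function and key names (`triage`, `parse`, `verdict`, and so on) are my own; the sample log is the poster's, copied verbatim with the same masked addresses.

```python
import re
from datetime import datetime

# Log lines copied from the post above (IP addresses partly masked as "xxx" there).
SAMPLE_LOG = """\
oct/06/2004 12:04:14 received ISAKMP packet from 203.80.xxx.37:500, phase 1, Identity Protection
oct/06/2004 12:04:14 responding phase 1, starting mode Identity Protection (local 203.80.xxx.66:500) (remote 203.80.xxx.37:500)
oct/06/2004 12:04:14 received ISAKMP packet from 203.80.xxx.37:500, phase 1, Identity Protection
oct/06/2004 12:04:14 received ISAKMP packet from 203.80.xxx.37:500, phase 1, Identity Protection
oct/06/2004 12:04:14 ISAKMP SA established (local 203.80.xxx.66:500) (remote 203.80.163.37:500)
oct/06/2004 12:04:14 received ISAKMP packet from 203.80.xxx.37:500, phase 2, Quick
oct/06/2004 12:04:14 responding phase 2 (src 203.80.xxx.66) (dst 203.80.163.37)
oct/06/2004 12:04:14 no policy found, creating one (remote unknown)
oct/06/2004 12:04:14 received ISAKMP packet from 203.80.xxx.37:500, phase 2, Quick
oct/06/2004 12:04:15 decrypted packed did not match policy
oct/06/2004 12:04:16 decrypted packed did not match policy
oct/06/2004 12:04:18 decrypted packed did not match policy
oct/06/2004 12:04:22 decrypted packed did not match policy
oct/06/2004 12:04:30 decrypted packed did not match policy
oct/06/2004 12:04:40 decrypted packed did not match policy
oct/06/2004 12:04:49 received ISAKMP packet from 203.80.xxx.37:500, phase 2, Informational
oct/06/2004 12:04:49 received ISAKMP packet from 203.80.xxx.37:500, phase 2, Informational
oct/06/2004 12:04:50 phase 1 deleted (local 203.80.xxx.66:500) (remote 203.80.163.37:500)
"""

# "oct/06/2004 12:04:14 <message>"  (RouterOS 2.8 log layout as shown in the post)
LINE_RE = re.compile(r"^(?P<date>\w+/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) (?P<msg>.+)$")
# Peer address (masked octets allowed), IKE phase and exchange mode of a received packet.
PEER_RE = re.compile(r"received ISAKMP packet from (?P<peer>[\w.]+):\d+, phase (?P<phase>[12]), (?P<mode>.+)$")


def parse(log_text):
    """Yield (timestamp, message) for every line that matches the log layout; skip the rest."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%b/%d/%Y %H:%M:%S")
        yield ts, m["msg"]


def triage(log_text):
    """Summarise one IKE negotiation as seen from the responder's (router's) log."""
    peers = set()
    phase1_established = False
    no_policy_found = False
    quick_mode_received = 0
    mismatch_times = []
    deleted_at = None

    for ts, msg in parse(log_text):
        pm = PEER_RE.match(msg)
        if pm:
            peers.add(pm["peer"])
            if pm["phase"] == "2" and pm["mode"] == "Quick":
                quick_mode_received += 1
        elif msg.startswith("ISAKMP SA established"):
            phase1_established = True
        elif msg.startswith("no policy found"):
            no_policy_found = True
        elif msg == "decrypted packed did not match policy":  # wording exactly as logged
            mismatch_times.append(ts)
        elif msg.startswith("phase 1 deleted"):
            deleted_at = ts

    # Seconds between successive mismatch messages, and from the first one to teardown.
    gaps = [int((b - a).total_seconds()) for a, b in zip(mismatch_times, mismatch_times[1:])]
    to_teardown = None
    if mismatch_times and deleted_at is not None:
        to_teardown = int((deleted_at - mismatch_times[0]).total_seconds())

    if not phase1_established:
        verdict = "phase1-failed"            # never got an ISAKMP SA: look at proposals/PSK first
    elif mismatch_times:
        verdict = "phase2-policy-mismatch"   # phase 1 fine, Quick Mode rejected against local policy
    else:
        verdict = "no-phase2-error-logged"

    return {
        "peers": sorted(peers),
        "phase1_established": phase1_established,
        "no_policy_found": no_policy_found,
        "quick_mode_received": quick_mode_received,
        "policy_mismatches": len(mismatch_times),
        "mismatch_gaps_s": gaps,
        "seconds_to_teardown": to_teardown,
        "phase1_deleted": deleted_at is not None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:22} {value}")
```

Run against the posted log this reports a "phase2-policy-mismatch" verdict: the ISAKMP SA is established at 12:04:14, two Quick Mode packets arrive, six policy-mismatch messages follow at growing intervals (1, 2, 4, 8, 10 seconds), and the phase 1 SA is deleted 35 seconds after the first mismatch. That splits the problem cleanly: authentication and the phase 1 proposal are fine, so whatever differs behind NAT is confined to the phase 2 selectors and policy lookup.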