ok hi. I am having phase 2 issues between RouterOS and racoon. I am including my configurations below. I am not getting any errors, but the tunnel is not routing. Any ideas?
RouterOS Configuration
# nov/01/2019 15:24:10 by RouterOS 6.44.5
# software id = K09T-BU80
#
# model = RB4011iGS+
#
# Site-to-site IPsec (policy-based, tunnel mode) toward the racoon host.
# NOTE(review): two peers (Office1 below, OFFICE2 further down) are added with
# the same remote address; Office1 has no profile and nothing references it.
# Confirm the export really contains both and which one is meant to be active.
/ip ipsec peer
add address=[REMOTE SERVER IP]/32 name=Office1
/ip ipsec policy group
add name=group1
# Phase 1 (IKE) profile. hash-algorithm=md5, dh-group modp768/modp1024, 3des
# and blowfish are legacy choices kept here only because the racoon proposal
# offers md5 / dh_group 1 / blowfish. nat-traversal=no has to agree with the
# racoon side, where nat_traversal is commented out.
/ip ipsec profile
add dh-group=ecp384,ecp521,ec2n185,ec2n155,modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024,modp768 enc-algorithm=aes-256,camellia-256,aes-192,camellia-192,aes-128,camellia-128,3des,blowfish hash-algorithm=md5 lifetime=8h name=200PAUL nat-traversal=no
# NOTE(review): profile=OFFICE2-PROFILE is referenced here, but the only
# profile defined in this export is 200PAUL. Check /ip ipsec profile print.
/ip ipsec peer
add address=[REMOTE SERVER IP]/32 name=OFFICE2 profile=OFFICE2-PROFILE
# Phase 2 proposals. The second one is named OFFICE2-PLOICY (sic) while the
# policy below references proposal=OFFICE2-POLICY, so the policy cannot bind
# to this proposal as written. des/3des/blowfish/md5 are legacy algorithms;
# 3des and blowfish are the only ciphers the racoon sainfo offers.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1,md5 enc-algorithms=aes-256-cbc,aes-256-gcm
add auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,camellia-256,aes-192-cbc,aes-192-ctr,aes-192-gcm,camellia-192,aes-128-cbc,aes-128-ctr,aes-128-gcm,camellia-128,3des,blowfish,twofish,des lifetime=10h name=OFFICE2-PLOICY
/ip address
add address=[LOCAL LAN IP]/24 interface=bridge-nat network=[LOCAL LAN NETWORK]
add address=[LOCAL EXTERNAL IP]/26 interface=bridge network=[LOCAL EXTERNAL NETWORK]
# Pre-shared key for peer OFFICE2 (no my-id/remote-id, so address identities
# are used; racoon's my_identifier/peers_identifier are also address-based).
/ip ipsec identity
add peer=OFFICE2 secret=[ITS A SECRET]
# Policy: local /24 <-> remote 10.7.0.0/16 through a tunnel-mode SA between
# the two external addresses. src/dst must mirror the racoon sainfo selectors
# (racoon lists [LOCAL LAN NETWORK]/16 and [MIKROTIK LAN NETWORK]/24).
/ip ipsec policy
set 0 comment="default, do not remove" disabled=yes
add comment=[STREET ADDRESS] dst-address=10.7.0.0/16 proposal=OFFICE2-POLICY sa-dst-address=[REMOTE SERVER IP] sa-src-address=[LOCAL EXTERNAL IP] src-address=[LOCAL LAN NETWORK]/24 tunnel=yes
# NOTE(review): with a tunnel=yes policy no route via the remote LAN IP is
# needed; traffic to 10.7.0.0/16 only has to leave via the default gateway and
# the policy intercepts it. If [LAN IP ON REMOTE SERVER] is not on a connected
# subnet this route is presumably shown as unreachable — verify with
# /ip route print, and consider removing it.
/ip route
add distance=1 gateway=[LOCAL GATEWAY]
add distance=1 dst-address=[REMOTE LAN NETWORK]/16 gateway=[LAN IP ON REMOTE SERVER]
Racoon Config
path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete
padding # options are not to be changed
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
timer # timing options. change as needed
{
counter 5;
interval 20 sec;
persend 1;
# natt_keepalive 15 sec;
phase1 30 sec;
phase2 15 sec;
}
listen # address [port] that racoon will listen on
{
isakmp [LOCAL EXTERNAL IP] [500];
isakmp_natt [LOCAL EXTERNAL IP] [4500];
}
# Phase 1 definition for the MikroTik peer. NAT-T is disabled on both sides
# (nat_traversal commented out here, nat-traversal=no on RouterOS), so only
# UDP/500 matters for this peer.
remote [MIKROTIK EXTERNAL IP] [500]
{
# NOTE(review): aggressive mode with a pre-shared key is weaker than main mode
# (identity and PSK hash are sent unprotected); RouterOS negotiates main mode
# by default, so "main" alone should be sufficient — confirm.
exchange_mode main,aggressive;
doi ipsec_doi;
situation identity_only;
my_identifier address [LOCAL EXTERNAL IP];
# NOTE(review): placeholder reads "EXTERAL" — make sure the real value matches
# the address used in the remote line above.
peers_identifier address [MIKROTIK EXTERAL IP];
lifetime time 8 hour;
passive off;
# obey: accept whatever lifetime/PFS the peer proposes.
proposal_check obey;
# nat_traversal off;
generate_policy off;
# Phase 1 proposal: blowfish / md5 / dh_group 1 (modp768) are legacy choices;
# they match what the RouterOS profile 200PAUL allows (md5, modp768, blowfish).
# The 30 sec lifetime here versus the 8 hour lifetime above is presumably the
# per-proposal override — 30 sec means near-constant phase 1 rekeying; verify
# which value racoon actually proposes.
proposal {
encryption_algorithm blowfish;
hash_algorithm md5;
authentication_method pre_shared_key;
lifetime time 30 sec;
dh_group 1;
}
}
# Phase 2 selectors: local /16 <-> MikroTik /24, mirrored below for the
# reverse direction. These must match the RouterOS policy src/dst exactly
# (RouterOS uses src [LOCAL LAN NETWORK]/24 and dst 10.7.0.0/16).
sainfo (address [LOCAL LAN NETWORK]/16 any address [MIKROTIK LAN NETWORK]/24 any) # address $network/$netmask $type address $network/$netmask $type ( $type being any or esp)
{ # $network must be the two internal networks you are joining.
# NOTE(review): pfs_group is set twice; the second line (modp1024 = group 2)
# presumably overrides the first — keep only the intended one.
pfs_group 1;
pfs_group modp1024;
# 36000 sec = 10h, which matches the RouterOS proposal lifetime=10h.
lifetime time 36000 sec;
encryption_algorithm blowfish,3des;
authentication_algorithm hmac_md5,hmac_sha1;
# NOTE(review): IPComp is not shown in the RouterOS proposal — confirm the peer
# accepts or ignores the deflate offer.
compression_algorithm deflate;
}
sainfo (address [MIKROTIK LAN NETWORK]/24 any address [LOCAL LAN NETWORK]/16 any)
{ # $network must be the two internal networks you are joining.
# Same settings as the forward sainfo above (including the duplicated
# pfs_group line).
pfs_group 1;
pfs_group modp1024;
lifetime time 36000 sec;
encryption_algorithm blowfish,3des;
authentication_algorithm hmac_md5,hmac_sha1;
compression_algorithm deflate;
}