I’m trying to set up an encrypted IPsec-only tunnel between two points, but I don’t know the correct settings for it.
I have:
Point-1, which has a public IP address accessible from the internet.
Point-2, which has an IP address that is not accessible from the internet - it is behind ISP NAT.
We asked the ISP for a public IP, and they gave us a separate NAT router which has a unique public address and is configured to translate incoming traffic from the internet to the Point-2 local IP.
[image: ipsec1.png]
The config we have so far:
We generated certificates for both sides.
We created “input” firewall rules to accept IPsec-ESP and UDP ports 500 and 4500 on both sides.
Made the proposals the same on both points:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-128-cbc
Made policies on both sides:
Point-1
/ip ipsec policy
add dst-address=70.70.70.70/32 sa-dst-address=70.70.70.70 sa-src-address=80.80.80.80 src-address=80.80.80.80/32 tunnel=yes
Point-2
/ip ipsec policy
add dst-address=80.80.80.80/32 sa-dst-address=80.80.80.80 sa-src-address=70.70.70.70 src-address=70.70.70.70/32 tunnel=yes
Made peers on both sides:
Point-1
/ip ipsec peer
add address=70.70.70.70/32 auth-method=rsa-signature certificate=Point1-cert dh-group=modp1024 disabled=yes enc-algorithm=aes-128 hash-algorithm=sha256 remote-certificate=Point2-cert send-initial-contact=no
Point-2
/ip ipsec peer
add address=80.80.80.80/32 auth-method=rsa-signature certificate=Point2-cert dh-group=modp1024 disabled=yes enc-algorithm=aes-128 hash-algorithm=sha256 remote-certificate=Point1-cert
And the result is:
Phase 2 gets stuck at “msg1 sent” and after some time the peer reconnects.
Is it even possible to connect these two?
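As an added example (not from the original post, and not MikroTik's code), the following script reads the policy and peer lines quoted above and applies the consistency checks a practitioner would run before looking at Phase 2 logs: that each side's Phase 2 selectors and SA addresses are the mirror image of the other side's, that the peer address matches the policy's sa-dst-address, that sa-src-address is an address the router itself owns, and that the peer is not disabled. The sets of local addresses are constructed placeholders, since the post does not give Point-2's LAN address; the assumption that sa-src-address must be a locally held address is the script's, not the post's.

```python
"""Consistency checks for a pair of RouterOS IPsec policy/peer definitions.

Added example for the question above; not from the original post or from
MikroTik. The config lines are copied from the post; the local-address sets
are constructed placeholders (Point-2's real LAN address is not given).
"""
import shlex

POINT1_POLICY = "add dst-address=70.70.70.70/32 sa-dst-address=70.70.70.70 sa-src-address=80.80.80.80 src-address=80.80.80.80/32 tunnel=yes"
POINT2_POLICY = "add dst-address=80.80.80.80/32 sa-dst-address=80.80.80.80 sa-src-address=70.70.70.70 src-address=70.70.70.70/32 tunnel=yes"
POINT1_PEER = "add address=70.70.70.70/32 auth-method=rsa-signature certificate=Point1-cert dh-group=modp1024 disabled=yes enc-algorithm=aes-128 hash-algorithm=sha256 remote-certificate=Point2-cert send-initial-contact=no"
POINT2_PEER = "add address=80.80.80.80/32 auth-method=rsa-signature certificate=Point2-cert dh-group=modp1024 disabled=yes enc-algorithm=aes-128 hash-algorithm=sha256 remote-certificate=Point1-cert"

# Constructed: the addresses each router actually holds on its own interfaces.
# Point-1 owns its public address; Point-2 only owns a private one, because
# 70.70.70.70 lives on the ISP's NAT router. 192.0.2.10 is a placeholder.
POINT1_LOCAL = {"80.80.80.80"}
POINT2_LOCAL = {"192.0.2.10"}


def parse_add(line):
    """Turn a RouterOS 'add k=v k=v ...' line into a dict of key -> value."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        raise ValueError("expected a RouterOS 'add' line")
    return dict(tok.split("=", 1) for tok in tokens[1:])


def strip_prefix(addr):
    """Drop a /prefix suffix so '70.70.70.70/32' compares equal to '70.70.70.70'."""
    return addr.split("/", 1)[0]


def check_side(policy, peer, local_addrs, other_policy, name, other_name):
    """Return a list of human-readable findings for one side of the tunnel."""
    findings = []
    pol, other = parse_add(policy), parse_add(other_policy)
    pr = parse_add(peer)

    # Phase 2 traffic selectors must be the mirror image of the other side's.
    if pol["src-address"] != other["dst-address"] or pol["dst-address"] != other["src-address"]:
        findings.append(f"{name}: policy selectors are not the mirror of {other_name}'s")

    # The SA endpoints must mirror as well.
    if pol["sa-src-address"] != other["sa-dst-address"] or pol["sa-dst-address"] != other["sa-src-address"]:
        findings.append(f"{name}: SA addresses are not the mirror of {other_name}'s")

    # The peer we negotiate with should be the SA destination we send to.
    if strip_prefix(pr["address"]) != pol["sa-dst-address"]:
        findings.append(f"{name}: peer address does not match policy sa-dst-address")

    # sa-src-address is the address this router sources the SA from, so it
    # has to be one the router actually owns (assumption of this checker).
    if pol["sa-src-address"] not in local_addrs:
        findings.append(f"{name}: sa-src-address {pol['sa-src-address']} is not a local address")

    # A disabled peer never negotiates at all.
    if pr.get("disabled") == "yes":
        findings.append(f"{name}: peer is disabled")
    return findings


def all_findings():
    """Run the checks from both ends and concatenate the findings."""
    return (
        check_side(POINT1_POLICY, POINT1_PEER, POINT1_LOCAL, POINT2_POLICY, "Point-1", "Point-2")
        + check_side(POINT2_POLICY, POINT2_PEER, POINT2_LOCAL, POINT1_POLICY, "Point-2", "Point-1")
    )


if __name__ == "__main__":
    for finding in all_findings():
        print(finding)
```

With the quoted configuration the selector and SA mirroring checks pass on both sides; what the script flags is that both peers are exported with disabled=yes, and that, under the placeholder local address, Point-2's sa-src-address is the NAT router's public address rather than one of Point-2's own.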