Help:
Following the manual for IPsec tunnels, I reach the point
/ip ipsec peer
add address=192.168.80.1/32:500 auth-method=pre-shared-key secret="test"
Then there is an error saying IPv6 address expected, I guess because the : triggered it.
On looking at the GUI it shows the peer address but is redded, meaning it doesn’t like it.
The local address in the GUI dialogue box for peer also shows an IPv6 address is expected.
port=500 syntax is accepted by router console, great.
However, when I get to adding an ipsec peer, a similar thing happens, which port=500 doesn’t fix.
/ip ipsec peer
add address=192.168.1.1/24 port=500 etc etc: the p in port shows as an error
Again, looking at the GUI, it appears that the router doesn’t like the address format and wants IPv6... because of the :
The GUI doesn’t like the /24 network address for peer and is only happy when there is a simple address without the /24.
Upshot: no SA is established, although pinging both ways works and each router sees the remote peers and establishes links between them.
(I have the routers directly connected now, using 192.168.1.2 and 192.168.1.1 as the gateway addresses.
I’ve spent a lot of time trying this over public internet but can’t afford to keep doing that, with no progress.)
Downloading OS 5.26 and 6.36.4 to see if they will allow it to work, meanwhile.
In the log I don’t see any IPsec errors, although when I had (wrongly) the LAN address as local IP, in the peer setup window, there was a phase one error in the IPsec log, which stopped when I corrected the local address by either not using one or using the WAN address.
OK, sorted. My bad: it looks like you need to have a PC at each end to generate the legitimate traffic to set the SAs.
Pinging between the routers to their respective LAN port isn’t enough.
Initially, when I had two PCs hooked up, I didn’t have my settings right, then when the settings were corrected, I only had a single PC, figuring that pinging from the routers would be enough…
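
The behaviour described in the last update, as an added example that is not part of the original post: a small Python model of IPsec policy selector matching, showing which pings make a router negotiate SAs. The WAN addresses are the ones quoted in the post; their assignment to router A and B, the LAN subnets, and every function name are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addressing: WAN addresses are from the post, LAN subnets are constructed.
WAN_A, WAN_B = "192.168.1.2", "192.168.1.1"      # directly connected routers
LAN_A, LAN_B = "10.1.202.0/24", "10.1.101.0/24"  # assumed LANs behind A and B


@dataclass(frozen=True)
class Policy:
    """Tunnel-mode policy on router A: protect traffic from src to dst."""
    src: str
    dst: str

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        # Both selectors must match, otherwise the packet bypasses IPsec
        # and no phase 1 / phase 2 negotiation is started for it.
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


POLICY_A = Policy(src=LAN_A, dst=LAN_B)


def router_ping_source(explicit_src=None):
    """A ping originated by router A leaves with its egress (WAN) address
    unless a source address is forced."""
    return explicit_src or WAN_A


# Constructed test packets: (source, destination)
CASES = {
    "router WAN -> router WAN": (WAN_A, WAN_B),
    "router -> remote LAN port, default source": (router_ping_source(), "10.1.101.1"),
    "router -> remote LAN port, LAN source forced": (router_ping_source("10.1.202.1"), "10.1.101.1"),
    "PC on LAN A -> PC on LAN B": ("10.1.202.10", "10.1.101.10"),
}


def evaluate(policy=POLICY_A):
    """Return, per case, whether the packet matches the policy (SA negotiated)."""
    return {name: policy.matches(s, d) for name, (s, d) in CASES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:48} {'negotiates SA' if hit else 'bypasses IPsec'}")
```

Only packets whose source and destination both fall inside the policy selectors trigger negotiation, which is why reachability between the routers' WAN addresses says nothing about the tunnel.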