IPSec for dynamic IPs (client) with and without NAT-T

Hi fellow MT users,

I managed to get IPSec with dynamic IPs working. But our requirements changed now to implement IPSec with dynamic IPs, of which some are behind a NAT firewall and some are not.
As far as my reading and testing goes, I can have only one IPSec Peer 0.0.0.0/0. That means, I can have either NAT Traversal on or off for that peer.
Did anyone come across this situation already, and how was it resolved?
We’re running ROS4.5 on RB433 with static IP.

Many thanks,

Stefan

Can you post your configs that got IPSec with dynamic IP? I’ve been unable to achieve this. Then I will start to also work on the case where it is behind NAT firewall (perhaps this is why my IPSec with dynamic IP isn’t working right now..)

I’ve got it working now but had to decrease Exchange Mode from “main” to “aggressive”. That actually means that the Exchange Mode is a little weaker but it seems the only way at this stage.

/ip ipsec peer add address=0.0.0.0/0:500 auth-method=pre-shared-key secret="********" \
    generate-policy=yes exchange-mode=aggressive send-initial-contact=no \
    nat-traversal=yes proposal-check=obey hash-algorithm=sha1 \
    enc-algorithm=3des dh-group=modp1024 lifetime=8h lifebytes=0 \
    dpd-interval=disable-dpd dpd-maximum-failures=1

/ip ipsec peer add address=0.0.0.0/0:500 auth-method=pre-shared-key secret="**********" \
    generate-policy=yes exchange-mode=aggressive send-initial-contact=no \
    nat-traversal=no proposal-check=obey hash-algorithm=sha1 \
    enc-algorithm=aes-256 dh-group=modp1024 lifetime=8h lifebytes=0 \
    dpd-interval=disable-dpd dpd-maximum-failures=1

whereas all other peers are with Exchange mode "main":
/ip ipsec peer add address=1.2.3.4/32:500 auth-method=pre-shared-key \
    secret="*************" generate-policy=no exchange-mode=main \
    send-initial-contact=yes nat-traversal=yes proposal-check=obey \
    hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=8h \
    lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

Any hints are appreciated.

/Stefan
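The peer definitions above can be checked mechanically before they go onto a router. The following is an added example (Python, not part of the thread or of RouterOS) that parses `/ip ipsec peer add` lines in the shape posted above and flags the points this thread raises: two peers sharing the catch-all address 0.0.0.0/0 (of which only one can be matched), aggressive mode combined with a pre-shared key, the legacy 3des cipher, the 1024-bit DH group and disabled dead peer detection. The sample export is constructed from the posted peers with placeholder secrets; the backslash line continuation is an assumption about how the wrapped lines would be entered.

```python
"""Audit RouterOS '/ip ipsec peer' definitions for the weak points discussed in the thread."""
import shlex
from collections import Counter

# Constructed sample modelled on the three peers posted above (secrets are placeholders).
SAMPLE_EXPORT = r"""
/ip ipsec peer add address=0.0.0.0/0:500 auth-method=pre-shared-key secret="PSK-PLACEHOLDER-1" \
    generate-policy=yes exchange-mode=aggressive send-initial-contact=no \
    nat-traversal=yes proposal-check=obey hash-algorithm=sha1 \
    enc-algorithm=3des dh-group=modp1024 lifetime=8h lifebytes=0 \
    dpd-interval=disable-dpd dpd-maximum-failures=1
/ip ipsec peer add address=0.0.0.0/0:500 auth-method=pre-shared-key secret="PSK-PLACEHOLDER-2" \
    generate-policy=yes exchange-mode=aggressive send-initial-contact=no \
    nat-traversal=no proposal-check=obey hash-algorithm=sha1 \
    enc-algorithm=aes-256 dh-group=modp1024 lifetime=8h lifebytes=0 \
    dpd-interval=disable-dpd dpd-maximum-failures=1
/ip ipsec peer add address=1.2.3.4/32:500 auth-method=pre-shared-key secret="PSK-PLACEHOLDER-3" \
    generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=yes \
    proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 \
    lifetime=8h lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
"""

# Ciphers and DH groups treated as legacy by this audit (assumed policy, not a RouterOS setting).
WEAK_CIPHERS = {"des", "3des"}
WEAK_DH_GROUPS = {"modp768", "modp1024"}


def join_continuations(text):
    """Join lines that end in a backslash into single logical commands."""
    commands, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        commands.append((buf + line).strip())
        buf = ""
    if buf:
        commands.append(buf.strip())
    return commands


def parse_peers(text):
    """Return one dict of key=value attributes per '/ip ipsec peer add' command."""
    peers = []
    for cmd in join_continuations(text):
        tokens = shlex.split(cmd)  # strips the quotes around secret="..."
        if tokens[:4] != ["/ip", "ipsec", "peer", "add"]:
            continue
        attrs = {}
        for tok in tokens[4:]:
            key, sep, value = tok.partition("=")
            if sep:
                attrs[key] = value
        peers.append(attrs)
    return peers


def audit_peers(peers):
    """Return (address, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    # More than one peer with the same address: only one of them is ever selected.
    for addr, n in Counter(p.get("address") for p in peers).items():
        if n > 1:
            findings.append((addr, f"{n} peers share this address; only one can be matched"))
    for p in peers:
        addr = p.get("address", "?")
        if p.get("exchange-mode") == "aggressive" and p.get("auth-method") == "pre-shared-key":
            findings.append((addr, "aggressive mode with a pre-shared key: the PSK-derived "
                                   "identity hash is sent unencrypted in phase 1"))
        if p.get("enc-algorithm") in WEAK_CIPHERS:
            findings.append((addr, f"legacy cipher {p['enc-algorithm']}"))
        if p.get("dh-group") in WEAK_DH_GROUPS:
            findings.append((addr, f"weak Diffie-Hellman group {p['dh-group']}"))
        if p.get("dpd-interval") == "disable-dpd":
            findings.append((addr, "dead peer detection disabled; stale SAs of roaming "
                                   "peers are not cleaned up"))
    return findings


if __name__ == "__main__":
    for address, finding in audit_peers(parse_peers(SAMPLE_EXPORT)):
        print(f"{address}: {finding}")
```

Run against the sample, the audit reports the duplicated catch-all peer once and then the per-peer findings, so the static 1.2.3.4 peer is flagged only for its DH group and disabled DPD, while both dynamic peers are additionally flagged for aggressive mode.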

You’ve got the peers on both ends of the IPSEC tunnel set to generate policy? How does it know which subnets are on the other side of the tunnel, as this is usually specified in the policy?

thanks