Hi everyone. For a customer I have to configure an IPsec tunnel to an external company, which is necessary for the supplied server to reach the resources in the remote office.
The data provided by the company are:
Phase 1 (IKE SA)
Peer IP address: 1.2.3.4
IP Customer: 4.5.6.7
IKE mode: IKEv1 Main Mode
Authentication Method: Pre-shared-key
Peer Identity: IP Address
16-byte Pre-shared key: dsihgsdijchiwdciewncjibdijhb12iurbdfeijrcbiu23dbu23fdbu3iwdb3uidbu3idb3uiod
DH group: 2048bit
Encryption Algorithm: aes128cbc
Hash Algorithm: sha256
Phase 2 (IPsec SA)
IP address Company: 10.5.0.0/16
IP address Customer: 172.16.104.0/21
IPsec SA Establishment Method: IKEv1
IPsec lifetime: 3600 seconds
Perfect Forward Secrecy: yes
IPsec Transform Set-mode: Tunnel
IPsec Transform Set-Encryption Transform: ESP-AES-128GCM
IPsec Transform Set-Authentication Transform: ESP-SHA256-HMAC
In the MikroTik router I entered the configuration like this:
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 name=profile_edok
/ip ipsec peer
add address=1.2.3.4/32 name=peer-edok profile=profile_edok
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc,aes-128-gcm lifetime=1h name=\
proposal-edok
/ip ipsec identity
add my-id=address:5.6.7.8 peer=peer-edok remote-id=auto secret=\
dsihgsdijchiwdciewncjibdijhb12iurbdfeijrcbiu23dbu23fdbu3iwdb3uidbu3idb3uio
/ip ipsec policy
add dst-address=10.5.0.0/16 peer=peer-edok src-address=172.16.104.0/21 tunnel=yes
Where am I wrong? I should point out that my LAN is 192.168.0.0/21 and I have to present myself with IP 172.16.104.0/21,
so I created a NAT rule like this:
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.0.0/21 to-addresses=\
172.16.104.0/21
Would this be correct?
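For comparison, here is a RouterOS configuration written from the parameter sheet above. It is an added example, not the poster's configuration and not anything supplied by the partner company; it reuses the post's object names and assumes that 4.5.6.7 (the sheet's "IP Customer") is the public address on the MikroTik's WAN side, that the partner gave no separate PFS group (so the IKE group modp2048 is assumed for PFS), and that the real PSK is substituted for the placeholder. Compared with the posted configuration it differs in the points a reviewer would flag against the sheet: my-id carries the customer address the remote side has on file (the post uses 5.6.7.8 while the sheet says 4.5.6.7); the secret must match the sheet byte for byte (the post's copy drops the final character); pfs-group is set explicitly, since RouterOS defaults it to modp1024 and the sheet says PFS is on; the proposal offers only the transform the sheet lists and is bound to the policy (the posted policy names no proposal, so the built-in "default" proposal is used instead of proposal-edok); and the 1:1 network mapping uses netmap, restricted to traffic for the remote office, rather than a plain src-nat onto a range.

```routeros
# Phase 1 (IKE SA): IKEv1 main mode, PSK, DH 2048-bit (modp2048), AES-128-CBC, SHA-256.
/ip ipsec profile
add name=profile_edok dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 \
    lifetime=1d proposal-check=obey

# Remote gateway. exchange-mode=main is the RouterOS default; it is spelled out because the
# sheet asks for it. local-address is this router's public address (assumed: 4.5.6.7).
/ip ipsec peer
add name=peer-edok address=1.2.3.4/32 local-address=4.5.6.7 exchange-mode=main \
    profile=profile_edok

# Identity: "Peer Identity: IP Address" on both sides, so my-id is the customer address the
# partner has on file (4.5.6.7) and remote-id is the partner's gateway. The secret is a
# placeholder; the real value from the sheet goes here, unchanged.
/ip ipsec identity
add peer=peer-edok auth-method=pre-shared-key my-id=address:4.5.6.7 \
    remote-id=address:1.2.3.4 secret="REPLACE-WITH-THE-PSK-FROM-THE-SHEET" \
    generate-policy=no

# Phase 2 (IPsec SA): one ESP transform as on the sheet (AES-128-GCM, SHA-256 HMAC),
# lifetime 3600 s, PFS on. pfs-group must be given explicitly (default is modp1024);
# modp2048 is an assumption, since the sheet states no separate PFS group.
/ip ipsec proposal
add name=proposal-edok enc-algorithms=aes-128-gcm auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h

# Policy: the traffic selector uses the post-NAT customer range 172.16.104.0/21, because
# NAT is applied before the packet is matched against IPsec policies. level=require
# prevents this traffic from leaving in clear when no SA can be negotiated.
/ip ipsec policy
add peer=peer-edok tunnel=yes src-address=172.16.104.0/21 dst-address=10.5.0.0/16 \
    protocol=all action=encrypt level=require proposal=proposal-edok

# NAT: map the real LAN 192.168.0.0/21 one-to-one onto 172.16.104.0/21. netmap keeps the
# host part of the address (src-nat onto a range does not), the dst-address match limits it
# to traffic for the remote office, and place-before=0 puts it ahead of any general
# masquerade rule that would otherwise rewrite tunnel traffic to the WAN address first.
/ip firewall nat
add chain=srcnat action=netmap src-address=192.168.0.0/21 dst-address=10.5.0.0/16 \
    to-addresses=172.16.104.0/21 place-before=0 \
    comment="1:1 map LAN into the range agreed with the partner"

# Checks once traffic is sent: phase 1 established, SAs installed, policy flagged active (A).
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
```

If phase 1 fails with an identity or authentication error, check the my-id value and the secret before anything else; if phase 1 comes up but no SA is installed, compare the proposal (cipher, hash, PFS group, lifetime) and the traffic selectors with the sheet, since both ends must agree on them exactly in IKEv1.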