Equipment:
RB2011UiAS-2HnD, 6.43.12 firmware
Zyxel USG40W V4.33 firmware
IKEv1 ipsec tunnel to the USG device can be established, but it is unstable and regularly breaks after about 20s.
In the IKE log of the USG device, I can read "[ID] : Tunnel [MikroTik_JS] Phase 2 Local policy mismatch"
and "[SA] : No proposal chosen", both messages sent from USG to MikroTik.
In the debug log there is a more specific message, "Local Traffic Selector mismatch".
Log messages on MikroTik are for me much harder to understand; please advise where to find some explanation
or advise what exactly to catch.
When configuring ipsec tunnels with Zyxel devices on both sides in previous cases, I did not care about traffic selectors
and all tunnels worked as expected.
The USG device is behind NAT, but that site has a public IP.
The MikroTik device is behind NAT and its IP is dynamic.
Configurations are:
[admin@MikroTik] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 R ;;; Unsafe configuration, suggestion to use certificates
address=::/0 passive=yes profile=defaultPEER auth-method=pre-shared-key secret="PocSHarKey133" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes
1 DR ;;; This entry is unreachable
;;; Unsafe configuration, suggestion to use certificates
address=::/0 passive=yes profile=defaultPEER auth-method=pre-shared-key secret="" generate-policy=port-strict
policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes
[admin@MikroTik] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
1 src-address=0.0.0.0/0 src-port=any dst-address=192.168.4.0/24 dst-port=any protocol=all action=encrypt level=unique
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.111.34 sa-dst-address=RRR.RR.RRR.RRR proposal=default
ph2-count=0
where RRR.RR.RRR.RRR is the public IP of the Zyxel site
[admin@MikroTik] > /interface l2tp-client print
Flags: X - disabled, R - running
0 X name="l2tp-out1" max-mtu=1450 max-mru=1450 mrru=disabled connect-to=RRR.RR.RRR.RRR user="JS" password="USGqwe12"
profile=default-encryption keepalive-timeout=disabled use-ipsec=yes ipsec-secret="PocSHarKey133" allow-fast-path=no
add-default-route=no dial-on-demand=no allow=""
How should I amend the configuration on the MikroTik side so the tunnel becomes stable?
Should I try to contact support@mikrotik.com, because I am in the 30-day period after purchase of the RouterBoard
and the distributor just gave me the link to this forum?
Please help.
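The "Local Traffic Selector mismatch" message above is the kind of phase 2 disagreement a small checker can surface before bringing the tunnel up: IKE phase 2 selectors must mirror each other, so the MikroTik policy's src-address must equal the peer's remote policy and its dst-address the peer's local policy. The script below is an added example, not code from the post or from MikroTik or Zyxel; it parses the policy line quoted in the post, while the Zyxel local and remote policy values are constructed placeholders, not taken from the USG.

```python
import ipaddress
import re

# Policy 1 from "/ip ipsec policy print" in the post, joined onto one line.
MIKROTIK_POLICY = (
    "1 src-address=0.0.0.0/0 src-port=any dst-address=192.168.4.0/24 dst-port=any "
    "protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes "
    "sa-src-address=192.168.111.34 sa-dst-address=RRR.RR.RRR.RRR proposal=default"
)

# ASSUMED Zyxel VPN connection policies (constructed placeholders, not from the post):
# local policy = the USG's LAN, remote policy = a specific MikroTik LAN.
ZYXEL_LOCAL_POLICY = "192.168.4.0/24"
ZYXEL_REMOTE_POLICY = "192.168.88.0/24"


def parse_routeros_policy(line):
    """Turn one RouterOS 'print' line into a dict of key=value pairs."""
    return dict(re.findall(r"(\S+?)=(\S+)", line))


def check_phase2_selectors(mikrotik_line, peer_local, peer_remote):
    """Compare the MikroTik phase 2 selectors with the peer's mirrored policy.

    Returns a list of mismatch descriptions; an empty list means the two
    sides describe the same traffic and a selector mismatch is ruled out.
    """
    policy = parse_routeros_policy(mikrotik_line)
    src = ipaddress.ip_network(policy["src-address"])
    dst = ipaddress.ip_network(policy["dst-address"])
    problems = []
    # MikroTik's "source" side is the peer's "remote" side, and vice versa.
    if src != ipaddress.ip_network(peer_remote):
        problems.append(f"src-address {src} != peer remote policy {peer_remote}")
    if dst != ipaddress.ip_network(peer_local):
        problems.append(f"dst-address {dst} != peer local policy {peer_local}")
    return problems


if __name__ == "__main__":
    for problem in check_phase2_selectors(
        MIKROTIK_POLICY, ZYXEL_LOCAL_POLICY, ZYXEL_REMOTE_POLICY
    ):
        print("phase 2 selector mismatch:", problem)
```

With the post's policy, the 0.0.0.0/0 src-address is reported as not matching the assumed remote policy on the Zyxel, which is the situation the USG log describes.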