ipsec IKEv2 to Zyxel USG

equipment:
RB2011UiAS-2HnD; 6.43.12 firmware
Zyxel USG40W; V4.33 firmware

I am trying to establish an IKEv2 IPsec tunnel where the USG40W acts as Remote Access (Server Role); this site has a public IP.
The RouterBOARD doesn't have a public IP, is behind another NAT router, and should be the initiator.
I set IKEv2 in the USG gateway settings
as well as exchange-mode=ike2 on the MikroTik.

What confuses me is that phase 1 cannot be established. In the logs I can see:
“peer is IKEv1” - on routerBoard
“Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA256-128, 1536 bit MODP; ).” - on USG
It seems that the RouterBOARD sends protocol IKEv1. It should initiate the communication because of its dynamic IP,
but why is there IKE(1) when the settings are as follows:

[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled, D - dynamic, R - responder
0 R address=::/0 passive=yes profile=defaultPEER auth-method=pre-shared-key secret="PocSHarKey133" generate-policy=no
policy-template-group=default exchange-mode=ike2 send-initial-contact=yes

and also the l2tp-client:

[admin@MikroTik] > /interface l2tp-client print
Flags: X - disabled, R - running
0 X name="l2tp-out1" max-mtu=1450 max-mru=1450 mrru=disabled connect-to=RRR.RR.RRR.RRR user="JS" password="USGqwe12"
profile=default-encryption keepalive-timeout=disabled use-ipsec=yes ipsec-secret="PocSHarKey133" allow-fast-path=no
add-default-route=no dial-on-demand=no allow=""

where RRR.RR.RRR.RRR is the public IP of the USG server site.

I am quite new to MikroTik. Did I mess something up, or is it some type of issue?

Please help.

You can clearly see the “R” flag (responder) next to your IPsec peer configuration. It means that the router will not initiate the connection but will wait for the other side to initiate it. If you want RouterOS to act as an initiator, you must use a /32 address in your peer configuration.

Thank you for the reply.
In the ip ipsec peer address field I put RRR.RR.RRR.RRR/32, which is the public IP of the remote site,
but after that I still have the “R” flag and the tunnel doesn’t establish. Moreover, I don’t see any communication attempt on the Zyxel side.

What else could be wrong, and should the address you mentioned be the public address of the VPN server?

You have set passive=yes, which will also prevent the peer from initiating the connection.
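
The two conditions named in the replies above (a peer address that is not a single host, and passive=yes) can be checked mechanically against `/ip ipsec peer print` output. This is an added example, not part of the original posts; the sample output is constructed from the one in the thread with a placeholder secret and the documentation address 192.0.2.10, and the function names are hypothetical.

```python
import ipaddress
import re
import shlex

# Constructed sample modelled on the `/ip ipsec peer print` output in the thread
# (placeholder secret; 192.0.2.10 is a documentation address, not a real site).
SAMPLE = '''\
Flags: X - disabled, D - dynamic, R - responder
 0 R address=::/0 passive=yes profile=defaultPEER auth-method=pre-shared-key secret="EXAMPLE-PSK" generate-policy=no
     policy-template-group=default exchange-mode=ike2 send-initial-contact=yes
 1   address=192.0.2.10/32 passive=no profile=defaultPEER auth-method=pre-shared-key secret="EXAMPLE-PSK"
     exchange-mode=ike2 send-initial-contact=yes
'''

# An entry line starts with its index, then optional one-letter flags, then key=value pairs.
ENTRY = re.compile(r"^\s*(\d+)\s+((?:[A-Z]\s+)*)(\S+=.*)$")

def parse_peers(text):
    """Split print output into one dict per peer, joining wrapped continuation lines."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = ENTRY.match(line)
        if m:
            peers.append({"id": int(m.group(1)), "flags": m.group(2).split(), "props": {}})
            rest = m.group(3)
        elif peers:
            rest = line  # continuation of the previous entry
        else:
            continue
        for token in shlex.split(rest):  # shlex strips the quotes around values
            key, _, value = token.partition("=")
            peers[-1]["props"][key] = value
    return peers

def responder_reasons(peer):
    """Return the settings that keep this peer from initiating, per the replies in the thread."""
    reasons = []
    net = ipaddress.ip_network(peer["props"].get("address", "::/0"), strict=False)
    if net.num_addresses != 1:
        reasons.append(f"address={net} is not a single host (/32 or /128)")
    if peer["props"].get("passive", "no") == "yes":
        reasons.append("passive=yes")
    return reasons

if __name__ == "__main__":
    for p in parse_peers(SAMPLE):
        why = responder_reasons(p)
        print(p["id"], "responder only: " + "; ".join(why) if why else "can initiate")
```
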

Thank you a lot!!!
I did not understand from the manual what the address means for the initialization.

The tunnel works, but let me ask one more beginner's question:
In WinBox, in the IPsec window on the Policies tab, I can from time to time see a “No Phase 2” dynamic policy item,
and on the Zyxel I still have “Local Traffic selector mismatch” and “IPsec SA [Responder] negotiation failed”.
I noticed these two messages when trying to establish an IKEv1 tunnel (I mentioned it in another post to the forum, “ipsec IKEv1 to Zyxel USG”).
Could this be amended somehow on the MikroTik, or should I take care of it on the Zyxel USG?

I will answer myself.
Responsible for the strange messages I asked about (Traffic selector mismatch) was the PPP /interface l2tp-client.
It was my misunderstanding. If it is not enabled, the logs on the USG are clear and the IKEv2 tunnel is stable.
I hope this could be helpful for somebody next time.