IPSEC MT and NETGEAR

I have tried to get the VPN up, but no luck…

Short description:

Lan1: 192.168.100.0/24 Wan1: 80.161.173.76
Lan2: 192.168.1.0/24 Wan2: 80.63.233.142


On Lan1: MT 2.9

/ interface ethernet
set ether1 name="ether1" mtu=1500 mac-address=00:0C:42:04:15:41 arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes cable-settings=default
speed=100Mbps comment="" disabled=no
set Wan name="Wan" mtu=1500 mac-address=00:0C:42:04:15:42 arp=enabled disable-running-check=yes
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment=""
disabled=no
set Lan name="Lan" mtu=1500 mac-address=00:0C:42:04:15:43 arp=proxy-arp disable-running-check=yes
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment=""
disabled=no

/ ip ipsec policy
add src-address=0.0.0.0/0:any dst-address=192.168.1.0/24:any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=80.161.173.76
sa-dst-address=80.63.233.142 proposal=default manual-sa=none dont-fragment=set disabled=no
/ ip ipsec peer
add address=80.63.233.142/32:500 secret="(secret)" generate-policy=yes exchange-mode=main
send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no
/ ip ipsec proposal
add name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=none
disabled=no

/ ip firewall nat
add chain=srcnat out-interface=Wan src-address=192.168.100.0/24 dst-address=192.168.1.0/24
action=masquerade comment=" TEST IPSEC" disabled=yes
add chain=srcnat out-interface=Wan action=masquerade comment=" SRCNAT Laver masquerade
(Router)" disabled=no

/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m tcp-established-timeout=5d
tcp-fin-wait-timeout=2m tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s udp-stream-timeout=3m
icmp-timeout=30s generic-timeout=10m
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment=" INPUT Drop invalid connection
packets" disabled=no
add chain=input connection-state=established action=accept comment="Allow established connections"
disabled=no
add chain=input connection-state=related action=accept comment="Allow related connections"
disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP connections" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP messages" disabled=no
add chain=input protocol=icmp action=accept comment="Tillad ICMP Ping" disabled=no
add chain=input in-interface=Lan action=accept comment="Tillad alt trafik fra lokal netværk"
disabled=no
add chain=input action=drop comment="Reject and log everything else" disabled=no


On Lan2: Netgear

Local IPSec Identifier: 80.63.233.142
Remote IPSec Identifier: 80.161.173.76
Tunnel can be accessed from: a subnet of local address
Local LAN start IP Address: 192.168.1.0
Local LAN IP Subnetmask: 255.255.255.0

Tunnel can access: a subnet of local address
Remote LAN start IP Address: 192.168.100.0
Remote LAN IP Subnetmask: 255.255.255.0

Remote WAN IP: 80.161.173.76

Secure Association: Main Mode
Perfect Forward Secrecy: Enabled
Encryption Protocol: 3DES
PreShared Key: (secret)

Keylife: 28800
IKE Lifetime: 86400


The response I get from the Netgear is:

Wed, 11/09/2005 01:08:50 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Wed, 11/09/2005 01:08:50 - FVS318 IKE:Peer Initialized IKE Main Mode
Wed, 11/09/2005 01:08:50 - FVS318 IKE:[Test Mikrotik] RX << MM_I1 : 80.161.173.76
Wed, 11/09/2005 01:08:50 - FVS318 IPsec:New State index:0, sno:2
Wed, 11/09/2005 01:08:50 - FVS318 IPsec:responding to Main Mode
Wed, 11/09/2005 01:08:50 - FVS318 IPsec:Oakley Transform 1 accepted
Wed, 11/09/2005 01:08:50 - FVS318 IKE:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
Wed, 11/09/2005 01:08:50 - FVS318 IKE:[Test Mikrotik] TX >> MM_R1 : 80.161.173.76
Wed, 11/09/2005 01:08:50 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
Wed, 11/09/2005 01:08:50 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Wed, 11/09/2005 01:08:50 - FVS318 IKE:[Test Mikrotik] RX << MM_I2 : 80.161.173.76
Wed, 11/09/2005 01:08:50 - FVS318 IKE:[Test Mikrotik] TX >> MM_R2 : 80.161.173.76
Wed, 11/09/2005 01:08:50 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
Wed, 11/09/2005 01:08:52 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Wed, 11/09/2005 01:08:52 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 116
Wed, 11/09/2005 01:08:52 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Wed, 11/09/2005 01:08:58 - FVS318 IPsec:handling event EVENT_RETRANSMIT for 50a1ad4c “Test Mikrotik” #2
Wed, 11/09/2005 01:08:58 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #2
Wed, 11/09/2005 01:09:00 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Wed, 11/09/2005 01:09:00 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 116
Wed, 11/09/2005 01:09:00 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Wed, 11/09/2005 01:09:02 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Wed, 11/09/2005 01:09:02 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 116
Wed, 11/09/2005 01:09:02 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Wed, 11/09/2005 01:09:12 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Wed, 11/09/2005 01:09:12 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 116
Wed, 11/09/2005 01:09:12 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Wed, 11/09/2005 01:09:18 - FVS318 IPsec:handling event EVENT_RETRANSMIT for 50a1ad4c “Test Mikrotik” #2
Wed, 11/09/2005 01:09:18 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #2
Wed, 11/09/2005 01:09:20 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Wed, 11/09/2005 01:09:20 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 116
Wed, 11/09/2005 01:09:20 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Wed, 11/09/2005 01:09:22 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Wed, 11/09/2005 01:09:22 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 116
Wed, 11/09/2005 01:09:22 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet

End of Log ----------


NOW MY COMMENT…

In

/ ip ipsec policy
add src-address=0.0.0.0/0:any dst-address=192.168.1.0/24:any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=80.161.173.76
sa-dst-address=80.63.233.142 proposal=default manual-sa=none dont-fragment=set disabled=no

WHEN I CHANGE THE src-address=192.168.100.0/24, THE MT WILL NOT TRY TO MAKE THE IPSEC CONNECTION ???

WHEN I LOOK IN THE GUI FOR IPSEC POLICY IT DISPLAYS NO PHASE2 ???

PLEASE HELP…

REGARDS BRIAN

The first NAT rule should have action=accept, not masquerade. I am also not sure whether accepting established connections is enough or whether it is necessary to allow incoming ISAKMP and IPSec packets explicitly.

NAT-T isn't supported on MT.

Regards

Andrew

Andrewluck, can you please explain your post? My post is based on the Mikrotik manual, part "IPSec between two masquerading MT Routers". The action in the first NAT rule causes no NATting (masquerading) to occur.

Hi

The first NAT rule

add chain=srcnat out-interface=Wan src-address=192.168.100.0/24 dst-address=192.168.1.0/24
action=masquerade comment=" TEST IPSEC" disabled=yes

I have disabled, because I do not think it is the problem.


Brian

I think you are not right. Try to enable it and use action=accept. It is necessary not to modify the addresses of outgoing packets that are subject to IPSec encryption using masquerade. An IPSec-encrypted packet must have its source and destination addresses unmodified. Look at the Mikrotik manual, part "IPSec between two masquerading MT Routers"…

I have now added the following lines to the config:

0 ;;; TEST IPSEC SIGURD
chain=srcnat out-interface=Wan src-address=192.168.100.0/24
dst-address=192.168.1.0/24 action=accept

1 ;;; SRCNAT Laver masquerade (Router)
chain=srcnat out-interface=Wan action=masquerade

I can see there is one packet sent in the MT.

Is it possible that I have to make a rule for packets I receive from 192.168.1.0/24 ??

The log from NETGEAR

Thur, 11/10/2005 01:09:30 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Thur, 11/10/2005 01:09:30 - FVS318 IKE:Peer Initialized IKE Main Mode
Thur, 11/10/2005 01:09:30 - FVS318 IKE:[Test Mikrotik] RX << MM_I1 : 80.161.173.76
Thur, 11/10/2005 01:09:30 - FVS318 IPsec:New State index:0, sno:5
Thur, 11/10/2005 01:09:30 - FVS318 IPsec:responding to Main Mode
Thur, 11/10/2005 01:09:30 - FVS318 IPsec:Oakley Transform 1 accepted
Thur, 11/10/2005 01:09:30 - FVS318 IKE:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
Thur, 11/10/2005 01:09:30 - FVS318 IKE:[Test Mikrotik] TX >> MM_R1 : 80.161.173.76
Thur, 11/10/2005 01:09:30 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #5
Thur, 11/10/2005 01:09:30 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Thur, 11/10/2005 01:09:30 - FVS318 IKE:[Test Mikrotik] RX << MM_I2 : 80.161.173.76
Thur, 11/10/2005 01:09:30 - FVS318 IKE:[Test Mikrotik] TX >> MM_R2 : 80.161.173.76
Thur, 11/10/2005 01:09:30 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #5
Thur, 11/10/2005 01:09:32 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Thur, 11/10/2005 01:09:32 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 17
Thur, 11/10/2005 01:09:32 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Thur, 11/10/2005 01:09:38 - FVS318 IPsec:handling event EVENT_RETRANSMIT for 50a1ad4c “Test Mikrotik” #5
Thur, 11/10/2005 01:09:38 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #5
Thur, 11/10/2005 01:09:40 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Thur, 11/10/2005 01:09:40 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 17
Thur, 11/10/2005 01:09:40 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Thur, 11/10/2005 01:09:42 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Thur, 11/10/2005 01:09:42 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 17
Thur, 11/10/2005 01:09:42 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Thur, 11/10/2005 01:09:52 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Thur, 11/10/2005 01:09:52 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 17
Thur, 11/10/2005 01:09:52 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Thur, 11/10/2005 01:09:58 - FVS318 IPsec:handling event EVENT_RETRANSMIT for 50a1ad4c “Test Mikrotik” #5
Thur, 11/10/2005 01:09:58 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #5
Thur, 11/10/2005 01:10:00 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Thur, 11/10/2005 01:10:00 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 17
Thur, 11/10/2005 01:10:00 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Thur, 11/10/2005 01:10:02 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Thur, 11/10/2005 01:10:02 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 17
Thur, 11/10/2005 01:10:02 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Thur, 11/10/2005 01:10:12 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Thur, 11/10/2005 01:10:12 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 17
Thur, 11/10/2005 01:10:12 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Thur, 11/10/2005 01:10:22 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Thur, 11/10/2005 01:10:22 - FVS318 IPsec:loglog[3] *#hahaha… next payload type of ISAKMP Identification Payload has an unknown value: 17
Thur, 11/10/2005 01:10:22 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet

End of Log ----------

It looks like it has accepted phase 1, but how to set up phase 2 in MT ??

Regards Brian

I have here my log from the MT

23:28:03 ipsec,ike,info queuing SA request, phase 1 with peer 80.63.233.142 will be established first
23:28:03 ipsec,ike,info initiating phase 1, starting mode Identity Protection (local 80.161.173.76:500) (remote unknown)
23:28:03 ipsec,info ipsec packet discarded: src=192.168.100.99 dst=192.168.1.2
23:28:03 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase 1, Identity Protection
23:28:06 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase 1, Identity Protection
23:28:08 ipsec,info ipsec packet discarded: src=192.168.100.99 dst=192.168.1.2
23:28:13 ipsec,info ipsec packet discarded: src=192.168.100.99 dst=192.168.1.2
23:28:14 ipsec,ike,info retransmitted packet, ignoring (remote unknown)
23:28:19 ipsec,info ipsec packet discarded: src=192.168.100.99 dst=192.168.1.2
23:28:34 ipsec,ike,info retransmitted packet, ignoring (remote unknown)
23:28:34 ipsec,ike,info dequeuing SA request to 80.63.233.142, phase 1 wait timed out

Brian

Three questions:

  1. Why do you have generate-policy in ipsec peer set to YES?
  2. What exactly happens when you set your ipsec policy src-address=192.168.100.0/24?
  3. Have you tried to add rules to your input chain that allow ISAKMP and IPSec packets?

Responding:


Three questions:

  1. Why do you have generate-policy in ipsec peer set to YES?

It is a fault, I have changed it to NO.

  2. What exactly happens when you set your ipsec policy src-address=192.168.100.0/24?

I have changed the ipsec policy to src-address=192.168.100.0/24 and it will
generate VPN traffic to the NETGEAR.

The missing part was

add chain=srcnat out-interface=Wan src-address=192.168.100.0/24 dst-address=192.168.1.0/24
action=masquerade comment=" TEST IPSEC" disabled=no

  3. Have you tried to add rules to your input chain that allow ISAKMP and IPSec packets?

It should not be necessary to make these rules. It looks like the NETGEAR accepts phase 1.

NOW… HOW TO SET UP PHASE 2 ???

Any help, please :)

Regards Brian

What is this?

The missing part was

add chain=srcnat out-interface=Wan src-address=192.168.100.0/24 dst-address=192.168.1.0/24
action=masquerade comment=" TEST IPSEC" disabled=no

action should be ACCEPT, not masquerade (see my previous posts)

Why do you think it is not necessary to make rules in the input chain that permit incoming ESP connections? ESP uses protocol number 50 and I am afraid that the actual rules in your input chain do not cover this.

Sorry, mark and paste miss,

0 ;;; TEST IPSEC SIGURD
chain=srcnat out-interface=Wan src-address=192.168.100.0/24
dst-address=192.168.1.0/24 action=accept

I have changed the config to accept.


Why do you think it is not necessary to make rules in the input chain that permit incoming ESP connections? ESP uses protocol number 50 and I am afraid that the actual rules in your input chain do not cover this.

When I try to make a VPN connection, I do not get dropped packets in my firewall, and I cannot see in the Mikrotik documentation that I have to make these rules.

Can you please post the actual content of the MT and Netgear log files after all the changes we have made?

Do you think that MT will accept incoming ESP connections automatically without any filter rule? There are no exceptions; MT will do precisely what you tell it to do and nothing more.
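
As an added example (not code from any post in this thread, nor from MikroTik), a small checker for the points raised so far: the srcnat accept rule that has to precede masquerade, explicit input rules for ESP (protocol 50) and ISAKMP (UDP 500), a policy scoped to the local LAN, generate-policy=no, and a pfs-group that matches the Netgear's PFS setting. It parses the RouterOS 2.9 export format as posted here (wrapped lines included) and runs over constructed excerpts of the first configuration above and of the final configuration posted later in the thread; the rule-walking logic is a simplified model that ignores address-specific matchers.

```python
import shlex

# Constructed excerpts of the two RouterOS exports posted in this thread (the
# first configuration and the final one), keeping only the sections inspected.
BEFORE = """\
/ ip ipsec policy
add src-address=0.0.0.0/0:any dst-address=192.168.1.0/24:any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes proposal=default disabled=no
/ ip ipsec peer
add address=80.63.233.142/32:500 secret="(secret)" generate-policy=yes exchange-mode=main
/ ip ipsec proposal
add name="default" auth-algorithms=md5 enc-algorithms=3des pfs-group=none
/ ip firewall nat
add chain=srcnat out-interface=Wan src-address=192.168.100.0/24 dst-address=192.168.1.0/24
action=masquerade comment=" TEST IPSEC" disabled=yes
add chain=srcnat out-interface=Wan action=masquerade disabled=no
/ ip firewall filter
add chain=input connection-state=established action=accept disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP connections" disabled=no
add chain=input action=drop comment="Reject and log everything else" disabled=no
"""
AFTER = """\
/ ip ipsec policy
add src-address=192.168.100.0/24:any dst-address=192.168.1.0/24:any
protocol=all action=encrypt level=require tunnel=yes proposal=default disabled=no
/ ip ipsec peer
add address=80.63.233.142/32:500 secret="(SECRET)" generate-policy=no
/ ip ipsec proposal
add name="default" auth-algorithms=md5 enc-algorithms=3des pfs-group=modp1024
/ ip firewall nat
add chain=srcnat out-interface=Wan src-address=192.168.100.0/24
dst-address=192.168.1.0/24 action=accept comment=" TEST IPSEC SIGURD" disabled=no
add chain=srcnat out-interface=Wan action=masquerade disabled=no
/ ip firewall filter
add chain=input protocol=ipsec-esp action=accept comment=" INPUT ACCEPT IPSEC"
add chain=input protocol=udp action=accept disabled=no
add chain=input action=drop disabled=no
"""

def parse_export(text):
    """{section: [entry dict, ...]}; a line not starting with '/', 'add' or 'set' continues the previous entry."""
    sections, entries = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("/"):
            entries = sections.setdefault(line[1:].strip(), [])
        elif line.split()[0] in ("add", "set"):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return {sec: [dict(tok.partition("=")[::2] for tok in shlex.split(ln)[1:])
                  for ln in lines] for sec, lines in sections.items()}

def first_action(rules, pkt):
    """Action of the first rule whose matchers all agree with pkt; RouterOS accepts when none matches."""
    def ports_match(spec, port):
        return any(int(lo) <= port <= int(hi or lo)
                   for lo, _, hi in (p.partition("-") for p in spec.split(",")))
    for r in rules:
        if any(k in r and r[k] != pkt[k] for k in ("protocol", "connection-state", "in-interface")):
            continue
        if "dst-port" in r and not ports_match(r["dst-port"], pkt.get("dst-port", -1)):
            continue
        if "src-address" in r or "dst-address" in r:
            continue  # address-specific rules are not modelled here
        return r.get("action", "accept")
    return "accept"

def audit(export, remote_pfs):
    """Check the thread's points against one export; remote_pfs: Netgear has PFS enabled."""
    cfg, findings = parse_export(export), []
    pol = next(p for p in cfg["ip ipsec policy"] if p.get("disabled") != "yes")
    src, dst = (pol[k].split(":")[0] for k in ("src-address", "dst-address"))
    if src == "0.0.0.0/0":
        findings.append("policy: src-address is 0.0.0.0/0; use the local LAN instead")
    if any(p.get("generate-policy") == "yes" for p in cfg["ip ipsec peer"]):
        findings.append("peer: generate-policy=yes although the policy is static; set no")
    prop = next(p for p in cfg["ip ipsec proposal"] if p["name"] == pol["proposal"])
    if (prop.get("pfs-group", "none") != "none") != remote_pfs:
        findings.append(f"proposal: pfs-group={prop.get('pfs-group', 'none')} but remote PFS {'enabled' if remote_pfs else 'disabled'}")
    # srcnat is walked in order: tunnel traffic must hit an accept before any
    # masquerade, or its addresses are rewritten and no longer match the policy.
    for r in cfg["ip firewall nat"]:
        if r.get("chain") != "srcnat" or r.get("disabled") == "yes":
            continue
        if r.get("src-address", src) == src and r.get("dst-address", dst) == dst:
            if r.get("action") != "accept":
                findings.append(f"srcnat: {src}->{dst} hits action={r.get('action')} first; "
                                "add action=accept for it above the masquerade rule")
            break
    inp = [r for r in cfg["ip firewall filter"]
           if r.get("chain") == "input" and r.get("disabled") != "yes"]
    # the peer's first IKE/ESP packets are new connections arriving on the WAN side
    base = {"connection-state": "new", "in-interface": "Wan"}
    if first_action(inp, {**base, "protocol": "ipsec-esp"}) != "accept":
        findings.append("input: ESP (protocol 50) is dropped; add protocol=ipsec-esp action=accept")
    if first_action(inp, {**base, "protocol": "udp", "dst-port": 500}) != "accept":
        findings.append("input: ISAKMP udp/500 is dropped; add protocol=udp dst-port=500 action=accept")
    return findings
```

Running `audit(BEFORE, True)` lists five findings; `audit(AFTER, True)` returns none, because the final export contains every change the thread converged on.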

Here you have the config and the log from Netgear.

Short description:

Lan1: 192.168.100.0/24 Wan1: 80.161.173.76
Lan2: 192.168.1.0/24 Wan2: 80.63.233.142


On Lan1: MT 2.9

nov/11/2005 12:26:46 by RouterOS 2.9rc7

software id = 787C-3TT

/ interface ethernet
set ether1 name="ether1" mtu=1500 mac-address=00:0C:42:04:15:41 arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default speed=100Mbps comment="" disabled=no
set Wan name="Wan" mtu=1500 mac-address=00:0C:42:04:15:42 arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default speed=100Mbps comment="" disabled=no
set Lan name="Lan" mtu=1500 mac-address=00:0C:42:04:15:43 arp=proxy-arp
disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default speed=100Mbps comment="" disabled=no
/ interface bridge port
set ether1 bridge=none priority=128 path-cost=10
set Wan bridge=none priority=128 path-cost=10
set Lan bridge=none priority=128 path-cost=10
/ ip pool
add name="pool1" ranges=192.168.100.33-192.168.100.99
/ ip dhcp-client
add interface=Wan add-default-route=yes use-peer-dns=yes comment=""
disabled=no
/ ip dhcp-server
add name="server1" interface=Lan lease-time=3d address-pool=pool1
bootp-support=static disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
/ ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.10
dns-server=193.162.153.164,193.162.146.9 comment=""
/ ip ipsec policy
add src-address=192.168.100.0/24:any dst-address=192.168.1.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=80.161.173.76 sa-dst-address=80.63.233.142 proposal=default
manual-sa=none dont-fragment=set disabled=no
/ ip ipsec peer
add address=80.63.233.142/32:500 secret="(secret)" generate-policy=no
exchange-mode=main send-initial-contact=yes proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 disabled=no
/ ip ipsec proposal
add name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m
lifebytes=0 pfs-group=none disabled=no
/ ip address
add address=192.168.100.10/24 network=192.168.100.0 broadcast=192.168.100.255
interface=Lan comment="" disabled=no
/ ip accounting
set enabled=no threshold=256
/ ip proxy
set enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connecions=1000
maximal-server-connectons=1000
/ ip proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying"
disabled=no
/ ip neighbor discovery
set ether1 discover=yes
set Wan discover=yes
set Lan discover=yes
/ ip route
/ ip firewall mangle
add chain=forward p2p=all-p2p action=mark-packet new-packet-mark=all-p2p
comment="P2P Trafik" disabled=no
add chain=forward src-address=192.168.100.33 packet-mark=all-p2p
action=mark-packet new-packet-mark=client1-p2p comment="Mark P2P for
brian" disabled=no
add chain=forward dst-address=192.168.100.33 packet-mark=all-p2p
action=mark-packet new-packet-mark=client1-p2p comment="" disabled=no
add chain=forward src-address=192.168.100.34 packet-mark=all-p2p
action=mark-packet new-packet-mark=client1-p2p comment="Mark P2P for uffe"
disabled=no
add chain=forward dst-address=192.168.100.34 packet-mark=all-p2p
action=mark-packet new-packet-mark=client1-p2p comment="" disabled=no
add chain=forward src-address=192.168.100.38 action=mark-packet
new-packet-mark=Ipvoice comment="Ip Voice Telefoni" disabled=no
add chain=forward dst-address=192.168.100.38 action=mark-packet
new-packet-mark=Ipvoice comment="" disabled=no
add chain=forward in-interface=Lan protocol=tcp dst-port=80
action=mark-connection new-connection-mark=http-con comment="HTTP Trafik"
disabled=no
add chain=forward in-interface=Wan connection-mark=http-con action=mark-packet
new-packet-mark=http comment="" disabled=no
/ ip firewall nat
add chain=srcnat out-interface=Wan src-address=192.168.100.0/24
dst-address=192.168.1.0/24 action=accept comment=" TEST IPSEC SIGURD"
disabled=no
add chain=srcnat out-interface=Wan action=masquerade comment=" SRCNAT Laver
masquerade (Router)" disabled=no
add chain=dstnat in-interface=Wan protocol=tcp dst-port=80 action=dst-nat
to-addresses=192.168.100.9 to-ports=80 comment=" DSTNAT SU/NAT HTTP"
disabled=no
add chain=dstnat in-interface=Wan protocol=tcp dst-port=21 action=dst-nat
to-addresses=192.168.100.9 to-ports=21 comment="SU/NAT FTP" disabled=no
add chain=dstnat in-interface=Wan protocol=tcp dst-port=110 action=dst-nat
to-addresses=192.168.100.9 to-ports=110 comment="SU/NAT POP3" disabled=no
add chain=dstnat in-interface=Wan protocol=tcp dst-port=25 action=dst-nat
to-addresses=192.168.100.9 to-ports=25 comment="SU/NAT SMTP" disabled=no
add chain=dstnat in-interface=Wan protocol=tcp dst-port=4662 action=dst-nat
to-addresses=192.168.100.99 to-ports=4662 comment="SU/NAT EMULE"
disabled=no
add chain=dstnat in-interface=Wan protocol=tcp dst-port=5500 action=dst-nat
to-addresses=192.168.100.99 to-ports=5500 comment="SU/NAT REAL VNC"
disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m
tcp-established-timeout=5d tcp-fin-wait-timeout=2m
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
/ ip firewall filter
add chain=input protocol=ipsec-esp action=accept comment=" INPUT ACCEPT
IPSEC" disabled=no
add chain=input protocol=tcp dst-port=137-139 action=drop comment=" INPUT
PORT 137-139 DROP" disabled=no
add chain=input protocol=tcp dst-port=445 action=drop comment="DROP PORT 445 "
disabled=no
add chain=input protocol=tcp dst-port=135 action=drop comment="DROP PORT 135"
disabled=no
add chain=input protocol=udp dst-port=135 action=drop comment="DROP UDP PORT
135" disabled=no
add chain=input connection-state=invalid action=drop comment=" INPUT Drop
invalid connection packets" disabled=no
add chain=input connection-state=established action=accept comment="Allow
established connections" disabled=no
add chain=input connection-state=related action=accept comment="Allow related
connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP connections"
disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP messages"
disabled=no
add chain=input protocol=icmp action=accept comment="Tillad ICMP Ping"
disabled=no
add chain=input in-interface=Lan action=accept comment="Tillad alt trafik fra
lokal netværk" disabled=no
add chain=forward protocol=tcp dst-port=80 action=accept comment=" FORWARD
Allow HTTP" disabled=no
add chain=forward protocol=tcp dst-port=21 action=passthrough comment="ALLOW
FTP" disabled=no
add chain=forward protocol=tcp dst-port=110 action=accept comment="ALLOW POP3"
disabled=no
add chain=forward protocol=tcp dst-port=25 action=accept comment="ALLOW SMTP"
disabled=no
add chain=forward protocol=tcp dst-port=4662 action=accept comment="ALLOW
EMULE" disabled=no
add chain=forward protocol=tcp dst-port=5500 action=accept comment="ALLOW REAL
VNC" disabled=no
add chain=input protocol=tcp dst-port=1723 action=accept comment="ALLOW MS
PPTP1" disabled=no
add chain=input protocol=gre dst-port=47 action=accept comment="ALLOW MS
PPTP2" disabled=no
add chain=input action=drop comment="Reject and log everything else"
disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set mms disabled=no
set gre disabled=yes
set pptp disabled=yes



On Lan2: Netgear

Local IPSec Identifier: 80.63.233.142
Remote IPSec Identifier: 80.161.173.76
Tunnel can be accessed from: a subnet of local address
Local LAN start IP Address: 192.168.1.0
Local LAN IP Subnetmask: 255.255.255.0

Tunnel can access: a subnet of local address
Remote LAN start IP Address: 192.168.100.0
Remote LAN IP Subnetmask: 255.255.255.0

Remote WAN IP: 80.161.173.76

Secure Association: Main Mode
Perfect Forward Secrecy: Enabled
Encryption Protocol: 3DES
PreShared Key: (secret)

Keylife: 28800
IKE Lifetime: 86400

The logfile from NETGEAR:

Fri, 11/11/2005 14:38:34 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Fri, 11/11/2005 14:38:34 - FVS318 IKE:Peer Initialized IKE Main Mode
Fri, 11/11/2005 14:38:34 - FVS318 IKE:[Test Mikrotik] RX << MM_I1 : 80.161.173.76
Fri, 11/11/2005 14:38:34 - FVS318 IPsec:New State index:0, sno:19
Fri, 11/11/2005 14:38:34 - FVS318 IPsec:responding to Main Mode
Fri, 11/11/2005 14:38:34 - FVS318 IPsec:Oakley Transform 1 accepted
Fri, 11/11/2005 14:38:34 - FVS318 IKE:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
Fri, 11/11/2005 14:38:34 - FVS318 IKE:[Test Mikrotik] TX >> MM_R1 : 80.161.173.76
Fri, 11/11/2005 14:38:34 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #19
Fri, 11/11/2005 14:38:34 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Fri, 11/11/2005 14:38:34 - FVS318 IKE:[Test Mikrotik] RX << MM_I2 : 80.161.173.76
Fri, 11/11/2005 14:38:34 - FVS318 IKE:[Test Mikrotik] TX >> MM_R2 : 80.161.173.76
Fri, 11/11/2005 14:38:34 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #19
Fri, 11/11/2005 14:38:36 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Fri, 11/11/2005 14:38:36 - FVS318 IKE:[Test Mikrotik] RX << MM_I3 : 80.161.173.76
Fri, 11/11/2005 14:38:36 - FVS318 IPsec:Decoded Peer's ID is ID_IPV4_ADDR:192.168.100.99 and 192.168.100.99 in st
Fri, 11/11/2005 14:38:36 - FVS318 IKE:[Test Mikrotik] TX >> MM_R3 : 80.161.173.76
Fri, 11/11/2005 14:38:36 - FVS318 IPsec:inserting event EVENT_SA_EXPIRE, timeout in 3780 seconds for #19
Fri, 11/11/2005 14:38:36 - FVS318 IPsec:STATE_MAIN_R3: sent MR3, ISAKMP SA established
Fri, 11/11/2005 14:38:36 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Fri, 11/11/2005 14:38:36 - FVS318 IPsec:New State index:1, sno:20
Fri, 11/11/2005 14:38:36 - FVS318 IKE:[Test Mikrotik] RX << QM_I1 : 80.161.173.76
Fri, 11/11/2005 14:38:36 - FVS318 IPsec:cannot respond to IPsec SA request because no connection is known for 192.168.1.1/255.255.255.0-80.63.233.142=====80.161.173.76-19
Fri, 11/11/2005 14:38:50 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Fri, 11/11/2005 14:38:50 - FVS318 IPsec:loglog[3] *#byte 2 of ISAKMP Hash Payload must be zero, but is not
Fri, 11/11/2005 14:38:50 - FVS318 IPsec:malformed payload in packet
Fri, 11/11/2005 14:39:06 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Fri, 11/11/2005 14:39:06 - FVS318 IKE:[Test Mikrotik] RX << XCHG_INFO : 80.161.173.76
Fri, 11/11/2005 14:39:06 - FVS318 IPsec:Enter Process_DeleteSA() spi_len=16
Fri, 11/11/2005 14:39:06 - FVS318 IKE:RX << DELETE ISAKMP SA : 80.161.173.76 ,I-R=9c f2 27 f5 7b 7b 94 b1 e4 46 a6 d4 c9 ea 38 f3
Fri, 11/11/2005 14:39:06 - FVS318 IKE:[Test Mikrotik] ISAKMP SAs were Deleted!

End of Log ----------
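
As an added example (not part of any post in this thread), a triage script that walks FVS318 log lines like the ones above, tracks how far the Main Mode / Quick Mode exchange got, and turns the three diagnostics seen in this thread (the MM_I3 parse failure the Netgear attributes to the pre-shared key, the "no connection is known" rejection of QM_I1, and a peer ID that differs from the packet source) into a short verdict. The sample logs are constructed, trimmed copies of the excerpts posted here.

```python
import re
from dataclasses import dataclass, field

# Constructed samples: trimmed copies of the FVS318 log excerpts posted in this
# thread, one from the first attempt and one from the attempt after the changes.
LOG_FIRST_ATTEMPT = """\
Wed, 11/09/2005 01:08:50 - FVS318 IKE:[Test Mikrotik] RX << MM_I1 : 80.161.173.76
Wed, 11/09/2005 01:08:50 - FVS318 IKE:[Test Mikrotik] TX >> MM_R1 : 80.161.173.76
Wed, 11/09/2005 01:08:50 - FVS318 IKE:[Test Mikrotik] RX << MM_I2 : 80.161.173.76
Wed, 11/09/2005 01:08:50 - FVS318 IKE:[Test Mikrotik] TX >> MM_R2 : 80.161.173.76
Wed, 11/09/2005 01:08:52 - FVS318 IPsec:loglog[3] *#hahaha... next payload type of ISAKMP Identification Payload has an unknown value: 116
Wed, 11/09/2005 01:08:52 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Wed, 11/09/2005 01:09:00 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
"""
LOG_AFTER_CHANGES = """\
Fri, 11/11/2005 14:38:34 - FVS318 IKE:[Test Mikrotik] RX << MM_I1 : 80.161.173.76
Fri, 11/11/2005 14:38:34 - FVS318 IKE:[Test Mikrotik] TX >> MM_R1 : 80.161.173.76
Fri, 11/11/2005 14:38:34 - FVS318 IKE:[Test Mikrotik] RX << MM_I2 : 80.161.173.76
Fri, 11/11/2005 14:38:34 - FVS318 IKE:[Test Mikrotik] TX >> MM_R2 : 80.161.173.76
Fri, 11/11/2005 14:38:36 - FVS318 IKE:[Test Mikrotik] RX << MM_I3 : 80.161.173.76
Fri, 11/11/2005 14:38:36 - FVS318 IPsec:Decoded Peer's ID is ID_IPV4_ADDR:192.168.100.99 and 192.168.100.99 in st
Fri, 11/11/2005 14:38:36 - FVS318 IKE:[Test Mikrotik] TX >> MM_R3 : 80.161.173.76
Fri, 11/11/2005 14:38:36 - FVS318 IPsec:STATE_MAIN_R3: sent MR3, ISAKMP SA established
Fri, 11/11/2005 14:38:36 - FVS318 IKE:[Test Mikrotik] RX << QM_I1 : 80.161.173.76
Fri, 11/11/2005 14:38:36 - FVS318 IPsec:cannot respond to IPsec SA request because no connection is known for 192.168.1.1/255.255.255.0-80.63.233.142=====80.161.173.76-19
Fri, 11/11/2005 14:39:06 - FVS318 IKE:[Test Mikrotik] ISAKMP SAs were Deleted!
"""

MSG_RE = re.compile(r"IKE:\[(?P<tunnel>[^\]]*)\] (?P<dir>RX|TX) (?:<<|>>) (?P<msg>\w+) : (?P<peer>[\d.]+)")
PEER_ID_RE = re.compile(r"Decoded Peer's ID is ID_IPV4_ADDR:(?P<id>[\d.]+)")
NO_CONN_RE = re.compile(r"no connection is known for (?P<conn>\S+)")


@dataclass
class IkeTriage:
    tunnel: str = ""
    peer: str = ""                 # address the IKE packets came from
    peer_id: str = ""              # identity the peer claimed in MM_I3
    messages: list = field(default_factory=list)   # MM_I1, MM_R1, ... in order
    psk_failures: int = 0          # "probable authentication (preshared secret) failure"
    phase1_established: bool = False
    phase2_rejected: str = ""      # connection string the FVS318 could not match
    sa_deleted: bool = False
    warnings: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.phase1_established and self.phase2_rejected:
            return ("phase 1 established, phase 2 (quick mode) rejected: the responder has "
                    "no tunnel definition matching the proposed selectors; compare the local/"
                    "remote subnets, identifiers and PFS/proposal settings on both ends")
        if not self.phase1_established and self.psk_failures:
            return (f"phase 1 stalled after {self.messages[-1]}: MM_I3 could not be parsed, "
                    "which the FVS318 attributes to a pre-shared key mismatch")
        if self.phase1_established:
            return "ISAKMP SA established, no phase 2 error logged"
        return "phase 1 did not complete; no diagnostic in log"


def triage(log: str) -> IkeTriage:
    """Walk the FVS318 log lines in order and summarise how far IKE got."""
    t = IkeTriage()
    for line in log.splitlines():
        if m := MSG_RE.search(line):
            t.tunnel, t.peer = m["tunnel"], m["peer"]
            t.messages.append(m["msg"])
        elif m := PEER_ID_RE.search(line):
            t.peer_id = m["id"]
        elif m := NO_CONN_RE.search(line):
            t.phase2_rejected = m["conn"]
        elif "preshared secret) failure" in line:
            t.psk_failures += 1
        elif "ISAKMP SA established" in line:
            t.phase1_established = True
        elif "ISAKMP SAs were Deleted" in line:
            t.sa_deleted = True
    # An identity that differs from the packet source usually means NAT on the
    # path or a mis-set identifier; the responder matches its tunnels on the ID.
    if t.peer_id and t.peer and t.peer_id != t.peer:
        t.warnings.append(f"peer identified itself as {t.peer_id} but packets came from {t.peer}")
    return t


if __name__ == "__main__":
    for name, log in (("first attempt", LOG_FIRST_ATTEMPT), ("after changes", LOG_AFTER_CHANGES)):
        r = triage(log)
        print(f"{name}: {' '.join(r.messages)}\n  {r.verdict}")
        for w in r.warnings:
            print(f"  warning: {w}")
```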

And the log from Mikrotik?

New config and new logs...

Short description:

Lan1: 192.168.100.0/24 Wan1: 80.161.173.76
Lan2: 192.168.1.0/24 Wan2: 80.63.233.142


On Lan1: MT 2.9

nov/13/2005 22:40:11 by RouterOS 2.9rc7

software id = 787C-3TT

/ interface ethernet
set ether1 name="ether1" mtu=1500 mac-address=00:0C:42:04:15:41 arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default speed=100Mbps comment="" disabled=no
set Wan name="Wan" mtu=1500 mac-address=00:0C:42:04:15:42 arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default speed=100Mbps comment="" disabled=no
set Lan name="Lan" mtu=1500 mac-address=00:0C:42:04:15:43 arp=proxy-arp
disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default speed=100Mbps comment="" disabled=no


/ interface bridge port
set ether1 bridge=none priority=128 path-cost=10
set Wan bridge=none priority=128 path-cost=10
set Lan bridge=none priority=128 path-cost=10

/ ip pool
add name="pool1" ranges=192.168.100.33-192.168.100.99
/ ip hotspot service-port

/ ip dhcp-client
add interface=Wan add-default-route=yes use-peer-dns=yes comment=""
disabled=no

/ ip dhcp-server
add name="server1" interface=Lan lease-time=3d address-pool=pool1
bootp-support=static disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
/ ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.10
dns-server=193.162.153.164,193.162.146.9 comment=""


/ ip ipsec policy
add src-address=192.168.100.0/24:any dst-address=192.168.1.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=80.161.173.76 sa-dst-address=80.63.233.142 proposal=default
manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec peer
add address=80.63.233.142/32:500 secret="(SECRET)" generate-policy=no
exchange-mode=main send-initial-contact=yes proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 disabled=no

/ ip ipsec proposal
add name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m
lifebytes=0 pfs-group=modp1024 disabled=no

/ ip dns
set primary-dns=194.239.134.83 secondary-dns=193.162.153.164
allow-remote-requests=no cache-size=2048KiB cache-max-ttl=1w

/ ip address
add address=192.168.100.10/24 network=192.168.100.0 broadcast=192.168.100.255
interface=Lan comment="" disabled=no

/ ip neighbor discovery
set ether1 discover=yes
set Wan discover=yes
set Lan discover=yes
/ ip route

/ ip firewall mangle
add chain=forward p2p=all-p2p action=mark-packet new-packet-mark=all-p2p
comment="P2P Trafik" disabled=no
add chain=forward src-address=192.168.100.33 packet-mark=all-p2p
action=mark-packet new-packet-mark=client1-p2p comment="Mark P2P for
brian" disabled=no
add chain=forward dst-address=192.168.100.33 packet-mark=all-p2p
action=mark-packet new-packet-mark=client1-p2p comment="" disabled=no
add chain=forward src-address=192.168.100.34 packet-mark=all-p2p
action=mark-packet new-packet-mark=client1-p2p comment="Mark P2P for uffe"
disabled=no
add chain=forward dst-address=192.168.100.34 packet-mark=all-p2p
action=mark-packet new-packet-mark=client1-p2p comment="" disabled=no
add chain=forward src-address=192.168.100.38 action=mark-packet
new-packet-mark=Ipvoice comment="Ip Voice Telefoni" disabled=no
add chain=forward dst-address=192.168.100.38 action=mark-packet
new-packet-mark=Ipvoice comment="" disabled=no
add chain=forward in-interface=Lan protocol=tcp dst-port=80
action=mark-connection new-connection-mark=http-con comment="HTTP Trafik"
disabled=no
add chain=forward in-interface=Wan connection-mark=http-con action=mark-packet
new-packet-mark=http comment="" disabled=no


/ ip firewall nat
add chain=srcnat out-interface=Wan src-address=192.168.100.0/24
dst-address=192.168.1.0/24 action=accept comment=" TEST IPSEC SIGURD"
disabled=no
add chain=srcnat out-interface=Wan action=masquerade comment=" SRCNAT Laver
masquerade (Router)" disabled=no
add chain=dstnat in-interface=Wan protocol=tcp dst-port=80 action=dst-nat
to-addresses=192.168.100.9 to-ports=80 comment=" DSTNAT SU/NAT HTTP"
disabled=no
add chain=dstnat in-interface=Wan protocol=tcp dst-port=21 action=dst-nat
to-addresses=192.168.100.9 to-ports=21 comment="SU/NAT FTP" disabled=no
add chain=dstnat in-interface=Wan protocol=tcp dst-port=110 action=dst-nat
to-addresses=192.168.100.9 to-ports=110 comment="SU/NAT POP3" disabled=no
add chain=dstnat in-interface=Wan protocol=tcp dst-port=25 action=dst-nat
to-addresses=192.168.100.9 to-ports=25 comment="SU/NAT SMTP" disabled=no
add chain=dstnat in-interface=Wan protocol=tcp dst-port=4662 action=dst-nat
to-addresses=192.168.100.99 to-ports=4662 comment="SU/NAT EMULE"
disabled=no
add chain=dstnat in-interface=Wan protocol=tcp dst-port=5500 action=dst-nat
to-addresses=192.168.100.99 to-ports=5500 comment="SU/NAT REAL VNC"
disabled=no

/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m
tcp-established-timeout=5d tcp-fin-wait-timeout=2m
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m

/ ip firewall filter
add chain=input protocol=ipsec-esp action=accept comment=" INPUT ACCEPT
IPSEC" disabled=no
add chain=input src-address=192.168.1.0/24 dst-address=192.168.100.0/24
action=accept comment=" INPUT ACCEPT IPSEC" disabled=no
add chain=input protocol=tcp dst-port=137-139 action=drop comment=" INPUT
PORT 137-139 DROP" disabled=no
add chain=input protocol=tcp dst-port=445 action=drop comment="DROP PORT 445 "
disabled=no
add chain=input protocol=tcp dst-port=135 action=drop comment="DROP PORT 135"
disabled=no
add chain=input protocol=udp dst-port=135 action=drop comment="DROP UDP PORT
135" disabled=no
add chain=input connection-state=invalid action=drop comment=" INPUT Drop
invalid connection packets" disabled=no
add chain=input connection-state=established action=accept comment="Allow
established connections" disabled=no
add chain=input connection-state=related action=accept comment="Allow related
connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP connections"
disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP messages"
disabled=no
add chain=input in-interface=Lan action=accept comment="Tillad alt trafik fra
lokal netværk" disabled=no
add chain=forward protocol=tcp dst-port=80 action=accept comment=" FORWARD
Allow HTTP" disabled=no
add chain=forward protocol=tcp dst-port=21 action=passthrough comment="ALLOW
FTP" disabled=no
add chain=forward protocol=tcp dst-port=110 action=accept comment="ALLOW POP3"
disabled=no
add chain=forward protocol=tcp dst-port=25 action=accept comment="ALLOW SMTP"
disabled=no
add chain=forward protocol=tcp dst-port=4662 action=accept comment="ALLOW
EMULE" disabled=no
add chain=forward protocol=tcp dst-port=5500 action=accept comment="ALLOW REAL
VNC" disabled=no
add chain=input protocol=tcp dst-port=1723 action=accept comment="ALLOW MS
PPTP1" disabled=no
add chain=input protocol=gre dst-port=47 action=accept comment="ALLOW MS
PPTP2" disabled=no
add chain=input action=log log-prefix="" comment="Reject and log everything
else" disabled=yes
add chain=input action=drop comment="Reject and log everything else"
disabled=no

/ queue simple
add name="Ip Voice" dst-address=0.0.0.0/0 interface=Wan parent=none
packet-marks=Ipvoice priority=5 queue=default/default limit-at=0/0
max-limit=0/0 total-queue=default disabled=no
add name="http" dst-address=0.0.0.0/0 interface=Lan parent=none
packet-marks=http priority=8 queue=default/default limit-at=0/0
max-limit=0/0 total-queue=default disabled=no
add name="queue1" dst-address=0.0.0.0/0 interface=Lan parent=none
packet-marks=client1-p2p priority=8 queue=default/default limit-at=0/0
max-limit=40000/40000 total-queue=default disabled=no
add name="queue2" dst-address=0.0.0.0/0 interface=Lan parent=none
packet-marks=client1-p2p priority=8 queue=default/default limit-at=0/0
max-limit=512000/512000 total-queue=default disabled=no



On Lan2: Netgear

Local IPSec Identifier: 80.63.233.142
Remote IPSec Identifier: 80.161.173.76
Tunnel can be accessed from: a subnet of local address
Local LAN start IP Address: 192.168.1.0
Local LAN IP Subnetmask: 255.255.255.0

Tunnel can access: a subnet of local address
Remote LAN start IP Address: 192.168.100.0
Remote LAN IP Subnetmask: 255.255.255.0

Remote WAN IP: 80.161.173.76

Secure Association: Main Mode
Perfect Forward Secrecy: Enabled
Encryption Protocol: 3DES
PreShared Key: (secret)

Keylife: 28800
IKE Lifetime: 86400

The logfile from NETGEAR: (PING FROM LAN1 TO LAN2 BY LOCAL PC ON LAN1)

Mon, 11/14/2005 00:34:26 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 00:34:26 - FVS318 IKE:Peer Initialized IKE Main Mode
Mon, 11/14/2005 00:34:26 - FVS318 IKE:[Test Mikrotik] RX << MM_I1 : 80.161.173.76
Mon, 11/14/2005 00:34:26 - FVS318 IPsec:New State index:0, sno:1
Mon, 11/14/2005 00:34:26 - FVS318 IPsec:responding to Main Mode
Mon, 11/14/2005 00:34:26 - FVS318 IPsec:Oakley Transform 1 accepted
Mon, 11/14/2005 00:34:26 - FVS318 IKE:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
Mon, 11/14/2005 00:34:26 - FVS318 IKE:[Test Mikrotik] TX >> MM_R1 : 80.161.173.76
Mon, 11/14/2005 00:34:26 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Mon, 11/14/2005 00:34:26 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 00:34:26 - FVS318 IKE:[Test Mikrotik] RX << MM_I2 : 80.161.173.76
Mon, 11/14/2005 00:34:26 - FVS318 IKE:[Test Mikrotik] TX >> MM_R2 : 80.161.173.76
Mon, 11/14/2005 00:34:26 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Mon, 11/14/2005 00:34:28 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 00:34:28 - FVS318 IPsec:loglog[3] *#hahaha.... next payload type of ISAKMP Identification Payload has an unknown value: 192
Mon, 11/14/2005 00:34:28 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Mon, 11/14/2005 00:34:34 - FVS318 IPsec:handling event EVENT_RETRANSMIT for 50a1ad4c "Test Mikrotik" #1
Mon, 11/14/2005 00:34:34 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
Mon, 11/14/2005 00:34:36 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 00:34:36 - FVS318 IPsec:loglog[3] *#hahaha.... next payload type of ISAKMP Identification Payload has an unknown value: 192
Mon, 11/14/2005 00:34:36 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Mon, 11/14/2005 00:34:38 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 00:34:38 - FVS318 IPsec:loglog[3] *#hahaha.... next payload type of ISAKMP Identification Payload has an unknown value: 192
Mon, 11/14/2005 00:34:38 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Mon, 11/14/2005 00:34:48 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 00:34:48 - FVS318 IPsec:loglog[3] *#hahaha.... next payload type of ISAKMP Identification Payload has an unknown value: 192
Mon, 11/14/2005 00:34:48 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Mon, 11/14/2005 00:34:54 - FVS318 IPsec:handling event EVENT_RETRANSMIT for 50a1ad4c "Test Mikrotik" #1
Mon, 11/14/2005 00:34:54 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1
Mon, 11/14/2005 00:34:56 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 00:34:56 - FVS318 IPsec:loglog[3] *#hahaha.... next payload type of ISAKMP Identification Payload has an unknown value: 192
Mon, 11/14/2005 00:34:56 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Mon, 11/14/2005 00:34:58 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 00:34:58 - FVS318 IPsec:loglog[3] *#hahaha.... next payload type of ISAKMP Identification Payload has an unknown value: 192
Mon, 11/14/2005 00:34:58 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Mon, 11/14/2005 00:35:08 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 00:35:08 - FVS318 IPsec:loglog[3] *#hahaha.... next payload type of ISAKMP Identification Payload has an unknown value: 192
Mon, 11/14/2005 00:35:08 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Mon, 11/14/2005 00:35:18 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 00:35:18 - FVS318 IPsec:loglog[3] *#hahaha.... next payload type of ISAKMP Identification Payload has an unknown value: 192
Mon, 11/14/2005 00:35:18 - FVS318 IPsec:probable authentication (preshared secret) failure: malformed payload in packet
Mon, 11/14/2005 00:35:34 - FVS318 IPsec:handling event EVENT_RETRANSMIT for 50a1ad4c "Test Mikrotik" #1
Mon, 11/14/2005 00:35:34 - FVS318 IPsec:max number of retransmissions (2) reached STATE_MAIN_R2

End of Log ----------


The logfile from MT

22:34:31 ipsec,ike,info queuing SA request, phase 1 with peer 80.63.233.142
will be established first
22:34:31 ipsec,ike,info initiating phase 1, starting mode Identity Protection
(local 80.161.173.76:500) (remote unknown)
22:34:31 ipsec,info ipsec packet discarded: src=192.168.100.99 dst=
192.168.1.2
22:34:31 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase
1, Identity Protection
22:34:34 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase
1, Identity Protection
22:34:36 ipsec,info ipsec packet discarded: src=192.168.100.99 dst=
192.168.1.2
22:34:41 ipsec,info ipsec packet discarded: src=192.168.100.99 dst=
192.168.1.2
22:34:42 ipsec,ike,info retransmitted packet, ignoring (remote unknown)
22:34:47 ipsec,info ipsec packet discarded: src=192.168.100.99 dst=
192.168.1.2
22:35:02 ipsec,ike,info retransmitted packet, ignoring (remote unknown)
22:35:02 ipsec,ike,info dequeuing SA request to 80.63.233.142, phase 1 wait
timed out
22:35:34 ipsec,ike,info phase 1 negotiation timed out


The logfile from MT (PING FROM LAN2 TO LAN1 FROM LOCAL PC ON LAN2)

22:53:46 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase
1, Identity Protection
22:53:46 ipsec,ike,info responding phase 1, starting mode Identity Protection
(local 80.161.173.76:500) (remote80.63.233.142:500)
22:53:47 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase
1, Identity Protection
22:53:49 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase
1, Identity Protection
22:53:57 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase
1, Identity Protection
22:54:16 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase
1, Identity Protection
22:54:16 ipsec,ike,info responding phase 1, starting mode Identity Protection
(local 80.161.173.76:500) (remote80.63.233.142:500)
22:54:17 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase
1, Identity Protection
22:54:18 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase
1, Identity Protection
22:54:19 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase
1, Identity Protection
22:54:27 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase
1, Identity Protection
22:54:47 ipsec,ike,info received ISAKMP packet from 80.63.233.142:500, phase
1, Identity Protection
22:54:48 ipsec,ike,info phase 1 negotiation timed out


The logfile from Netgear (PING FROM LAN2 TO LAN1 FROM LOCAL PC ON LAN2)

Mon, 11/14/2005 01:03:30 - FVS318 IPsec:call ipsecdoi_initiate
Mon, 11/14/2005 01:03:30 - FVS318 IPsec:New State index:0, sno:6
Mon, 11/14/2005 01:03:30 - FVS318 IPsec:Initiating Main Mode
Mon, 11/14/2005 01:03:30 - FVS318 IKE:[Test Mikrotik] Initializing IKE Main Mode
Mon, 11/14/2005 01:03:30 - FVS318 IKE:[Test Mikrotik] TX >> MM_I1 : 80.161.173.76
Mon, 11/14/2005 01:03:30 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #6
Mon, 11/14/2005 01:03:30 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 01:03:30 - FVS318 IKE:[Test Mikrotik] RX << MM_R1 : 80.161.173.76
Mon, 11/14/2005 01:03:30 - FVS318 IPsec:Oakley Transform 3 accepted
Mon, 11/14/2005 01:03:30 - FVS318 IKE:OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
Mon, 11/14/2005 01:03:30 - FVS318 IKE:[Test Mikrotik] TX >> MM_I2 : 80.161.173.76
Mon, 11/14/2005 01:03:30 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #6
Mon, 11/14/2005 01:03:32 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 01:03:32 - FVS318 IKE:[Test Mikrotik] RX << MM_R2 : 80.161.173.76
Mon, 11/14/2005 01:03:32 - FVS318 IKE:[Test Mikrotik] TX >> MM_I3 : 80.161.173.76
Mon, 11/14/2005 01:03:32 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #6
Mon, 11/14/2005 01:03:40 - FVS318 IPsec:handling event EVENT_RETRANSMIT for 50a1ad4c "Test Mikrotik" #6
Mon, 11/14/2005 01:03:40 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #6
Mon, 11/14/2005 01:03:42 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 01:03:42 - FVS318 IPsec:loglog[3] discarding duplicate packet; already STATE_MAIN_I3
Mon, 11/14/2005 01:03:52 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 01:03:52 - FVS318 IPsec:loglog[3] discarding duplicate packet; already STATE_MAIN_I3
Mon, 11/14/2005 01:04:00 - FVS318 IPsec:handling event EVENT_RETRANSMIT for 50a1ad4c "Test Mikrotik" #6
Mon, 11/14/2005 01:04:00 - FVS318 IPsec:inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #6
Mon, 11/14/2005 01:04:02 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 01:04:02 - FVS318 IPsec:loglog[3] discarding duplicate packet; already STATE_MAIN_I3
Mon, 11/14/2005 01:04:12 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 01:04:12 - FVS318 IPsec:loglog[3] discarding duplicate packet; already STATE_MAIN_I3
Mon, 11/14/2005 01:04:22 - FVS318 IPsec:Receive Packet address:0x1397478 from 80.161.173.76
Mon, 11/14/2005 01:04:22 - FVS318 IPsec:loglog[3] discarding duplicate packet; already STATE_MAIN_I3
Mon, 11/14/2005 01:04:40 - FVS318 IPsec:handling event EVENT_RETRANSMIT for 50a1ad4c "Test Mikrotik" #6
Mon, 11/14/2005 01:04:40 - FVS318 IPsec:max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first enc

End of Log ----------


REGARD BRIAN
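An added triage helper, not part of the thread, that reads the kind of FVS318 (Pluto-style) main-mode log quoted above and reports the last main-mode message seen together with a verdict. The sample lists are constructed from the log bodies above with the timestamp prefix stripped, and the verdict wording is the example's own; both logs show the proposal accepted and the failure at the first encrypted message, the signature of a pre-shared-key or IKE identity mismatch rather than a proposal mismatch.

```python
import re
# Constructed sample: message bodies from the Netgear log above (MikroTik initiating).
FVS318_RESPONDER_LOG = [
    "IKE:[Test Mikrotik] RX << MM_I1 : 80.161.173.76",
    "IPsec:Oakley Transform 1 accepted",
    "IKE:[Test Mikrotik] TX >> MM_R1 : 80.161.173.76",
    "IKE:[Test Mikrotik] RX << MM_I2 : 80.161.173.76",
    "IKE:[Test Mikrotik] TX >> MM_R2 : 80.161.173.76",
    "IPsec:loglog[3] next payload type of ISAKMP Identification Payload has an unknown value: 192",
    "IPsec:probable authentication (preshared secret) failure: malformed payload in packet",
    "IPsec:max number of retransmissions (2) reached STATE_MAIN_R2",
]
# Constructed sample: the same device as initiator (second Netgear log above).
FVS318_INITIATOR_LOG = [
    "IKE:[Test Mikrotik] TX >> MM_I1 : 80.161.173.76",
    "IKE:[Test Mikrotik] RX << MM_R1 : 80.161.173.76",
    "IPsec:Oakley Transform 3 accepted",
    "IKE:[Test Mikrotik] TX >> MM_I3 : 80.161.173.76",
    "IPsec:max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure",
]
# IKEv1 main mode: messages 1-2 negotiate the SA, 3-4 exchange DH values and nonces,
# 5-6 carry identities and the auth hash and are the first encrypted messages.
STAGE_OF = {"MM_I1": 1, "MM_R1": 2, "MM_I2": 3, "MM_R2": 4, "MM_I3": 5, "MM_R3": 6}
MM_RE = re.compile(r"\b(MM_[IR][123])\b")

def triage(lines):
    """Map a main-mode log to the furthest message seen and a one-line verdict."""
    furthest, proposal_ok, bad_auth = 0, False, False
    for line in lines:
        m = MM_RE.search(line)
        if m:
            furthest = max(furthest, STAGE_OF[m.group(1)])
        if "Transform" in line and "accepted" in line:
            proposal_ok = True  # phase 1 proposal (enc/hash/DH) matched
        # A wrong PSK makes message 5 undecryptable: the parser sees garbage payload
        # types ("unknown value") and Pluto reports a probable authentication failure.
        if "unknown value" in line or ("authentication" in line and "failure" in line):
            bad_auth = True
    if furthest == 0:
        return 0, "no IKE exchange seen: check UDP/500 reachability and input filters"
    if not proposal_ok:
        return furthest, "phase 1 proposal rejected: compare enc/hash/DH group on both ends"
    if furthest >= 4 and bad_auth:
        return furthest, "first encrypted message undecryptable: pre-shared key or IKE identity mismatch"
    if furthest < 6:
        return furthest, "phase 1 stalled before message 6: look for retransmits or NAT on the path"
    return furthest, "phase 1 completed"
```

Because the failure sits in messages 5/6, phase 2 settings such as PFS or the proposal lifetimes are not reached yet and cannot be the cause of these particular log lines.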

I am afraid both devices are not able to negotiate an IPSec connection together. I am not able to tell you exactly what is wrong. I think you can try to use a second MT instead of the Netgear with the same configuration as your first MT. It helps suspend the possibility of wrong MT configuration. When you are able to create a tunnel between your 2 Mikrotiks, the problem is definitely in the Netgear (some devices are compatible, but some of them are more compatible than others)…