I am new to IPsec, so please forgive the newbie question. I have a MikroTik router on one end and a Netgear router on the other end.
In the policy I define the source and destination address (office LAN and remote office LAN).
In the policy action, for SA Src and SA Dst I defined the source and destination routers' public IPs.
The peer setting is fine, as the log shows the link is established.
I also created the NAT rule for src-nat as defined in the documentation.
Now the problem I face is that I cannot see any new route in the routing table.
I cannot ping the remote network (of course this is because there is no route), but how can I get the dynamic route from this tunnel?
Normally all VPN servers like PPTP, L2TP, OpenVPN etc. have their interface dynamically created, with a pool assigned to the tunnel when the tunnel is established. However, in this case the tunnel is established but no interface has been created, nor has a tunnel IP been assigned. I cannot see any option to assign an IP pool to the IPsec tunnel. I don't know if this is the default behaviour or an error. Please correct me if I am wrong.
Now I do not know how I should add a manual route, because there is no interface nor pool IP. Please guide me.
Any guide or suggestion will be highly appreciated.
Thanks,
MYK
There will be no route visible if you do IPsec; only if you do an IP tunnel, and then you have to add it.
Under your IPsec policy, under the Action tab, you should have Tunnel selected.
Have a look under Installed SAs. Do you see the keys exchanged? There should be 2 lines in there, with the source and destination WAN IPs, and if you open them up you should see encryption keys in there.
If they are there, try to do a ping from the router first, but remember you have to specify src-address, or the ping will not work to the remote WAN, because you will try to ping from your WAN IP to the LAN IP on the remote side. If you use src-address="router LAN IP", the router will ping with its LAN as the source, and so the IPsec policy will see that it is meant to encrypt and tunnel the traffic.
IPsec works in 2 steps.
The first is the peer; you can confirm this part is OK by checking that the Remote Peers tab has an established peer.
If that is OK, you have to look at phase 2. You can confirm phase 2 worked by confirming under Installed SAs that you have the key exchange.
Make sure you have a key for both directions: src local, WAN remote, and WAN local, src remote. Make sure the encryption key is not just 0; it should be a long string of characters.
If that is all good, we have to look at the src-nat rule you have, or any firewall rules that might be affecting it.
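The checklist in the reply above, written out as RouterOS CLI commands. This is an added example and is not part of the original thread or of MikroTik's documentation. It assumes the older RouterOS v6 command syntax in which the pre-shared secret sits on the peer entry (newer releases split it into /ip ipsec identity and rename remote-peers to active-peers), and every address is a placeholder: 203.0.113.1 and 203.0.113.2 for the MikroTik and Netgear WAN sides, 192.168.1.0/24 for the local LAN (router LAN address 192.168.1.1) and 192.168.2.0/24 for the remote LAN.

```routeros
# Added example, not from the thread. Placeholder addresses:
#   203.0.113.1  MikroTik WAN      192.168.1.0/24  local LAN (router is 192.168.1.1)
#   203.0.113.2  Netgear WAN       192.168.2.0/24  remote LAN

# Phase 1: the peer. Replace the secret with your own pre-shared key.
/ip ipsec peer add address=203.0.113.2/32 secret="ChangeMe" exchange-mode=main

# Phase 2: the policy. tunnel=yes is the Tunnel checkbox the reply refers to;
# sa-src/sa-dst are the two public IPs, src/dst are the two LANs.
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=203.0.113.2 \
    tunnel=yes action=encrypt proposal=default

# LAN-to-LAN traffic must not be masqueraded, otherwise the packet leaves
# with the WAN IP as source and never matches the policy.
# place-before=0 puts this accept rule ahead of the existing masquerade rule.
/ip firewall nat add chain=srcnat action=accept \
    src-address=192.168.1.0/24 dst-address=192.168.2.0/24 place-before=0

# Check phase 1: the peer should be listed as established.
/ip ipsec remote-peers print

# Check phase 2: expect two SAs, one per direction, each with a non-zero key.
/ip ipsec installed-sa print

# Ping from the LAN address, not the WAN address, so the policy matches.
/ping 192.168.2.1 src-address=192.168.1.1
```

The reason no route appears is that this is policy-based IPsec: there is no tunnel interface, the packet is routed normally (here, out the default route) and the policy then intercepts and encrypts it on the way out. The two things that most often break this are the ping being sourced from the WAN address, which the policy does not cover, and the masquerade rule rewriting the source before the policy is consulted, which is what the accept rule above prevents.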