Hi - I’m having trouble getting two routerboards talking to each other over an IPsec encrypted connection.
The first board has an address of 10.50.3.131/25, and the second has 10.50.2.6/30. They’re connected through a Linux PC acting as a router, with addresses of 10.50.3.129/25 and 10.50.2.5/30. Without IPsec policies in place, they can communicate with each other, so I know the routing is working.
I’ve configured IPsec on each machine like so:
# First board (RB150, 10.50.3.131): transport-mode ESP to 10.50.2.6
/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=30m \
name="default" pfs-group=modp1024
/ip ipsec peer
add address=10.50.2.6/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no enc-algorithm=aes-128 exchange-mode=main generate-policy=no \
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no \
proposal-check=obey secret="abc" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.50.2.6/32:any ipsec-protocols=esp \
level=require manual-sa=none priority=0 proposal=default protocol=all \
sa-dst-address=10.50.2.6 sa-src-address=10.50.3.131 \
src-address=10.50.3.131/32:any tunnel=no

# Second board (RB600, 10.50.2.6): the mirror image, transport-mode ESP to 10.50.3.131
/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=30m \
name="default" pfs-group=modp1024
/ip ipsec peer
add address=10.50.3.131/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no enc-algorithm=aes-128 exchange-mode=main generate-policy=no \
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no \
proposal-check=obey secret="abc" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.50.3.131/32:any \
ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=default \
protocol=all sa-dst-address=10.50.3.131 sa-src-address=10.50.2.6 \
src-address=10.50.2.6/32:any tunnel=no
I’m dumping the traffic on the Linux router, and there isn’t even any ISAKMP attempt being made in either direction.
Any idea what I’m doing wrong?
Edit: RouterOS is 3.2 on both boards. The first is an RB150, the second is an RB600.
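Added example, not part of the post and not MikroTik code: a small Python checker that parses the two `/ip ipsec` exports quoted above and verifies that they are mirror images of each other, which is the first thing to rule out when no ISAKMP traffic appears. It checks that each policy's selectors are the reverse of the other side's, that in transport mode (`tunnel=no`) the SA endpoints equal the selectors, that each `peer` address is the other side's `sa-src-address`, that the phase 1 settings and PSK match, and that both policies reference a proposal that exists with the same algorithms. The parser and the helper names (`parse_export`, `check_pair`, `weak_settings`, `host`) are this example's own; it assumes RouterOS 3.x export syntax with `\` line continuations and exactly one proposal, peer and policy per side. Run against the configs as posted it reports no mismatch, so the two sides are consistent; `weak_settings` additionally flags the MD5 hashes, the 1024-bit DH group and the short pre-shared key, which an editor would not leave in a production setup.

```python
"""Mirror-consistency check for a pair of RouterOS /ip ipsec exports (example helper, not RouterOS code)."""
import re
import shlex

# Sample input, copied from the post above: first board, then second board.
SIDE_A = r"""
/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=30m \
name="default" pfs-group=modp1024
/ip ipsec peer
add address=10.50.2.6/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no enc-algorithm=aes-128 exchange-mode=main generate-policy=no \
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no \
proposal-check=obey secret="abc" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.50.2.6/32:any ipsec-protocols=esp \
level=require manual-sa=none priority=0 proposal=default protocol=all \
sa-dst-address=10.50.2.6 sa-src-address=10.50.3.131 \
src-address=10.50.3.131/32:any tunnel=no
"""
SIDE_B = r"""
/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=30m \
name="default" pfs-group=modp1024
/ip ipsec peer
add address=10.50.3.131/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no enc-algorithm=aes-128 exchange-mode=main generate-policy=no \
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no \
proposal-check=obey secret="abc" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.50.3.131/32:any \
ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=default \
protocol=all sa-dst-address=10.50.3.131 sa-src-address=10.50.2.6 \
src-address=10.50.2.6/32:any tunnel=no
"""


def parse_export(text):
    """Return {"proposal": [...], "peer": [...], "policy": [...]}, one dict of key=value per 'add' line."""
    sections = {"proposal": [], "peer": [], "policy": []}
    current = None
    for line in text.replace("\\\n", " ").splitlines():  # undo RouterOS line continuations
        line = line.strip()
        m = re.match(r"/ip ipsec (proposal|peer|policy)$", line)
        if m:
            current = m.group(1)
        elif line.startswith("add ") and current:
            # shlex strips the quotes around values such as secret="abc"
            sections[current].append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return sections


def host(addr):
    """'10.50.2.6/32:500' -> '10.50.2.6' (drop prefix length and port)."""
    return addr.split("/")[0].split(":")[0]


def check_pair(a_text, b_text):
    """Return a list of mismatches between the two sides; an empty list means they mirror correctly."""
    a, b = parse_export(a_text), parse_export(b_text)
    errors = []
    for name, side in (("A", a), ("B", b)):
        for sec, entries in side.items():
            if len(entries) != 1:
                errors.append(f"{name}: expected exactly one {sec}, found {len(entries)}")
    if errors:
        return errors
    (pa, ra, qa), (pb, rb, qb) = [(s["policy"][0], s["peer"][0], s["proposal"][0]) for s in (a, b)]

    def expect(cond, msg):
        if not cond:
            errors.append(msg)

    # 1. Policy selectors must be mirror images.
    expect(host(pa["src-address"]) == host(pb["dst-address"]), "A src-address != B dst-address")
    expect(host(pa["dst-address"]) == host(pb["src-address"]), "A dst-address != B src-address")
    # 2. SA endpoints must be mirror images and, in transport mode (tunnel=no), equal the selectors.
    expect(pa["sa-src-address"] == pb["sa-dst-address"], "A sa-src-address != B sa-dst-address")
    expect(pa["sa-dst-address"] == pb["sa-src-address"], "A sa-dst-address != B sa-src-address")
    for n, p in (("A", pa), ("B", pb)):
        if p.get("tunnel") == "no":
            expect(host(p["src-address"]) == p["sa-src-address"]
                   and host(p["dst-address"]) == p["sa-dst-address"],
                   f"{n}: transport-mode selectors must equal the SA endpoints")
    # 3. Each peer entry must point at the other side's SA source address.
    expect(host(ra["address"]) == pb["sa-src-address"], "A peer address != B sa-src-address")
    expect(host(rb["address"]) == pa["sa-src-address"], "B peer address != A sa-src-address")
    # 4. Phase 1 parameters and the PSK must agree on both sides.
    for key in ("exchange-mode", "dh-group", "enc-algorithm", "hash-algorithm", "auth-method", "secret"):
        expect(ra.get(key) == rb.get(key), f"peer {key} differs")
    # 5. Each policy must reference a proposal that exists, and both proposals must agree.
    for n, p, q in (("A", pa, qa), ("B", pb, qb)):
        expect(p["proposal"] == q["name"], f"{n}: policy uses proposal '{p['proposal']}', which is not defined")
    for key in ("enc-algorithms", "auth-algorithms", "pfs-group"):
        expect(qa.get(key) == qb.get(key), f"proposal {key} differs")
    return errors


def weak_settings(text):
    """Flag parameters in one export that are deprecated today: MD5, 1024-bit DH, a short PSK."""
    cfg = parse_export(text)
    found = []
    for peer in cfg["peer"]:
        found += [f"peer {k}={peer[k]}" for k in ("hash-algorithm", "dh-group") if peer.get(k) in ("md5", "modp1024")]
        if len(peer.get("secret", "")) < 16:
            found.append("peer secret shorter than 16 characters")
    for prop in cfg["proposal"]:
        found += [f"proposal {k}={prop[k]}" for k in ("auth-algorithms", "pfs-group") if prop.get(k) in ("md5", "modp1024")]
    return found
```

Usage: `check_pair(SIDE_A, SIDE_B)` returns `[]` for the configs as posted; changing one `sa-dst-address` on either side makes it return the mirror mismatch and the transport-mode selector mismatch, which is exactly the class of error that leaves a policy never matching and so never triggering phase 1. A consistent configuration that still produces no ISAKMP packets points elsewhere, for instance at the policy not matching the traffic being generated or at phase 1 never being initiated, which is best confirmed with a packet capture for UDP/500 on the Linux router.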