IPSEC problem

hey all,

First of all, I have never done this before. I want to create an IPsec tunnel between a MikroTik and a Cisco. Here is my network and configuration:

Location 1

WAN IP : 4.4.4.4
NAT : 172.24.60.20
Local : 10.60.0.0 /21

Location 2

Wan IP : 5.5.5.5
Nat : 192.168.1.254 ( mikrotik )
Local : 192.168.100.0/24


Location 1 configuration (cisco),

IKE Session (Phase 1)
Encryption Algorithm AES-128
Hashing Algorithm MD5/HMAC-128
Diffie-Hellman Group Group 2 (1024-bit)
Authentication Mode Pre-Shared Keys
IKE Negotiation Mode Main
Rekey Time Interval 86400 seconds

IPSec Session (Phase 2)
Encryption Algorithm AES-128
Hashing Algorithm ESP/MD5/HMAC-128
Encapsulation Mode Tunnel
Rekey Time Interval 28800 seconds


Location 2 (Mikrotik 4.5),

Policy

Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.100.0/24:any dst-address=10.60.0.0/21:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=192.168.1.254 sa-dst-address=4.4.4.4 proposal=default
priority=0

Peer

0 address=4.4.4.4/32:500 auth-method=pre-shared-key
secret="XXXXX" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=md5 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

Proposal

0 name="default" auth-algorithms=md5 enc-algorithms=aes-128 lifetime=8h
pfs-group=modp1024


I can't see any remote peers or installed SAs.

Can anyone help me with this configuration?

Set the sa-src-address to the public IPs.

You also need to NAT exempt traffic between the internal networks on both sides.

New policy

Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.100.0/24:any dst-address=10.60.0.0/21:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=5.5.5.5 sa-dst-address=4.4.4.4

Nat

Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.100.0/24
dst-address=10.60.0.0/21

1 chain=srcnat action=masquerade

No changes… :frowning:

First, you have to EXEMPT the traffic from NAT.

/ip firewall nat
add chain=srcnat src-address=192.168.100.0/24 dst-address=10.60.0.0/21 action=accept

Equivalent configuration is necessary on the Cisco, how to do that depends on how you NAT there.

Also, it's a bad idea to blindly masquerade, you should at least qualify with 'out-interface=WAN-interface-name'.

Now that you’ve changed SA source and destination IP addresses, do you see remote peers and policies being established? What do the logs say when you turn on debugging?
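To check a pasted RouterOS 4.x "print" dump for the three problems raised in this reply (SA source address that is not the WAN address, no srcnat accept rule before masquerade, and a masquerade rule without out-interface), here is an added Python example; it is not code from the thread or from MikroTik, and the sample text it parses is constructed from the addresses posted above.

```python
import ipaddress
import re

# Constructed sample (not captured from a device): the policy and first NAT table posted above,
# in the RouterOS 4.x "print" layout, so the checker can run offline.
POLICY_PRINT = """
0 src-address=192.168.100.0/24:any dst-address=10.60.0.0/21:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=192.168.1.254 sa-dst-address=4.4.4.4 proposal=default
"""
NAT_PRINT = """
0 chain=srcnat action=masquerade
"""
WAN_IP = "5.5.5.5"  # Location 2 public address from the thread
KV = re.compile(r"(\S+?)=(\S+)")

def parse_entries(text):
    """Split RouterOS 'print' output into one dict per numbered entry (continuation lines merge)."""
    entries, current = [], None
    for line in text.splitlines():
        if re.match(r"^\s*\d+\s", line):  # a new entry starts with its index
            current = {}
            entries.append(current)
        if current is not None:
            current.update(KV.findall(line))
    return entries

def _covers(rule, key, net):
    """True if the rule's address match (absent means any) contains the policy subnet."""
    return key not in rule or net.subnet_of(ipaddress.ip_network(rule[key]))

def lint(policies, nat_rules, wan_ip):
    """Return the mistakes the thread identifies: private SA source, no NAT exemption, bare masquerade."""
    findings = []
    srcnat = [r for r in nat_rules if r.get("chain") == "srcnat"]
    for p in policies:
        if p.get("tunnel") == "yes" and p.get("sa-src-address") != wan_ip:
            findings.append(f"sa-src-address {p.get('sa-src-address')} is not the WAN address {wan_ip}")
        src = ipaddress.ip_network(p["src-address"].split(":")[0])
        dst = ipaddress.ip_network(p["dst-address"].split(":")[0])
        # srcnat is evaluated top to bottom: an accept for the tunnel subnets must precede masquerade
        for r in srcnat:
            if r.get("action") == "accept" and _covers(r, "src-address", src) and _covers(r, "dst-address", dst):
                break
            if r.get("action") == "masquerade":
                findings.append(f"{src} -> {dst} is masqueraded before any accept rule exempts it")
                break
    findings += ["masquerade rule is not qualified with out-interface"
                 for r in srcnat if r.get("action") == "masquerade" and "out-interface" not in r]
    return findings
```

Run it on the corrected tables (accept rule first, masquerade qualified with out-interface, sa-src-address set to the WAN IP) and it returns an empty list.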

Here is the new NAT rule..

 0   chain=srcnat action=accept src-address=192.168.100.0/24 
     dst-address=10.60.0.0/21 

 1   chain=srcnat action=masquerade out-interface=ether1

and nothing changed :frowning:

and I can't see any ipsec in the log.. :confused:

/system logging
add topic=ipsec action=echo

Then ping from the CLI, it’ll output a bunch of debugging text. Post it.

I already added ipsec and debug :frowning: but there is no log..

I think the ipsec session didn't start..

any idea?

If you want to trigger the tunnel from the box itself, you need to add a route, read http://forum.mikrotik.com/t/program-led-to-vpn-status-using-netwatch-and-scripting/31786/1