Hello,
I have an RB751U-2HnD at home and a SonicWall TZ100 at the office. I have a site-to-site IPsec tunnel set up and working between them. They each have their own subnet.
The way I got it to work was allowing the SonicWall to initiate the connection and then having the RouterBoard auto-generate the policy from the SonicWall. When I started looking at these auto-generated policies I noticed that the sa-src-address is swapped with the sa-dst-address compared with what I read on the wiki, and it is working fine. Can anyone let me know why this is?
Here is the relevant configuration of the RouterBoard.
Home and Sonicwall represent the public IPs of each router.
HomeNet and SonicwallNet are the local private subnets of each.
/ip ipsec peer print
Flags: X - disabled
0 address=xxxSonicwallxxx port=500 auth-method=pre-shared-key
secret="XXXXXXXXX" generate-policy=yes exchange-mode=main
send-initial-contact=no nat-traversal=yes my-id-user-fqdn=""
proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256
dh-group=modp1024 lifetime=1h lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5
/ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
1 D src-address=SonicwallNet src-port=any dst-address=HomeNet
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=Home
sa-dst-address=Sonicwall proposal=default priority=2
2 D src-address=HomeNet src-port=any dst-address=SonicwallNet
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=Sonicwall
sa-dst-address=Home proposal=default priority=2
/ip ipsec proposal print
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=aes-256 lifetime=8h
pfs-group=modp1024
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=HomeNet
dst-address=SonicwallNet
1 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway
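Two things are worth checking mechanically in a configuration like the one above: whether each policy's sa-src-address/sa-dst-address follow the convention in the RouterOS documentation (sa-src-address is the local peer's public address, sa-dst-address the remote peer's), and whether the srcnat "accept" bypass for tunnel traffic is ordered before the masquerade rule, since srcnat runs before the IPsec policy lookup and masqueraded packets no longer match the policy. The script below is an added example written for this thread, not code from the original post or from MikroTik; it parses the text that `/ip ipsec policy print` and `/ip firewall nat print` produce and reports deviations. The addresses, subnets and sample output are constructed (RFC 5737 and RFC 1918 ranges) to mirror the post, with the RouterBoard as the local peer.

```python
"""Sanity checks for a MikroTik RouterOS IPsec site-to-site setup (added example)."""
import re
from dataclasses import dataclass

# A RouterOS print entry starts with its index, optional flag letters (X, D, I),
# then either ';;;' comment text or key=value pairs; long entries wrap onto
# continuation lines that carry more key=value pairs.
ENTRY_RE = re.compile(r"^(\d+)\s+((?:[A-Z]+\s+)*)(.*)$")
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Peer:
    public_ip: str  # address IKE/ESP is exchanged on (sa-src/sa-dst side)
    subnet: str     # private network behind this router (policy src/dst side)


def parse_print(output: str) -> list[dict]:
    """Turn `print` output into dicts with 'id', 'flags' and the key=value pairs."""
    entries: list[dict] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Flags:", "/")):
            continue  # header line or the command itself
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"id": int(m.group(1)), "flags": set("".join(m.group(2).split()))})
            line = m.group(3)
            if line.startswith(";;;"):
                entries[-1]["comment"] = line[3:].strip()
                continue
        if not entries:
            raise ValueError(f"continuation line before any entry: {raw!r}")
        for key, value in KV_RE.findall(line):
            entries[-1][key] = value.strip('"')
    return entries


def check_policies(policies: list[dict], local: Peer, remote: Peer) -> list[str]:
    """Flag policies whose SA endpoints are reversed or foreign, and weak levels."""
    findings, covered = [], set()
    for p in policies:
        if "X" in p["flags"]:
            continue  # disabled entries are not in effect
        pid = p["id"]
        if p.get("action") != "encrypt" or p.get("tunnel") != "yes":
            findings.append(f"policy {pid}: not an encrypting tunnel-mode policy")
            continue
        if p.get("level") != "require":
            findings.append(f"policy {pid}: level={p.get('level')}; only level=require drops "
                            "unprotected packets and asks IKE for an SA")
        covered.add((p.get("src-address"), p.get("dst-address")))
        sa = (p.get("sa-src-address"), p.get("sa-dst-address"))
        if sa == (remote.public_ip, local.public_ip):
            findings.append(f"policy {pid}: sa-src/sa-dst are the reverse of the documented "
                            "convention (local peer first)")
        elif sa != (local.public_ip, remote.public_ip):
            findings.append(f"policy {pid}: SA endpoints {sa[0]} -> {sa[1]} match neither peer")
    if (local.subnet, remote.subnet) not in covered:
        findings.append(f"no policy covers {local.subnet} -> {remote.subnet}")
    return findings


def check_nat_bypass(nat_rules: list[dict], local: Peer, remote: Peer) -> list[str]:
    """The srcnat accept for local->remote must come before any masquerade/src-nat rule."""
    findings = []
    active = [r for r in nat_rules if "X" not in r["flags"] and r.get("chain") == "srcnat"]
    for r in active:
        if (r.get("action") == "accept" and r.get("src-address") == local.subnet
                and r.get("dst-address") == remote.subnet):
            return findings  # bypass reached; anything after it is irrelevant
        if r.get("action") in ("masquerade", "src-nat"):
            findings.append(f"nat rule {r['id']}: {r['action']} precedes the IPsec bypass accept; "
                            "tunnel traffic would be NATed and miss the policy")
    findings.append(f"no srcnat accept rule for {local.subnet} -> {remote.subnet}")
    return findings


# Constructed sample mirroring the post: the RouterBoard is local, the SonicWall remote.
LOCAL = Peer(public_ip="203.0.113.10", subnet="192.168.10.0/24")
REMOTE = Peer(public_ip="198.51.100.20", subnet="10.10.0.0/24")

POLICY_PRINT = """\
Flags: X - disabled, D - dynamic, I - inactive
 1 D src-address=10.10.0.0/24 src-port=any dst-address=192.168.10.0/24
     dst-port=any protocol=all action=encrypt level=require
     ipsec-protocols=esp tunnel=yes sa-src-address=203.0.113.10
     sa-dst-address=198.51.100.20 proposal=default priority=2
 2 D src-address=192.168.10.0/24 src-port=any dst-address=10.10.0.0/24
     dst-port=any protocol=all action=encrypt level=require
     ipsec-protocols=esp tunnel=yes sa-src-address=198.51.100.20
     sa-dst-address=203.0.113.10 proposal=default priority=2
"""

NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=accept src-address=192.168.10.0/24
     dst-address=10.10.0.0/24
 1   ;;; default configuration
     chain=srcnat action=masquerade out-interface=ether1-gateway
"""


def audit(policy_print: str, nat_print: str, local: Peer, remote: Peer) -> list[str]:
    return (check_policies(parse_print(policy_print), local, remote)
            + check_nat_bypass(parse_print(nat_print), local, remote))


if __name__ == "__main__":
    for finding in audit(POLICY_PRINT, NAT_PRINT, LOCAL, REMOTE) or ["no findings"]:
        print(finding)
```

On the sample, policy 1 (remote net to local net) has sa-src-address set to the local public IP as the documentation describes, while policy 2 carries the reversed pair and is reported; the NAT bypass sits above the masquerade rule, so nothing is reported there. Paste your own `print` output in place of the sample strings and set the two Peer records to your real public IPs and subnets.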