IPsec Site-To-Site VPN EdgeRouter to MikroTik

I’m having some trouble getting phase two to work between an edgerouter and a MikroTik router and I could use some pointers.

Phase one connects but it can’t establish phase 2.

Any help would be much appreciated.

Edge router config:

set vpn ipsec esp-group FOO2 compression disable
set vpn ipsec esp-group FOO2 lifetime 3600
set vpn ipsec esp-group FOO2 mode tunnel
set vpn ipsec esp-group FOO2 pfs disable
set vpn ipsec esp-group FOO2 proposal 1 encryption aes256
set vpn ipsec esp-group FOO2 proposal 1 hash sha1
set vpn ipsec ike-group FOO2 ikev2-reauth no
set vpn ipsec ike-group FOO2 key-exchange ikev1
set vpn ipsec ike-group FOO2 lifetime 28800
set vpn ipsec ike-group FOO2 proposal 1 dh-group 14
set vpn ipsec ike-group FOO2 proposal 1 encryption aes256
set vpn ipsec ike-group FOO2 proposal 1 hash sha1

set vpn ipsec site-to-site peer remote-site.name authentication mode pre-shared-secret
set vpn ipsec site-to-site peer remote-site.name authentication pre-shared-secret secretkey
set vpn ipsec site-to-site peer remote-site.name connection-type initiate
set vpn ipsec site-to-site peer remote-site.name description remote-site
set vpn ipsec site-to-site peer remote-site.name dhcp-interface eth0
set vpn ipsec site-to-site peer remote-site.name ike-group FOO2
set vpn ipsec site-to-site peer remote-site.name ikev2-reauth inherit
set vpn ipsec site-to-site peer remote-site.name tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer remote-site.name tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer remote-site.name tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer remote-site.name tunnel 1 local prefix 192.168.0.0/24
set vpn ipsec site-to-site peer remote-site.name tunnel 1 remote prefix 192.168.1.0/24

MikroTik config:

peer

address=1.1.1.1/32 auth-method=pre-shared-key secret="secretkey" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes
proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=ec2n185,ec2n155,modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024,modp768 lifetime=1d
dpd-interval=2m dpd-maximum-failures=5

policy

src-address=192.168.1.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2
sa-dst-address=1.1.1.1 proposal=default priority=0 ph2-count=0

I have an IPSEC VPN working between a Mikrotik RB750gr3 and an ER, so it’s possible.

Phase 2 is covered by the IPSEC Proposal on the Mikrotik. You didn’t post that, so maybe you didn’t set one up. Settings must match the ER, of course.

My Mikrotik defaults to PFS enabled, using modp1024. You have PFS disabled on the ER. Try to enable PFS on the ER as well.
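
The reply above comes down to one check: the ESP settings on both ends (cipher, integrity hash, PFS group, and to a lesser degree lifetime) have to line up, and the two vendors spell them differently. The script below is an added example, not code from this thread or from either vendor, that parses an EdgeRouter `esp-group` block and a MikroTik `/ip ipsec proposal` line and reports what would stop phase 2 from negotiating. The EdgeRouter lines are taken from the original post; the MikroTik proposal line is an assumption (the poster did not include theirs), and the EdgeOS/MikroTik name mappings and the "pfs enable inherits the IKE DH group" rule are assumptions noted in the code.

```python
"""Check whether an EdgeRouter ESP group and a MikroTik IPsec proposal can
agree on a phase-2 (Child SA) proposal.  Added example, not from the thread."""
import re

# Constructed input: the esp-group lines from the original post.
EDGEROUTER_CONFIG = """\
set vpn ipsec esp-group FOO2 compression disable
set vpn ipsec esp-group FOO2 lifetime 3600
set vpn ipsec esp-group FOO2 mode tunnel
set vpn ipsec esp-group FOO2 pfs disable
set vpn ipsec esp-group FOO2 proposal 1 encryption aes256
set vpn ipsec esp-group FOO2 proposal 1 hash sha1
"""

# Assumed MikroTik proposal (the thread does not show it); a RouterOS 6
# default-style entry with PFS on modp1024, as the reply describes.
MIKROTIK_PROPOSAL = ("name=default auth-algorithms=sha1 enc-algorithms=aes-256-cbc "
                     "lifetime=30m pfs-group=modp1024")

# Assumed vendor spellings of the same algorithms / DH groups.
EDGE_ENC = {"aes128": "aes-128-cbc", "aes256": "aes-256-cbc", "3des": "3des"}
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
             "15": "modp3072", "16": "modp4096", "17": "modp6144", "18": "modp8192"}


def parse_edgerouter_esp(config, group):
    """Collect 'set vpn ipsec esp-group <group> ...' lines into a dict;
    'proposal N key value' lines go under settings['proposals'][N]."""
    pattern = re.compile(r"^set vpn ipsec esp-group %s (.+)$" % re.escape(group))
    settings = {"proposals": {}}
    for line in config.splitlines():
        match = pattern.match(line.strip())
        if not match:
            continue
        tokens = match.group(1).split()
        if tokens[0] == "proposal":
            _, index, key, value = tokens
            settings["proposals"].setdefault(index, {})[key] = value
        else:
            settings[tokens[0]] = tokens[1]
    return settings


def parse_mikrotik_proposal(line):
    """Turn 'key=value key=value ...' into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def parse_duration(text):
    """MikroTik lifetimes look like '30m', '1d' or '1h30m'; EdgeOS uses seconds."""
    if text.isdigit():
        return int(text)
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([dhms])", text))


def edge_pfs_group(settings, ike_dh_group):
    """Resolve the EdgeOS 'pfs' value to a MikroTik-style group name (or None).
    Assumption: 'pfs enable' reuses the IKE group's DH group, as in VyOS."""
    pfs = settings.get("pfs", "enable")
    if pfs == "disable":
        return None
    if pfs == "enable":
        return DH_GROUPS[ike_dh_group]
    return DH_GROUPS[pfs[len("dh-group"):]]


def compare_phase2(edge, tik, ike_dh_group="14"):
    """Return (severity, message) findings. 'error' means no Child SA can be
    agreed; 'warning' means it will negotiate but the ends differ."""
    findings = []
    edge_enc = {EDGE_ENC.get(p["encryption"], p["encryption"]) for p in edge["proposals"].values()}
    edge_auth = {p["hash"] for p in edge["proposals"].values()}
    tik_enc = set(tik["enc-algorithms"].split(","))
    tik_auth = set(tik["auth-algorithms"].split(","))
    if not edge_enc & tik_enc:
        findings.append(("error", "no common encryption: ER %s vs MikroTik %s"
                         % (sorted(edge_enc), sorted(tik_enc))))
    if not edge_auth & tik_auth:
        findings.append(("error", "no common hash: ER %s vs MikroTik %s"
                         % (sorted(edge_auth), sorted(tik_auth))))
    er_pfs = edge_pfs_group(edge, ike_dh_group)
    tik_pfs = tik.get("pfs-group", "none")
    tik_pfs = None if tik_pfs == "none" else tik_pfs
    if er_pfs != tik_pfs:
        findings.append(("error", "PFS mismatch: ER %s vs MikroTik %s"
                         % (er_pfs or "disabled", tik_pfs or "disabled")))
    er_life = int(edge.get("lifetime", "3600"))
    tik_life = parse_duration(tik.get("lifetime", "30m"))
    if er_life != tik_life:
        findings.append(("warning", "lifetime differs: ER %ds vs MikroTik %ds"
                         % (er_life, tik_life)))
    return findings


def run_check(edge_config=EDGEROUTER_CONFIG, tik_line=MIKROTIK_PROPOSAL):
    return compare_phase2(parse_edgerouter_esp(edge_config, "FOO2"),
                          parse_mikrotik_proposal(tik_line))


if __name__ == "__main__":
    for severity, message in run_check():
        print("%-7s %s" % (severity.upper(), message))
```

Run as-is it flags the PFS mismatch from the reply (ER disabled vs MikroTik modp1024) as an error and the 3600s vs 30m lifetime as a warning; changing the ER line to `pfs dh-group2` clears the error, since that is modp1024 on the MikroTik side.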

Thanks!

I was able to get it to work finally. :slight_smile:

Good to hear you got it working. It can be tricky!