Hello all,
I configured my first S2S IPsec tunnel on our RB1000 (ROS 3.22) to a customer's Cisco ASA.
From the customer I got one IP to NAT my server IP to, and I have to reach 2 hosts, and maybe later different client subnets, through the IPsec tunnel and vice versa.
So I configured src-nat to hide my server IP behind the private customer IP, in case my server tries to reach the 2 customer servers.
Furthermore I configured 2 IPsec policies, one for each server IP on the customer site, because I don't have any influence over the customer's Cisco and there are 2 hosts (/32) configured for the tunnel.
/ip ipsec> policy print
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=192.x.x.x/32:any dst-address=172.x.x.x/32:any
     protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
     sa-src-address=212.x.x.x sa-dst-address=194.x.x.x
     proposal=cust-prop priority=0

 1   src-address=192.x.x.x/32:any dst-address=172.y.y.y/32:any
     protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
     sa-src-address=212.x.x.x sa-dst-address=194.x.x.x
     proposal=cust-prop priority=0
If I now ping one remote server IP, the tunnel (phase 1 and phase 2) is established and I get an ICMP reply.
But if I ping the second server IP I don't get any answer, and I see:
/ip ipsec policy> print stats
 0   ph2-state=established
 1   ph2-state=no-phase2
If I try to ping the second server IP after I flush the installed SAs, I get an ICMP reply from that server and no reply from the first one.
How do I have to configure the policy to reach both destination IPs and, later, client subnets?
Tunnel configuration:
/ip ipsec> peer print
Flags: X - disabled
 0   address=194.x.x.x/32:500 auth-method=pre-shared-key
     secret="xxxxxxxx" generate-policy=no exchange-mode=main
     send-initial-contact=yes nat-traversal=no proposal-check=obey
     hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=4h
     lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

/ip ipsec> proposal print
Flags: X - disabled
 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
     pfs-group=modp1024

 1   name="cust-prop" auth-algorithms=sha1 enc-algorithms=aes-256
     lifetime=4h pfs-group=none

/ip ipsec> remote-peers print
 0   local-address=212.x.x.x remote-address=194.x.x.x state=established
     side=initiator established=9m2s
Thanks in advance for any clue.
Thomas
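The setup described in the post, written out as the RouterOS CLI commands that produce it, as an added example; this is not part of Thomas's post and not a fix for the no-phase2 symptom. All addresses are placeholders standing in for the masked values (10.0.0.10 for the local server, 192.168.50.10 for the private IP the customer assigned for NAT, 172.16.10.1 and 172.16.20.1 for the two customer hosts, 198.51.100.1 and 203.0.113.1 for the two tunnel endpoints). The src-nat and dst-nat rules are an assumption: the post says src-nat is configured but does not show the rule, and the dst-nat rule is only what "vice versa" would require. The peer and policy address syntax mirrors the print output in the post.

```routeros
# Added example, not from the original post. Placeholder addresses:
#   local server (behind the RB1000)         10.0.0.10
#   private IP assigned by the customer      192.168.50.10   (assumption)
#   customer hosts through the tunnel        172.16.10.1, 172.16.20.1
#   tunnel endpoints: local / customer ASA   198.51.100.1 / 203.0.113.1

# Phase 2 proposal as printed in the post (cust-prop, no PFS)
/ip ipsec proposal
add name=cust-prop auth-algorithms=sha1 enc-algorithms=aes-256 \
    lifetime=4h pfs-group=none

# Phase 1 peer as printed in the post (ROS 3.x keeps the port in the address)
/ip ipsec peer
add address=203.0.113.1/32:500 auth-method=pre-shared-key \
    secret="xxxxxxxx" generate-policy=no exchange-mode=main \
    send-initial-contact=yes nat-traversal=no proposal-check=obey \
    hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 \
    lifetime=4h dpd-interval=disable-dpd

# One /32 policy per customer host, both to the same SA endpoints.
# The src-address is the NATed address: on the RB1000 the srcnat rule
# is applied before the IPsec policy lookup, so the policy has to match
# the translated source, not the real server IP.
/ip ipsec policy
add src-address=192.168.50.10/32:any dst-address=172.16.10.1/32:any \
    protocol=all action=encrypt level=require ipsec-protocols=esp \
    tunnel=yes sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 \
    proposal=cust-prop
add src-address=192.168.50.10/32:any dst-address=172.16.20.1/32:any \
    protocol=all action=encrypt level=require ipsec-protocols=esp \
    tunnel=yes sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 \
    proposal=cust-prop

# Assumed NAT rules (the post describes src-nat but does not show it).
# Outbound: hide the server behind the customer-assigned private IP,
# only for traffic to the two customer hosts.
/ip firewall nat
add chain=srcnat src-address=10.0.0.10 dst-address=172.16.10.1 \
    action=src-nat to-addresses=192.168.50.10
add chain=srcnat src-address=10.0.0.10 dst-address=172.16.20.1 \
    action=src-nat to-addresses=192.168.50.10
# Inbound ("vice versa"): map the private IP back to the real server.
add chain=dstnat dst-address=192.168.50.10 \
    action=dst-nat to-addresses=10.0.0.10

# Diagnostics used in the post: phase-2 state per policy, the SAs
# currently installed, and flushing them to force a fresh negotiation.
/ip ipsec policy print stats
/ip ipsec installed-sa print
/ip ipsec remote-peers print
/ip ipsec installed-sa flush
```

When reproducing the problem, compare `installed-sa print` before and after pinging each host: with two separate /32 policies to the same peer there should be one ESP SA pair per policy (two inbound, two outbound), and whichever policy shows `ph2-state=no-phase2` should also be missing from that list.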