Hey all.
I am trying to connect RouterOS to VPN server, but it keeps giving me error 'failed to get proposal for policy.
I have VPN server vpn.opt.example.co.rw which is set up and working. I have a bunch of Rapsberry Pi which are connected to that VPN server and works totally fine.
I know and can see all the working configurations between VPN server(run on linux machine) and any of connected Raspberry Pi’s (linux machine), which are:
VPN(running strongSwan U5.4.0/K3.16.0-4-amd64):
cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="ike 1, knl 1, cfg 1"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
dpdaction=clear
dpddelay=10
conn mp_iap
left=%defaultroute
right=%any
leftsubnet=10.0.0.0/8,172.30.0.0/16
rightsourceip=10.10.0.0/16
leftfirewall=yes
auto=add
dpdaction=clear
dpddelay=20s
forceencaps=yes
compress=yes
conn iap-4-001
rightsourceip=10.10.4.1
rightid=iap-4-001@example.co.rw
also=mp_iap
conn iap-4-107
rightsourceip=10.10.4.107
rightid=iap-4-107@example.co.rw
also=mp_iap
cat ipsec.secrets
iap-4-001@example.co.rw : PSK WOOdexample
iap-4-107@example.co.rw : PSK WOOdexample
From Raspberry Pi iap-4-001 (running strongSwan U5.3.3/K4.9.35-v7+):
cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration files
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=%forever
keyexchange=ikev2
authby=secret
dpdaction=restart
dpddelay=10
conn office
left=%defaultroute
leftid=iap-4-001@example.co.rw
leftfirewall=yes
leftsourceip=%config
right=vpn.ops.example.co.rw
rightsubnet=10.0.0.0/8
auto=add
cat ipsec.secrets
: PSK WOOdexample
There two machine’s connection works perfectly. But when I try to configure RouterOS like:
[admin@MikroTik-gitaraga-router] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 T group=M src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=MeshPower VPN
template=yes
2 XI src-address=0.0.0.0/0 src-port=any dst-address=10.0.0.0/8 dst-port=any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0
sa-dst-address=46.101.50.333 proposal=MeshPower VPN ph2-count=0
[admin@MikroTik-gitaraga-router] > /ip ipsec policy group print
Flags: * - default
# NAME
0 * default
1 M
[admin@MikroTik-gitaraga-router] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 address=vpn.ops.example.co.rw auth-method=pre-shared-key secret="WOOdexample"
generate-policy=no policy-template-group=M exchange-mode=ike2 send-initial-contact=yes
my-id=key-id:iap-4-107@example.co.rw hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1536 lifetime=1d dpd-interval=2m
[admin@MikroTik-gitaraga-router] > /ip ipsec proposal print
Flags: X - disabled, * - default
0 X* name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc
lifetime=1m pfs-group=none
1 name="MeshPower VPN" auth-algorithms=sha1 enc-algorithms=3des lifetime=1m pfs-group=modp1536
Checking RouterOS log file it shows me error:
“failed to get proposal for policy”
Please see full log here as pic here - https://ibb.co/fu1E4c
I was very hesitant about what encryption algorithms to choose when configuring routeros, but i have found some default values in strongswan docs - https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
Can anyone please help me to setup strongswan on Routeros?
