ipsec to juniper

Hi,
I'm an absolute IPsec noob, but I have to set up a site-to-site connection from my MikroTik to a Juniper.
We need to access a specific IP/port on the remote site.

The IPsec connection seems to be up, but I'm unable to access the other side.
I guess I need an additional route so that our LAN can reach the other side (or something like this).

Could you maybe check my config?

This is what we got from "the other side":
Supplier: Juniper
Type: SRX
Model: 340
OS: Junos: 15.1X49-D50.3
Public IP Peer address: 193.123.456.145

IKE Proposal Parameters
Authentication Mode: Preshared keys
Preshared Key: mysecret
Authentication Algorithm: SHA1
Encryption Algorithm: AES256
Diffie-Hellman Group: Group 5
Time Lifetime: 86400

IPSEC Parameters
Authentication Algorithm: SHA-256
Encryption Algorithm: AES256
Encapsulation Mode: Tunnel (LAN to LAN)
Perfect Forward Secrecy: Disabled
Time Lifetime: 3600

Network Address / Netmask (Juniper): 192.168.1.33/32
Network Address / Netmask (our network): 192.168.0.10/24

This is my config
[admin@MikroTik] > /ip ipsec export

/ip ipsec peer
add address=193.123.456.145/32 exchange-mode=ike2 name=vpn
/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 enc-algorithm=aes-256 name=vpn
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm pfs-group=modp1536
/ip ipsec identity
add peer=vpn secret=mysecret
/ip ipsec policy
set 0 dst-address=192.168.1.33/32 src-address=192.168.0.0/24

I enabled the IPsec debug log, but it seems to be fine. I see only this as a "notify":

21:32:33 ipsec processing payloads: NOTIFY
21:32:33 ipsec notify: TS_UNACCEPTABLE
21:32:33 ipsec notify: SET_WINDOW_SIZE
21:32:33 ipsec ike auth: initiator finish

Thanks a lot for your help!
Patrick

You have PFS disabled for Juniper, but enabled for RouterOS (pfs-group=modp1536 in proposal).

Very cool, thank you!
I set the PFS group to “none”.

But I still see this:
20:26:54 ipsec processing payloads: NOTIFY
20:26:54 ipsec notify: NAT_DETECTION_SOURCE_IP
20:26:54 ipsec notify: NAT_DETECTION_DESTINATION_IP
20:26:54 ipsec notify: unknown 40002
→ “unknown 40002” isn't very specific :-/


20:26:54 ipsec processing payloads: NOTIFY
20:26:54 ipsec notify: TS_UNACCEPTABLE
20:26:54 ipsec notify: SET_WINDOW_SIZE
20:26:54 ipsec got error: TS_UNACCEPTABLE

I googled a lot, but can't find any useful info about the window size (except the RFC about that).

Maybe you have any further tips for me?

Here is the full log:

20:26:54 ipsec ike2 starting for: 193.123.456.145 
20:26:54 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
20:26:54 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
20:26:54 ipsec adding payload: NONCE 
20:26:54 ipsec adding payload: KE 
20:26:54 ipsec adding payload: SA 
20:26:54 ipsec <- ike2 request, exchange: SA_INIT:0 193.123.456.145[4500] 96a642f9b16ccba3:0000000000000000 
20:26:54 ipsec -> ike2 reply, exchange: SA_INIT:0 193.123.456.145[4500] 96a642f9b16ccba3:58bed30830f71fca 
20:26:54 ipsec ike2 initialize recv 
20:26:54 ipsec payload seen: SA 
20:26:54 ipsec payload seen: KE 
20:26:54 ipsec payload seen: NONCE 
20:26:54 ipsec payload seen: NOTIFY 
20:26:54 ipsec payload seen: NOTIFY 
20:26:54 ipsec payload seen: NOTIFY 
20:26:54 ipsec payload seen: VID 
20:26:54 ipsec processing payload: NONCE 
20:26:54 ipsec processing payload: SA 
20:26:54 ipsec IKE Protocol: IKE 
20:26:54 ipsec  proposal #1 
20:26:54 ipsec   enc: aes256-cbc 
20:26:54 ipsec   prf: hmac-sha1 
20:26:54 ipsec   auth: sha1 
20:26:54 ipsec   dh: modp1536 
20:26:54 ipsec matched proposal: 
20:26:54 ipsec  proposal #1 
20:26:54 ipsec   enc: aes256-cbc 
20:26:54 ipsec   prf: hmac-sha1 
20:26:54 ipsec   auth: sha1 
20:26:54 ipsec   dh: modp1536 
20:26:54 ipsec processing payload: KE 
20:26:54 ipsec,info new ike2 SA (I): 84.123.456.164[4500]-193.123.456.145[4500] spi:96a642f9b16ccba3:58bed30830f71fca 
20:26:54 ipsec processing payloads: NOTIFY 
20:26:54 ipsec   notify: NAT_DETECTION_SOURCE_IP 
20:26:54 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
20:26:54 ipsec   notify: unknown 40002 
20:26:54 ipsec init child 
20:26:54 ipsec init child continue 
20:26:54 ipsec offering proto: 3 
20:26:54 ipsec  proposal #1 
20:26:54 ipsec   enc: aes256-cbc 
20:26:54 ipsec   enc: aes256-ctr 
20:26:54 ipsec   enc: aes256-gcm 
20:26:54 ipsec   auth: sha1 
20:26:54 ipsec ID_I (ADDR4): 84.123.456.164 
20:26:54 ipsec adding payload: ID_I 
20:26:54 ipsec processing payload: NONCE 
20:26:54 ipsec adding payload: AUTH 
20:26:54 ipsec adding notify: INITIAL_CONTACT 
20:26:54 ipsec adding payload: SA 
20:26:54 ipsec initiator selector: 84.123.456.164 
20:26:54 ipsec adding payload: TS_I 
20:26:54 ipsec responder selector: 193.123.456.145 
20:26:54 ipsec adding payload: TS_R 
20:26:54 ipsec adding notify: USE_TRANSPORT_MODE 
20:26:54 ipsec <- ike2 request, exchange: AUTH:1 193.123.456.145[4500] 96a642f9b16ccba3:58bed30830f71fca 
20:26:54 ipsec -> ike2 reply, exchange: AUTH:1 193.123.456.145[4500] 96a642f9b16ccba3:58bed30830f71fca 
20:26:54 ipsec payload seen: ENC 
20:26:54 ipsec processing payload: ENC 
20:26:54 ipsec payload seen: ID_R 
20:26:54 ipsec payload seen: AUTH 
20:26:54 ipsec payload seen: NOTIFY 
20:26:54 ipsec payload seen: NOTIFY 
20:26:54 ipsec processing payloads: NOTIFY 
20:26:54 ipsec   notify: TS_UNACCEPTABLE 
20:26:54 ipsec   notify: SET_WINDOW_SIZE 
20:26:54 ipsec ike auth: initiator finish 
20:26:54 ipsec processing payload: ID_R 
20:26:54 ipsec ID_R (ADDR4): 193.123.456.145 
20:26:54 ipsec processing payload: AUTH 
20:26:54 ipsec requested auth method: SKEY 
20:26:54 ipsec,info,account peer authorized: 84.123.456.164[4500]-193.123.456.145[4500] spi:96a642f9b16ccba3:58bed30830f71fca 
20:26:54 ipsec processing payloads: NOTIFY 
20:26:54 ipsec   notify: TS_UNACCEPTABLE 
20:26:54 ipsec   notify: SET_WINDOW_SIZE 
20:26:54 ipsec got error: TS_UNACCEPTABLE 
20:28:54 ipsec sending dpd packet 
20:28:54 ipsec <- ike2 request, exchange: INFORMATIONAL:2 193.123.456.145[4500] 96a642f9b16ccba3:58bed30830f71fca 
20:28:54 ipsec -> ike2 reply, exchange: INFORMATIONAL:2 193.123.456.145[4500] 96a642f9b16ccba3:58bed30830f71fca 
20:28:54 ipsec payload seen: ENC 
20:28:54 ipsec processing payload: ENC 
20:28:54 ipsec respond: info 
20:30:54 ipsec sending dpd packet 
20:30:54 ipsec <- ike2 request, exchange: INFORMATIONAL:3 193.123.456.145[4500] 96a642f9b16ccba3:58bed30830f71fca 
20:30:54 ipsec -> ike2 reply, exchange: INFORMATIONAL:3 193.123.456.145[4500] 96a642f9b16ccba3:58bed30830f71fca 
20:30:54 ipsec payload seen: ENC 
20:30:54 ipsec processing payload: ENC 
20:30:54 ipsec respond: info 
20:32:54 ipsec sending dpd packet 
20:32:54 ipsec <- ike2 request, exchange: INFORMATIONAL:4 193.123.456.145[4500] 96a642f9b16ccba3:58bed30830f71fca 
20:32:54 ipsec -> ike2 reply, exchange: INFORMATIONAL:4 193.123.456.145[4500] 96a642f9b16ccba3:58bed30830f71fca 
20:32:54 ipsec payload seen: ENC 
20:32:54 ipsec processing payload: ENC 
20:32:54 ipsec respond: info 
20:34:54 ipsec sending dpd packet 
20:34:54 ipsec <- ike2 request, exchange: INFORMATIONAL:5 193.123.456.145[4500] 96a642f9b16ccba3:58bed30830f71fca 
20:34:54 ipsec -> ike2 reply, exchange: INFORMATIONAL:5 193.123.456.145[4500] 96a642f9b16ccba3:58bed30830f71fca 
20:34:54 ipsec payload seen: ENC 
20:34:54 ipsec processing payload: ENC 
20:34:54 ipsec respond: info

I don’t like this part of your configuration export:

/ip ipsec policy
set 0 dst-address=192.168.1.33/32 src-address=192.168.0.0/24

The thing is that if set is used in RouterOS configuration export, it always means a modification of parameters of some element in the configuration which exists by default. In the particular case of the /ip ipsec policy table, the only element which exists by default is a default policy template. Policy templates are used when the actual policy has to be generated dynamically. But your only /ip ipsec identity row doesn’t ask for dynamic policy generation. If no policy is linked to a peer and the identity row doesn’t order that a policy was generated, RouterOS automatically generates a transport mode policy with local peer’s own address as src-address and remote peer’s address as dst-address and asks the remote peer for such a policy; as the Juniper side configuration doesn’t foresee such one, it responds with TS_UNACCEPTABLE. (TS = Traffic Selector, a tuple of source and destination addresses, and optionally IP protocol and ports to be diverted to the Security Association constituted by the policy).

So you have to add the policy rather than modifying the default template:
/ip ipsec policy add dst-address=192.168.1.33/32 src-address=192.168.0.0/24 tunnel=yes peer=vpn

To reset the default template to its original values, you can use /ip ipsec policy set 0 src-address=::/0 dst-address=::/0, but it is not mandatory to make the connection to the Juniper work.
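To make the TS_UNACCEPTABLE explanation above concrete, here is an added Python model of the responder's traffic-selector check (written for this thread, not RouterOS or Junos code). It replays the auto-generated transport-mode policy against the Juniper's configured selectors, then the explicit tunnel policy from the fix; the two public peer addresses are constructed RFC 5737 stand-ins, because the anonymised ones in the thread are not parseable.

```python
from ipaddress import ip_network

# Juniper side from the thread: local host 192.168.1.33/32, remote LAN 192.168.0.0/24.
JUNIPER_POLICIES = [("192.168.1.33/32", "192.168.0.0/24")]

# Constructed RFC 5737 stand-ins for the two public peer addresses (the thread's
# anonymised 84.123.456.164 / 193.123.456.145 are not valid addresses).
MIKROTIK_WAN = "198.51.100.10/32"
JUNIPER_WAN = "203.0.113.5/32"

def intersect(a, b):
    """CIDR prefixes are either nested or disjoint: the overlap is the smaller one, or nothing."""
    a, b = ip_network(a), ip_network(b)
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None

def narrow(ts_i, ts_r, responder_policies):
    """Responder-side view of the IKEv2 selector check in IKE_AUTH.

    ts_i / ts_r are the initiator's proposed selectors (its own side first).
    Returns the narrowed (initiator side, responder side) pair as strings, or None,
    which the responder reports back as TS_UNACCEPTABLE.
    """
    for local, remote in responder_policies:
        src = intersect(ts_i, remote)   # what the initiator protects must lie inside our 'remote'
        dst = intersect(ts_r, local)    # what it asks for must lie inside our 'local'
        if src is not None and dst is not None:
            return str(src), str(dst)
    return None

if __name__ == "__main__":
    # 1. RouterOS auto-generated transport-mode policy: peer address <-> peer address.
    print(narrow(MIKROTIK_WAN, JUNIPER_WAN, JUNIPER_POLICIES))           # None
    # 2. Explicit tunnel policy from the fix: 192.168.0.0/24 <-> 192.168.1.33/32.
    print(narrow("192.168.0.0/24", "192.168.1.33/32", JUNIPER_POLICIES))
    # 3. Wider request: the responder narrows 192.168.1.0/24 down to its single host.
    print(narrow("192.168.0.0/24", "192.168.1.0/24", JUNIPER_POLICIES))
```

Case 3 goes slightly beyond the thread: RFC 7296 lets the responder narrow a wider proposal, so a /24 request for the Juniper side still succeeds, only smaller.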

Thanks a lot for your explanation!
I reset the default value and added a new one.
I also found a misconfiguration in my proposal (sha1 instead of sha256).

Here is my full log:

22:57:02 ipsec <- ike2 request, exchange: INFORMATIONAL:5 193.123.456.145[4500] 44587501d57eb463:1a988d7f76745035 
22:57:02 system,info ipsec peer peer-vpn changed by admin 
22:57:02 ipsec -> ike2 reply, exchange: INFORMATIONAL:5 193.123.456.145[4500] 44587501d57eb463:1a988d7f76745035 
22:57:02 ipsec SPI 63b47ed501755844 not registered for 193.123.456.145[4500] 
22:57:23 system,info ipsec peer peer-vpn changed by admin 
22:57:23 ipsec ike2 starting for: 193.123.456.145 
22:57:23 ipsec adding payload: NONCE 
22:57:23 ipsec adding payload: KE 
22:57:23 ipsec adding payload: SA 
22:57:23 ipsec <- ike2 request, exchange: SA_INIT:0 193.123.456.145[4500] 1994433b2c7f4b12:0000000000000000 
22:57:23 ipsec -> ike2 reply, exchange: SA_INIT:0 193.123.456.145[4500] 1994433b2c7f4b12:7740abd74a195127 
22:57:23 ipsec ike2 initialize recv 
22:57:23 ipsec payload seen: SA 
22:57:23 ipsec payload seen: KE 
22:57:23 ipsec payload seen: NONCE 
22:57:23 ipsec payload seen: NOTIFY 
22:57:23 ipsec payload seen: VID 
22:57:23 ipsec processing payload: NONCE 
22:57:23 ipsec processing payload: SA 
22:57:23 ipsec IKE Protocol: IKE 
22:57:23 ipsec  proposal #1 
22:57:23 ipsec   enc: aes256-cbc 
22:57:23 ipsec   prf: hmac-sha1 
22:57:23 ipsec   auth: sha1 
22:57:23 ipsec   dh: modp1536 
22:57:23 ipsec matched proposal: 
22:57:23 ipsec  proposal #1 
22:57:23 ipsec   enc: aes256-cbc 
22:57:23 ipsec   prf: hmac-sha1 
22:57:23 ipsec   auth: sha1 
22:57:23 ipsec   dh: modp1536 
22:57:23 ipsec processing payload: KE 
22:57:23 ipsec,info new ike2 SA (I): 84.123.456.164[4500]-193.123.456.145[4500] spi:1994433b2c7f4b12:7740abd74a195127 
22:57:23 ipsec processing payloads: NOTIFY 
22:57:23 ipsec   notify: unknown 40002 
22:57:23 ipsec init child for policy: 192.168.0.0/24 <=> 192.168.1.33 
22:57:23 ipsec init child continue 
22:57:23 ipsec offering proto: 3 
22:57:23 ipsec  proposal #1 
22:57:23 ipsec   enc: aes256-cbc 
22:57:23 ipsec   enc: aes256-ctr 
22:57:23 ipsec   enc: aes256-gcm 
22:57:23 ipsec   auth: sha256 
22:57:23 ipsec ID_I (ADDR4): 84.123.456.164 
22:57:23 ipsec adding payload: ID_I 
22:57:23 ipsec processing payload: NONCE 
22:57:23 ipsec adding payload: AUTH 
22:57:23 ipsec adding notify: INITIAL_CONTACT 
22:57:23 ipsec adding payload: SA 
22:57:23 ipsec initiator selector: 192.168.0.0/24 
22:57:23 ipsec adding payload: TS_I 
22:57:23 ipsec responder selector: 192.168.1.33 
22:57:23 ipsec adding payload: TS_R 
22:57:23 ipsec <- ike2 request, exchange: AUTH:1 193.123.456.145[4500] 1994433b2c7f4b12:7740abd74a195127 
22:57:24 ipsec -> ike2 reply, exchange: AUTH:1 193.123.456.145[4500] 1994433b2c7f4b12:7740abd74a195127 
22:57:24 ipsec payload seen: ENC 
22:57:24 ipsec processing payload: ENC 
22:57:24 ipsec payload seen: ID_R 
22:57:24 ipsec payload seen: AUTH 
22:57:24 ipsec payload seen: SA 
22:57:24 ipsec payload seen: TS_I 
22:57:24 ipsec payload seen: TS_R 
22:57:24 ipsec payload seen: NOTIFY 
22:57:24 ipsec processing payloads: NOTIFY 
22:57:24 ipsec   notify: SET_WINDOW_SIZE 
22:57:24 ipsec ike auth: initiator finish 
22:57:24 ipsec processing payload: ID_R 
22:57:24 ipsec ID_R (ADDR4): 193.123.456.145 
22:57:24 ipsec processing payload: AUTH 
22:57:24 ipsec requested auth method: SKEY 
22:57:24 ipsec,info,account peer authorized: 84.123.456.164[4500]-193.123.456.145[4500] spi:1994433b2c7f4b12:7740abd74a195127 
22:57:24 ipsec processing payloads: NOTIFY 
22:57:24 ipsec   notify: SET_WINDOW_SIZE 
22:57:24 ipsec peer selected tunnel mode 
22:57:24 ipsec processing payload: TS_I 
22:57:24 ipsec 192.168.0.0/24 
22:57:24 ipsec processing payload: TS_R 
22:57:24 ipsec 192.168.1.33 
22:57:24 ipsec my vs peer's selectors: 
22:57:24 ipsec 192.168.0.0/24 vs 192.168.0.0/24 
22:57:24 ipsec 192.168.1.33 vs 192.168.1.33 
22:57:24 ipsec processing payload: SA 
22:57:24 ipsec IKE Protocol: ESP 
22:57:24 ipsec  proposal #1 
22:57:24 ipsec   enc: aes256-cbc 
22:57:24 ipsec   auth: sha256 
22:57:24 ipsec matched proposal: 
22:57:24 ipsec  proposal #1 
22:57:24 ipsec   enc: aes256-cbc 
22:57:24 ipsec   auth: sha256 
22:57:24 ipsec IPsec-SA established: 193.123.456.145[4500]->84.123.456.164[4500] spi=0x67838a9 
22:57:24 ipsec IPsec-SA established: 84.123.456.164[4500]->193.123.456.145[4500] spi=0x7eae1e22

It doesn't look half as bad now:

 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS                         
 0    193.123.456.145        established        9m19s                   1 193.123.456.145

But I can't ping the IP address on the other end, and a traceroute (/tool traceroute 192.168.1.33) goes through my default gateway, not through the IPsec connection.
Do I need a route for that?

I read something about srcnat, but I guess this is the wrong way..
0 chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.1.33 log=no log-prefix=""
1 chain=srcnat action=masquerade log=no log-prefix=""

All firewall processing, including NAT, takes place before the outgoing packets are matched to the traffic selectors of IPsec policies. Since the regular routing finds a route via some interface, the packets get src-nat’ed to the address of that interface thanks to the rule 1 above.

To prevent the packets from 192.168.0.0/24 to 192.168.1.33 from getting src-nat’ed and thus getting missed by the traffic selector, either the rule 0 above is required, or an action=notrack src-address=192.168.0.0/24 dst-address=192.168.1.33 in chain prerouting of /ip firewall raw - both have the same effect, packets from 192.168.0.0/24 to 192.168.1.33 do not get src-nat’ed.

But the above is not sufficient when pinging/tracerouting from the router itself, as in that case, another thing comes into play - the source address of packets sent by the router itself is chosen according to the route found by the regular routing. Since you (probably) have only the default route via WAN and the routes to local subnets, when pinging an address which is not in a connected subnet, the route via WAN is chosen, and therefore the WAN IP is used as the source one. Packets with that source address don’t match the policy’s traffic selector, so they don’t get intercepted by the policy.

So if you don’t need that the router itself talks to 192.168.1.33 during normal operation, it is enough to add src-address=192.168.0.x (router’s own IP address in 192.168.0.0/24) to the ping or traceroute parameter list. If you do, there are two ways - either add a dedicated route to 192.168.1.33/32, via any gateway, with pref-src=192.168.0.x, or add a rule src-address-type=local dst-address=192.168.1.33 action=src-nat to-addresses=192.168.0.x to chain srcnat of /ip firewall nat - even before rule 0 above if it is present, and definitely before rule 1.
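As an added illustration (not from the thread, and not RouterOS code), this Python model replays the order just described: chain srcnat runs first, then the packet is compared with the policy's traffic selector, and for the router's own packets the source address comes from the route's pref-src. WAN_IP, LAN_IP and the route table are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses: the router's public side and its address inside 192.168.0.0/24.
WAN_IP = "198.51.100.10"
LAN_IP = "192.168.0.1"
# Traffic selector of the tunnel policy from the thread (src-address / dst-address).
POLICY = ("192.168.0.0/24", "192.168.1.33/32")
# Regular routing as assumed in the thread: default route via WAN plus the connected LAN.
ROUTES = [{"dst": "0.0.0.0/0", "pref_src": WAN_IP}, {"dst": "192.168.0.0/24", "pref_src": LAN_IP}]

def rule_matches(pkt, rule):
    if "src" in rule and ip_address(pkt["src"]) not in ip_network(rule["src"]):
        return False
    if "dst" in rule and ip_address(pkt["dst"]) not in ip_network(rule["dst"]):
        return False
    # src-address-type=local: the packet was generated by the router itself.
    if rule.get("src_type") == "local" and pkt["src"] not in (WAN_IP, LAN_IP):
        return False
    return True

def srcnat(pkt, rules):
    """Chain srcnat: the first matching rule terminates processing, as in /ip firewall nat."""
    for rule in rules:
        if rule_matches(pkt, rule):
            if rule["action"] == "masquerade":
                # The route lookup for 192.168.1.33 hits the default route, so WAN_IP is used.
                return dict(pkt, src=WAN_IP)
            if rule["action"] == "src-nat":
                return dict(pkt, src=rule["to"])
            return pkt  # accept: leave the packet untouched
    return pkt

def router_source(dst, routes):
    """Source address the router picks for its own packets: pref-src of the most specific route."""
    best = max((r for r in routes if ip_address(dst) in ip_network(r["dst"])),
               key=lambda r: ip_network(r["dst"]).prefixlen)
    return best["pref_src"]

def intercepted(pkt, rules):
    """True if the packet still matches the policy selector once NAT has run."""
    out = srcnat(pkt, rules)
    return (ip_address(out["src"]) in ip_network(POLICY[0])
            and ip_address(out["dst"]) in ip_network(POLICY[1]))

MASQ_ONLY = [{"action": "masquerade"}]                                       # rule 1 alone
ACCEPT_FIRST = [{"action": "accept", "src": "192.168.0.0/24", "dst": "192.168.1.33/32"}] + MASQ_ONLY
ROUTER_FIX = [{"action": "src-nat", "src_type": "local", "dst": "192.168.1.33/32", "to": LAN_IP}] + ACCEPT_FIRST
```

Run intercepted() with a LAN host packet against MASQ_ONLY and ACCEPT_FIRST, then with a packet sourced from router_source("192.168.1.33", ROUTES) against ACCEPT_FIRST and ROUTER_FIX, to see each of the four situations from the post.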

Thanks a lot for your help and the great explanation!
Everything makes absolute sense to me - so I changed the things you said, and everything is working now as expected :slight_smile:

Patrick