Hi!
I am trying to set up a tunnel. Cisco-side config:
object network REMOTE
host <cisco side PRIVATE IP>
object network REMOTE2
host <mtik side PRIVATE IP>
access-list out extended permit ip object REMOTE object REMOTE2
crypto map outside_map1 2 match address out
crypto map outside_map1 2 set pfs group5
crypto map outside_map1 2 set peer <mtik side PUBLIC IP>
crypto map outside_map1 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto ikev1 policy 50
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
group-policy MyPolicy internal
group-policy MyPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group <mtik side PUBLIC IP> type ipsec-l2l
tunnel-group <mtik side PUBLIC IP> general-attributes
default-group-policy MyPolicy
tunnel-group <mtik side PUBLIC IP> ipsec-attributes
ikev1 pre-shared-key reallysecurekey
MikroTik-side config:
/ip firewall filter
add action=accept chain=forward src-address=<mtik side PRIVATE IP>
/ip firewall raw
add action=notrack chain=prerouting dst-address=<mtik side PRIVATE IP> \
src-address=<cisco side PRIVATE IP>
add action=notrack chain=prerouting dst-address=<cisco side PRIVATE IP> \
src-address=<mtik side PRIVATE IP>
/ip ipsec policy group
set [ find default=yes ] name=vpn
add name=CISCO
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=3des lifetime=8h name=CISCO \
pfs-group=modp1536
/ip ipsec peer
add address=<cisco side PUBLIC IP> comment="PEER" dh-group=modp1536 \
enc-algorithm=3des generate-policy=port-strict notrack-chain=prerouting \
policy-template-group=CISCO secret="reallysecurekey"
/ip ipsec policy
add dst-address=<cisco side PRIVATE IP> proposal=CISCO sa-dst-address=<cisco side PUBLIC IP> \
sa-src-address=<mtik side PUBLIC IP> src-address=<mtik side PRIVATE IP> tunnel=yes
The tunnel is up, phase 1 & 2 OK, but I can't reach the Cisco private IP from the MikroTik-side private IP.
I see in-template-mismatches increasing with every ping.
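An added example, not part of the original post, of a MikroTik-side configuration that leaves exactly one policy in play for this traffic, plus the commands for checking it. Background: in-template-mismatches is the RouterOS name for the Linux XfrmInTmplMismatch counter, which (roughly) increments when a packet is decrypted by a valid SA but the policy selected for its inner addresses expects a different SA (other tunnel endpoints, mode, or a policy other than the one the SA was negotiated for). In the posted config the peer has generate-policy=port-strict with policy-template-group=CISCO, so RouterOS will also try to build policies from templates in that group when the ASA proposes phase 2, while the static policy is neither a template nor in that group. Whether that overlap is the real cause is an assumption here, since the post does not include the IPsec log or `/ip ipsec policy print` output. Other assumptions: RouterOS 6.4x syntax, the same placeholder addresses as in the post, and the Cisco `crypto ikev1 policy 50` (3des/sha/group 5) left as posted, so phase 1 from this side must still offer 3des+sha1+modp1536; phase 2 is moved to ESP-AES-256-SHA, which the posted transform-set list already contains.

```routeros
# Added example (not the original poster's config). Assumes RouterOS 6.4x and
# the placeholder addresses used in the post. Intended to replace the posted
# /ip ipsec peer, proposal and policy entries for this tunnel.

# 1. Peer: no generated policies, so the static tunnel policy below is the
#    only one. Phase 1 settings mirror the Cisco "crypto ikev1 policy 50".
/ip ipsec peer
add address=<cisco side PUBLIC IP> comment="PEER" exchange-mode=main \
    generate-policy=no hash-algorithm=sha1 dh-group=modp1536 \
    enc-algorithm=3des lifetime=1d secret="reallysecurekey"

# 2. Proposal: matches ESP-AES-256-SHA from the Cisco transform-set list and
#    "set pfs group5"; 8h is the ASA's default phase-2 lifetime (28800 s).
/ip ipsec proposal
add name=CISCO auth-algorithms=sha1 enc-algorithms=aes-256-cbc \
    lifetime=8h pfs-group=modp1536

# 3. One static tunnel policy, host to host, same as the Cisco ACL "out".
/ip ipsec policy
add src-address=<mtik side PRIVATE IP>/32 dst-address=<cisco side PRIVATE IP>/32 \
    sa-src-address=<mtik side PUBLIC IP> sa-dst-address=<cisco side PUBLIC IP> \
    proposal=CISCO tunnel=yes action=encrypt level=require

# 4. Checks: the counter should stop moving; the policy should show
#    ph2-state=established and one inbound/outbound SA pair per direction.
/system logging add topics=ipsec,!packet action=memory
/ping <cisco side PRIVATE IP> src-address=<mtik side PRIVATE IP> count=5
/ip ipsec statistics print
/ip ipsec policy print
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

Two caveats a reviewer would raise on the posted config regardless of the counter: the Cisco `set ikev1 transform-set` line also lists ESP-DES and MD5 variants, so any peer that proposes them will be accepted; trimming it to the AES/SHA entries removes that downgrade path. And `ping` sourced from the router's own private IP goes through the output chain, not the forward chain the posted accept rule is in, so that rule does not cover the test traffic either way.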