Hello All, I’m a first-time “Mikrotiker”, and I’m attempting to get an IPSec tunnel going between two Mikrotik devices:
Device 1: RB750 - v4.11 - Level 4 (Internet working through an ADSL connection)
Device 2: RB433UAH - v4.11 - Level 5 (Internet working through a Huawei USB 3G stick)
I am able to ping the public IP address of each device from the other device.
I have used the guide shown on this page to set up the IP tunnel: http://gregsowell.com/?p=787
I have triple-checked my settings, and I can’t see any issues.
My problem is that the IPSec tunnel, from what I can tell, won’t even start. I have enabled IPSec logging (memory), but nothing is showing up when I trigger the IPSec connection. To trigger it I am attempting to ping device 2’s private IP address from device 1, and vice versa. In Winbox, nothing shows up in the IPSec “Remote Peers” and “Installed SAs” tabs.
Device 1’s config:
/ip ipsec peer print detail
0 address=59.167.yyy.zz/32:500 auth-method=pre-shared-key secret="n3vpsk1" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
/ip ipsec policy print detail
0 src-address=192.168.20.0/24:any dst-address=192.168.88.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=118.210.yy.zzz sa-dst-address=59.167.yyy.zz proposal=default priority=0
/ip firewall nat print detail
0 chain=srcnat action=accept src-address=192.168.20.0/24 dst-address=192.168.88.0/24
1 ;;; Added by webbox
chain=srcnat action=masquerade out-interface=pppoe-out1
/ip firewall filter print
0 ;;; Added by webbox
chain=input action=accept protocol=icmp
1 ;;; Added by webbox
chain=input action=accept connection-state=established in-interface=pppoe-out1
2 ;;; Added by webbox
chain=input action=accept connection-state=related in-interface=pppoe-out1
3 X ;;; RDP to NevDesktop
chain=forward action=accept protocol=tcp src-address-list="" in-interface=pppoe-out1 dst-port=3389
4 ;;; IPSec-ESP
chain=input action=accept protocol=udp src-port=500 dst-port=500
5 ;;; IPSec-ESP
chain=input action=accept protocol=ipsec-esp
6 ;;; IPSec-ESP
chain=output action=accept protocol=ipsec-esp
7 ;;; Added by webbox
chain=input action=drop in-interface=pppoe-out1
Device 2’s config:
/ip ipsec peer print detail
0 address=118.210.yy.zzz/32:500 auth-method=pre-shared-key secret="n3vpsk1" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
/ip ipsec policy print detail
0 src-address=192.168.88.0/24:any dst-address=192.168.20.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=59.167.yyy.zz sa-dst-address=118.210.yy.zzz proposal=default priority=0
/ip firewall nat print detail
0 chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.20.0/24
1 ;;; Added by webbox
chain=srcnat action=masquerade out-interface=ppp-out1
/ip firewall filter print
0 ;;; Added by webbox
chain=input action=accept protocol=icmp
1 ;;; Added by webbox
chain=input action=accept connection-state=established in-interface=ppp-out1
2 ;;; Added by webbox
chain=input action=accept connection-state=related in-interface=ppp-out1
3 ;;; IPSec-ESP
chain=input action=accept protocol=udp src-port=500 dst-port=500
4 ;;; IPSec-ESP
chain=input action=accept protocol=ipsec-esp
5 ;;; IPSec-ESP
chain=output action=accept protocol=ipsec-esp
6 ;;; Added by webbox
chain=input action=drop in-interface=ppp-out1
Also, each router has the NTP client set up, and the time on them is the same, even to the second.
Any help in getting this running would be hugely appreciated!
Thanks.
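Added example, not part of the original post and not a RouterOS feature: a small Python script that parses both devices' `print detail` output as pasted above and cross-checks the settings a site-to-site tunnel needs to agree on (PSK, phase-1 parameters, mirrored policy subnets, each side's peer address against the other side's sa-src-address), then walks each input chain to confirm IKE (UDP/500) and ESP are accepted before the catch-all drop. Function names are hypothetical; the sample data is the post's own dumps with the masked octets kept as placeholders, Device 1's filter trimmed to the rules that matter, and Device 2's filter derived by swapping the interface name. On the configuration as pasted it returns an empty list, so none of these mismatches is present; change one side (the PSK, or the UDP port in the accept rule) and the corresponding finding appears.

```python
"""Cross-check two RouterOS IPsec configs pasted as `print detail` text (hypothetical helper, not a RouterOS feature)."""
import re
from typing import List

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')          # key=value or key="quoted value"
HEAD_RE = re.compile(r'^(\d+)\s*((?:[A-Z]\s+)*)(.*)$')  # "3 X ;;; comment" or "0 key=value ..."

def parse_print_detail(text: str) -> List[dict]:
    """One dict per entry; _id, _flags (['X'] = disabled) and _comment are added by us."""
    entries: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = HEAD_RE.match(line)
        if head:
            entry = {"_id": head.group(1), "_flags": head.group(2).split(), "_comment": ""}
            entries.append(entry)
            rest = head.group(3)
        elif entries:                     # a wrapped line belongs to the previous entry
            entry, rest = entries[-1], line
        else:
            raise ValueError(f"text before first entry: {line!r}")
        if rest.startswith(";;;"):        # RouterOS prints the comment on its own line
            entry["_comment"] = rest[3:].strip()
            continue
        for key, value in KV_RE.findall(rest):
            entry[key] = value.strip('"')
    return entries

def host_of(peer_address: str) -> str:
    return peer_address.split("/")[0].split(":")[0]   # '59.167.yyy.zz/32:500' -> '59.167.yyy.zz'

def input_chain_admits_ike_and_esp(rules: List[dict]) -> bool:
    """Walk enabled input rules top to bottom: UDP/500 and ESP must be accepted before
    a drop rule that has no protocol match (treated as the catch-all)."""
    missing = {"ike", "esp"}
    for rule in rules:
        if rule.get("chain") != "input" or "X" in rule["_flags"]:
            continue
        proto, action = rule.get("protocol"), rule.get("action")
        if action == "accept" and proto == "udp" and rule.get("dst-port") == "500":
            missing.discard("ike")
        elif action == "accept" and proto == "ipsec-esp":
            missing.discard("esp")
        elif action == "drop" and proto is None:
            break
    return not missing

def load_side(name: str, peer: str, policy: str, fw_filter: str) -> dict:
    return {"name": name, "peer": parse_print_detail(peer),
            "policy": parse_print_detail(policy), "filter": parse_print_detail(fw_filter)}

def cross_check(a: dict, b: dict) -> List[str]:
    """Human-readable mismatches between the two sides; an empty list means they agree."""
    findings: List[str] = []
    pa, pb, ya, yb = a["peer"][0], b["peer"][0], a["policy"][0], b["policy"][0]
    if pa.get("secret") != pb.get("secret"):
        findings.append("pre-shared keys differ")
    for key in ("exchange-mode", "hash-algorithm", "enc-algorithm", "dh-group", "nat-traversal"):
        if pa.get(key) != pb.get(key):
            findings.append(f"phase-1 {key} differs: {pa.get(key)} vs {pb.get(key)}")
    if (ya.get("src-address"), ya.get("dst-address")) != (yb.get("dst-address"), yb.get("src-address")):
        findings.append("policy subnets are not mirror images of each other")
    for me, other in ((a, b), (b, a)):
        peer, policy, other_peer = me["peer"][0], me["policy"][0], other["peer"][0]
        if host_of(peer["address"]) != policy.get("sa-dst-address"):
            findings.append(f'{me["name"]}: peer address and policy sa-dst-address disagree')
        if policy.get("sa-src-address") != host_of(other_peer["address"]):
            findings.append(f'{me["name"]}: sa-src-address is not the address the other side dials')
        if not input_chain_admits_ike_and_esp(me["filter"]):
            findings.append(f'{me["name"]}: input chain drops IKE or ESP before accepting it')
    return findings

# Constructed sample: the peer and policy dumps from the post (masked octets kept as placeholders),
# a trimmed copy of Device 1's filter, and Device 2's filter derived by swapping the interface name.
DEV1_PEER = ('0 address=59.167.yyy.zz/32:500 auth-method=pre-shared-key secret="n3vpsk1" generate-policy=no '
             'exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 '
             'enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1')
DEV2_PEER = DEV1_PEER.replace("59.167.yyy.zz", "118.210.yy.zzz")
DEV1_POLICY = ('0 src-address=192.168.20.0/24:any dst-address=192.168.88.0/24:any protocol=all action=encrypt '
               'level=require ipsec-protocols=esp tunnel=yes sa-src-address=118.210.yy.zzz sa-dst-address=59.167.yyy.zz '
               'proposal=default priority=0')
DEV2_POLICY = ('0 src-address=192.168.88.0/24:any dst-address=192.168.20.0/24:any protocol=all action=encrypt '
               'level=require ipsec-protocols=esp tunnel=yes sa-src-address=59.167.yyy.zz sa-dst-address=118.210.yy.zzz '
               'proposal=default priority=0')
DEV1_FILTER = """3 X ;;; RDP to NevDesktop
chain=forward action=accept protocol=tcp src-address-list="" in-interface=pppoe-out1 dst-port=3389
4 ;;; IPSec-ESP
chain=input action=accept protocol=udp src-port=500 dst-port=500
5 ;;; IPSec-ESP
chain=input action=accept protocol=ipsec-esp
7 ;;; Added by webbox
chain=input action=drop in-interface=pppoe-out1"""
DEV2_FILTER = DEV1_FILTER.replace("pppoe-out1", "ppp-out1")
DEVICE1 = load_side("Device 1", DEV1_PEER, DEV1_POLICY, DEV1_FILTER)
DEVICE2 = load_side("Device 2", DEV2_PEER, DEV2_POLICY, DEV2_FILTER)

if __name__ == "__main__":
    print("\n".join(cross_check(DEVICE1, DEVICE2) or ["no mismatches between the two sides"]))
```

Paste each side's three dumps into the strings and run it. The input-chain walk treats a drop rule that has no protocol match as the catch-all, which is how the `Added by webbox` drop rules above behave for an incoming IKE packet. The `nat-traversal` comparison only confirms the two sides agree; whether `no` is the right value depends on whether either WAN address is translated upstream, which a config dump cannot tell you.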