I have built IPSEC tunnels between an MT RB493AH and 15 LinkSys RV016 routers. I used Greg S. method and got it working somewhat.
SA’s pop up, Remote peers show up, ping from a PC on the MT to any of the interior IP’s or Linksys interior gateway’s is successful.
Cannot ping from the MT Ping tool to any of them however.
Also, cannot browse to any of the tunnel’d interior IP’s at all. Ping from DOS window on a PC on the MT interior to any of the tunnel’d ip’s is successful, however.
What am I missing, do I need to add routes somehow to the tunnel’d ip’s?
Here is code i took out of the router and edited the personal stuff to be benign.
Any help would be appreciated. I need to access all of the interior IP’s in the tunnels via a browser on MT’s interior, 192.168.16.0/24.
# jun/17/2010 09:15:07 by RouterOS 4.10
# software id = IF60-GXT5
#
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
comment="" disabled=no forward-delay=15s l2mtu=1522 max-message-age=20s \
mtu=1500 name=bridge1 priority=0x8000 protocol-mode=none \
transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
l2mtu=1526 mac-address=00:0C:42:74:DC:BD mtu=1500 name=ether1 speed=\
100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1522 mac-address=00:0C:42:74:DC:BE \
master-port=none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1522 mac-address=00:0C:42:74:DC:BF \
master-port=none mtu=1500 name=ether3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1522 mac-address=00:0C:42:74:DC:C0 \
master-port=none mtu=1500 name=ether4 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1522 mac-address=00:0C:42:74:DC:C1 \
master-port=none mtu=1500 name=ether5 speed=100Mbps
set 5 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1522 mac-address=00:0C:42:74:DC:C2 \
master-port=none mtu=1500 name=ether6 speed=100Mbps
set 6 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1522 mac-address=00:0C:42:74:DC:C3 \
master-port=none mtu=1500 name=ether7 speed=100Mbps
set 7 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1522 mac-address=00:0C:42:74:DC:C4 \
master-port=none mtu=1500 name=ether8 speed=100Mbps
set 8 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1522 mac-address=00:0C:42:74:DC:C5 \
master-port=none mtu=1500 name=ether9 speed=100Mbps
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des \
lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=md5 comment="" disabled=no enc-algorithms=null lifetime=\
30m name=LinkSys pfs-group=modp768
/ip pool
add name=dhcp_pool1 ranges=192.168.16.2-192.168.16.254
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=\
static disabled=no interface=bridge1 lease-time=3d name=dhcp1
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none \
stop-bits=1
/interface bridge port
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
horizon=none interface=ether2 path-cost=10 point-to-point=auto priority=\
0x80
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
horizon=none interface=ether3 path-cost=10 point-to-point=auto priority=\
0x80
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
horizon=none interface=ether4 path-cost=10 point-to-point=auto priority=\
0x80
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
horizon=none interface=ether5 path-cost=10 point-to-point=auto priority=\
0x80
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
horizon=none interface=ether6 path-cost=10 point-to-point=auto priority=\
0x80
add bridge=bridge1 comment="" disabled=no edge=auto external-fdb=auto \
horizon=none interface=ether7 path-cost=10 point-to-point=auto priority=\
0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
no
/ip address
add address=68.000.000.40/24 broadcast=68.000.000.255 comment="" disabled=no \
interface=ether1 network=68.000.000.0
add address=192.168.16.1/24 broadcast=192.168.16.255 comment="" disabled=no \
interface=bridge1 network=192.168.16.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.16.0/24 comment="" gateway=192.168.16.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 servers=68.251.212.13,69.209.39.13
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.18.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.14.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.13.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.12.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.11.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.10.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.9.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.8.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.7.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.6.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.5.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.4.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.3.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.2.0/24 src-address=192.168.16.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.1.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
ether1
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip ipsec peer
add address=68.000.000.43/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
add address=70.00.00.9/32:500 auth-method=pre-shared-key comment="" dh-group=\
modp768 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
111 send-initial-contact=yes
add address=66.00.00.180/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
add address=69.00.00.118/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
add address=66.00.00.18/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
add address=76.00.00.203/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
add address=76.00.00.251/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
add address=68.00.00.68/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
add address=99.00.00.137/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
add address=99.00.00.105/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
add address=68.00.00.10/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
add address=216.00.00.136/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
add address=68.00.00.57/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
add address=199.00.00.224/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
add address=99.00.00.1/32:500 auth-method=pre-shared-key comment="" dh-group=\
modp768 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
111 send-initial-contact=yes
add address=99.00.00.201/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp768 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey secret=111 \
send-initial-contact=yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=192.168.18.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=68.00.00.43 sa-src-address=68.00.00.40 \
src-address=192.168.16.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.1.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=70.00.00.9 sa-src-address=68.00.00.40 src-address=\
192.168.16.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.2.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=66.00.00.180 sa-src-address=68.00.00.40 src-address=\
192.168.16.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.3.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=99.00.00.201 sa-src-address=68.00.00.40 \
src-address=192.168.16.0/24:any tunnel=ye
add action=encrypt comment="" disabled=no dst-address=192.168.4.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=69.00.00.118 sa-src-address=68.00.00.40 \
src-address=192.168.16.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.5.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=66.00.00.18 sa-src-address=68.00.00.40 \
src-address=192.168.16.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.6.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=76.00.00.203 sa-src-address=68.00.00.40 \
src-address=192.168.16.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.7.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=76.00.00.251 sa-src-address=68.00.00.40 \
src-address=192.168.16.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.9.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=99.00.00.137 sa-src-address=68.00.00.40 \
src-address=192.168.16.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.10.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=99.00.00.105 sa-src-address=68.00.00.40 src-address=\
192.168.16.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.8.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=68.00.00.68 sa-src-address=68.00.00.40 \
src-address=192.168.16.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.11.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=68.00.00.10 sa-src-address=68.00.00.40 \
src-address=192.168.16.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.12.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=216.00.00.136 sa-src-address=68.00.00.40 \
src-address=192.168.16.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.14.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=99.00.00.1 sa-src-address=68.00.00.40 src-address=\
192.168.16.0/24:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=192.168.13.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=LinkSys protocol=\
all sa-dst-address=199.00.00.224 sa-src-address=68.00.00.40 \
src-address=192.168.16.0/24:any tunnel=yes
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=no max-cache-size=none max-client-connections=\
600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 \
parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
0.0.0.0
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
68.251.212.1 scope=30 target-scope=10
/ip service
set telnet address=0.0.0.0/0 disabled=no port=23
set ftp address=0.0.0.0/0 disabled=no port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
add comment="" disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
use-explicit-null=no
/store
add comment="" disabled=no disk=system name=web-proxy1 type=web-proxy
/system clock
set time-zone-name=America/Chicago
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
"jan/01/1970 00:00:00" time-zone=+00:00
/system console
add disabled=no port=serial0 term=vt102
/system health
set fan-mode=auto use-fan=main
/system identity
set name=40-16
/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=66.79.148.39 secondary-ntp=0.0.0.0
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=\
100
/tool e-mail
set from=<> password="" server=0.0.0.0:25 username=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
add disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=10 file-name="" filter-address1=0.0.0.0/0:0-65535 \
filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only filter-stream=\
yes interface=all memory-limit=10 memory-scroll=no only-headers=no \
streaming-enabled=no streaming-server=0.0.0.0
/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no