Hi!
I'm trying to set up an IPsec tunnel between an RB450G and a Cisco ASA 5510.
I'm doing what this tutorial [1] says, but I'm stuck on the IPsec phase 2 with a message saying:
Received a valid R-U-THERE, ACK sent
And it always loops with the same codes.
No traffic is going through the tunnel, because the ping times out.
My devices are connected like this (all IPs are fictitious):
Internal computer   MKT                       INTERNET   Cisco      Server
------              -----                                -----      ------
192.168.0.10        192.168.0.1 / 80.0.0.1               70.0.0.1   10.0.0.1
The 192.168.0.X IPs should not arrive at the 10.0.0.X network, because that range is overlapped there. So I should do SNAT on my MKT. I don't know if the tunnel in the MKT does it automatically or if I should change the NAT firewall rule below to do src-nat instead of only accepting.
**Peer** (aka phase 1)
address=70.0.0.1/32 local-address=80.0.0.1 passive=no port=500
auth-method=pre-shared-key secret="password_phase1"
generate-policy=no policy-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=exact
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=4608000 dpd-interval=disable-dpd dpd-maximum-failures=1

**Policy**
src-address=192.168.0.0/24 src-port=any dst-address=10.0.0.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=80.0.0.1
sa-dst-address=70.0.0.1 proposal=MyProposal priority=0

**Proposal**
name="MyProposal" auth-algorithms=md5 enc-algorithms=3des lifetime=1h
pfs-group=modp1024

**IP / Firewall / Nat** (this rule is at the top of the rule list)
chain=srcnat action=accept to-addresses=0.0.0.0 src-address=192.168.0.0/24
dst-address=10.0.0.1/24

Thanks for reading.
[1] http://www.vionblog.com/mikrotik-to-cisco-asa-ipsec-vpn/
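Added example (not from the post, the tutorial or MikroTik): a small Python model of the packet ordering the SNAT question hinges on. On outbound traffic RouterOS walks the srcnat chain before it looks up IPsec policies, which is exactly why the bypass "accept" rule sits at the top of srcnat; consequently a src-nat rule only combines with the tunnel when the policy's src-address matches the *translated* source, otherwise the packet misses the encrypt policy and leaves the WAN in plaintext. The R-U-THERE / ACK lines in the post are RFC 3706 dead-peer-detection keepalives carried over the phase 1 ISAKMP SA, so they say nothing about whether phase 2 selectors match. The translated address 172.16.0.1, the trailing masquerade rule, and the assumption that 192.168.0.0/24 also exists behind the Cisco are constructed for the illustration.

```python
"""Model RouterOS outbound ordering: srcnat chain first, IPsec policy lookup second."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Packet = Tuple[str, str]            # (source address, destination address)


@dataclass
class NatRule:
    action: str                     # "accept", "src-nat" or "masquerade"
    src: str                        # src-address selector
    dst: str                        # dst-address selector
    to_addresses: Optional[str] = None


@dataclass
class Policy:
    src: str                        # policy src-address
    dst: str                        # policy dst-address
    action: str = "encrypt"


WAN_IP = "80.0.0.1"                 # MKT public address from the post


def in_net(addr: str, net: str) -> bool:
    # strict=False mirrors RouterOS accepting "10.0.0.1/24" as the /24 around it
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def apply_srcnat(pkt: Packet, chain: List[NatRule]) -> Packet:
    """Top-down walk of the srcnat chain; the first matching rule decides."""
    src, dst = pkt
    for rule in chain:
        if not (in_net(src, rule.src) and in_net(dst, rule.dst)):
            continue
        if rule.action == "accept":          # bypass: leave the packet untouched
            return pkt
        if rule.action == "src-nat":
            return (rule.to_addresses, dst)
        if rule.action == "masquerade":
            return (WAN_IP, dst)
    return pkt


def matching_policy(pkt: Packet, policies: List[Policy]) -> Optional[Policy]:
    src, dst = pkt
    for pol in policies:
        if in_net(src, pol.src) and in_net(dst, pol.dst):
            return pol
    return None


def outbound(pkt: Packet, chain: List[NatRule], policies: List[Policy]) -> Tuple[Packet, bool]:
    """Return the packet as it reaches the policy lookup and whether it gets encrypted."""
    translated = apply_srcnat(pkt, chain)         # NAT happens first
    pol = matching_policy(translated, policies)   # policy sees the translated source
    return translated, (pol is not None and pol.action == "encrypt")


def overlaps_remote(src: str, remote_lans: List[str]) -> bool:
    """True if the source seen by the Cisco side collides with one of its own LANs."""
    return any(in_net(src, lan) for lan in remote_lans)


# Configuration exactly as posted, plus a trailing masquerade rule (assumed, typical default).
POSTED_NAT = [NatRule("accept", "192.168.0.0/24", "10.0.0.1/24"),
              NatRule("masquerade", "0.0.0.0/0", "0.0.0.0/0")]
POSTED_POLICY = [Policy("192.168.0.0/24", "10.0.0.0/24")]
# Assumed from the post's statement that 192.168.0.x is "overlapped there".
REMOTE_LANS = ["10.0.0.0/24", "192.168.0.0/24"]

# Hypothetical variant: translate to an address that exists nowhere behind the Cisco.
NAT_ADDR = "172.16.0.1"
SNAT_NAT = [NatRule("src-nat", "192.168.0.0/24", "10.0.0.0/24", to_addresses=NAT_ADDR)]
SNAT_POLICY = [Policy(NAT_ADDR + "/32", "10.0.0.0/24")]


def scenarios():
    pkt = ("192.168.0.10", "10.0.0.1")            # internal computer pinging the server
    return {
        "posted":          outbound(pkt, POSTED_NAT, POSTED_POLICY),
        "snat_old_policy": outbound(pkt, SNAT_NAT, POSTED_POLICY),
        "snat_new_policy": outbound(pkt, SNAT_NAT, SNAT_POLICY),
    }


if __name__ == "__main__":
    for name, (translated, encrypted) in scenarios().items():
        print(f"{name:16s} src={translated[0]:13s} encrypted={encrypted} "
              f"overlaps_remote={overlaps_remote(translated[0], REMOTE_LANS)}")
```

The three scenarios show the point: the posted config encrypts the packet but with the overlapping 192.168.0.10 source, src-nat alone drops the packet out of the encrypt policy, and src-nat with a policy whose src-address equals the translated address both encrypts and avoids the overlap.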