Hello,
This is the second day that I can fix the connection from my Mikrotik at my office to the Juniper SRX in the branch company.
I have taken the config from the branch:
Phase I
NAT-Traversal: Enable
Mode: main
Pre Shared Key - Ascii text: (xxxxxxxxxxxxx)
Authentication algorithm: sha1
Authentication Method: pre-shared-keys
DH Group: group1
Encryption algorithm: des-cbc
Lifetime seconds: 86400
Phase II
Perfect Forward Secrecy: group2
Authentication algorithm: hmac-md5-96
Encryption algorithm: aes-128-cbc
Lifetime seconds: 86400
Protocol: esp
That is all that I got, along with the IP address.
Now I have configured the Mikrotik, and I have upgraded it to 6.28.
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.106.0/24
dst-address=192.168.5.0/24 out-interface=ether1 log=no log-prefix=""
1 chain=srcnat action=accept src-address=192.168.106.0/24
dst-address=192.168.1.0/24 out-interface=ether1 log=no log-prefix=""
2 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled, D - dynamic
0 ;;; VPn
address=8x.xx.xxx.82/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="xxxxxxxxxxxxxxxxxx"
generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=des dh-group=modp768 lifetime=1d
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=md5 enc-algorithms=aes-128-cbc lifetime=1d
pfs-group=modp1024
[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
add action=encrypt disabled=no dst-address=192.168.5.0/24 dst-port=any ipsec-protocols=esp level=require priority=0
proposal=juniper protocol=all sa-dst-address=8x.xx.xxx.xx sa-src-address=80.xx.xx.6 src-address=192.168.106.0/24
src-port=any tunnel=yes
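
Added example, not part of the original post: a Python check that lines up the SRX Phase I/II values listed above with the RouterOS values from the print output and reports every difference. The `section:` labels, the function names and the SRX-to-RouterOS value map are assumptions of this example.

```python
import re

# SRX name -> RouterOS name for the same setting (standard equivalences).
SRX_TO_ROS = {"Enable": "yes", "group1": "modp768", "group2": "modp1024",
              "des-cbc": "des", "hmac-md5-96": "md5", "86400": "1d"}

# (SRX value listed in the post, RouterOS section, RouterOS key)
CHECKS = [
    ("Enable", "peer", "nat-traversal"), ("main", "peer", "exchange-mode"),
    ("sha1", "peer", "hash-algorithm"), ("group1", "peer", "dh-group"),
    ("des-cbc", "peer", "enc-algorithm"), ("86400", "peer", "lifetime"),
    ("group2", "proposal", "pfs-group"),
    ("hmac-md5-96", "proposal", "auth-algorithms"),
    ("aes-128-cbc", "proposal", "enc-algorithms"),
    ("86400", "proposal", "lifetime"), ("esp", "policy", "ipsec-protocols"),
]

# Key=value pairs copied from the post's print output; the "section:" labels
# are an assumption of this example, not RouterOS syntax.
ROUTEROS = """
peer: exchange-mode=main nat-traversal=no hash-algorithm=sha1 enc-algorithm=des dh-group=modp768 lifetime=1d
proposal: name="default" auth-algorithms=md5 enc-algorithms=aes-128-cbc lifetime=1d pfs-group=modp1024
policy: proposal=juniper ipsec-protocols=esp tunnel=yes
"""

def parse(text):
    """Turn 'section: k=v k=v' lines into {section: {key: value}}."""
    out = {}
    for line in text.strip().splitlines():
        section, _, rest = line.partition(":")
        pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', rest)
        out[section.strip()] = {k: v.strip('"') for k, v in pairs}
    return out

def compare(text):
    """Return one finding per RouterOS value that differs from the SRX side."""
    cfg, findings = parse(text), []
    for srx_value, section, key in CHECKS:
        want = SRX_TO_ROS.get(srx_value, srx_value)
        got = cfg.get(section, {}).get(key)
        if got != want:
            findings.append(f"{section} {key}={got}, SRX side lists {want}")
    used = cfg.get("policy", {}).get("proposal")
    if used != cfg.get("proposal", {}).get("name"):
        findings.append(f"policy proposal={used} is not in the proposal list")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(ROUTEROS)))
```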