IPsec VPN not coming up

Having seen many VPN topics already, I still can't get mine to work.

I have a Mikrotik 2011iL at home with a public IPv4 address on eth0 (ISP modem in pass-through) which will be the replacement of my current Juniper ssg-5 (screenos) that currently does multiple VPNs.

In the datacenter I have a Juniper netscreenOS.

To keep things simple to roll-back I want to keep the current VPN configuration in the datacenter and adjust the Mikrotik to that.

The VPN setup
Phase 1
Netscreen naming: pre-g2-3des-sha
Pre-shared key
Group 2 (Diffie-Hellman)
Lifetime 28800 seconds
peer-id: bogus.domain.com

Phase 2
Netscreen naming: g2-esp-3des-sha
Esp > IPSEC protocol 51 for Authentication header (ah), udp port 500 and udp port 4500, http://kb.juniper.net/InfoCenter/index?page=content&id=KB5671
3des / triple des
Lifetime 3600

Config on the Mikrotik
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec < Diffie-Hellman Group 2 = 1024 MODP group.

set [ find default=yes ] enc-algorithms=3des pfs-group=none
add enc-algorithms=3des lifetime=8h name=HC

/ip ipsec peer
add address=1.2.3.4/32 enc-algorithm=3des exchange-mode=aggressive lifetime=8h my-id=user-fqdn:bogus.domain.com nat-traversal=no secret="blablabla"

/ip ipsec policy
add dst-address=192.168.180.0/24 ipsec-protocols=ah-esp proposal=HC protocol=ipsec-esp sa-dst-address=1.2.3.4 sa-src-address=4.3.2.1 src-address=0.0.0.0/0 tunnel=yes

Note: I masked the IPs, replacing the home IP with 4.3.2.1 and the datacenter IP with 1.2.3.4.

/ip firewall filter
add chain=input dst-port=500 protocol=udp
add chain=input dst-port=4500 protocol=udp
add chain=input protocol=ipsec-ah
add chain=input comment="Permit existing connections" connection-state=established,related

/ip firewall nat
add action=masquerade chain=srcnat log-prefix=nat out-interface=eth-1-UPC to-addresses=4.3.2.1

This rule is only for my internet access.

The error in the log is:
phase1 negotiation failed due to time up 4.3.2.1[500]<=>1.2.3.4[500] 98d934fc5088b131:0000000000000000

But to me it appears that the peer has the phase 1 lifetime of 8 hours. To get through phase 1 I have set the encryption algorithm also to 8 hours in case I have the phase 1 / phase 2 messed up.

None of the three firewall rules list packets.

After some changes Phase 1 is successful, now stuck on

no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in

I did create the NAT rule and rebooted.

add chain=srcnat dst-address=192.168.180.0/24 src-address=192.168.101.0/24

It appears that the policy I created is not used as it has a destination subnet.

/Edit, stopping for now as it’s driving me crazy.
Current status: phase 1 successful, phase 2 fails

19:25:11 ipsec,debug,packet get a src address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=255
19:25:11 ipsec,debug,packet get dst address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=255
19:25:11 ipsec,debug,packet 0x7f9306b8 masked with /24: 0.0.0.0[0]
19:25:11 ipsec,debug,packet 0x47bf08 masked with /24: 192.168.180.0[0]
19:25:11 ipsec,debug no policy found: 0.0.0.0/0[0] 0.0.0.0/0[0] proto=any dir=in
19:25:11 ipsec,debug failed to get proposal for responder.
19:25:11 ipsec,error failed to pre-process ph2 packet.
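The "no policy found" lines above come from the responder comparing the peer's phase 2 ID payloads (proxy IDs) against its own /ip ipsec policy entries. The following is an added example, not code from the post or from RouterOS: it parses the two quoted debug lines and applies a simplified exact-match model of that lookup (an assumption about the matching rules, not the router's source) to show why 0.0.0.0/0 from the peer does not match a policy whose dst-address is 192.168.180.0/24, and what an aligned pair of selectors looks like.

```python
import ipaddress
import re

# Constructed copies of the two RouterOS "ipsec,debug,packet" lines quoted in the post:
# the remote peer proposed 0.0.0.0/0 for both phase 2 selectors.
LOG_LINES = [
    "19:25:11 ipsec,debug,packet get a src address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=255",
    "19:25:11 ipsec,debug,packet get dst address from ID payload 0.0.0.0[0] prefixlen=0 ul_proto=255",
]

# Constructed lines for a peer that instead proposes its LAN and our LAN as /24 proxy IDs.
ALIGNED_LOG_LINES = [
    "19:25:11 ipsec,debug,packet get a src address from ID payload 192.168.180.0[0] prefixlen=24 ul_proto=255",
    "19:25:11 ipsec,debug,packet get dst address from ID payload 192.168.101.0[0] prefixlen=24 ul_proto=255",
]

# Policies as (src-address, dst-address) pairs from "/ip ipsec policy"; first is the poster's.
POSTER_POLICIES = [("0.0.0.0/0", "192.168.180.0/24")]
ALIGNED_POLICIES = [("192.168.101.0/24", "192.168.180.0/24")]

ID_RE = re.compile(
    r"get (?:a )?(src|dst) address from ID payload (\S+)\[\d+\] prefixlen=(\d+) ul_proto=(\d+)"
)

def parse_phase2_ids(lines):
    """Extract the peer's proposed src/dst selectors from the ID payload debug lines."""
    ids = {}
    for line in lines:
        m = ID_RE.search(line)
        if m:
            side, addr, plen, _ul_proto = m.groups()
            ids[side] = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    return ids

def find_policy(policies, ids):
    """Simplified model of the responder's lookup (assumption): the peer's src selector is
    traffic coming from the remote side, so it must equal our dst-address, and the peer's
    dst selector must equal our src-address. Networks compare exactly, prefix length
    included, so a /0 from the peer does not 'contain' a /24 in our policy."""
    for src, dst in policies:
        if ipaddress.ip_network(dst) == ids["src"] and ipaddress.ip_network(src) == ids["dst"]:
            return (src, dst)
    return None

def diagnose(lines, policies):
    """Return a racoon-style verdict for the given debug lines and policy list."""
    ids = parse_phase2_ids(lines)
    hit = find_policy(policies, ids)
    if hit is None:
        return f"no policy found: {ids['src']} {ids['dst']} dir=in"
    return f"policy matched: src-address={hit[0]} dst-address={hit[1]}"

if __name__ == "__main__":
    print(diagnose(LOG_LINES, POSTER_POLICIES))
    print(diagnose(ALIGNED_LOG_LINES, ALIGNED_POLICIES))
```

Either side can be adjusted to make the selectors line up: narrow the peer's proxy IDs to the two LANs, or widen the RouterOS policy to what the peer actually proposes.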

What were the changes that you applied? I am having the same problem with phase 1 and would like to get it connected.

Did you ever resolve this issue?

I am having the same issue right now.

Thank you.

/Ulrich