I’m trying to test IPSec without L2TP, just tunneling two LANs in tunnel mode. Both ends have a fixed & real IP address and are reachable from the Internet, so afaik I shouldn’t need L2TP. Currently I’m using a preshared key. When I generate traffic from the local LAN destined to the remote LAN I get this in my log:
20:12:00 ipsec IPsec-SA request for [RemoteIP] queued due to no phase1 found.
20:12:00 ipsec initiate new phase 1 negotiation: LocalIP[500]<=>RemoteIP[500]
20:12:00 ipsec begin Identity Protection mode.
20:12:00 ipsec sendfromto failed
20:12:00 ipsec failed to begin ipsec sa negotication.
It looks like the local router tries to establish the tunnel but I get that error immediately. I have opened UDP 500 and protocol 50 (ipsec-esp) on both ends…
The local site firewall (1.1.1.1) has nearly 150 rules right now, too many to post. I have opened everything coming from 2.2.2.2 in the input chain and everything going to 2.2.2.2 in the output chain. I have nothing in forward related to IPSec because as far as I know that chain won’t be used for that traffic.
EDIT: forgot to remark that the remote firewall has currently no rules, so all traffic should flow freely.
The problem is that there was a route to the IPSec protected remote LAN through a disabled OpenVPN interface that I had created when testing with OpenVPN… so my router couldn’t reach the remote IPSec peer. Checked all settings again and now I have a working IPSec VPN, even with the remote peers behind a NAT.
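As an added example (not from the original post or from any router vendor), a small Python check that does the longest-prefix route lookup for the peer address over a constructed routing table and reports when the winning route uses a disabled interface, which is the kind of stale route that keeps phase 1 from ever sending a packet. The addresses, interface names and table entries are assumed placeholders.

```python
import ipaddress

# Constructed routing table modelled on the post: a static route left over from
# an OpenVPN test points at an interface that is now disabled. The stale entry is
# built here so that it also covers the peer's public address (198.51.100.7).
ROUTES = [
    # (destination prefix, gateway or None, interface, interface enabled?)
    ("0.0.0.0/0",       "203.0.113.1", "ether1-wan", True),
    ("192.168.10.0/24", None,          "bridge-lan", True),
    ("192.168.20.0/24", None,          "ovpn-test",  False),  # stale remote-LAN route
    ("198.51.100.0/24", None,          "ovpn-test",  False),  # stale route covering the peer
]

def lookup(routes, dst):
    """Longest-prefix match: return the route the kernel would choose for dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface, up in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface, up)
    return best

def check_peer_path(routes, peer_ip, wan_iface):
    """Explain why an IKE packet to peer_ip could fail before it leaves the box.

    wan_iface is the interface the peer is expected to be reached through
    (an assumption of this example). Returns (ok, reason).
    """
    r = lookup(routes, peer_ip)
    if r is None:
        return False, "no route to peer %s" % peer_ip
    net, gw, iface, up = r
    if not up:
        return False, "peer %s is routed via %s (%s), which is disabled" % (peer_ip, iface, net)
    if iface != wan_iface:
        return False, "peer %s leaves via %s instead of %s" % (peer_ip, iface, wan_iface)
    return True, "peer %s reachable via %s (%s)" % (peer_ip, iface, net)

if __name__ == "__main__":
    print(check_peer_path(ROUTES, "198.51.100.7", "ether1-wan"))
    # Removing the stale entries restores the path through the default route.
    cleaned = [r for r in ROUTES if r[2] != "ovpn-test"]
    print(check_peer_path(cleaned, "198.51.100.7", "ether1-wan"))
```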