IPsec VPN site to site

I am trying to set up a site-to-site VPN using Untangle version 11.2 as the server and a Mikrotik v6.32.3.
I ran through the setup guide here: https://www.nasa-security.net/mikrotik/l2tp-ipsec-vpn-site-to-site-mikrotik-how-to/

I have attached a screenshot of the log and the error I’m getting.
fatal NO-PROPOSAL-CHOSEN notify message, phase 1 should be deleted.

I have obviously made a mistake somewhere but I’m not sure where to start.

Any help would be greatly appreciated


Thanks

Have you tried this setup?

http://gregsowell.com/wp-content/plugins/download-monitor/download.php?id=15

I can get the routers to ping but can’t get any devices behind them to see the other side of the tunnel.

Hello,

The src-address seems to be wrong: we can see 192.168.1.2 in your logs. It should be a WAN IP.

Regards,

Hi

I was able to make a VPN IPSec with this conf:

router_1

/ip ipsec policy add src-address=<local_lan_router_1>/xx dst-address=<local_lan_router_2>/xx protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=<public_ip_router_1> sa-dst-address=<public_ip_router_2> proposal=default priority=0

/ip ipsec peer add address=<public_ip_router_2> port=500 auth-method=pre-shared-key secret="some_password" exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 dpd-interval=120 dpd-maximum-failures=5

/ip firewall nat add chain=srcnat src-address=<local_lan_router_1>/xx dst-address=<local_lan_router_2>/xx action=accept disabled=no

router_2

/ip ipsec policy add src-address=<local_lan_router_2>/xx dst-address=<local_lan_router_1>/xx protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=<public_ip_router_2> sa-dst-address=<public_ip_router_1> proposal=default priority=0

/ip ipsec peer add address=<public_ip_router_1> port=500 auth-method=pre-shared-key secret="some_password" exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 dpd-interval=120 dpd-maximum-failures=5

/ip firewall nat add chain=srcnat src-address=<local_lan_router_2>/xx dst-address=<local_lan_router_1>/xx action=accept disabled=no

Regards
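
Added example (not from any poster in this thread): a small Python check that two RouterOS configurations in the layout of the last post mirror each other, since a phase 1 parameter that differs between peers is a typical cause of NO-PROPOSAL-CHOSEN. The function names, the sample addresses (documentation ranges) and the RFC 1918 test on sa-src-address, which follows the earlier reply's WAN IP advice, are assumptions of this example.

```python
import ipaddress
import re

# Phase 1 settings both peers must agree on (mismatch -> NO-PROPOSAL-CHOSEN or auth failure).
PHASE1_KEYS = ("auth-method", "secret", "exchange-mode",
               "hash-algorithm", "enc-algorithm", "dh-group")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(config):
    """Map each menu ('/ip ipsec peer') to the key=value pairs of its add command."""
    menus = {}
    for line in config.strip().splitlines():
        m = re.match(r"(/[\w\s-]+?)[\s>]+add\s+(.*)", line.strip())
        if m:
            menus[m.group(1)] = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', m.group(2)))
    return menus

def check_mirror(cfg_a, cfg_b):
    """Return a list of ways the two routers' configs fail to mirror each other."""
    a, b = parse(cfg_a), parse(cfg_b)
    pol_a, pol_b = a["/ip ipsec policy"], b["/ip ipsec policy"]
    peer_a, peer_b = a["/ip ipsec peer"], b["/ip ipsec peer"]
    problems = []
    for key in PHASE1_KEYS:
        if peer_a.get(key) != peer_b.get(key):
            problems.append(f"phase 1 mismatch: {key}")  # value omitted: may be the PSK
    # One side's source must be the other side's destination, for LANs and SA endpoints.
    for src, dst in (("src-address", "dst-address"), ("sa-src-address", "sa-dst-address")):
        if pol_a.get(src) != pol_b.get(dst) or pol_a.get(dst) != pol_b.get(src):
            problems.append(f"not mirrored: {src}/{dst}")
    for name, pol, peer in (("router_1", pol_a, peer_a), ("router_2", pol_b, peer_b)):
        if peer.get("address", "").split("/")[0] != pol.get("sa-dst-address"):
            problems.append(f"{name}: peer address differs from sa-dst-address")
        sa_src = ipaddress.ip_address(pol["sa-src-address"])
        if any(sa_src in net for net in RFC1918):
            problems.append(f"{name}: sa-src-address {sa_src} is a LAN address, not the WAN IP")
    return problems

def sample(lan, peer_lan, wan, peer_wan, hash_alg="md5"):
    """Constructed config text in the layout of the post above (documentation IPs)."""
    return (f"/ip ipsec policy add src-address={lan} dst-address={peer_lan} tunnel=yes "
            f"sa-src-address={wan} sa-dst-address={peer_wan}\n"
            f'/ip ipsec peer add address={peer_wan} auth-method=pre-shared-key secret="x" '
            f"exchange-mode=main hash-algorithm={hash_alg} enc-algorithm=3des dh-group=modp1024\n")

if __name__ == "__main__":
    r1 = sample("192.168.1.0/24", "192.168.2.0/24", "203.0.113.1", "198.51.100.1")
    r2 = sample("192.168.2.0/24", "192.168.1.0/24", "192.168.1.2", "203.0.113.1", "sha1")
    for problem in check_mirror(r1, r2):
        print(problem)
```

The check only compares two RouterOS-style configurations; when the far end is a different product, its phase 1 settings have to be read from that product's own configuration and compared by hand.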