IPSec

belial688 · June 5, 2008, 8:11am

I try to make ipsec with remote gateway.
Use Mikrotik

LAN1 - [Mikrotik-1](public-1 address) - INTERNET - (public-2 address)[Mikrotik-2] - LAN2

Server1
policy print
src-address=10.0.0.0/24:any dst-address=192.168.64.0/24:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=PUBLIC-1 sa-dst-address=PUBLIC-2
proposal=default manual-sa=none dont-fragment=clear
peer print
address=PUBLIC-2/32:500 secret=“1234” generate-policy=yes
exchange-mode=aggressive send-initial-contact=yes proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0
NAT print
chain=srcnat src-address=10.0.0.0/24 dst-address=192.168.64.0/24 action=accept
chain=srcnat out-interface=WAN1 action=masquerade

Server2
policy print
src-address=192.168.64.0/24:any dst-address=10.0.0.0/24:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=PUBLIC-2 sa-dst-address=PUBLIC-1
proposal=default manual-sa=none dont-fragment=clear
peer print
address=PUBLIC-1/32:500 secret=“1234” generate-policy=yes
exchange-mode=aggressive send-initial-contact=yes proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0
NAT print
chain=srcnat out-interface=WAN1 action=masquerade
chain=srcnat src-address=192.168.64.0/24 dst-address=10.0.0.0/24 action=accept

Ping from LAN1 to LAN2
SERVER1 Log
15:07:54 ipsec,info ipsec packet discarded: src=10.0.0.88 dst=192.168.64.10
15:08:00 ipsec,ike,info queuing SA request, phase 1 with peer PUBLIC-2 will be established first
15:08:00 ipsec,ike,info initiating phase 1, starting mode Aggressive (local PUBLIC-1:500) (remote unknown)
15:08:00 ipsec,info ipsec packet discarded: src=10.0.0.88 dst=192.168.64.10
…
15:08:27 ipsec,info ipsec packet discarded: src=10.0.0.88 dst=192.168.64.10
15:08:31 ipsec,ike,info dequeuing SA request to PUBLIC-2, phase 1 wait timed out
15:08:33 ipsec,ike,info queuing SA request, phase 1 with peer PUBLIC-2 will be established first
15:08:33 ipsec,info ipsec packet discarded: src=10.0.0.88 dst=192.168.64.10
…
15:08:55 ipsec,info ipsec packet discarded: src=10.0.0.88 dst=192.168.64.10

SERVER2 Log is emtpy

Help, Please

Regards

Maxim

fatonk · June 5, 2008, 3:37pm

On Server 2 try to put the masquerade rule after accept rule.

belial688 · June 6, 2008, 8:13am

Nothing has changed.
Can I check the open Internet provider with AH and ESP protocol?