Mikrotik IPSEC to Cisco VPN 3030 Concentrator problems

I’ve been having some trouble establishing an IPSEC tunnel with a Cisco VPN 3030 Concentrator. On my side the ‘remote-peer’ shows up as state=expired a half second after it first shows up as state=established.

On the Cisco side they say "I’m getting a timeout in Phase2 where it establishes the IKE session, the IPSEC session hangs at the remote end and we never get the final handshake.

The reaper then sees the SA hung and kills the SA after 30 seconds of inactivity."


I’m hoping someone else has run into this problem before and knows a solution. Copied below are my side’s IPSEC settings.


/ip ipsec proposal
set default auth-algorithms=md5 disabled=no enc-algorithms=des lifetime=30m \
    name=default pfs-group=none
/ip ipsec peer
add address=xx.xxx.147.6/32:500 auth-method=pre-shared-key dh-group=modp768 \
    disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 \
    enc-algorithm=des exchange-mode=main generate-policy=no hash-algorithm=\
    md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
    THESECRETPASSWORD send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=yes dst-address=172.20.200.0/24:any \
    ipsec-protocols=esp level=unique manual-sa=none priority=0 proposal=\
    default protocol=all sa-dst-address=xx.xxx.147.6 sa-src-address=\
    yyy.yyy.201.99 src-address=10.1.127.0/24:any tunnel=yes
add action=encrypt disabled=no dst-address=172.20.200.0/24:any \
    ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=\
    default protocol=all sa-dst-address=xx.xxx.147.6 sa-src-address=\
    yyy.yyy.201.99 src-address=10.4.4.0/24:any tunnel=yes

Thanks