Hi all. I'm a newbie in ROS…
I have an hAP Lite 2 in the branch office and MS ISA 2006 in the main office. I want to set up an IPsec site-to-site VPN between branch and main. I have read the MikroTik IPsec s2s manual (between MikroTiks), changed the proposal… and nothing…
Please help…
This is my MikroTik config:
[admin@MikroTik] /ip ipsec peer> print
Flags: X - disabled, D - dynamic
0 address=Y/32 local-address=:: passive=no port=500
auth-method=pre-shared-key secret="123" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1h lifebytes=0 dpd-interval=2m
dpd-maximum-failures=1
[admin@MikroTik] /ip ipsec peer> /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m
pfs-group=modp1024
1 name="ISA" auth-algorithms=sha1 enc-algorithms=3des lifetime=8h
pfs-group=modp1024
[admin@MikroTik] /ip ipsec peer> /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
1 src-address=192.168.88.0/24 src-port=any dst-address=192.168.0.0/24
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=X sa-dst-address=Y
proposal=default priority=0
[admin@MikroTik] /ip ipsec peer> /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward
1 chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""
2 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
3 chain=input action=accept protocol=udp dst-port=500 log=no log-prefix=""
4 chain=input action=accept connection-state=established log=no log-prefix=""
5 chain=input action=accept protocol=icmp log=no log-prefix=""
6 ;;; default configuration
chain=forward action=accept connection-state=established,related log=no
log-prefix=""
7 chain=input action=accept connection-state=related log=no log-prefix=""
8 ;;; default configuration
chain=input action=accept connection-state=established,related log=no
log-prefix=""
9 chain=input action=accept protocol=icmp src-address=0.0.0.0
dst-address=X in-interface=ether1-gateway log=no log-prefix=""
10 ;;; default configuration
chain=forward action=drop connection-state=new connection-nat-state=!dstnat
in-interface=ether1-gateway log=no log-prefix=""
11 ;;; default configuration
chain=forward action=fasttrack-connection connection-state=established,related
log=no log-prefix=""
12 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""
13 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""
14 chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""
[admin@MikroTik] /ip ipsec peer> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.88.0/24
dst-address=192.168.0.0/24 log=no log-prefix=""
1 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway log=no
log-prefix=""
ISA 2006 settings:
Settings for IKE Phase I:
Mode: main
Encryption: 3DES
Hash: SHA1
DH-Group: Group 2 (1024 bits)
Auth method: pre-shared key (123)
Lifetime: 28800 sec
Settings for IKE Phase II:
Mode: esp-tunnel
Encryption: 3DES
Hash: SHA1
(PFS): enable.
DH-Group: Group 2 (1024 bits)
Key retry recreation by time: enable
Lifetime: 3600 s
Key retry recreation by bytes: Disable
IP-subnets networks site-to-site type:
subnet = 192.168.0.96/255.255.255.252
subnet = 192.168.0.64/255.255.255.224
subnet = 192.168.0.0/255.255.255.192
subnet = 192.168.0.140/255.255.255.252
subnet = 192.168.0.144/255.255.255.240
subnet = 192.168.0.160/255.255.255.224
subnet = 192.168.0.192/255.255.255.192
The result is: phase1 negotiation failed due to time up
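The usual first step when an IKEv1 tunnel between two different vendors will not come up is to lay the two ends' parameters side by side. The script below is an added example, not part of the post and not MikroTik or Microsoft code: it parses the RouterOS `/ip ipsec peer`, `proposal` and `policy` print output quoted above (copied in as constructed string constants, with the continuation lines as they appear in the post), takes a hand-transcribed dict of the ISA 2006 settings, and lists every phase 1 and phase 2 parameter on which the two sides differ. It compares against the proposal the non-template policy actually references (`proposal=default`), not against any proposal that merely exists, and it checks that each ISA subnet falls inside the policy's `dst-address` selector. The function names, the `ISA` dict and the `DH_GROUP` table (ISA group numbers mapped to RouterOS names) are mine; the script only makes the differences visible, it does not decide which of them the peers will tolerate.

```python
"""Added example: compare a RouterOS IPsec peer/proposal/policy dump with the
remote side's (ISA 2006) settings and report where the two ends disagree.
Dumps are copied from the forum post; the ISA side is transcribed by hand."""
import ipaddress
import re

# RouterOS print output as quoted in the post (constructed from the post's text).
PEER_DUMP = """\
Flags: X - disabled, D - dynamic
0 address=Y/32 local-address=:: passive=no port=500
auth-method=pre-shared-key secret="123" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1h lifebytes=0 dpd-interval=2m
dpd-maximum-failures=1
"""
PROPOSAL_DUMP = """\
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m
pfs-group=modp1024
1 name="ISA" auth-algorithms=sha1 enc-algorithms=3des lifetime=8h
pfs-group=modp1024
"""
POLICY_DUMP = """\
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
1 src-address=192.168.88.0/24 src-port=any dst-address=192.168.0.0/24
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=X sa-dst-address=Y
proposal=default priority=0
"""
# ISA 2006 side, transcribed by hand from the settings listed in the post (assumed layout).
ISA = {
    "phase1": {"mode": "main", "encryption": "3des", "hash": "sha1", "dh_group": 2, "lifetime_s": 28800},
    "phase2": {"encryption": "3des", "hash": "sha1", "pfs": True, "pfs_group": 2, "lifetime_s": 3600},
    "subnets": ["192.168.0.96/255.255.255.252", "192.168.0.64/255.255.255.224",
                "192.168.0.0/255.255.255.192", "192.168.0.140/255.255.255.252",
                "192.168.0.144/255.255.255.240", "192.168.0.160/255.255.255.224",
                "192.168.0.192/255.255.255.192"],
}
ENTRY_RE = re.compile(r"^(\d+)\s+((?:[A-Z*]\s+)*)(.*)$")  # "index [flags] key=value ..."
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')
DH_GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}  # IKE group -> RouterOS name

def parse_routeros_print(text):
    """Turn print output into a list of dicts; lines without an index continue the previous entry."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("Flags:"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"index": int(m.group(1)), "flags": m.group(2).split()})
            line = m.group(3)
        elif not entries:
            continue
        entries[-1].update((k, v.strip('"')) for k, v in KV_RE.findall(line))
    return entries

def parse_duration(value):
    """RouterOS durations such as '1h', '30m', '1h30m' or plain seconds -> seconds."""
    units = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
    if value.isdigit():
        return int(value)
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([wdhms])", value))

def compare_phase1(peer, remote):
    """IKE phase 1 differences between the RouterOS peer entry and the remote side."""
    checks = [("exchange-mode", peer["exchange-mode"], remote["mode"]),
              ("encryption", peer["enc-algorithm"], remote["encryption"]),
              ("hash", peer["hash-algorithm"], remote["hash"]),
              ("dh-group", peer["dh-group"], DH_GROUP[remote["dh_group"]]),
              ("lifetime", parse_duration(peer["lifetime"]), remote["lifetime_s"])]
    return [f"phase1 {n}: mikrotik={a} remote={b}" for n, a, b in checks if a != b]

def compare_phase2(policy, proposals, remote):
    """Phase 2 differences, measured against the proposal the policy actually references."""
    prop = {p["name"]: p for p in proposals}[policy["proposal"]]
    pfs = DH_GROUP[remote["pfs_group"]] if remote["pfs"] else "none"
    checks = [("encryption", prop["enc-algorithms"], remote["encryption"]),
              ("auth", prop["auth-algorithms"], remote["hash"]),
              ("pfs-group", prop.get("pfs-group", "none"), pfs),
              ("lifetime", str(parse_duration(prop["lifetime"])), str(remote["lifetime_s"]))]
    # A RouterOS proposal may list several algorithms; the remote's single choice must be among them.
    return [f"phase2 proposal '{prop['name']}' {n}: mikrotik={a} remote={b}"
            for n, a, b in checks if b not in a.split(",")]

def uncovered_subnets(policy, remote_subnets):
    """Remote selectors that fall outside the policy's dst-address (netmask notation accepted)."""
    dst = ipaddress.ip_network(policy["dst-address"], strict=False)
    return [s for s in remote_subnets if not ipaddress.ip_network(s, strict=False).subnet_of(dst)]

def analyse(peer_dump=PEER_DUMP, proposal_dump=PROPOSAL_DUMP, policy_dump=POLICY_DUMP, remote=ISA):
    """Run all comparisons over the non-template policies and return the findings per area."""
    peer = parse_routeros_print(peer_dump)[0]
    proposals = parse_routeros_print(proposal_dump)
    policies = [p for p in parse_routeros_print(policy_dump) if "T" not in p["flags"]]
    return {"phase1": compare_phase1(peer, remote["phase1"]),
            "phase2": [d for pol in policies for d in compare_phase2(pol, proposals, remote["phase2"])],
            "uncovered": [s for pol in policies for s in uncovered_subnets(pol, remote["subnets"])]}

if __name__ == "__main__":
    for area, findings in analyse().items():
        print(area, findings or "no differences")
```

Run as-is it reports the phase 1 lifetime (1h on the MikroTik, 28800 s on the ISA) and, for phase 2, that the policy's `default` proposal offers aes-128-cbc with a 30m lifetime while the ISA side expects 3DES with 3600 s; the ISA subnets all lie inside 192.168.0.0/24, so the selector check is clean. Whether a given lifetime difference is fatal depends on each end's proposal-check behaviour, which the script deliberately does not try to judge.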