Hello!
Is there any way to set up a Mikrotik ROS device as an IPsec road warrior client to another Mikrotik ROS device?
I have the following setup:
- RB1100AHx2 with static public IP in IDC
- RB2011 with dynamic public IP
I followed this guide http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf but I could not understand where to go after RouterOS Client Config
/ip ipsec peer
add address=2.2.2.2 auth-method=pre-shared-key-xauth generate-policy=port-strict secret=123 \
xauth-login=user1 xauth-password=123
It seems that the connection between the peers is established:
[admin@roadwarrior] > /ip ipsec remote-peers print
0 local-address=roadwarrior.dynamic.public.ip remote-address=vpnrouter.static.public.ip state=established
side=initiator established=1m7s
[admin@vpnrouter] > /ip ipsec remote-peers print
0 local-address=vpnrouter.static.public.ip remote-address=roadwarrior.dynamic.public.ip state=established side=responder remote-dynamic-address=192.168.145.250 established=4m9s
But on the road warrior side I cannot see remote-dynamic-address=192.168.145.250 in IP addresses, no additional interfaces of any type are created and no policies are generated.
Config on the VPN router:
[admin@vpnrouter] > /ip ipsec peer print
Flags: X - disabled, D - dynamic
10 address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500 auth-method=pre-shared-key-xauth secret="xauthsharedkey" xauth-login="" xauth-password="" generate-policy=port-strict policy-template-group=vpn exchange-mode=main mode-config=vpn
send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
[admin@vpnrouter] > /ip ipsec mode-config print
Flags: * - default
0 * name="request-only" send-dns=yes
1 name="vpn" send-dns=yes address-pool=pool_vpn_ipsec address-prefix-length=24 split-include=10.224.0.0/16,0.0.0.0/0
[admin@vpnrouter] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
6 T group=vpn src-address=10.224.0.0/16 dst-address=192.168.145.0/24 protocol=all proposal=default template=yes
7 T group=vpn src-address=192.168.145.0/24 dst-address=10.224.0.0/16 protocol=all proposal=default template=yes
Config on road warrior side:
[admin@roadwarrior] > /ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=vpnrouter.public.static.ip local-address=:: passive=no port=500 auth-method=pre-shared-key-xauth secret="xauthsharedsecret" xauth-login="mylogin" xauth-password="mypassword" generate-policy=port-strict policy-template-group=default
exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
What am I missing? How can I get to the remote network (10.224.0.0/16) from the remote side?
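For comparison, here is a RouterOS v6 road-warrior client configuration that asks the responder for a mode-config address and then lets the LAN behind the client reach the split-include network. This is an added example, not the poster's config or the wiki's text; it assumes the responder from the post, a constructed responder IP 203.0.113.1, a constructed client LAN 192.168.88.0/24, and a RouterOS version whose peer has the mode-config parameter with the built-in "request-only" entry.

```routeros
# Added example (not the poster's config): road-warrior client on the RB2011.
# Constructed placeholders: 203.0.113.1 = responder public IP,
# 192.168.88.0/24 = LAN behind the client.
/ip ipsec peer
add address=203.0.113.1 auth-method=pre-shared-key-xauth exchange-mode=main \
    secret="xauthsharedkey" xauth-login="mylogin" xauth-password="mypassword" \
    generate-policy=port-strict policy-template-group=default \
    mode-config=request-only nat-traversal=yes comment="RW client to vpnrouter"

# Verify: the responder's assigned address and the dynamic policies built from
# its split-include list should now be visible on the client.
/ip ipsec remote-peers print
/ip ipsec policy print where dynamic

# Caveat: the responder's split-include also lists 0.0.0.0/0, so the client
# will request a policy for all traffic, not only for 10.224.0.0/16.

# The dynamic policy's src-address is the single assigned /32, so hosts on the
# client LAN are not matched by it. Source-NAT them to the assigned address
# (it is dynamic; substitute the value shown by remote-peers print).
/ip firewall nat
add chain=srcnat action=src-nat src-address=192.168.88.0/24 \
    dst-address=10.224.0.0/16 to-addresses=<assigned-mode-config-address> \
    comment="LAN behind road warrior -> IPsec mode-config address"
```

The NAT rule is placed before any masquerade rule on the WAN so the tunnel traffic is not rewritten to the public address, which the responder's 192.168.145.0/24 policy templates would reject.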