Site-to-Site IPSEC

I am trying to create a site-to-site IPsec tunnel between two sites.

(192.168.10.0/24) MT1 ---->>(10.19.146.217) LINK (10.19.146.217) —> MT2 (192.168.7.0/24)

Above diagram shows the WAN links and the protected LAN addressing.
MT1 version: 2.9.51
MT2 version: 2.9.27



```text
/ ip ipsec manual-sa 
add name="sa1" ah-algorithm=null esp-auth-algorithm=sha1 esp-enc-algorithm=des ah-key="" \
    esp-auth-key=0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5 \
    esp-enc-key=0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5 ah-spi=0x100 esp-spi=0x100 disabled=no 
/ ip ipsec proposal 
add name="default" auth-algorithms=sha1 enc-algorithms=des,3des lifetime=30m lifebytes=0 pfs-group=none disabled=no 
add name="aes128-sha1-23h" auth-algorithms=sha1 enc-algorithms=des lifetime=23h lifebytes=0 pfs-group=modp1024 disabled=no 
/ ip ipsec policy 
add src-address=192.168.7.0/24:any dst-address=192.168.10.0/24:any protocol=all action=encrypt level=require \
    ipsec-protocols=esp tunnel=yes sa-src-address=10.19.146.217 sa-dst-address=10.19.146.218 proposal=aes128-sha1-23h \
    manual-sa=sa1 dont-fragment=clear disabled=no 
/ ip ipsec peer 
add address=10.19.146.218/32:500 secret="secret" generate-policy=no exchange-mode=main send-initial-contact=yes \
    proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no
```

~~~~~~~~~ MT2 export ~~~~~~~~~

```text
/ ip ipsec policy 
add src-address=192.168.10.0/24:any dst-address=192.168.7.0/24:any protocol=all action=encrypt level=require \
    ipsec-protocols=esp tunnel=yes sa-src-address=10.19.146.218 sa-dst-address=10.19.146.217 proposal=aes128-sha1-23h \
    manual-sa=sa1 dont-fragment=clear disabled=no 
/ ip ipsec manual-sa 
add name="sa1" ah-algorithm=null esp-auth-algorithm=sha1 esp-enc-algorithm=des ah-key="" \
    esp-auth-key=0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5 \
    esp-enc-key=0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5 ah-spi=0x100 esp-spi=0x100 disabled=no 
/ ip ipsec peer 
add address=10.19.146.217/32:500 secret="secret" generate-policy=no exchange-mode=main send-initial-contact=yes \
    proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no 
/ ip ipsec proposal 
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no 
add name="aes128-sha1-23h" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=23h lifebytes=0 pfs-group=modp1024 \
    disabled=no
```

However, when I disable/enable the peer, I get the "invalid" indication for a few seconds and then a "no phase 2" error message. The logs don't show anything.

Any idea where my mistake is?

- My ethernet card has two IP addresses. Is that a problem?
- Do I have to manually create a tunnel interface?

Thank you

Upgrade MT2 to 2.9.51.

I upgraded 2.9.51 to 3.0.22! Still the same problem.
I will upgrade 2.9.21 to 3.x and try again.
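
The two exports posted in the question can be compared mechanically. This is an added example, not part of the original thread and not MikroTik code: it parses the `/ ip ipsec proposal` section of each export and lists the settings that differ between the two sides, plus any proposal that still allows single DES. The function names are hypothetical and the embedded sample is copied from the proposal lines above.

```python
import re

# Constructed sample: the proposal sections as posted in the two exports above
# (SIDE_A = first export, SIDE_B = the block labelled "MT2 export").
SIDE_A = r'''/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=des,3des lifetime=30m lifebytes=0 pfs-group=none disabled=no
add name="aes128-sha1-23h" auth-algorithms=sha1 enc-algorithms=des lifetime=23h lifebytes=0 pfs-group=modp1024 disabled=no
'''
SIDE_B = r'''/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no
add name="aes128-sha1-23h" auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=23h lifebytes=0 pfs-group=modp1024 \
    disabled=no
'''
LIST_KEYS = {"auth-algorithms", "enc-algorithms"}  # comma lists, compared as sets
WEAK = {"des"}                                     # single DES

def parse_proposals(export):
    """Return {proposal name: {setting: value}} from '/ ip ipsec proposal'."""
    text = re.sub(r"\\\s*\n\s*", " ", export)      # join '\' continuation lines
    section, out = None, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            section = " ".join(line.lstrip("/").split())
        elif section == "ip ipsec proposal" and line.startswith("add "):
            kv = {k: v.strip('"') for k, v in
                  re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)}
            out[kv.pop("name")] = kv
    return out

def compare(a, b):
    """List (proposal, setting, side_a, side_b) for every differing setting."""
    diffs = []
    for name in sorted(set(a) & set(b)):
        for key in sorted(set(a[name]) | set(b[name])):
            va, vb = a[name].get(key), b[name].get(key)
            if key in LIST_KEYS:
                same = set((va or "").split(",")) == set((vb or "").split(","))
            else:
                same = va == vb
            if not same:
                diffs.append((name, key, va, vb))
    return diffs

def weak_ciphers(proposals):
    """List (proposal, cipher) pairs where a weak cipher is allowed."""
    return sorted((n, c) for n, p in proposals.items()
                  for c in p.get("enc-algorithms", "").split(",") if c in WEAK)

if __name__ == "__main__":
    a, b = parse_proposals(SIDE_A), parse_proposals(SIDE_B)
    for name, key, va, vb in compare(a, b):
        print(f"MISMATCH {name}: {key} = {va!r} vs {vb!r}")
    for name, cipher in weak_ciphers(a) + weak_ciphers(b):
        print(f"WEAK {name}: allows {cipher}")
```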