VPN (IPSEC) between 2.7.2 and 2.8.12

Is it possible that IPSEC between 2.7.2 and 2.8.12 is not compatible?

I can set up IPSEC between two 2.7.2 just fine, but when one end is 2.8.12 the exact same setup just does not work.

Anybody at MikroTik know if this is the problem or the code has changed?

Tushar

Should not be incompatible… Please post the exact config (/ip ipsec export) here, or, better, write to support@mikrotik.com with your support output files.

I have put xxx in place of the real IP address.


Here is the config 2.8.12


/ ip ipsec policy
add src-address=10.10.11.0/24:any dst-address=10.10.10.0/24:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=216.141.xxx.xxx sa-dst-address=24.173.xxx.xxx \
    proposal=default manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec peer
add address=24.173.xxx.xxx/32:500 secret="xxxxx" generate-policy=no \
    exchange-mode=aggressive send-initial-contact=yes proposal-check=obey \
    hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d \
    lifebytes=0 disabled=no
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
    lifebytes=0 pfs-group=modp1024 disabled=no

Firewall rules

[admin@MikroTik] > ip firewall src-nat export

aug/24/2004 17:37:20 by RouterOS 2.8.12

software id = 69VD-7NT

/ ip firewall src-nat
add src-address=10.10.11.0/24 dst-address=10.10.10.0/24 action=accept \
    comment="" disabled=no
add out-interface=public action=masquerade comment="" disabled=no


Router 2 config

[admin@MikroTik] > ip ipsec export

aug/25/2004 06:35:00 by RouterOS 2.7.2

software id = DJCH-17N

/ ip ipsec policy
add src-address=10.10.10.0/24:any dst-address=10.10.11.0/24:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=24.173.xxx.xxx sa-dst-address=216.141.xxx.xxx \
    proposal=default manual-sa=none dont-fragment=clear disabled=no
add src-address=10.10.10.0/24:any dst-address=10.1.9.0/24:any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=24.173.xxx.xxx sa-dst-address=216.141.xxx.xxx \
    proposal=default manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec peer
add address=216.141.xxx.xxx/32:500 secret="xxxxx" generate-policy=no \
    exchange-mode=aggressive send-initial-contact=yes proposal-check=obey \
    hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d \
    lifebytes=0 disabled=no
add address=216.141.xxx.xxx/32:500 secret="xxxxx" generate-policy=no \
    exchange-mode=aggressive send-initial-contact=yes proposal-check=obey \
    hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d \
    lifebytes=0 disabled=no
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
    lifebytes=0 pfs-group=modp1024 disabled=no

Firewall rules

[admin@MikroTik] > ip firewall src-nat export

aug/25/2004 06:38:56 by RouterOS 2.7.2

software id = DJCH-17N

/ ip firewall src-nat
add src-address=10.10.10.0/24:0-65535 dst-address=10.10.11.0/24:0-65535 \
    out-interface=all protocol=all icmp-options=any:any flow="" \
    connection="" content="" limit-count=0 limit-burst=0 limit-time=0s \
    action=accept to-src-address=0.0.0.0 to-src-port=0-65535 comment="" \
    disabled=no
add src-address=10.10.10.0/24:0-65535 dst-address=10.1.9.0/24:0-65535 \
    out-interface=all protocol=all icmp-options=any:any flow="" \
    connection="" content="" limit-count=0 limit-burst=0 limit-time=0s \
    action=accept to-src-address=0.0.0.0 to-src-port=0-65535 comment="" \
    disabled=no
add src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535 \
    out-interface=public protocol=all icmp-options=any:any flow="" \
    connection="" content="" limit-count=0 limit-burst=0 limit-time=0s \
    action=masquerade to-src-address=0.0.0.0 to-src-port=0-65535 comment="" \
    disabled=no

Could you change exchange-mode setting under /ip ipsec peer to main and test the connection?

That did the trick. It works now.

So to summarise the solution:

2.7.2 <------> 2.7.2 (ip ipsec peer exchange-mode set to aggressive works)

2.7.2 <---------> 2.8.12 (ip ipsec peer exchange-mode needs to be set to main)


Thanks for the solution.

Tushar
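
Added example, not part of the thread and not MikroTik code: a small Python checker that parses two `/ip ipsec export` outputs and reports where the peer and proposal settings of the two ends differ or a policy has no mirrored counterpart, which is worth running after changing exchange-mode on one router. The function names (`parse_export`, `find`, `compare_ends`, `end`) and the sample export are constructed for illustration, with documentation addresses standing in for the masked ones.

```python
import re
import shlex

PHASE1 = ("exchange-mode", "hash-algorithm", "enc-algorithm", "dh-group")
PHASE2 = ("auth-algorithms", "enc-algorithms", "pfs-group")
# Constructed sample export; the {placeholders} are filled in per router by end().
TEMPLATE = r"""/ ip ipsec policy
add src-address={lan}:any dst-address={rlan}:any sa-src-address={wan} \
    sa-dst-address={rwan} proposal=default
/ ip ipsec peer
add address={rwan}/32:500 secret="xxxxx" exchange-mode={mode} \
    hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
"""

def parse_export(text):
    """Parse RouterOS export text into {menu: [{setting: value}, ...]}."""
    text = re.sub(r"\\\s*\n\s*", " ", text)  # join backslash-continued lines
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = " ".join(line.lstrip("/ ").split())
        elif line.startswith("add ") and menu:
            toks = shlex.split(line[4:])  # shlex strips the quotes around values
            menus.setdefault(menu, []).append(dict(t.split("=", 1) for t in toks if "=" in t))
    return menus

def find(cfg, menu, key, value):
    """First entry of an ipsec menu whose key equals value, ignoring /mask:port."""
    entries = cfg.get("ip ipsec " + menu, [])
    return next((e for e in entries if e.get(key, "").split("/")[0] == value), {})

def compare_ends(a, b):
    """List peer/proposal settings that differ between the two ends of a tunnel."""
    issues = []
    mirror = {(p["dst-address"], p["src-address"]): p for p in b.get("ip ipsec policy", [])}
    for pol in a.get("ip ipsec policy", []):
        other = mirror.get((pol["src-address"], pol["dst-address"]))
        if other is None:
            issues.append(f"policy {pol['src-address']} -> {pol['dst-address']}: not mirrored")
            continue
        for menu, key, ref, fields in (("peer", "address", "sa-dst-address", PHASE1),
                                       ("proposal", "name", "proposal", PHASE2)):
            x, y = find(a, menu, key, pol[ref]), find(b, menu, key, other[ref])
            issues += [f"{menu} {f}: {x.get(f)} vs {y.get(f)}" for f in fields if x.get(f) != y.get(f)]
    return issues

def end(lan, rlan, wan, rwan, mode):
    return parse_export(TEMPLATE.format(lan=lan, rlan=rlan, wan=wan, rwan=rwan, mode=mode))
```

Calling `compare_ends(end(...), end(...))` with one end set to `main` and the other left on `aggressive` returns a single `peer exchange-mode` entry; real use would pass `parse_export()` the text of each router's own export.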