I’m trying to create a VPN between GCP and an RB750 v6.42.6; this last one is behind NAT (I created a DMZ) and the external router has a dynamic IP.
This is my config at this moment:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
/ip ipsec peer
add address=35.205.XXX.XXX/32 dh-group=modp1024 enc-algorithm=aes-128 exchange-mode=ike2 \
    generate-policy=port-override lifetime=1w local-address=83.46.0.0
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.132.0.0/24 level=unique proposal=ipsec sa-dst-address=35.205.XXX.XXX \
    sa-src-address=83.46.XXX.XXX src-address=192.168.99.0/24 tunnel=yes
The PH2 state in policies shows “no phase2”; in the logs:
13:45:43 ipsec ike2 request, exchange: SA_INIT:0 35.205.XXX.XXX[500]
13:45:43 ipsec no IKEv2 peer config for 35.205.XXX.XXX
13:45:44 ipsec,debug ===== received 892 bytes from 35.205.XXX.XXX[500] to 192.168.1.33[500]
I have other VPNs working with static IPs between MikroTiks and GCP, but I cannot understand what is happening here.
13:45:43 ipsec no IKEv2 peer config for 35.205.XXX.XXX
13:45:44 ipsec,debug ===== received 892 bytes from 35.205.XXX.XXX[500] to 192.168.1.33[500]
You do not have a suitable peer with local address 192.168.1.33 (or a peer with no local address specified).
This sa-src-address=83.46.XXX.XXX would be a second point of failure if you do not have exactly this address locally on your MikroTik.
Also I am not sure if NAT Traversal is the default setting for peers (or peer profiles; not sure where it is in 6.42.6 RoS).
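As an added illustration of the reply's point (this is not the poster's config and not something the replying author supplied), the peer and policy below are rewritten so that both addresses the router has to own are the one the log shows the SA_INIT arriving on, 192.168.1.33. It assumes the RB750's WAN-side interface holds 192.168.1.33 behind the DMZ NAT, that the GCP tunnel was created against the NAT router's current public address, that the proposal meant is the default one, and that nat-traversal is still a peer property in this release (the reply is itself unsure of that); the GCP address keeps the redacted placeholder from the post and the pre-shared key is a placeholder.

```routeros
# Added example in RouterOS 6.42 CLI syntax; not from the original post.
# Assumption: 192.168.1.33 is the RB750's own address on the NAT'd WAN side.

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des

/ip ipsec peer
# local-address must be an address this router actually holds (the address
# the log shows as the destination of the incoming SA_INIT), or be left unset
# so that any local address matches. A public address that only the upstream
# NAT router owns produces "no IKEv2 peer config for <remote>".
add address=35.205.XXX.XXX/32 dh-group=modp1024 enc-algorithm=aes-128 \
    exchange-mode=ike2 generate-policy=port-override lifetime=1w \
    local-address=192.168.1.33 nat-traversal=yes secret="REPLACE_WITH_PSK"

/ip ipsec policy
set 0 disabled=yes
# sa-src-address is the second place that must name a local address, not the
# NAT router's public one; sa-dst-address stays the GCP gateway.
add src-address=192.168.99.0/24 dst-address=10.132.0.0/24 tunnel=yes \
    level=unique proposal=default \
    sa-src-address=192.168.1.33 sa-dst-address=35.205.XXX.XXX

# Check: PH2 state should leave "no phase2" once the peer matches, and the
# ipsec log lines should no longer report a missing IKEv2 peer config.
/ip ipsec policy print
/log print where topics~"ipsec"
```

On the GCP side the tunnel still has to be defined against whatever public address the NAT router currently has, so with a dynamic upstream IP the GCP tunnel definition needs updating (or re-creating) each time that address changes; the RouterOS side does not see that address at all.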