Hello,
I need your help with the following network:
(in attachment)
I need to build an IPsec site-to-site tunnel between MikroTik and Sophos so that the host PC with IP 192.168.17.100 can reach the server with IP 192.168.1.100.
I have got phase 1 established, but I can't get phase 2, whatever config I use on both sides.
Has anyone done this before who can help me with the config on both sides?
Can I build IPsec if the MikroTik is behind a router and its WAN interface is NATed? Do I need to do any port forwarding for 500, 4500 and ESP? I tried that as well with no success.
Thank you guys
No one??
Hi,
I’m sorry, but you didn’t provide any useful information about your config to help you.
Please post your config and exclude any sensitive data.
What’s in the logs of your MikroTik? Add a log rule in “System” → “Logging” with “debug” and “ipsec” to see what is happening.
Next thing, depending on your FritzBox model, your FritzBox does IPsec too. So there might be a conflicting setup.
But this is just a guess.
Regards,
Ape
Thank you for the reply. Here is my config and logs:
MikroTik config:
# Phase 1 (IKE) settings: DH group, encryption and SA lifetime
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,aes-128 lifetime=2h10m
# Phase 2 (ESP) proposal: accepted ESP ciphers and PFS group
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm pfs-group=modp2048
/ip pool
add name=dhcp_pool0 ranges=192.168.200.20-192.168.200.25
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2 name=dhcp1
/ip address
add address=192.168.200.1/24 interface=ether2 network=192.168.200.0
add address=192.168.178.100/24 interface=ether1 network=192.168.178.0
/ip dhcp-server network
add address=192.168.200.0/24 dns-server=192.168.200.1 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes
# NAT bypass for tunnel traffic must come before the masquerade rule
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.2.0/24 src-address=192.168.200.0/24
add action=masquerade chain=srcnat out-interface=ether1
# Remote gateway (Sophos UTM public address) with pre-shared key
/ip ipsec peer
add address=130.X.X.X/32 compatibility-options=skip-peer-id-validation secret=xXxXxXxXxX
# Policy selecting which subnets are sent through the tunnel
/ip ipsec policy
set 0 dst-address=192.168.2.0/24 src-address=192.168.200.0/24
Sophos config in picture:
MikroTik logs: will be in the picture
Sophos logs:
2018:12:21-04:33:06 test pluto[3425]: packet from 87.X.X.X:500: received Vendor ID payload [Dead Peer Detection]
2018:12:21-04:33:06 test pluto[3425]: "S_test"[1] 87.X.X.X #2: responding to Main Mode from unknown peer 87.X.X.X
2018:12:21-04:33:07 test pluto[3425]: "S_test"[1] 87.X.X.X #2: NAT-Traversal: Result using RFC 3947: peer is NATed
2018:12:21-04:33:07 test pluto[3425]: | NAT-T: new mapping 87.X.X.X:500/4500)
2018:12:21-04:33:07 test pluto[3425]: "S_test"[1] 87.X.X.X:4500 #2: Peer ID is ID_IPV4_ADDR: '192.168.178.84'
2018:12:21-04:33:07 test pluto[3425]: "S_test"[2] 87.X.X.X:4500 #2: Dead Peer Detection (RFC 3706) enabled
2018:12:21-04:33:07 test pluto[3425]: "S_test"[2] 87.X.X.X:4500 #2: sent MR3, ISAKMP SA established
2018:12:21-04:33:07 test pluto[3425]: "S_test"[2] 87.X.X.X:4500 #2: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2018:12:21-04:34:06 test pluto[3425]: "S_test"[1] 87.X.X.X:4500 #1: max number of retransmissions (2) reached STATE_MAIN_R1
2018:12:21-04:34:06 test pluto[3425]: "S_test"[1] 87.X.X.X:4500: deleting connection "S_test"[1] instance with peer 87.X.X.X {isakmp=#0/ipsec=#0}
2018:12:21-05:00:39 test pluto[3425]: "S_test"[2] 87.X.X.X:4500 #2: received Delete SA payload: deleting ISAKMP State #2
2018:12:21-05:00:39 test pluto[3425]: "S_test"[2] 87.X.X.X:4500: deleting connection "S_test"[2] instance with peer 87.X.X.X {isakmp=#0/ipsec=#0}
2018:12:21-05:00:46 test pluto[3425]: packet from 87.X.X.X:500: received Vendor ID payload [RFC 3947]
2018:12:21-05:00:46 test pluto[3425]: packet from 87.X.X.X:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
2018:12:21-05:00:46 test pluto[3425]: packet from 87.X.X.X:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2018:12:21-05:00:46 test pluto[3425]: packet from 87.X.X.X:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2018:12:21-05:00:46 test pluto[3425]: packet from 87.X.X.X:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2018:12:21-05:00:46 test pluto[3425]: packet from 87.X.X.X:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2018:12:21-05:00:46 test pluto[3425]: packet from 87.X.X.X:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2018:12:21-05:00:46 test pluto[3425]: packet from 87.X.X.X:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2018:12:21-05:00:46 test pluto[3425]: packet from 87.X.X.X:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2018:12:21-05:00:46 test pluto[3425]: packet from 87.X.X.X:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
2018:12:21-05:00:46 test pluto[3425]: packet from 87.X.X.X:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2018:12:21-05:00:46 test pluto[3425]: packet from 87.X.X.X:500: ignoring Vendor ID payload [Cisco-Unity]
2018:12:21-05:00:46 test pluto[3425]: packet from 87.X.X.X:500: received Vendor ID payload [Dead Peer Detection]
2018:12:21-05:00:46 test pluto[3425]: "S_test"[3] 87.X.X.X #3: responding to Main Mode from unknown peer 87.X.X.X
2018:12:21-05:00:47 test pluto[3425]: "S_test"[3] 87.X.X.X #3: NAT-Traversal: Result using RFC 3947: peer is NATed
2018:12:21-05:00:47 test pluto[3425]: | NAT-T: new mapping 87.X.X.X:500/4500)
2018:12:21-05:00:47 test pluto[3425]: "S_test"[3] 87.X.X.X:4500 #3: Peer ID is ID_IPV4_ADDR: '192.168.178.84'
2018:12:21-05:00:47 test pluto[3425]: "S_test"[4] 87.X.X.X:4500 #3: deleting connection "S_test"[3] instance with peer 87.X.X.X{isakmp=#0/ipsec=#0}
2018:12:21-05:00:47 test pluto[3425]: "S_test"[4] 87.X.X.X:4500 #3: Dead Peer Detection (RFC 3706) enabled
2018:12:21-05:00:47 test pluto[3425]: "S_test"[4] 87.X.X.X:4500 #3: sent MR3, ISAKMP SA established
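As an added example (not part of this thread), a small Python script that reads pluto lines in the format of the UTM log above and reports, per connection, whether phase 1 and phase 2 came up, whether NAT-T was detected and which peer ID the initiator sent; the sample lines are constructed, and the "IPsec SA established" wording used to detect phase 2 is standard pluto output assumed here rather than taken from this thread.

```python
import ipaddress
import re

# '"conn"[n] peer[:port] #sa: message' part of a pluto line ("packet from" lines are skipped).
_EVENT = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[^\s:]+)(?::\d+)? #(?P<sa>\d+): (?P<msg>.*)')
_PEER_ID = re.compile(r"Peer ID is (?P<kind>\w+): '(?P<ident>[^']+)'")

# Constructed sample in the same format as the UTM log above (not a real capture).
SAMPLE_LOG = """\
2018:12:21-04:33:06 test pluto[3425]: "S_test"[1] 87.X.X.X #2: responding to Main Mode from unknown peer 87.X.X.X
2018:12:21-04:33:07 test pluto[3425]: "S_test"[1] 87.X.X.X #2: NAT-Traversal: Result using RFC 3947: peer is NATed
2018:12:21-04:33:07 test pluto[3425]: "S_test"[1] 87.X.X.X:4500 #2: Peer ID is ID_IPV4_ADDR: '192.168.178.84'
2018:12:21-04:33:07 test pluto[3425]: "S_test"[2] 87.X.X.X:4500 #2: sent MR3, ISAKMP SA established
2018:12:21-04:34:06 test pluto[3425]: "S_test"[1] 87.X.X.X:4500 #1: max number of retransmissions (2) reached STATE_MAIN_R1
2018:12:21-04:35:00 test pluto[3425]: "S_ok"[1] 203.0.113.7 #5: sent MR3, ISAKMP SA established
2018:12:21-04:35:01 test pluto[3425]: "S_ok"[1] 203.0.113.7 #6: sent QR1, IPsec SA established tunnel mode
"""

def analyze(log_text):
    """Return {connection name: state dict} from the recognised pluto messages."""
    conns = {}
    for line in log_text.splitlines():
        m = _EVENT.search(line)
        if not m:
            continue
        st = conns.setdefault(m["conn"], {"peer": m["peer"], "nat_t": False, "peer_id": None,
                                          "isakmp_sa": False, "ipsec_sa": False, "timeouts": 0})
        msg = m["msg"]
        if "peer is NATed" in msg:
            st["nat_t"] = True
        elif "ISAKMP SA established" in msg:
            st["isakmp_sa"] = True            # phase 1 complete
        elif "IPsec SA established" in msg:
            st["ipsec_sa"] = True             # phase 2 complete (standard pluto wording)
        elif "max number of retransmissions" in msg:
            st["timeouts"] += 1               # a half-open exchange gave up
        if pid := _PEER_ID.search(msg):
            st["peer_id"] = (pid["kind"], pid["ident"])
    return conns

def diagnose(state):
    """Findings for one connection, in the order a responder-side admin would check them."""
    findings = []
    if state["isakmp_sa"] and not state["ipsec_sa"]:
        findings.append("phase 1 up but no IPsec SA: compare phase 2 proposal, PFS group and local/remote networks on both ends")
    kind, ident = state["peer_id"] or (None, None)
    if kind == "ID_IPV4_ADDR" and ipaddress.ip_address(ident).is_private:
        findings.append(f"peer identifies as private address {ident} (it is behind NAT); the UTM remote gateway ID must match it")
    if state["timeouts"]:
        findings.append(f"{state['timeouts']} main-mode exchange(s) timed out: check that UDP 500/4500 NAT mappings stay stable")
    return findings
```

Run it over a real UTM log (e.g. `diagnose(analyze(open("ipsec.log").read())["S_test"])`) to get the same three checks Ape applies by hand above.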
Hi,
thank you for providing the additional information.
Unfortunately, I don’t understand what I see, as the IP addresses in your config are different from the IP addresses in your diagram.
From the UTM’s log you provided, I can see a peer ID of “192.168.178.84” is used. This looks like an IP from the LAN of the FritzBox. In the diagram, your MikroTik router is 192.168.178.100. Furthermore, your IPsec policy does not match the nets in the diagram.
If phase 1 establishes correctly, then you need to look at the policies to find the issue.
Regards,
Ape
Hi Ape,
Thank you very much for your message. I saw on your blog that you are also in Germany.
The IPs in the diagram are just an example; the real IPs are as in the logs.
Phase 1 is established, but unfortunately I don’t see anything under Installed SAs. The exchange mode has to be main; with IKEv2 phase 1 did not come up either, but MikroTik says that main is insecure and one should use certificates for it.
Any idea?
Regards,
Ali. Zawawi
Hi to all, I got this to work after a few hours of testing. If someone needs to establish the same IPsec between Sophos UTM and MikroTik, just reply here and I will help you out with the configuration.
Wish you all a Merry Christmas and Happy New Year
I established an IPsec connection in an almost similar way, but I can't route traffic through the IPsec connection; all of it goes through the WAN only.
Hello, would you be so kind and help me with IPsec between MikroTik and Sophos UTM? I have exactly the same problem as you had: only phase 1 and no phase 2.