mgo
just joined
Topic Author
Posts: 9
Joined: Fri Jun 23, 2017 12:49 pm

LAN2LAN ipsec tunnel with Juniper

Mon May 07, 2018 11:52 am

Hello,
we have to configure an IPsec tunnel to our customer, who has a Juniper router. All we have are the following parameters.
Is it possible to establish such a tunnel on a cheap router (RB960PGS)?

Kind Regards,

Device Manufacturer Juniper
Model SSG 140
VPN Gateway x.x.x.x

IKE Phase 1
Internet-Key-Exchange-Pro IKEv1
Authentication Method PSK
Diffie-Hellman Group 5
Encryption Algorithm AES-CBC (256 Bits)
Hash-Algorithm SHA2 (256 Bits)
Lifetime IKE Phase 1 28800
Xauthentication Mode Disable

IKE Phase 2

Perfect Forward Secrecy
Diffie-Hellman Group 5
Encapsulation ESP
Encryption Algorithm AES-CBC (256 Bits)
Authentication Algorithm SHA2 (256 Bits)

Lifetime 3600
Proxy ID Enable
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: LAN2LAN ipsec tunnel with Juniper

Mon May 07, 2018 6:18 pm

I'm not sure what "Proxy ID Enable" means, but otherwise I don't see anything clearly not supported by RouterOS. Phase 1 config goes in /ip ipsec peer, phase 2 in /ip ipsec proposal, group names can be found here, then specify what traffic should go via tunnel in /ip ipsec policy, and that should be it.
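
The three menus named in the reply above, filled in from the parameter sheet in the first post. This is an added example, not part of any post in the thread, and it assumes RouterOS 6.x syntax from the time of the thread (newer RouterOS versions split the peer settings across /ip ipsec profile and /ip ipsec identity). All addresses, the proposal name and the secret are constructed placeholders.

```routeros
# Constructed values (not from the thread):
#   203.0.113.10    stands in for the Juniper gateway (x.x.x.x in the sheet)
#   198.51.100.20   MikroTik public address
#   192.168.88.0/24 local LAN, 10.10.0.0/24 customer LAN

# Phase 1: IKEv1, PSK without XAuth, DH group 5 (modp1536),
# AES-256, SHA-256, lifetime 28800 s = 8h
/ip ipsec peer
add address=203.0.113.10/32 exchange-mode=main auth-method=pre-shared-key \
    secret="REPLACE-WITH-PSK" dh-group=modp1536 enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h

# Phase 2: ESP, AES-256-CBC, SHA-256, PFS with DH group 5, lifetime 3600 s = 1h
/ip ipsec proposal
add name=juniper-p2 enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp1536 lifetime=1h

# Policy: which traffic enters the tunnel. src-address/dst-address are the
# phase 2 traffic selectors RouterOS sends, so the remote side's phase 2
# local/remote networks have to mirror them exactly.
/ip ipsec policy
add src-address=192.168.88.0/24 dst-address=10.10.0.0/24 tunnel=yes \
    sa-src-address=198.51.100.20 sa-dst-address=203.0.113.10 \
    ipsec-protocols=esp proposal=juniper-p2
```

A mismatch in any phase 1 or phase 2 value, or in the policy subnets, makes negotiation fail, so each line should be checked against what the remote administrator has actually configured.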
 
mgo
just joined
Topic Author
Posts: 9
Joined: Fri Jun 23, 2017 12:49 pm

Re: LAN2LAN ipsec tunnel with Juniper

Tue May 08, 2018 12:18 pm

Thank you Sob, will try it.
 
mgo
just joined
Topic Author
Posts: 9
Joined: Fri Jun 23, 2017 12:49 pm

Re: LAN2LAN ipsec tunnel with Juniper

Wed Jun 13, 2018 10:11 am

Hello again,
as you predicted, we have a problem with the proxy ID setting. As the admin of the Juniper said, our side has no proxy ID configured for phase 2.
I am afraid there is no such setting on MikroTik...
I will be happy if someone could shed some light on it.

Kind Regards
Mac
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: LAN2LAN ipsec tunnel with Juniper

Thu Jun 14, 2018 12:08 am

Unfortunately for you, I don't know anything about Juniper, but I'm sure somebody else here does. Let's hope they notice your thread.

But if I had this problem, I'd start with IPSec logs. If you enable the "ipsec" topic in System->Logging, you'll get a lot of logs from IPSec. Go through them and hopefully there will be some hint as to what's wrong. I'm wondering if this proxy ID is in any way related to (or can be influenced by) the "My ID" option in RouterOS.
 
rkau045
newbie
Posts: 45
Joined: Mon Jun 25, 2012 9:14 pm

Re: LAN2LAN ipsec tunnel with Juniper

Thu Jun 14, 2018 2:02 am

The Juniper should be set up as a policy-based VPN; it seems that they have it set up as route-based, and only partially at that, if the cited config is complete.
I do not believe that it is possible to use IPSec in a route-based configuration unless both endpoints are Juniper devices.
Proxy ID should not be enabled on the Juniper router.

 
mgo
just joined
Topic Author
Posts: 9
Joined: Fri Jun 23, 2017 12:49 pm

Re: LAN2LAN ipsec tunnel with Juniper

Tue Jun 19, 2018 4:54 pm

Problem solved.
Switching to policy-based IPsec on the Juniper probably did the trick; nothing was changed on the MikroTik side. Thanks for the help.
Best Regards
