Klfak
just joined
Topic Author
Posts: 3
Joined: Tue Feb 16, 2021 4:39 pm

IPsec tunnel - no phase 2

Tue Feb 16, 2021 4:48 pm

Hi,
I have a problem with IPsec tunnels.

Here is the config and log

213.226.208.xx failed to get valid proposal.
213.226.208.xx failed to pre-process ph1 packet (side: 1, status 1).

HQ configuration

/ip ipsec peer
add address=213.226.220.xx/32 name=Kovprojekt
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256 name=\
Ipsec_Stroje
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-256-cbc name=Stroje
/ip ipsec identity
add disabled=yes generate-policy=port-override peer=Dynamic secret=stroje01
add peer=Stroje secret="aaaa"
/ip ipsec policy
add dst-address=192.168.88.0/24 peer=Stroje proposal=Stroje sa-dst-address=77.236.206.xx sa-src-address=213.226.220.xx src-address=10.22.1.0/24 tunnel=yes
add dst-address=192.168.90.0/24 peer=Stroj02 proposal=Stroje sa-dst-address=213.226.208.xx sa-src-address=0.0.0.0 src-address=10.22.1.0/24 tunnel=yes

Client configuration
/ip ipsec peer
add address=213.226.220.xx/32 name=Centrala
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256 name=\
Ipsec_Stroje
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=Stroje
/ip ipsec identity
add peer=Centala secret="aaaa"
/ip ipsec policy
add dst-address=10.22.1.0/24 peer=Centrala proposal=Stroje sa-dst-address=\
213.226.220.xx sa-src-address=192.168.1.99 src-address=192.168.90.0/24 \
tunnel=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=10.22.1.0/24 src-address=\
192.168.90.0/24

But I have a second client with the same config (subnet 88.0/24); it is the first policy, and that one works.

If you have a better way to connect multiple clients to HQ, give me a tip :) I need access to all devices behind the client (PLC computers etc.).

Thank you
Petr
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IPsec tunnel - no phase 2

Wed Feb 17, 2021 2:09 pm

Hello, did you enable IPsec logging? There is a ton of information in there.
Also, I don't see any PFS group in your config.

Here is a reference link; maybe it will help you. Check the site-to-site section.
https://wiki.mikrotik.com/wiki/Manual:I ... entication
 
Klfak
just joined
Topic Author
Posts: 3
Joined: Tue Feb 16, 2021 4:39 pm

Re: IPsec tunnel - no phase 2

Wed Feb 17, 2021 2:15 pm

Hi,
Today I made some progress.
I have L2TP over IPsec and IPsec at the same time,
and the clients get the proposals and secret from the L2TP config, not from the IPsec config.
If I disable the L2TP server, the tunnels come up normally.

Is there any way I can have both services?

P.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IPsec tunnel - no phase 2

Wed Feb 17, 2021 2:33 pm

Did you try to use a different proposal and profile other than the default one? Also try using a template.
 
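The two suggestions in this thread (turn on IPsec logging, and move the site-to-site peers off the default profile and proposal so they stop colliding with the L2TP/IPsec server) combined into one HQ-side configuration. This is an added example, not the thread author's config or anything from MikroTik: the object names (site2site, site-88, site-90), the secrets and the public /32 addresses are placeholders modelled on the original post (the "xx" octets are kept as posted), and the parameter names are those of RouterOS 6.45 and later. It relies on the documented behaviour that an L2TP server with use-ipsec on builds its dynamic peer and identity from the default profile and the default proposal, so those two objects stay enabled and are tightened rather than disabled or renamed as in the posted config, while every static peer gets its own profile, proposal and pre-shared key. It also replaces modp1024 and the RouterOS default sha1 with modp2048 and sha256; both ends must carry identical phase-1 (profile) and phase-2 (proposal) settings or the remote will log "failed to get valid proposal" exactly as in the first post.

```routeros
# 1. Log IKE negotiation to memory; "!packet" keeps per-packet hex dumps out.
#    Read it back with:  /log print where topics~"ipsec"
/system logging
add topics=ipsec,!packet action=memory

# 2. L2TP/IPsec for road warriors uses the *default* profile and proposal.
#    Do not disable or rename them while use-ipsec is on; harden them instead.
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="L2TP-ONLY-SECRET"

# 3. Site-to-site tunnels get their own profile and proposal (assumed names),
#    so a change for one service can never alter the other.
/ip ipsec profile
add name=site2site dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
add name=site2site auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# 4. One peer per remote site, pinned to that site's public /32 and to the
#    site2site profile, instead of a peer that several policies share.
/ip ipsec peer
add name=site-88 address=213.226.220.xx/32 exchange-mode=main profile=site2site
add name=site-90 address=213.226.208.xx/32 exchange-mode=main profile=site2site

# 5. One identity per peer with its own PSK; none of them reuses the L2TP secret.
/ip ipsec identity
add peer=site-88 auth-method=pre-shared-key secret="SITE-88-SECRET"
add peer=site-90 auth-method=pre-shared-key secret="SITE-90-SECRET"

# 6. One policy per remote subnet, bound to its peer and to the site2site proposal.
/ip ipsec policy
add peer=site-88 proposal=site2site tunnel=yes src-address=10.22.1.0/24 dst-address=192.168.88.0/24
add peer=site-90 proposal=site2site tunnel=yes src-address=10.22.1.0/24 dst-address=192.168.90.0/24

# 7. Keep tunnel traffic out of masquerade: the accept rules must sit above the
#    masquerade rule, hence place-before=0.
/ip firewall nat
add chain=srcnat action=accept src-address=10.22.1.0/24 dst-address=192.168.88.0/24 place-before=0
add chain=srcnat action=accept src-address=10.22.1.0/24 dst-address=192.168.90.0/24 place-before=0
```

Each client carries the mirror image: the same site2site profile and proposal values, one peer pointing at the HQ address, an identity with that site's own secret, and a policy with src and dst swapped. With the log enabled, the first thing to check when a tunnel stays in phase 1 is which peer entry the remote address is being matched against; if it is the dynamic L2TP peer rather than the named static one, the remote is being offered the wrong profile and the wrong secret, which matches what the thread describes.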
Klfak
just joined
Topic Author
Posts: 3
Joined: Tue Feb 16, 2021 4:39 pm

Re: IPsec tunnel - no phase 2

Mon Mar 15, 2021 4:37 pm

Hi, sorry for the late reply.

Yes, all phases use my proposal. But when I enable L2TP I have the wrong secret key.

P.
