I've installed a fresh 6.22.3 RouterOS (actually, as a Cloud Hosted Router). I'm trying to initiate an IPSEC connection with a Palo Alto firewall.
What makes me sad is that I cannot force MikroTik to turn off NAT-Traversal when working in IKE2 mode.
Specifically:
1. My IPSEC profile. Note that nat-traversal is off.
/ip ipsec profile print
...
1 name="my_profile" hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128
dh-group=ecp384,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024 lifetime=1d proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5
/ip ipsec peer print
0 name="my_peer" address=185.61.0.1/32 local-address=185.61.0.2 profile=my_profile exchange-mode=ike2 send-initial-contact=no
If I change exchange-mode to main, then it starts using port 500, but switches to IKEv1, which I don't want.
Does anyone have ideas?