Uqbar
Member Candidate
Topic Author

IPSec VPN interoperability

Tue May 05, 2015 12:39 pm

I am trying to create a site-to-site IPSec VPN between a Mikrotik v6.28 and a Gateprotect v9.4.
I managed to make a site-to-site IPSec VPN between two Mikrotiks.

On the Mikrotik side I have:
PROPOSAL: Auth. Algo: SHA1; Encr. Algo: 3DES; Lifetime: default (00:30:00); PFS: Modp1024
PEER: Destination: 2.2.2.2; Port:500; Auth. method: PSK; Passive: no; Secret: something; Policy TG: default; Exchange mode: main; Send initial contact: yes; Proposal check: obey; Hash algo: SHA1; Encr. Algo: 3DES
POLICY: Src Addr: 172.16.9.0/24; Dst Addr: 172.16.6.0/24; Action: encrypt; Level: require; IPSec Proto: AH+ESP; Tunnel: yes; SA Src Addr: 1.1.1.1; SA Dst Addr: 2.2.2.2; Proposal: default (the one described above).

Then I have set up the firewall:
NAT: Chain: srcnat; Src Addr: 172.16.9.0/24; Dst Addr: 172.16.6.0/24; Action: accept

On the gateProtect I don't have exactly the same stuff, but:
Local network: 172.16.6.0/24
Remote network: Destination: 1.1.1.1; Network: 172.16.9.0/24; Do not initiate: yes;
Authentication: Type: PSK; Preshared key: something;
Cryptography: ISAKMP: IKEv1; Crypto Algo: 3DES; Auth. Algo: SHA1; DH Group: MODP 1024; Lifespan: 7800s; IPSec Cryp. Algo: 3DES; IPSec Auth. Algo: SHA1; Validity period: 3600s; PFS: yes; PFS Group: MODP 1024
Advanced: Compression: no

The connection is reported as "up" in the Mikrotik logs while it's "down" on the Gateprotect GUI.
On both the Mikrotik and the GP I can see "ISAKMP_SA established" but there's no traffic flowing between the two LANs.
Is this enough and I just need to adapt the routing/firewalling?
How can I troubleshoot this?
 
mrz
MikroTik Support

Re: IPSec VPN interoperability

Thu May 21, 2015 6:26 pm

1. Look at the remote-peers section and see if the status is "established". It will indicate that phase 1 succeeded.
2. Look at installed-sas; if you get two SAs with valid SPI numbers then phase 2 succeeded too.
3. If any of the above failed then enable ipsec debug logs to see which parameters are mismatched.

If both phase 1 and phase 2 are successfully established but there is still no traffic on the SAs then it is not an IPsec problem: packets do not match the created policies, either because of a wrong src or dst address or because packets got NATed.
 
mariusmoise
just joined

Re: IPSec VPN interoperability

Fri Jun 12, 2015 7:46 pm

Hi,

I have the same issue between Mikrotik and Gateprotect.
IPSec Remote Peer shows as "established", but the IPsec SA shows "none" for Authentication Algorithm and Encr. Algorithm, and no Auth Key and Encr. Key.
 
mariusmoise
just joined

Re: IPSec VPN interoperability

Tue Jun 16, 2015 8:53 am

First phase negotiates successfully, but fails on Phase 2 with error:
"fatal INVALID-MESSAGE-ID notify message, phase1 should be deleted", and on Installed SAs I can see that at Auth and Encrypt all fields show as "none".

Did anyone else encounter this case?
 
mariusmoise
just joined

Re: IPSec VPN interoperability

Tue Jun 16, 2015 12:58 pm

In our case the issue was that on the other side they had to select "Site-to-Site VPN" and not "Client-to-Site".
 
smichelsza
just joined

Re: IPSec VPN interoperability

Tue Jul 14, 2015 11:18 am

1. Look at the remote-peers section and see if the status is "established". It will indicate that phase 1 succeeded.
2. Look at installed-sas; if you get two SAs with valid SPI numbers then phase 2 succeeded too.
3. If any of the above failed then enable ipsec debug logs to see which parameters are mismatched.

If both phase 1 and phase 2 are successfully established but there is still no traffic on the SAs then it is not an IPsec problem: packets do not match the created policies, either because of a wrong src or dst address or because packets got NATed.

I have the following situation with version 6.30 - I hope that you can assist (one-way connection problem via an IPSec tunnel).

Referring to the above:

Item 1 above : success
Item 2 above : success (please see below)

So, it would appear that Phase 1 and Phase 2 are successful and that an IPSec tunnel has been successfully established between the two peer networks, one on each side of the tunnel (in this case 192.168.109.0/24 and 192.168.12.0/24).

Ping ICMP traffic is successful in one direction - remote to local - (I can 'see' (torch) ICMP packets arriving at the pinged IP address).

However, when I ping a remote network host (with source and destination addresses matching the policy for Peer IPs i.e. src=192.168.12.253 pinging 192.168.109.1 or 192.168.109.5), an SPI with 0 gets created. It is as if ICMP ping data (with correct source and destination IP addresses) does not pass into the SA that has been established to tunnel traffic to the remote network.

/ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0xAB68DB8 src-address=RemotePublicIP:1024 dst-address=local:4500
state=mature auth-algorithm=sha1 enc-algorithm=3des
auth-key="52f6f6859dff1b7b94c2f2b75d18deacf1d7ebe1"
enc-key="7b5f6409026a9f124e61c62260d22a9a7f51094287c3146d"
add-lifetime=48m/1h replay=128

1 E spi=0xBB85FE16 src-address=local:4500 dst-address=RemotePublicIP:1024
state=mature auth-algorithm=sha1 enc-algorithm=3des
auth-key="482fd2f66129ebde0aab1479e08eec09a5cebb59"
enc-key="d51cc03138521a59bfd0c2a41abb6c8f25dbe18a1821ee66"
add-lifetime=48m/1h replay=128

2 E spi=0 src-address=localPublicIP:8 dst-address=RemotePublicIP state=larval
add-lifetime=0s/30s replay=128

SPI=0 forms temporarily for ping traffic from local to remote, instead of going via spi=0xBB85FE16

There are NO active filter firewall rules and there is one NAT bypass rule (action=accept) at position 0

0 chain=srcnat action=accept src-address=192.168.12.0/24
dst-address=192.168.109.0/24 log=no log-prefix=""

1 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0
out-interface=ether1-gateway log=no log-prefix=""

Please can you advise what else to look at.
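As an added example, not code from any poster in this thread, here is a small Python checker that applies mrz's step 2 to installed-sa output like the listing above: it parses the print output and flags larval spi=0 entries and SAs whose algorithms show "none", the two symptoms smichelsza and mariusmoise reported. The sample text is constructed from smichelsza's post with the keys dropped; "local", "localPublicIP" and "RemotePublicIP" are the poster's own placeholders.

```python
import re

# Constructed sample modelled on smichelsza's installed-sa output above (keys dropped);
# "local", "localPublicIP" and "RemotePublicIP" are the poster's placeholders, not real addresses.
SAMPLE_INSTALLED_SA = """\
Flags: A - AH, E - ESP
 0 E spi=0xAB68DB8 src-address=RemotePublicIP:1024 dst-address=local:4500
     state=mature auth-algorithm=sha1 enc-algorithm=3des add-lifetime=48m/1h replay=128
 1 E spi=0xBB85FE16 src-address=local:4500 dst-address=RemotePublicIP:1024
     state=mature auth-algorithm=sha1 enc-algorithm=3des add-lifetime=48m/1h replay=128
 2 E spi=0 src-address=localPublicIP:8 dst-address=RemotePublicIP state=larval
     add-lifetime=0s/30s replay=128
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+([AE])\s+(.*)$")  # "0 E key=val ..." starts an entry
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')           # key=value or key="quoted value"


def parse_installed_sa(text):
    """Parse print output into one dict per SA; indented continuation lines join the last entry."""
    sas, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "proto": m.group(2)}
            sas.append(current)
            line = m.group(3)
        if current is None:
            continue  # header such as "Flags: ..."
        for key, val in KV_RE.findall(line):
            current[key] = val.strip('"')
    return sas


def check_phase2(sas):
    """mrz's step 2: healthy only with a mature, non-zero-SPI SA with real algorithms each way."""
    findings, good = [], []
    for s in sas:
        spi = int(s.get("spi", "0"), 16)
        where = f"SA {s['index']} {s.get('src-address')} -> {s.get('dst-address')}"
        if s.get("state") != "mature" or spi == 0:
            findings.append(f"{where}: state={s.get('state')} spi={spi:#x}: packets matched a "
                            "policy but no usable SA exists (check policy src/dst, NAT bypass, peer)")
        elif "none" in (s.get("auth-algorithm", "none"), s.get("enc-algorithm", "none")):
            findings.append(f"{where}: no auth/enc algorithm, phase 2 proposal was not agreed")
        else:
            good.append(s)
    dirs = {(s["src-address"].split(":")[0], s["dst-address"].split(":")[0]) for s in good}
    if len(dirs) < 2:
        findings.append(f"only {len(dirs)} usable direction(s); phase 2 needs one SA each way")
    return not findings, findings
```

Run against the sample it reports the larval SA 2 as the only finding; with just the two mature SAs it reports phase 2 healthy.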
 
nriedman
just joined

Re: IPSec VPN interoperability

Thu Aug 11, 2016 5:18 pm

Any other updates on this topic? We are also running into an issue between MT and a Cisco ASA. The Remote Peer shows established and we have SAs but keep getting the following in the ipsec debug log:

Aug/11/2016 14:05:50 ipsec,debug initiate new phase 2 negotiation: 173.165.127.60[500]<=>198.182.15.249[500]
Aug/11/2016 14:05:50 ipsec,debug pfkey GETSPI succeeded: ESP/Tunnel 198.182.15.249[500]->173.165.127.60[500] spi=108686035(0x67a6ad3)
Aug/11/2016 14:05:50 ipsec,debug sent phase2 packet 173.165.127.60[500]<=>198.182.15.249[500] 198523ea44f00e30:ae6d6337e2f1f8e0:0000f2e0
Aug/11/2016 14:05:50 ipsec,debug fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Aug/11/2016 14:05:50 ipsec,debug Message: '1 v P_+ # %h o } h \ zj p p p - Y TA Q g [ u P\ '.
Aug/11/2016 14:06:00 ipsec,debug resent phase2 packet 173.165.127.60[500]<=>198.182.15.249[500] 198523ea44f00e30:ae6d6337e2f1f8e0:0000f2e0
Aug/11/2016 14:06:00 ipsec,debug fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Aug/11/2016 14:06:00 ipsec,debug Message: '1 v P_+ # %h o } h \ zj p p p - Y TA Q g [ u P\ '.
Aug/11/2016 14:06:10 ipsec,debug resent phase2 packet 173.165.127.60[500]<=>198.182.15.249[500] 198523ea44f00e30:ae6d6337e2f1f8e0:0000f2e0
Aug/11/2016 14:06:10 ipsec,debug fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Aug/11/2016 14:06:10 ipsec,debug Message: '1 v P_+ # %h o } h \ zj p p p - Y TA Q g [ u P\ '.
Aug/11/2016 14:06:20 ipsec,debug 198.182.15.249 give up to get IPsec-SA due to time up to wait.

Any ideas??
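As an added example, not from any poster, a Python triage helper for mrz's step 3: it reads ipsec debug lines like the ones above and pulls out the two peers, the number of phase 2 attempts, the fatal notify that ended them and whether the peer gave up, mapping INVALID-ID-INFORMATION and INVALID-MESSAGE-ID back to the causes discussed in this thread. The sample log is constructed from nriedman's lines with RFC 5737 documentation addresses in place of the real peers.

```python
import re
from collections import Counter

# Constructed lines in the shape of the ipsec,debug output posted above, with RFC 5737
# documentation addresses substituted for the poster's real peers.
SAMPLE_LOG = """\
Aug/11/2016 14:05:50 ipsec,debug initiate new phase 2 negotiation: 203.0.113.1[500]<=>198.51.100.2[500]
Aug/11/2016 14:05:50 ipsec,debug pfkey GETSPI succeeded: ESP/Tunnel 198.51.100.2[500]->203.0.113.1[500] spi=108686035(0x67a6ad3)
Aug/11/2016 14:05:50 ipsec,debug sent phase2 packet 203.0.113.1[500]<=>198.51.100.2[500] 198523ea44f00e30:ae6d6337e2f1f8e0:0000f2e0
Aug/11/2016 14:05:50 ipsec,debug fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Aug/11/2016 14:06:00 ipsec,debug resent phase2 packet 203.0.113.1[500]<=>198.51.100.2[500] 198523ea44f00e30:ae6d6337e2f1f8e0:0000f2e0
Aug/11/2016 14:06:00 ipsec,debug fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Aug/11/2016 14:06:20 ipsec,debug 198.51.100.2 give up to get IPsec-SA due to time up to wait.
"""

# The two fatal notifies that appear in this thread, mapped back to what the posters found.
NOTIFY_HINTS = {
    "INVALID-ID-INFORMATION": "peer rejected the phase 2 identities: its local/remote networks "
                              "do not match our policy src/dst (compare both sides' subnets)",
    "INVALID-MESSAGE-ID": "peer rejected the phase 2 exchange: in mariusmoise's case the remote "
                          "end was set to client-to-site instead of site-to-site",
}
NOTIFY_RE = re.compile(r"fatal ([A-Z-]+) notify")
PEERS_RE = re.compile(r"phase 2 negotiation: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")


def triage(log_text):
    """Summarise a debug capture: peers, phase 2 attempts, which notify killed them, and a hint."""
    r = {"peers": None, "phase2_attempts": 0, "notifies": Counter(), "gave_up": False, "hints": []}
    for line in log_text.splitlines():
        if m := PEERS_RE.search(line):
            r["peers"] = (m.group(1), m.group(2))
        if " phase2 packet " in line:          # covers both "sent" and "resent"
            r["phase2_attempts"] += 1
        if m := NOTIFY_RE.search(line):
            r["notifies"][m.group(1)] += 1
        if "give up to get IPsec-SA" in line:
            r["gave_up"] = True
    for name in r["notifies"]:
        r["hints"].append(NOTIFY_HINTS.get(name, f"{name}: not covered here, check the peer's IKE log"))
    return r
```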
