Community discussions

MikroTik App
 
loveman
Member
Member
Topic Author
Posts: 349
Joined: Tue Mar 10, 2015 9:32 pm

VPN problem in gns3 ipsec?

Tue Jun 02, 2020 12:02 am

Hello everyone,
My case i used chr 6.46.6 in gns3 2.2.8 and the same version of gns3 2.2.8 in VMware workstation.
In this lab i will show you in picture below:
Lab.jpg
I need to connect vpn ipsec between R1 and R2 through R Internet,
Applied to configure ipsec in R1 and R2 all configure of Routers show below:
R1
[admin@R1] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 10.10.10.1/30 10.10.10.0 ether2
1 192.168.10.1/24 192.168.10.0 ether1


[admin@R1] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADC 10.10.10.0/30 10.10.10.1 ether2 0
1 A S 11.11.11.0/30 10.10.10.2 1
2 A S 12.12.12.0/24 192.168.10.2 1
3 ADC 192.168.10.0/24 192.168.10.1 ether1 0



[admin@R1] > ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 name="peer1" address=11.11.11.1/32 profile=profile1 exchange-mode=main
send-initial-contact=no
[admin@R1] >


[admin@R1] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
# TUN SRC-ADDRESS
0 T * ::/0
1 yes 192.168.10.0/24

[admin@R1] > ip ipsec profile print
Flags: * - default
0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des
dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey
nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

1 name="profile1" hash-algorithm=md5 enc-algorithm=camellia-128
dh-group=modp1024 lifetime=1d proposal-check=obey nat-traversal=yes
dpd-interval=2m dpd-maximum-failures=5
[admin@R1] >


[admin@R1] > ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1
enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m
pfs-group=modp1024

1 name="proposal1" auth-algorithms=md5 enc-algorithms=camellia-128
lifetime=30m pfs-group=modp1024
[admin@R1] >


[admin@R1] > ip ipsec key print
Flags: P - private-key, R - rsa
# NAME KEY-SIZE
0 PR secrt 1024-bit
[admin@R1] >

R3
[admin@R3] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 12.12.12.1/24 12.12.12.0 bridge1
1 192.168.10.2/24 192.168.10.0 ether1
[admin@R3] >


[admin@R3] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADC 12.12.12.0/24 12.12.12.1 bridge1 0
1 ADC 192.168.10.0/24 192.168.10.2 ether1 0
[admin@R3] >

R Internet
[admin@Internet] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 11.11.11.2/30 11.11.11.0 ether2
1 10.10.10.2/30 10.10.10.0 ether1
[admin@Internet] >



[admin@Internet] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADC 10.10.10.0/30 10.10.10.2 ether1 0
1 ADC 11.11.11.0/30 11.11.11.2 ether2 0
2 A S 192.168.10.0/24 10.10.10.1 1
3 A S 192.168.20.0/24 11.11.11.1 1
[admin@Internet] >



[admin@Internet] > ip neighbor print
# INTERFACE ADDRESS
0 ether1 10.10.10.1
1 ether2 11.11.11.1
[admin@Internet] >


R2
[admin@R2] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.20.1/24 192.168.20.0 ether3
1 11.11.11.1/30 11.11.11.0 ether2
[admin@R2] >


[admin@R2] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 10.10.10.0/30 11.11.11.2 1
1 ADC 11.11.11.0/30 11.11.11.1 ether2 0
2 A S 13.13.13.0/24 192.168.20.2 1
3 ADC 192.168.20.0/24 192.168.20.1 ether3 0
[admin@R2] >


[admin@R2] > ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 name="peer1" address=10.10.10.1/32 profile=profile1 exchange-mode=main
send-initial-contact=no
[admin@R2] >


[admin@R2] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
# TUN SRC-ADDRESS
0 T * ::/0
1 yes 192.168.20.0/24
[admin@R2] >


[admin@R2] > ip ipsec profile print
Flags: * - default
0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des
dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey
nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

1 name="profile1" hash-algorithm=md5 enc-algorithm=camellia-128
dh-group=modp1024 lifetime=1d proposal-check=obey nat-traversal=yes
dpd-interval=2m dpd-maximum-failures=5
[admin@R2] >





[admin@R2] > ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1
enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m
pfs-group=modp1024

1 name="proposal1" auth-algorithms=md5 enc-algorithms=camellia-128
lifetime=30m pfs-group=modp1024
[admin@R2] >



[admin@R2] > ip ipsec key print
Flags: P - private-key, R - rsa
# NAME KEY-SIZE
0 R secrt 1024-bit
[admin@R2] >


R4
[admin@R4] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.20.2/24 192.168.20.0 ether1
1 13.13.13.1/24 13.13.13.0 bridge1
[admin@R4] >



[admin@R4] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADC 13.13.13.0/24 13.13.13.1 bridge1 0
1 ADC 192.168.20.0/24 192.168.20.2 ether1 0
[admin@R4] >


Where the problem because my case the vpn ipsec not established where i found "no phase2" in R1 and the same in R2?
Any help?
You do not have the required permissions to view the files attached to this post.

Who is online

Users browsing this forum: No registered users and 4 guests