commander86
just joined
Topic Author
Posts: 8
Joined: Mon Mar 25, 2013 8:06 pm

IPSec Site-to-Site Problem Mikrotik RB1100AHx2 - CCR1009 - no SHA512

Wed Sep 02, 2015 1:55 pm

Hey Folks,

While configuring the router for our new branch office I couldn't get IPsec running (there are no problems between two CCR1009s).

The problem is that I can't get the connection working with SHA512. While configuring another branch office with an RB1100AHx2 I had the same problem, but after a lot of testing it began working for no apparent reason.

With the new router there seems to be no way to get it working. Here's the config from the branch router:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,sha512 enc-algorithms=aes-128-cbc,aes-256-cbc
add enc-algorithms=aes-256-cbc name=prop-CGN_SAR
/ip ipsec peer
add address=172.16.216.1/32 dh-group=modp2048 enc-algorithm=aes-256 local-address=0.0.0.0 secret=<somesecret>
/ip ipsec policy
add dst-address=192.168.80.0/21 proposal=prop-CGN_SAR sa-dst-address=172.16.216.1 sa-src-address=172.16.216.2 src-address=192.168.66.0/24 tunnel=yes
To get it working I've added SHA1 in the proposal settings.

The config on the central office site is:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,sha512 enc-algorithms=aes-128-cbc,aes-256-cbc
add auth-algorithms=sha1,sha512 enc-algorithms=aes-128-cbc,aes-256-cbc name=prop-saarland
/ip ipsec peer
add address=172.16.216.2/32 dh-group=modp2048 enc-algorithm=aes-256 local-address=172.16.216.1 nat-traversal=no secret=<somesecret> send-initial-contact=no
/ip ipsec policy
add dst-address=192.168.66.0/24 proposal=prop-saarland sa-dst-address=172.16.216.2 sa-src-address=172.16.216.1 src-address=192.168.80.0/21 tunnel=yes

/ip ipsec peer print
address=172.16.216.2/32 local-address=172.16.216.1 passive=no port=500 auth-method=pre-shared-key secret="<somesecret>" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=no 
      nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5 
Here too I've added SHA1 and AES-128-CBC for testing. The tunnel is now up and running inside an L2TP tunnel (same as with the other branch offices).

Can anyone give me any advice on what the failure might be? While testing it had the same configuration as the other branch office, which works with an RB1100AHx2 and SHA512 with AES-256-CBC.

The next problem is that I have a massive count of dynamic IPsec policies on the central site. Normally there were under 30, but now there are 194 (!) policies. I have had this problem since upgrading to 6.31. Does anyone have a suggestion to fix this problem?

Greetings from Cologne
Sven
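A quick way to check what the two sides quoted above can actually agree on in phase 2 is to parse both exports and intersect the algorithm lists of the proposals the policies reference. The script below is an added example, not code from the post or from MikroTik; the two exports are constructed from the configs quoted in the post (secrets omitted). It assumes that a proposal created with `add` and no explicit `auth-algorithms` / `enc-algorithms` takes the RouterOS 6 defaults `sha1` / `aes-256-cbc`, which is the assumption that makes `prop-CGN_SAR` offer only SHA1; `pfs-group` and the phase-1 peer settings (`hash-algorithm`, `enc-algorithm`, `dh-group`) are not checked.

```python
"""Phase-2 proposal overlap check over two RouterOS IPsec exports.

Added example (not from the forum post or MikroTik). It parses the
`/ip ipsec proposal` and `/ip ipsec policy` sections of each side's export,
looks up the proposal each side's policy references and returns the auth and
enc algorithms both sides share. An empty list on either axis means phase 2
cannot be negotiated with those proposals.

Assumption: a proposal added without explicit auth-algorithms /
enc-algorithms takes the RouterOS 6 defaults below. pfs-group is not checked.
"""
import re
import shlex

PROPOSAL_DEFAULTS = {"auth-algorithms": "sha1", "enc-algorithms": "aes-256-cbc"}
ALG_KEYS = ("auth-algorithms", "enc-algorithms")


def _commands(export):
    """Yield (section, command, attrs) for every `add` / `set [ find default=yes ]` line."""
    section = None
    for raw in export.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line  # e.g. "/ip ipsec proposal"
            continue
        m = re.match(r"set \[ find default=yes \]\s*(.*)", line)
        if m:
            cmd, rest = "set-default", m.group(1)
        elif line.startswith("add "):
            cmd, rest = "add", line[4:]
        else:
            continue
        attrs = {}
        for tok in shlex.split(rest):
            key, _, val = tok.partition("=")
            attrs[key] = val
        yield section, cmd, attrs


def parse_proposals(export):
    """Map proposal name -> {auth-algorithms: set, enc-algorithms: set}."""
    proposals = {}
    for section, cmd, attrs in _commands(export):
        if section != "/ip ipsec proposal":
            continue
        merged = dict(PROPOSAL_DEFAULTS)  # assumed defaults for unset attributes
        merged.update(attrs)
        name = "default" if cmd == "set-default" else merged.get("name", "")
        proposals[name] = {k: set(merged[k].split(",")) for k in ALG_KEYS}
    return proposals


def policy_proposal(export):
    """Name of the proposal referenced by the first policy (RouterOS falls back to 'default')."""
    for section, cmd, attrs in _commands(export):
        if section == "/ip ipsec policy" and cmd == "add":
            return attrs.get("proposal", "default")
    return "default"


def negotiable(export_a, export_b):
    """Auth and enc algorithms common to the proposals used on both sides."""
    pa = parse_proposals(export_a)[policy_proposal(export_a)]
    pb = parse_proposals(export_b)[policy_proposal(export_b)]
    return {
        "auth": sorted(pa["auth-algorithms"] & pb["auth-algorithms"]),
        "enc": sorted(pa["enc-algorithms"] & pb["enc-algorithms"]),
    }


# Constructed from the configs quoted in the post (secrets and peer section omitted).
BRANCH_EXPORT = """\
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,sha512 enc-algorithms=aes-128-cbc,aes-256-cbc
add enc-algorithms=aes-256-cbc name=prop-CGN_SAR
/ip ipsec policy
add dst-address=192.168.80.0/21 proposal=prop-CGN_SAR sa-dst-address=172.16.216.1 sa-src-address=172.16.216.2 src-address=192.168.66.0/24 tunnel=yes
"""

CENTRAL_EXPORT = """\
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,sha512 enc-algorithms=aes-128-cbc,aes-256-cbc
add auth-algorithms=sha1,sha512 enc-algorithms=aes-128-cbc,aes-256-cbc name=prop-saarland
/ip ipsec policy
add dst-address=192.168.66.0/24 proposal=prop-saarland sa-dst-address=172.16.216.2 sa-src-address=172.16.216.1 src-address=192.168.80.0/21 tunnel=yes
"""

# Constructed variant: the branch proposal pins SHA512 explicitly instead of relying on the default.
BRANCH_EXPORT_SHA512 = BRANCH_EXPORT.replace(
    "add enc-algorithms=aes-256-cbc name=prop-CGN_SAR",
    "add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=prop-CGN_SAR",
)

if __name__ == "__main__":
    print("as posted:      ", negotiable(BRANCH_EXPORT, CENTRAL_EXPORT))
    print("sha512 pinned:  ", negotiable(BRANCH_EXPORT_SHA512, CENTRAL_EXPORT))
```

Under the stated default assumption the posted pair shares only `sha1` for integrity, while the variant that spells out `auth-algorithms=sha512` on the branch proposal shares `sha512`; running the same check against the real `/ip ipsec proposal print` output of both routers (which shows the effective values rather than relying on the assumed defaults) is the quickest way to confirm or rule this out. A phase-1 mismatch would show up in the peer settings instead and is outside what this script inspects.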
