Tue May 03, 2016 5:47 pm
Hello,
This is the RB1100 configuration (the central router, X.X.X.130, which has an IPsec peer entry for each of the two RB750s).
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.0.0/24
dst-address=192.168.190.0/24 log=no log-prefix=""
1 chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.90.0/24
log=no log-prefix=""
2 chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=1-INTERNET
log=no log-prefix=""
/ip ipsec remote-peers print
0 local-address=X.X.X.130 remote-address=X.X.X.133 state=established
side=responder established=24m6s
1 local-address=X.X.X.130 remote-address=X.X.X.233 state=established
side=initiator established=26m27s
2 local-address=X.X.X.130 remote-address=X.X.X.133 state=expired
side=responder
3 local-address=X.X.X.130 remote-address=X.X.X.233 state=expired
side=initiator
/ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=X.X.X.233/32 local-address=:: passive=no port=500
auth-method=pre-shared-key secret="PPPPPP" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=2m dpd-maximum-failures=5
1 address=X.X.X.133/32 local-address=:: passive=no port=500
auth-method=pre-shared-key secret="PPPPPP" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=2m dpd-maximum-failures=5
/ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
1 src-address=192.168.0.0/24 src-port=any dst-address=192.168.90.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=X.X.X.130 sa-dst-address=X.X.X.233 proposal=default
priority=0
2 src-address=192.168.0.0/24 src-port=any dst-address=192.168.190.0/24
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=X.X.X.133 sa-dst-address=X.X.X.233
proposal=default priority=0
3 I src-address=192.168.0.0/24 src-port=any dst-address=192.168.90.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=X.X.X.130 sa-dst-address=X.X.X.233 proposal=default
priority=0
/ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 X.X.X.129 1
1 A S 172.16.11.0/24 192.168.0.1 1
2 ADC X.X.X.128/29 X.X.X.130 1-INTERNET 0
3 ADC 192.168.0.0/24 192.168.0.7 2-LAN 0
4 A S 192.168.90.0/24 1-INTERNET 1
5 A S 192.168.190.0/24 1-INTERNET 1
This is the configuration of the working RB750 (X.X.X.233, LAN 192.168.90.0/24).
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.90.0/24
dst-address=192.168.0.0/24 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
2 chain=dstnat action=redirect to-ports=22 protocol=tcp
dst-address-type=local dst-port=9122 log=no log-prefix=""
/ip ipsec remote-peers print
0 local-address=X.X.X.233 remote-address=X.X.X.130
state=established side=responder established=40m48s
1 local-address=X.X.X.233 remote-address=X.X.X.130 state=expired
side=responder
/ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=X.X.X.130/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="PPPPPP" generate-policy=no
policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes
1 src-address=192.168.90.0/24 src-port=any dst-address=192.168.0.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=X.X.X.233
sa-dst-address=X.X.X.130 proposal=default priority=0
/ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 X.X.X.238 1
1 ADC X.X.X.232/29 X.X.X.233 ether1 0
2 A S 192.168.0.0/24 ether1 1
3 ADC 192.168.90.0/24 192.168.90.2 ether2 0
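This is the configuration of the non-working RB750 (X.X.X.133, LAN 192.168.190.0/24). Its policy uses sa-src-address=X.X.X.133 and sa-dst-address=X.X.X.130, whereas the RB1100 policy for 192.168.190.0/24 (number 2 above) lists sa-src-address=X.X.X.133 and sa-dst-address=X.X.X.233, so the SA endpoints on the two ends do not mirror each other; the working pair does mirror (X.X.X.130/X.X.X.233 on the RB1100, X.X.X.233/X.X.X.130 on the RB750).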
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.190.0/24
dst-address=192.168.0.0/24 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=1-INTERNET log=no
log-prefix=""
/ip ipsec remote-peers print
0 local-address=X.X.X.133 remote-address=X.X.X.130
state=established side=initiator established=23m27s
1 local-address=X.X.X.133 remote-address=X.X.X.130 state=expired
side=initiator
/ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=X.X.X.130/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="PPPPPP" generate-policy=no
policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes
1 src-address=192.168.190.0/24 src-port=any dst-address=192.168.0.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=X.X.X.133
sa-dst-address=X.X.X.130 proposal=default priority=0
/ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 X.X.X.129 1
1 ADC X.X.X.128/29 X.X.X.133 1-INTERNET 0
2 A S 192.168.0.0/24 1-INTERNET 1
3 ADC 192.168.190.0/24 192.168.190.1 2-LAN 0