grahamp
just joined
Topic Author
Posts: 5
Joined: Mon Jan 09, 2017 6:36 am

ipsec can't configure because : is interpreted as ip6 address

Wed Jan 11, 2017 9:38 am

Help:
following the manual for ipsec tunnels, I reach the point
/ip ipsec peer
add address=192.168.80.1/32:500 auth-method=pre-shared-key secret="test"

then there is an error saying IPV6 address expected, I guess because the : triggered it.
On looking at the GUI it shows the peer address but is redded, meaning it doesn't like it.

the local address in the GUI dialogue box for peer also shows an IPV6 address is expected.

do I try to turn off the IPV6 somehow?
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: ipsec can't configure because : is interpreted as ip6 address

Wed Jan 11, 2017 9:48 am

Use "port" parameter instead of colon.
address=192.168.80.1/32 port=500
 
grahamp
just joined
Topic Author
Posts: 5
Joined: Mon Jan 09, 2017 6:36 am

Re: ipsec can't configure because : is interpreted as ip6 address

Wed Jan 11, 2017 11:05 am

OK, thanks, will do that.
 
grahamp
just joined
Topic Author
Posts: 5
Joined: Mon Jan 09, 2017 6:36 am

Re: ipsec can't configure because : is interpreted as ip6 address

Wed Jan 11, 2017 9:28 pm

port=500 syntax is accepted by router console, great.
However, when I get to adding an ipsec peer, a similar thing happens, which port=500 doesn't fix.
/ip ipsec peer
add address=192.168.1.1/24 port=500 etc etc: the p in port shows as an error

Again, looking at the GUI, it appears that the router doesn't like the address format and wants IPV6..because of the :

The gui doesn't like the /24 network address for peer and is only happy when there is a simple address without the /24.

Upshot: no sa is established, although pinging both ways works and each router sees the remote peers and establish links between them.
(I have the routers directly connected now, using 192.168.1.2 and 192.168.1.1 as the gateways addresses.
I've spent a lot of time trying this over public internet but can't afford to keep doing that, when no progress.)
 
grahamp
just joined
Topic Author
Posts: 5
Joined: Mon Jan 09, 2017 6:36 am

Re: ipsec can't configure because : is interpreted as ip6 address

Wed Jan 11, 2017 11:18 pm

downloading os 5.26 and 6.36.4 to see if they will allow it to work, meanwhile.

* In the log I don't see any ipsec errors, although when I had (wrongly) the lan address as local ip, in peer setup window, there was a phase one error on the ipsec log, which stopped when I corrected the local address by either not using one or using the wan address.
 
grahamp
just joined
Topic Author
Posts: 5
Joined: Mon Jan 09, 2017 6:36 am

Re: ipsec can't configure because : is interpreted as ip6 address

Thu Jan 12, 2017 12:53 am

OK, sorted. My bad: It looks like you need to have a PC at each end to generate the legitimate traffic to set the SA's.
Pinging between the routers to their respective LAN port isn't enough.
Initially, when I had two PC's hooked up, I didn't have my setting right, then when the settings were corrected, I only had a single PC, figuring that pinging from the routers would be enough...

thanks for the help with the syntax
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: ipsec can't configure because : is interpreted as ip6 address

Thu Jan 12, 2017 1:13 am

Hi,

you can ping from MT to MT over IPSEC. You just need to specify internal interface
ping interface=bridge-local 172.16.1.10
where bridge-local is my internal interface and 172.16.1.10 is server on the internal remote IPSEC site.
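
An added illustration of the behaviour reported in the last two posts (not code from any participant in this thread): IPsec SAs are negotiated on demand, when a packet matches a policy's source and destination selectors. The sketch assumes a constructed local LAN of 172.16.0.0/24 and that a router sources its own pings from the outgoing WAN address unless told otherwise; `POLICIES`, `matching_policy` and `report` are hypothetical names.

```python
import ipaddress

# Constructed selectors for one end of the tunnel. 172.16.1.0/24 contains the
# thread's remote server 172.16.1.10; the local LAN 172.16.0.0/24 is assumed.
POLICIES = [
    {"name": "lan-to-lan",
     "src": ipaddress.ip_network("172.16.0.0/24"),
     "dst": ipaddress.ip_network("172.16.1.0/24")},
]

def matching_policy(src, dst, policies=POLICIES):
    """Return the name of the first policy whose selectors cover the packet,
    or None when the packet is outside every policy and is routed in clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in p["src"] and d in p["dst"]:
            return p["name"]
    return None

# Constructed test traffic (label, source, destination).
SAMPLES = [
    ("router ping to peer WAN address", "192.168.1.2", "192.168.1.1"),
    ("router ping to remote server, WAN source", "192.168.1.2", "172.16.1.10"),
    ("router ping to remote server, LAN source", "172.16.0.1", "172.16.1.10"),
    ("PC on local LAN to remote server", "172.16.0.50", "172.16.1.10"),
]

def report(samples=SAMPLES):
    """Map each sample label to True when it would trigger SA negotiation."""
    return {label: matching_policy(src, dst) is not None
            for label, src, dst in samples}

if __name__ == "__main__":
    for label, triggers in report().items():
        print(f"{label:45} -> {'SA negotiated' if triggers else 'no policy match'}")
```

Only the last two samples fall inside the selectors, which is why traffic from a LAN host, or a ping forced onto the internal side, brings the SAs up.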
