I'm trying to establish connection between 2 ROS routers.
One is behind provider's NAT (PPPoE connection) and the other is with static IP.
Here is my setup:
Router #1 (client)
Code: Select all
/ip ipsec mode-config
set [ find default=yes ] name=request-only
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-128-cbc,3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=<public IP of server> auth-method=rsa-signature certificate=atcgz.crt_0 dh-group=modp1024 disabled=no dpd-interval=2m enc-algorithm=aes-128,3des exchange-mode=ike2 generate-policy=port-override hash-algorithm=sha1 mode-config=request-only \
policy-template-group=default send-initial-contact=yes
/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/0 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=yes
/ip ipsec user settings
set xauth-use-radius=no
Code: Select all
/ip ipsec mode-config
set [ find default=yes ] name=request-only
add address-pool=pool_vpn_global address-prefix-length=32 name=vpn_internal_access split-include=10.224.0.0/16 static-dns=10.224.1.1 system-dns=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 disabled=no enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=crt_0 dh-group=modp1024 disabled=no dpd-interval=20s enc-algorithm=aes-256,aes-128,3des exchange-mode=ike2 generate-policy=port-override hash-algorithm=sha1 lifetime=1d \
local-address=<public IP> mode-config=vpn_internal_access passive=yes policy-template-group=default send-initial-contact=no
/ip ipsec policy
set 0 disabled=no dst-address=10.224.0.0/16 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=yes
/ip ipsec user settings
set xauth-use-radius=no
Client:
Code: Select all
/ip ipsec policy pr
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
1 DA src-address=10.224.2.92/32 src-port=any dst-address=10.224.0.0/16 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=100.64.13.94 sa-dst-address=<public IP of server> proposal=default priority=0
ph2-count=1
Code: Select all
/ip ipsec policy pr
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=10.224.0.0/16 protocol=all proposal=default template=yes
1 DA src-address=10.224.0.0/16 src-port=any dst-address=10.224.2.92/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=<public IP of server> sa-dst-address=121.32.12.5 proposal=default priority=0
ph2-count=1
Code: Select all
add distance=1 dst-address=10.224.0.0/16 gateway=pppoe-ct pref-src=10.224.2.92 scope=10
Code: Select all
/ip address pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 10.224.29.1/24 10.224.29.0 bridge1
1 192.168.93.1/16 192.168.0.0 ether2
2 D 100.64.13.94/32 100.64.0.1 pppoe-ct
3 D 10.224.2.92/32 10.224.2.92 pppoe-ct