I'm new to Mikrotik, forgive my ignorance, but I'm having some difficulty setting up IPSec tunnel tests before my CCR1009 goes live at the DC. Testing with a CCR1009-7G-1C-1S+ (Office2) <==> hEX RB750Gr3 (Office3). My goal would then be to set up Admin accounts to the DC, each using a hEX RB750Gr3. All Mikrotiks are using v6.40.5.
From Local (Office2)
IPSec debug states sendfromto failed
(phase 1 negotiation failed due to send error)
17:31:24 ipsec,info initiate new phase 1 (Identity Protection): 10.1.2.0[500]<=>174.112.164.1[500]
17:31:24 ipsec,debug new cookie:
17:31:24 ipsec,debug 2f03b2dd9a7a0d7e
17:31:24 ipsec,debug add payload of len 56, next type 13
17:31:24 ipsec,debug add payload of len 16, next type 13
17:31:24 ipsec,debug add payload of len 16, next type 0
17:31:24 ipsec,debug 128 bytes from 10.1.2.0[500] to 174.112.164.1[500]
17:31:24 ipsec,debug 1 times of -1 bytes message will be sent to 174.112.164.1[500]
17:31:24 ipsec,debug,packet 2f03b2dd 9a7a0d7e 00000000 00000000 01100200 00000000 00000080 0d00003c
17:31:24 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
17:31:24 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 0d000014 12f5f28c
17:31:24 ipsec,debug,packet 457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
17:31:24 ipsec sendfromto failed
17:31:24 ipsec,error phase1 negotiation failed due to send error. 10.1.2.0[500]<=>174.112.164.1[500] 2f03b2dd9a7a0d7e:0000000000000000
17:31:24 ipsec failed to begin ISAKMP SA negotiation
Proposal
name="office" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024
Peer
address=174.1.1.1/32 local-address=10.1.2.0 auth-method=pre-shared-key secret="" generate-policy=no policy-template-group=default
exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d
dpd-interval=disable-dpd
Policy
src-address=10.1.0.0/24 src-port=any dst-address=10.1.2.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=174.3.7.1 sa-dst-address=174.2.4.1 proposal=default ph2-count=0
Action: netmap Chain: dstnat works fine while testing port forwards from external. I have tested several local IP nets on different Ether interfaces and several port forwards to each using a destination address of 192.168.0.2, which is the DMZ, and this all works as expected. Is there a way to get around the double NAT at Office2 in order to get IPSec up? I have disabled fasttrack connection (forward) as there is very little CPU usage at the moment.
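As an added example (not part of the original post and not MikroTik code), the following Python script parses the peer and policy key=value fragments above together with the log excerpt and flags the consistency problems visible in them: local-address=10.1.2.0 is the network address of the dst-address=10.1.2.0/24 subnet rather than a host address the router holds, nat-traversal=no is combined with an RFC1918 local-address (the double-NAT situation the post describes), the policy's sa-src-address/sa-dst-address (174.3.7.1/174.2.4.1) differ from the peer's local-address/address (10.1.2.0/174.1.1.1), and the log's remote endpoint (174.112.164.1) differs from both. Whether those differences are real or an artifact of sanitising the post, these are the checks a practitioner runs before reading a phase 1 debug trace. The rules and finding codes are the example's own; the sample input is copied from the post.

```python
import ipaddress
import re
import shlex

# Constructed sample input: the peer, policy and log excerpt as posted
# (multi-line export fragments joined into one line each).
PEER_EXPORT = (
    'address=174.1.1.1/32 local-address=10.1.2.0 auth-method=pre-shared-key '
    'secret="" generate-policy=no policy-template-group=default '
    'exchange-mode=main send-initial-contact=yes nat-traversal=no '
    'proposal-check=obey hash-algorithm=sha256 enc-algorithm=aes-256 '
    'dh-group=modp1024 lifetime=1d dpd-interval=disable-dpd'
)
POLICY_EXPORT = (
    'src-address=10.1.0.0/24 src-port=any dst-address=10.1.2.0/24 dst-port=any '
    'protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes '
    'sa-src-address=174.3.7.1 sa-dst-address=174.2.4.1 proposal=default ph2-count=0'
)
IPSEC_LOG = [
    "17:31:24 ipsec,info initiate new phase 1 (Identity Protection): 10.1.2.0[500]<=>174.112.164.1[500]",
    "17:31:24 ipsec,debug 1 times of -1 bytes message will be sent to 174.112.164.1[500]",
    "17:31:24 ipsec sendfromto failed",
    "17:31:24 ipsec,error phase1 negotiation failed due to send error. 10.1.2.0[500]<=>174.112.164.1[500]",
]

# Matches the 'initiator[500]<=>responder[500]' pair RouterOS prints for phase 1.
PHASE1_RE = re.compile(r"(\S+)\[500\]<=>(\S+)\[500\]")


def parse_export(line):
    """Turn a RouterOS 'key=value key="quoted value"' line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def check_ipsec_config(peer_line, policy_line, log_lines):
    """Return a list of (code, message) findings; an empty list means consistent."""
    peer = parse_export(peer_line)
    policy = parse_export(policy_line)
    findings = []

    local = ipaddress.ip_address(peer["local-address"])
    remote = ipaddress.ip_network(peer["address"], strict=False).network_address

    # 1. local-address must be an address the router actually owns; the all-zeros
    #    host of a policy subnet is the network address, which no interface holds.
    for key in ("src-address", "dst-address"):
        net = ipaddress.ip_network(policy[key], strict=False)
        if net.prefixlen < 32 and local == net.network_address:
            findings.append(("LOCAL_IS_NETWORK_ADDR",
                             f"local-address {local} is the network address of {key}={net}"))

    # 2. An RFC1918 local-address means the router sits behind NAT; with
    #    nat-traversal=no the peers cannot fall back to ESP-in-UDP/4500.
    if local.is_private and peer.get("nat-traversal") == "no":
        findings.append(("NAT_T_OFF_BEHIND_PRIVATE",
                         f"local-address {local} is private but nat-traversal=no"))

    # 3. The policy's SA endpoints must be the same pair the peer entry names.
    if ipaddress.ip_address(policy["sa-src-address"]) != local:
        findings.append(("SA_SRC_MISMATCH",
                         f"sa-src-address {policy['sa-src-address']} != peer local-address {local}"))
    if ipaddress.ip_address(policy["sa-dst-address"]) != remote:
        findings.append(("SA_DST_MISMATCH",
                         f"sa-dst-address {policy['sa-dst-address']} != peer address {remote}"))

    # 4. Cross-check the log: the phase 1 endpoint pair should match the peer entry.
    match = next((PHASE1_RE.search(l) for l in log_lines if PHASE1_RE.search(l)), None)
    if match:
        log_local, log_remote = (ipaddress.ip_address(x) for x in match.groups())
        if log_local != local or log_remote != remote:
            findings.append(("LOG_PEER_MISMATCH",
                             f"log shows {log_local}<=>{log_remote}, peer entry says {local}<=>{remote}"))

    # 5. 'sendfromto failed' means sendto() returned -1: the first IKE packet never left the box.
    if any("sendfromto failed" in l for l in log_lines):
        findings.append(("SEND_ERROR",
                         "phase 1 packet could not be sent (sendto returned -1); check local-address and route"))

    return findings


if __name__ == "__main__":
    for code, msg in check_ipsec_config(PEER_EXPORT, POLICY_EXPORT, IPSEC_LOG):
        print(f"{code:24} {msg}")
```

Run as a script it prints one line per finding; fed the posted fragments it reports all six. A peer entry whose local-address is a public host address that the policy's sa-src-address repeats, with sa-dst-address equal to the peer address, produces no findings.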