1. A Cisco router behind a NAT device
2. A Mikrotik router (emulated with CHR image version 6.39.2) which has a public IP configured directly on its WAN interface
3. Both routers are configured with an IPIP tunnel between them. Topology attached
4. NAT is not an issue as I could see the IPsec signalling packets back and forth. I could also see not only UDP port 500 but also UDP port 4500 being opened on the NAT router, which means the NAT-T mechanism works. This is also evident in the logs (attached).
5. So far what I could see is that initial Phase1 succeeds.
6. But when it comes to negotiating Phase 2 the signalling breaks. On the Mikrotik router I could see in the debugs:
22:04:12 ipsec policy not found
22:04:12 ipsec failed to get proposal for responder.
22:04:12 ipsec,error 213.149.143.84 failed to pre-process ph2 packet.
From "debug crypto isakmp" on the Cisco Router:
*Feb 21 22:14:22.833: ISAKMP: (1070):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
(the clocks of the routers are of course not synchronized as this is a test setup in a virtual GNS3 topology)
The question is... why does this happen? I do believe I have matching IPsec configs:
1. Mikrotik router:
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=aes-256-cbc,aes-128-cbc name=dup-001-router-1
/ip ipsec peer
add address=213.149.143.84/32 comment=dup-001-router-1 enc-algorithm=aes-256 hash-algorithm=md5 secret=<PSK>
/ip ipsec policy
add comment=dup-001-router-1 dst-address=213.149.143.84/32 proposal=dup-001-router-1 protocol=ipsec-esp src-address=77.70.67.28/32
2. Cisco router:
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key <PSK> address 77.70.67.28
crypto isakmp profile grg13vpn-boyan
keyring default
match identity address 77.70.67.28 255.255.255.255
crypto ipsec transform-set ipip-boyan esp-aes esp-md5-hmac
mode transport
crypto ipsec profile ipip-boyan-profile
set transform-set ipip-boyan
set isakmp-profile grg13vpn-boyan
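An added illustration for this thread (not MikroTik or Cisco code, and not taken from the post) of the lookup behind the "policy not found" message: when the initiator sends its quick-mode traffic selectors (IDci/IDcr), the responder searches its policy table for an entry whose local/remote addresses and IP protocol cover the proposal, and a miss is rejected with PROPOSAL_NOT_CHOSEN. The policy entry below mirrors the MikroTik policy quoted above; the three proposals are constructed for demonstration (one that matches, one with a different IP protocol, one where the peer proposes a private pre-NAT address) and are not captured selectors from this setup.

```python
# Added illustration for this thread (not MikroTik/Cisco code): how an IKEv1
# quick-mode responder looks up a policy for the traffic selectors the
# initiator proposes.  A miss is what MikroTik logs as "policy not found".
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers for the protocol names accepted in /ip ipsec policy
PROTOCOL_NUMBERS = {"all": 0, "ipip": 4, "tcp": 6, "udp": 17, "gre": 47, "ipsec-esp": 50}


@dataclass(frozen=True)
class Selector:
    """Traffic selector from the responder's point of view.

    local  - the responder's own side (MikroTik src-address; the initiator's IDcr)
    remote - the peer's side (MikroTik dst-address; the initiator's IDci)
    protocol - IP protocol number, 0 meaning any
    """
    local: str
    remote: str
    protocol: int


@dataclass(frozen=True)
class Policy:
    name: str
    selector: Selector


def _within(proposed: str, allowed: str) -> bool:
    """True if the proposed prefix lies inside the prefix the policy allows."""
    return ipaddress.ip_network(proposed).subnet_of(ipaddress.ip_network(allowed))


def mismatch_reasons(policy: Policy, proposal: Selector) -> List[str]:
    """Return every reason the proposal does not fit the policy (empty list = match)."""
    reasons = []
    if not _within(proposal.local, policy.selector.local):
        reasons.append(f"local {proposal.local} not within {policy.selector.local}")
    if not _within(proposal.remote, policy.selector.remote):
        reasons.append(f"remote {proposal.remote} not within {policy.selector.remote}")
    # a policy with protocol 0 (all) accepts any protocol; otherwise it must be equal
    if policy.selector.protocol not in (0, proposal.protocol):
        reasons.append(
            f"protocol {proposal.protocol} proposed, policy expects {policy.selector.protocol}"
        )
    return reasons


def find_policy(policies: List[Policy], proposal: Selector) -> Optional[Policy]:
    """First policy whose selector covers the proposal, or None (policy not found)."""
    for policy in policies:
        if not mismatch_reasons(policy, proposal):
            return policy
    return None


def diagnose(policies: List[Policy], proposal: Selector) -> str:
    """Human-readable result, listing per-policy mismatch reasons on a miss."""
    match = find_policy(policies, proposal)
    if match is not None:
        return f"policy {match.name} selected"
    lines = ["policy not found"]
    for policy in policies:
        lines.append(f"  {policy.name}: " + "; ".join(mismatch_reasons(policy, proposal)))
    return "\n".join(lines)


# The policy quoted in the post: src-address is the MikroTik's own address,
# dst-address is the peer, protocol=ipsec-esp selects IP protocol 50.
POLICIES = [
    Policy(
        "dup-001-router-1",
        Selector(local="77.70.67.28/32", remote="213.149.143.84/32",
                 protocol=PROTOCOL_NUMBERS["ipsec-esp"]),
    )
]

# Constructed proposals for the demonstration (not captured from the thread):
PROPOSAL_OK = Selector("77.70.67.28/32", "213.149.143.84/32", 50)
# payload packets of an IPIP tunnel are IP protocol 4, not 50
PROPOSAL_IPIP = Selector("77.70.67.28/32", "213.149.143.84/32", PROTOCOL_NUMBERS["ipip"])
# a peer behind NAT proposing its private, pre-translation address (constructed)
PROPOSAL_PRIVATE = Selector("77.70.67.28/32", "192.168.1.2/32", 50)

if __name__ == "__main__":
    for proposal in (PROPOSAL_OK, PROPOSAL_IPIP, PROPOSAL_PRIVATE):
        print(proposal)
        print(diagnose(POLICIES, proposal))
```

Running the block prints one verdict per proposal; only the first is accepted, the other two are reported as "policy not found" together with the exact field that disagreed, which is the information a responder-side debug line like the one in the post does not spell out.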