1. A Cisco router behind a NAT device
2. A Mikrotik router (emulated with CHR image version 6.39.2) which has a public IP configured directly on its WAN interface
3. Both routers are configured with an IPIP tunnel between them. Topology attached
4. NAT is not an issue as I could see the IPsec signalling packets back and forth. I could also see not only udp port 500 but also udp port 4500 being opened on the NAT router, which means the NAT-T mechanism works. This is also evident in the logs (attached).
5. So far what I could see is that initial Phase1 succeeds.
6. But when it comes to negotiating Phase 2 the signalling breaks. On the Mikrotik router I could see in the debugs:
22:04:12 ipsec policy not found
22:04:12 ipsec failed to get proposal for responder.
22:04:12 ipsec,error 22.214.171.124 failed to pre-process ph2 packet.
From "debug crypto isakmp" on the Cisco Router:
*Feb 21 22:14:22.833: ISAKMP: (1070):processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1
(the clocks of the routers are of course not synchronized as this is a test setup in a virtual GNS3 topology)
The question is... why this happens. I do believe I have matching IPsec configs:
1. Mikrotik router:

/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=aes-256-cbc,aes-128-cbc name=dup-001-router-1
/ip ipsec peer
add address=126.96.36.199/32 comment=dup-001-router-1 enc-algorithm=aes-256 hash-algorithm=md5 secret=<PSK>
/ip ipsec policy
add comment=dup-001-router-1 dst-address=188.8.131.52/32 proposal=dup-001-router-1 protocol=ipsec-esp src-address=184.108.40.206/32

2. Cisco IOS router:

crypto isakmp policy 2
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <PSK> address 220.127.116.11
crypto isakmp profile grg13vpn-boyan
 keyring default
 match identity address 18.104.22.168 255.255.255.255
crypto ipsec transform-set ipip-boyan esp-aes esp-md5-hmac
 mode transport
crypto ipsec profile ipip-boyan-profile
 set transform-set ipip-boyan
 set isakmp-profile grg13vpn-boyan
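An added example, not the poster's configuration and not RouterOS or IOS code: a small Python model of what an IKEv1 responder does with a quick-mode (Phase 2) proposal, so that the two log messages in the post ("policy not found" on the responder, PROPOSAL_NOT_CHOSEN on the initiator) can be told apart. The selector lookup runs first and only then are the ESP algorithms compared, so a selector mismatch produces "policy not found" even when the algorithm lists overlap. It assumes (these are modelling assumptions, not findings from the attached logs) that the RouterOS policy `protocol` field is the traffic selector's IP protocol, that IOS tunnel protection on an IPIP tunnel in transport mode proposes host-to-host selectors carrying IP protocol 4, and that the initiator sends its own pre-NAT address inside IKE; the addresses are constructed documentation-range samples.

```python
# Added example: toy model of an IKEv1 responder's Phase 2 policy lookup.
# Not vendor code.  Assumptions (see lead-in): RouterOS policy "protocol"
# = selector IP protocol; IOS IPIP tunnel protection proposes IP proto 4;
# addresses are constructed samples from the documentation ranges.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

IPIP, ESP = 4, 50  # IANA IP protocol numbers


@dataclass(frozen=True)
class Selector:
    src: str               # CIDR, from the owner's point of view
    dst: str
    proto: Optional[int]   # None means "all"
    transport: bool        # True = transport mode, False = tunnel mode


@dataclass(frozen=True)
class Policy:
    selector: Selector     # responder-side selector (src = responder's own side)
    enc: frozenset         # ESP encryption algorithms the responder accepts
    auth: frozenset        # ESP integrity algorithms the responder accepts


def selector_covers(cfg: Selector, proposed: Selector) -> bool:
    """Does the responder's configured selector cover what the initiator
    proposed?  The initiator's src is the responder's dst and vice versa.
    With NAT-T the addresses compared are the ones carried inside IKE
    (the initiator's own address), not the translated outer address of
    the UDP/4500 packet."""
    if not ip_network(proposed.dst).subnet_of(ip_network(cfg.src)):
        return False
    if not ip_network(proposed.src).subnet_of(ip_network(cfg.dst)):
        return False
    if cfg.proto is not None and cfg.proto != proposed.proto:
        return False
    return cfg.transport == proposed.transport


def find_policy(policies: List[Policy], proposed: Selector) -> Optional[Policy]:
    for policy in policies:
        if selector_covers(policy.selector, proposed):
            return policy
    return None


def phase2_decision(policies: List[Policy], proposed: Selector,
                    enc: frozenset, auth: frozenset) -> str:
    """Selector lookup first, then proposal selection, mirroring the logs."""
    policy = find_policy(policies, proposed)
    if policy is None:
        return "policy not found"           # responder-side debug wording
    common_enc, common_auth = policy.enc & enc, policy.auth & auth
    if not common_enc or not common_auth:
        return "proposal not chosen"        # initiator sees PROPOSAL_NOT_CHOSEN
    return f"ok: {sorted(common_enc)[0]}/{sorted(common_auth)[0]}"


# Constructed sample addresses (not the ones in the post).
MIKROTIK = "192.0.2.1"          # responder, public address on its WAN
CISCO_INSIDE = "198.51.100.1"   # initiator's own address, behind the NAT


def mikrotik_policies(selector_proto: Optional[int]) -> List[Policy]:
    """Modelled on the posted /ip ipsec proposal and policy (host/32 both sides)."""
    return [Policy(
        Selector(src=f"{MIKROTIK}/32", dst=f"{CISCO_INSIDE}/32",
                 proto=selector_proto, transport=True),
        enc=frozenset({"aes-256-cbc", "aes-128-cbc"}),
        auth=frozenset({"md5"}))]


# Modelled on the posted transform-set: esp-aes (AES-128), esp-md5-hmac,
# mode transport, applied to an IPIP tunnel (assumed selector protocol 4).
CISCO_PROPOSAL = Selector(src=f"{CISCO_INSIDE}/32", dst=f"{MIKROTIK}/32",
                          proto=IPIP, transport=True)
CISCO_ENC = frozenset({"aes-128-cbc"})
CISCO_AUTH = frozenset({"md5"})


def as_posted() -> str:
    # protocol=ipsec-esp read as "selector protocol 50"
    return phase2_decision(mikrotik_policies(ESP), CISCO_PROPOSAL, CISCO_ENC, CISCO_AUTH)


def with_any_protocol() -> str:
    # hypothetical variant: selector protocol "all"
    return phase2_decision(mikrotik_policies(None), CISCO_PROPOSAL, CISCO_ENC, CISCO_AUTH)


def with_mismatched_auth() -> str:
    # hypothetical variant: initiator offers SHA-1 integrity, responder only MD5
    return phase2_decision(mikrotik_policies(None), CISCO_PROPOSAL,
                           CISCO_ENC, frozenset({"sha1"}))


if __name__ == "__main__":
    print("as posted:        ", as_posted())
    print("protocol=all:     ", with_any_protocol())
    print("auth mismatch:    ", with_mismatched_auth())
```

The point of the model is the ordering: a responder reports a selector problem and an algorithm problem differently, so when both peers already agree on AES/MD5 the thing to compare next is the selectors (addresses as seen inside IKE, IP protocol, and transport versus tunnel mode) rather than the transform-set again.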