I'm trying to establish a working IPsec tunnel between an RB4011 and my laptop with the Shrew IPsec client.
Everything seems well, Shrew says that the tunnel is established, but I can't ping the router.
So I looked at the log and found a phase 2 failure due to a missing matching policy. I checked, and there was obviously a problem: no dynamic policy was created, even though there was an active peer.
Here is my IPsec configuration on the RB:
What did I miss?
/ip pool
add name=default-dhcp ranges=192.168.2.10-192.168.2.99
add name=pool-vpn ranges=172.16.100.1-172.16.100.20
/ip firewall address-list
add address=172.16.100.1-172.16.100.20 list=VPN
/ip ipsec mode-config
set [ find default=yes ] src-address-list=VPN
add address-pool=pool-vpn address-prefix-length=32 name=vpn split-include=192.168.2.0/24 system-dns=no
/ip ipsec policy group
add name=vpn
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer
add exchange-mode=aggressive name=vpn passive=yes profile=vpn send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=1h name=vpn pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-strict mode-config=vpn peer=vpn policy-template-group=vpn secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
/ip ipsec policy
add dst-address=172.16.100.0/24 group=vpn proposal=vpn src-address=192.168.2.0/24 template=yes
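When a RouterOS responder hands out a mode-config address, the dynamic phase 2 policy is generated from a policy template whose src-address must cover the networks the client is told to reach (split-include) and whose dst-address must cover the address the client receives from the pool; a mismatch in either direction leaves the responder with no usable policy. The following Python script is an added example, not part of the original post, that reads a RouterOS export excerpt (a constructed one in the same shape as the posted config) and checks those two containment relations. It assumes the template semantics just described (local side in src-address, client side in dst-address) and only parses "add" lines.

```python
import ipaddress
import shlex

# Constructed excerpt of a RouterOS export, shaped like the posted configuration
# (only the menus the check needs; no secret is included).
EXPORT = """\
/ip pool
add name=pool-vpn ranges=172.16.100.1-172.16.100.20
/ip ipsec mode-config
add address-pool=pool-vpn address-prefix-length=32 name=vpn split-include=192.168.2.0/24 system-dns=no
/ip ipsec policy
add dst-address=172.16.100.0/24 group=vpn proposal=vpn src-address=192.168.2.0/24 template=yes
"""


def parse_export(text):
    """Return {menu_path: [ {key: value, ...}, ... ]} built from every 'add' line."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):              # a menu path such as "/ip ipsec policy"
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            kv = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            menus[current].append(kv)
    return menus


def pool_networks(ranges):
    """Turn pool ranges ('a-b' or 'a/n', comma separated) into the minimal set of networks."""
    nets = []
    for part in ranges.split(","):
        if "-" in part:
            lo, hi = (ipaddress.ip_address(x) for x in part.split("-"))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(part, strict=False))
    return nets


def check_template(menus, modecfg_name="vpn"):
    """Return a list of mismatches between the mode-config and the policy templates.

    An empty list means every pool address fits the template dst-address and every
    split-include network fits the template src-address (assumed responder semantics).
    """
    problems = []
    mc = next(m for m in menus["/ip ipsec mode-config"] if m.get("name") == modecfg_name)
    pool = next(p for p in menus["/ip pool"] if p["name"] == mc["address-pool"])
    templates = [p for p in menus["/ip ipsec policy"] if p.get("template") == "yes"]
    client_nets = pool_networks(pool["ranges"])
    # Without split-include the client tunnels everything, so the template must allow 0.0.0.0/0.
    local_nets = [ipaddress.ip_network(s) for s in mc.get("split-include", "0.0.0.0/0").split(",")]
    for t in templates:
        src = ipaddress.ip_network(t["src-address"])
        dst = ipaddress.ip_network(t["dst-address"])
        for n in client_nets:
            if not n.subnet_of(dst):
                problems.append(f"pool block {n} is outside template dst-address {dst}")
        for n in local_nets:
            if not n.subnet_of(src):
                problems.append(f"split-include {n} is outside template src-address {src}")
    return problems


if __name__ == "__main__":
    for p in check_template(parse_export(EXPORT)) or ["template covers pool and split-include"]:
        print(p)
```

Running it against the constructed excerpt reports no mismatch, so the selectors in the posted template do line up with the pool and split-include; that narrows the search to what the client actually proposes in phase 2 rather than the addressing in the template.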