I try to establish a successful IPSec tunnel between a RB4011 and my laptop with the Shrew IPSec client.
Everything seems well, Shrew says that the tunnel is established, but I can't ping the router.
So I looked at the log, and had a phase 2 failure, due to the missing of a matching policy, so I checked, and there was obviously a problem because no dynamic policy was created, even if there was an active peer.
Here is my IPSec configuration on the RB :
Code: Select all
/ip pool
add name=default-dhcp ranges=192.168.2.10-192.168.2.99
add name=pool-vpn ranges=172.16.100.1-172.16.100.20
/ip firewall address-list
add address=172.16.100.1-172.16.100.20 list=VPN
/ip ipsec mode-config
set [ find default=yes ] src-address-list=VPN
add address-pool=pool-vpn address-prefix-length=32 name=vpn split-include=192.168.2.0/24 system-dns=no
/ip ipsec policy group
add name=vpn
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer
add exchange-mode=aggressive name=vpn passive=yes profile=vpn send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=1h name=vpn pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-strict mode-config=vpn peer=vpn policy-template-group=vpn secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
/ip ipsec policy
add dst-address=172.16.100.0/24 group=vpn proposal=vpn src-address=192.168.2.0/24 template=yes
Joris
