mafiosa
Member Candidate
Topic Author
Posts: 266
Joined: Fri Dec 09, 2016 8:10 pm
Location: Kolkata, India

IPSec equivalent config for Mikrotik RouterOS

Thu Dec 24, 2020 9:16 pm

Here is the IPSec config on a Huawei AR1200. Please translate this to RouterOS settings!
#
sysname RouterA
#
acl number 3000 //Configure an ACL.
rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0
#
ipsec proposal rtb //Configure an IPSec proposal.
encapsulation-mode transport //Set the encapsulation mode to transport.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
#
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
#
ike peer rtb v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
ike-proposal 1
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 1.2.2.1
#
ipsec policy rtb 1 isakmp //Configure an IPSec policy and define IKE negotiation.
security acl 3000 //Specify the ACL.
ike-peer rtb //Specify the IKE peer.
proposal rtb //Specify the IPSec proposal.
#
interface Ethernet1/0/1
ip address 1.2.1.1 255.255.255.252
ipsec policy rtb //Bind the IPSec policy to the interface.
#
interface GigabitEthernet0/0/1
ip address 10.1.0.1 255.255.255.0
#
interface Tunnel0/0/1 //Configure a tunnel interface.
ip address 1.3.1.1 255.255.255.252
tunnel-protocol gre
source 1.2.1.1 //Specify the source address of the tunnel interface.
destination 1.2.2.1 //Specify the destination address of the tunnel interface.
#
ip route-static 10.2.0.0 255.255.255.0 Tunnel0/0/1 //Configure a static route.
ip route-static 0.0.0.0 0.0.0.0 1.2.1.2
#
return
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec equivalent config for Mikrotik RouterOS

Fri Dec 25, 2020 3:08 pm

Disclaimer: default values of some parameters are likely to differ between Huawei and Mikrotik. Unless you can make Huawei show its defaults, you'll have to find out using logging (/system logging add topics=ipsec,!packet).
ike proposal 1 //Configure an IKE proposal.
encryption-algorithm aes-cbc-128 //In V200R008 and later versions, the aes-cbc-128 parameter is changed to aes-128.
dh group14
authentication-algorithm sha2-256
/ip ipsec profile add enc-algorithm=aes-128 hash-algorithm=sha256 dh-group=modp2048 name=huawei-profile

ipsec proposal rtb //Configure an IPSec proposal.
encapsulation-mode transport //Set the encapsulation mode to transport.
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-192
/ip ipsec proposal add name=huawei-proposal auth-algorithms=sha256 enc-algorithms=aes-192-cbc
Encapsulation mode (transport or tunnel) is set under /ip ipsec policy in RouterOS (tunnel=no or yes).

interface Ethernet1/0/1
ip address 1.2.1.1 255.255.255.252
ipsec policy rtb //Bind the IPSec policy to the interface.
The binding of IPsec peer to a particular local interface is done by specifying local-address in peer configuration.

ike peer rtb v1 //The commands used to configure IKE peers and the IKE protocol differ depending on the software version. In earlier versions of V200R008, the command is ike peer peer-name [ v1 | v2 ]. In V200R008 and later versions, the command is ike peer peer-name and version { 1 | 2 }. By default, IKEv1 and IKEv2 are enabled simultaneously. An initiator uses IKEv2 to initiate a negotiation request, while a responder uses IKEv1 or IKEv2 to respond. To initiate a negotiation request using IKEv1, run the undo version 2 command.
ike-proposal 1
pre-shared-key cipher %^%#JvZxR2g8c;a9~FPN~n'$7`DEV&=G(=Et02P/%\*!%^%# //Configure the authentication password in the pre-shared key to huawei, in cipher text. This command in V2R3C00 and earlier versions is pre-shared-key huawei, and the password is displayed in plain text.
remote-address 1.2.2.1
/ip ipsec peer add name=huawei-peer profile=huawei-profile exchange-mode=main address=1.2.2.1 local-address=1.2.1.1
/ip ipsec identity add peer=huawei-peer auth-method=pre-shared-key secret="%^%#..."


This particular secret itself may be hard to specify using the command line; I could not find how to escape the ` symbol. Try Winbox or WebFig.

acl number 3000 //Configure an ACL.
rule 0 permit ip source 1.2.1.1 0 destination 1.2.2.1 0
The traffic matching criteria are specified directly on the /ip ipsec policy row in RouterOS if tunnel mode is used; for transport mode, there is no need to specify them as the policy inherits them from the peer.

ipsec policy rtb 1 isakmp //Configure an IPSec policy and define IKE negotiation.
security acl 3000 //Specify the ACL.
ike-peer rtb //Specify the IKE peer.
proposal rtb //Specify the IPSec proposal.
/ip ipsec policy add tunnel=no peer=huawei-peer proposal=huawei-proposal
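The reply above covers the IPsec parts but not the GRE tunnel interface, the addresses and the static routes from the Huawei config, nor how to check that the tunnel actually comes up. The following is an added RouterOS example, not from the original thread; the interface names ether1/ether2, the pfs-group=none setting and the PSK placeholder are assumptions.

```routeros
# sysname RouterA
/system identity set name=RouterA

# ike proposal 1 -> IKE (phase 1) parameters live in the profile
/ip ipsec profile add name=huawei-profile enc-algorithm=aes-128 \
    hash-algorithm=sha256 dh-group=modp2048

# ipsec proposal rtb -> ESP (phase 2) parameters live in the proposal.
# The Huawei policy has no "pfs" command, so PFS is off there; RouterOS
# defaults to modp1024, so set none to match (assumption).
/ip ipsec proposal add name=huawei-proposal auth-algorithms=sha256 \
    enc-algorithms=aes-192-cbc pfs-group=none

# ike peer rtb v1 / remote-address -> peer; "v1" is IKEv1 main mode
/ip ipsec peer add name=huawei-peer address=1.2.2.1/32 local-address=1.2.1.1 \
    profile=huawei-profile exchange-mode=main

# pre-shared-key -> identity. The %^%#...%^%# string in the Huawei config is
# its encrypted storage form, not the key; the Huawei comment states the
# plaintext key is "huawei". Use the same plaintext on both ends.
/ip ipsec identity add peer=huawei-peer auth-method=pre-shared-key \
    secret="REPLACE_WITH_SHARED_SECRET"

# acl 3000 + encapsulation-mode transport -> transport-mode policy between
# the two endpoints (explicit src/dst mirror the ACL, an assumption)
/ip ipsec policy add peer=huawei-peer proposal=huawei-proposal tunnel=no \
    src-address=1.2.1.1/32 dst-address=1.2.2.1/32 protocol=all

# interface Ethernet1/0/1 and GigabitEthernet0/0/1 addresses
/ip address add address=1.2.1.1/30 interface=ether1
/ip address add address=10.1.0.1/24 interface=ether2

# interface Tunnel0/0/1 (tunnel-protocol gre) -> GRE interface; the IPsec
# policy above protects the GRE packets, as the Huawei binding on Eth1/0/1 does
/interface gre add name=gre-huawei local-address=1.2.1.1 remote-address=1.2.2.1
/ip address add address=1.3.1.1/30 interface=gre-huawei

# ip route-static -> routes
/ip route add dst-address=10.2.0.0/24 gateway=gre-huawei
/ip route add dst-address=0.0.0.0/0 gateway=1.2.1.2

# Verification: phase 1 established, SAs installed, negotiation log
/ip ipsec active-peers print
/ip ipsec installed-sa print
/system logging add topics=ipsec,!packet
/log print where topics~"ipsec"
```

If the peer shows as established but no SA is installed, compare the proposal (including PFS) and the policy selectors against the Huawei side, since a mismatch there fails silently in phase 2 and only appears in the ipsec log.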
