oscarBravo
newbie
Topic Author
Posts: 33
Joined: Wed Aug 29, 2007 8:31 pm

IPsec problem

Wed Feb 27, 2008 8:43 pm

Hi - I'm having trouble getting two routerboards talking to each other over an IPsec encrypted connection.

The first board has an address of 10.50.3.131/25, and the second has 10.50.2.6/30. They're connected through a Linux PC acting as a router, with addresses of 10.50.3.129/25 and 10.50.2.5/30. Without IPsec policies in place, they can communicate with each other, so I know the routing is working.

I've configured IPsec on each machine like so:

/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=30m \
    name="default" pfs-group=modp1024
/ip ipsec peer
add address=10.50.2.6/32:500 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no enc-algorithm=aes-128 exchange-mode=main generate-policy=no \
    hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no \
    proposal-check=obey secret="abc" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.50.2.6/32:any ipsec-protocols=esp \
    level=require manual-sa=none priority=0 proposal=default protocol=all \
    sa-dst-address=10.50.2.6 sa-src-address=10.50.3.131 \
    src-address=10.50.3.131/32:any tunnel=no

/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=30m \
    name="default" pfs-group=modp1024
/ip ipsec peer
add address=10.50.3.131/32:500 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no enc-algorithm=aes-128 exchange-mode=main generate-policy=no \
    hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no \
    proposal-check=obey secret="abc" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.50.3.131/32:any \
    ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=default \
    protocol=all sa-dst-address=10.50.3.131 sa-src-address=10.50.2.6 \
    src-address=10.50.2.6/32:any tunnel=no

I'm dumping the traffic on the Linux router, and there isn't even any ISAKMP attempt being made in either direction.

Any idea what I'm doing wrong?

Edit: RouterOS is 3.2 on both boards. The first is an RB150, the second is an RB600.
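
Added example, not part of the original posts and not MikroTik code: a Python check that parses the two exports from the post above and lists every setting on which the two ends are not compatible (proposal and peer parameters that must be identical, policy selectors that must be mirrored, peer addresses that must point at the other end). The function and constant names are hypothetical, and the sample text is trimmed from the post to the settings being compared.

```python
import shlex
PROPOSAL, PEER, POLICY = "/ip ipsec proposal", "/ip ipsec peer", "/ip ipsec policy"
# Board A's export from the post, trimmed to the settings compared below.
BOARD_A = r"""
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=aes-128 name="default" pfs-group=modp1024
/ip ipsec peer
add address=10.50.2.6/32:500 auth-method=pre-shared-key dh-group=modp1024 \
    enc-algorithm=aes-128 exchange-mode=main hash-algorithm=md5 secret="abc"
/ip ipsec policy
add action=encrypt dst-address=10.50.2.6/32:any ipsec-protocols=esp \
    sa-dst-address=10.50.2.6 sa-src-address=10.50.3.131 \
    src-address=10.50.3.131/32:any tunnel=no
"""
# Board B's export is the same text with the two router addresses exchanged.
BOARD_B = (BOARD_A.replace("10.50.2.6", "@").replace("10.50.3.131", "10.50.2.6")
           .replace("@", "10.50.3.131"))

def parse_export(text):
    """Return {menu path: {key: value}} for the first 'add' line under each menu."""
    menus, path = {}, None
    # Join backslash continuation lines before splitting into commands.
    for line in map(str.strip, text.replace("\\\n", " ").splitlines()):
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path not in menus:
            menus[path] = dict(t.split("=", 1) for t in shlex.split(line[4:]))
    return menus

MUST_MATCH = {  # settings that have to be identical on both ends
    PROPOSAL: ("auth-algorithms", "enc-algorithms", "pfs-group"),
    PEER: ("auth-method", "dh-group", "enc-algorithm", "exchange-mode",
           "hash-algorithm", "secret"),
    POLICY: ("action", "ipsec-protocols", "tunnel"),
}

def compare_ends(a_text, b_text):
    """List every setting on which the two exports are not compatible."""
    a, b = parse_export(a_text), parse_export(b_text)
    problems = [f"{menu} {k}: {a[menu].get(k)} != {b[menu].get(k)}"
                for menu, keys in MUST_MATCH.items() for k in keys
                if a[menu].get(k) != b[menu].get(k)]
    for x, y in (("src-address", "dst-address"), ("dst-address", "src-address"),
                 ("sa-src-address", "sa-dst-address"), ("sa-dst-address", "sa-src-address")):
        if a[POLICY].get(x) != b[POLICY].get(y):  # selectors must be mirrored
            problems.append(f"policy {x} on A != {y} on B")
    for name, me, other in (("A", a, b), ("B", b, a)):  # peer = other end's SA source
        if me[PEER]["address"].split("/")[0] != other[POLICY].get("sa-src-address"):
            problems.append(f"peer address on {name} != other end's sa-src-address")
    return problems
```

Run against the two exports as posted, `compare_ends(BOARD_A, BOARD_B)` returns an empty list: the two ends are mirror images of each other.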
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Re: IPsec problem

Wed Feb 27, 2008 9:58 pm

No traffic is matching the IPSEC policy. You need to specify your internal LAN addresses on each end.

Regards

Andrew
 
oscarBravo
newbie
Topic Author
Posts: 33
Joined: Wed Aug 29, 2007 8:31 pm

Re: IPsec problem

Thu Feb 28, 2008 5:40 pm

Upgraded both routers to 3.3, and it's working perfectly. Strange, I don't see anything relevant in the changelog for 3.3.
 
Chupaka
Forum Guru
Posts: 8325
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: IPsec problem

Tue Mar 04, 2008 1:35 am

I think when MT writes the changelog, they think about some changes: 'Let it be a little surprise' =)