IPsec problem

Posted: Wed Feb 27, 2008 8:43 pm
by oscarBravo
Hi - I'm having trouble getting two routerboards talking to each other over an IPsec encrypted connection.

The first board has an address of 10.50.3.131/25, and the second has 10.50.2.6/30. They're connected through a Linux PC acting as a router, with addresses of 10.50.3.129/25 and 10.50.2.5/30. Without IPsec policies in place, they can communicate with each other, so I know the routing is working.

I've configured IPsec on each machine like so:

# first board (10.50.3.131, RB150)
/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=30m \
    name="default" pfs-group=modp1024
/ip ipsec peer
add address=10.50.2.6/32:500 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no enc-algorithm=aes-128 exchange-mode=main generate-policy=no \
    hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no \
    proposal-check=obey secret="abc" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.50.2.6/32:any ipsec-protocols=esp \
    level=require manual-sa=none priority=0 proposal=default protocol=all \
    sa-dst-address=10.50.2.6 sa-src-address=10.50.3.131 \
    src-address=10.50.3.131/32:any tunnel=no

# second board (10.50.2.6, RB600)
/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=30m \
    name="default" pfs-group=modp1024
/ip ipsec peer
add address=10.50.3.131/32:500 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no enc-algorithm=aes-128 exchange-mode=main generate-policy=no \
    hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no \
    proposal-check=obey secret="abc" send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.50.3.131/32:any \
    ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=default \
    protocol=all sa-dst-address=10.50.3.131 sa-src-address=10.50.2.6 \
    src-address=10.50.2.6/32:any tunnel=no
I'm dumping the traffic on the Linux router, and there isn't even any ISAKMP attempt being made in either direction.

Any idea what I'm doing wrong?

Edit: RouterOS is 3.2 on both boards. The first is an RB150, the second is an RB600.

Re: IPsec problem

Posted: Wed Feb 27, 2008 9:58 pm
by andrewluck
No traffic is matching the IPSEC policy. You need to specify your internal LAN addresses on each end.

Regards

Andrew
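
The point Andrew raises is about IPsec policy selectors: IKE is only triggered, and ESP only applied, for packets whose source and destination fall inside a policy's src-address/dst-address, and everything else is forwarded in the clear. The Python below is an added illustration of that matching logic, not code from the thread or from RouterOS. It replays the /32 transport-mode policy from the first post against a few constructed packets, and contrasts it with a widened selector; the widened LAN prefixes (10.50.3.128/25 from the post, and a hypothetical 192.168.2.0/24 behind the second board) are assumptions for the example only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IpsecPolicy:
    """The selector fields of a RouterOS-style /ip ipsec policy entry."""
    src_address: str          # e.g. "10.50.3.131/32"
    dst_address: str          # e.g. "10.50.2.6/32"
    protocol: str = "all"     # "all" or an IP protocol name such as "icmp"
    action: str = "encrypt"

    def matches(self, src_ip: str, dst_ip: str, proto: str) -> bool:
        # A packet is selected only when src AND dst fall inside the policy
        # prefixes and the protocol matches (or the policy says "all").
        src_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_address, strict=False)
        dst_ok = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_address, strict=False)
        proto_ok = self.protocol == "all" or self.protocol == proto
        return src_ok and dst_ok and proto_ok


def first_matching_policy(policies, src_ip: str, dst_ip: str, proto: str = "icmp") -> Optional[IpsecPolicy]:
    """Return the first policy selecting this packet, or None if it would pass in cleartext."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, proto):
            return policy
    return None


def classify(policies, packets):
    """Map each (src, dst, proto) tuple to True if it would be encrypted, False if sent in clear."""
    return {pkt: first_matching_policy(policies, *pkt) is not None for pkt in packets}


# Policy exactly as posted for the first board: router address to router address, /32 each.
POSTED_POLICIES = [IpsecPolicy("10.50.3.131/32", "10.50.2.6/32")]

# Hypothetical widened policy covering the LAN behind each board. 10.50.3.128/25 is the
# first board's subnet from the post; 192.168.2.0/24 is an ASSUMED LAN behind the second board.
LAN_POLICIES = [IpsecPolicy("10.50.3.128/25", "192.168.2.0/24")]

# Constructed sample packets (src, dst, protocol).
SAMPLE_PACKETS = [
    ("10.50.3.131", "10.50.2.6", "icmp"),     # first board pinging the second board itself
    ("10.50.3.140", "192.168.2.10", "icmp"),  # a LAN host behind board 1 to a LAN host behind board 2
    ("10.50.3.131", "10.50.2.5", "icmp"),     # board 1 to the Linux router in the middle
]


if __name__ == "__main__":
    for label, policies in (("posted /32 policy", POSTED_POLICIES), ("LAN selectors", LAN_POLICIES)):
        print(label)
        for pkt, encrypted in classify(policies, SAMPLE_PACKETS).items():
            print("  %-14s -> %-14s %-5s %s" % (pkt[0], pkt[1], pkt[2], "ESP" if encrypted else "cleartext"))
```

With the posted /32 selectors only traffic originating on one router and addressed to the other is selected; anything from a host behind either board is routed unencrypted, and because level=require only applies to selected packets, nothing warns you. The practical check is the one the poster was already doing: a capture on the path should show ISAKMP on UDP/500 followed by ESP (IP protocol 50) for the traffic you expect to protect, and plain ICMP or TCP there means the selectors are not matching.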

Re: IPsec problem

Posted: Thu Feb 28, 2008 5:40 pm
by oscarBravo
Upgraded both routers to 3.3, and it's working perfectly. Strange, I don't see anything relevant in the changelog for 3.3.

Re: IPsec problem

Posted: Tue Mar 04, 2008 1:35 am
by Chupaka
I think, when MT writes changelog, they think about some changes: 'Let it be a little surprise' =)