anius
just joined
Topic Author
Posts: 17
Joined: Sat Feb 06, 2010 6:34 pm

Mikrotik IPSec only for standard conf small company's

Thu Jun 16, 2011 11:23 pm

We have decided to change our old SnapGear site-to-site VPN router to a MikroTik router. So I created about 20 peers and about 50 policies in the MikroTik router. After that I had a problem: how to check policies against peers? Only comment filtering helps me, but it is very inconvenient... If I decide to create a new VPN tunnel, all 20 tunnels reconnect. Is that normal? Should I create or change configuration outside working hours? So I replaced our SnapGear with the MikroTik router and went to Remote Peers and... What is the status? Established or not established? Must I check all 20 peers manually? It sucks!
These are not big problems; the biggest problem we found is in policies, for example:
/ip address
add address=192.168.0.254/24 disabled=no interface=ether5 network=192.168.0.0
add address=88.88.88.88/24 disabled=no interface=ether1 network=88.88.88.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=88.88.88.100 \
scope=30 target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=192.168.0.200 \
scope=30 target-scope=10
/ip ipsec policy
add action=encrypt comment=agro_veriskes disabled=no dst-address=\
192.168.25.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 \
proposal=default protocol=all sa-dst-address=77.77.77.77 sa-src-address=\
88.88.88.88 src-address=192.168.0.0/24 src-port=any tunnel=yes
add action=encrypt comment=agro_veriskes disabled=no dst-address=\
192.168.25.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 \
proposal=default protocol=all sa-dst-address=77.77.77.77 sa-src-address=\
88.88.88.88 src-address=192.168.1.0/24 src-port=any tunnel=yes

ONLY 1 POLICY WORKS. If I re-enable the VPN tunnel and ping, for example, 192.168.1.254, I am able to access 192.168.1.0/24 and unable to access 192.168.0.0/24. And if I re-enable the VPN tunnel and ping 192.168.0.254, I am able to access 192.168.0.0/24 but not 192.168.1.0/24.
So the demo MikroTik router failed our test!
 
duvi
Frequent Visitor
Posts: 70
Joined: Fri Jun 05, 2009 12:32 pm

Re: Mikrotik IPSec only for standard conf small company's

Thu Jun 16, 2011 11:38 pm

Set level=unique in ipsec policies.
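
Added example, not part of either poster's message and not MikroTik code: a small Python check that reads a RouterOS export and reports SA endpoint pairs carrying two or more tunnel policies still set to level=require, the situation in the first post that the reply above resolves with level=unique. The function names are hypothetical, the sample is the post's two policies with a few fields trimmed, and treating a missing level= as require is an assumption.

```python
import re
import shlex
from collections import defaultdict

# Sample input: the two policies from the post above, as a trimmed export excerpt.
SAMPLE_EXPORT = r"""/ip ipsec policy
add action=encrypt comment=agro_veriskes disabled=no dst-address=\
    192.168.25.0/24 ipsec-protocols=esp level=require proposal=default \
    sa-dst-address=77.77.77.77 sa-src-address=88.88.88.88 src-address=\
    192.168.0.0/24 tunnel=yes
add action=encrypt comment=agro_veriskes disabled=no dst-address=\
    192.168.25.0/24 ipsec-protocols=esp level=require proposal=default \
    sa-dst-address=77.77.77.77 sa-src-address=88.88.88.88 src-address=\
    192.168.1.0/24 tunnel=yes
"""


def parse_policies(export):
    """Return one dict of key=value pairs per 'add' line under /ip ipsec policy."""
    text = re.sub(r"\\\r?\n\s*", "", export)  # join "\" line continuations
    policies, in_section = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            in_section = line == "/ip ipsec policy"
        elif in_section and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            policies.append(dict(pairs))
    return policies


def shared_sa_conflicts(policies):
    """Map (sa-src, sa-dst) -> selectors of level=require policies, for endpoint
    pairs that carry two or more enabled tunnel policies."""
    groups = defaultdict(list)
    for p in policies:
        if p.get("disabled") != "yes" and p.get("tunnel") == "yes":
            groups[(p.get("sa-src-address"), p.get("sa-dst-address"))].append(p)
    conflicts = {}
    for pair, members in groups.items():
        # Assumption: a policy exported without level= uses the default, require.
        flagged = [(p.get("src-address"), p.get("dst-address"))
                   for p in members if p.get("level", "require") == "require"]
        if len(members) > 1 and flagged:
            conflicts[pair] = flagged
    return conflicts


if __name__ == "__main__":
    for (src, dst), sel in shared_sa_conflicts(parse_policies(SAMPLE_EXPORT)).items():
        print(f"{src} -> {dst}: {len(sel)} policies to set level=unique: {sel}")
```
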
 
anius
just joined
Topic Author
Posts: 17
Joined: Sat Feb 06, 2010 6:34 pm

Re: Mikrotik IPSec only for standard conf small company's

Fri Jun 17, 2011 1:36 am

Thanks, it helped.
The VPN connections are not lost after peer configuration; only in the Remote Peers window all peers are cleared...
