mag
Member
Topic Author
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

basic IPsec configuration not working in 2.9.10

Fri Dec 23, 2005 12:59 pm

The IPsec VPN config from the manual's application example (http://www.mikrotik.com/docs/ros/2.9/ip ... t#5.44.8.2) is not working for me; the packets are discarded.

The scenario is very basic:

LAN - 10.10.1.1/24-(R1)-x.y.z.157 - DSL - x.y.z.160-(R2)-10.10.5.1/24 - LAN

Config of router 1:
/ ip firewall nat 
add chain=srcnat src-address=10.10.1.0/24 dst-address=10.10.5.0/24 action=accept comment="" disabled=no 
add chain=srcnat out-interface=t-dsl-business action=masquerade comment="" disabled=no 

/ ip ipsec policy 
add src-address=10.10.1.0/24:any dst-address=10.10.5.0/24:any protocol=all action=encrypt level=require \
    ipsec-protocols=esp tunnel=yes sa-src-address=x.y.z.157 sa-dst-address=x.y.z.160 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no 

/ ip ipsec peer 
add address=x.y.z.160/32:500 secret="qwertzuiopasdfghjkl" generate-policy=no exchange-mode=aggressive \
    send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 \
    lifetime=1d lifebytes=0 disabled=no 

/ ip ipsec proposal 
add name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 \
    disabled=no 
Config of router 2:
/ ip firewall nat 
add chain=srcnat src-address=10.10.5.0/24 dst-address=10.10.1.0/24 action=accept 
add chain=srcnat out-interface=t-dsl-business action=masquerade 

/ ip ipsec policy 
add src-address=10.10.5.0/24:any dst-address=10.10.1.0/24:any protocol=all action=encrypt level=require \
    ipsec-protocols=esp tunnel=yes sa-src-address=x.y.z.160 sa-dst-address=x.y.z.157 proposal=default \
    manual-sa=none dont-fragment=clear disabled=no 
/ ip ipsec peer 
add address=x.y.z.157/32:500 secret="qwertzuiopasdfghjkl" generate-policy=no exchange-mode=aggressive \
    send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 \
    lifetime=1d lifebytes=0 disabled=no 
/ ip ipsec proposal 
add name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 \
    disabled=no 
Tested with ping from both ends.
Router 1:
/ping 10.10.5.1 src-address=10.10.1.4

11:40:00 ipsec,ike,info initiating phase 2 (src x.y.z.157) (dst x.y.z.160) 
11:40:00 ipsec,info ipsec packet discarded: src=10.10.1.4 dst=10.10.5.1 
11:40:00 ipsec,ike,info received ISAKMP packet from x.y.z.160:500, phase 2, Quick 
11:40:01 ipsec,info ipsec packet discarded: src=10.10.1.4 dst=10.10.5.1 
11:40:02 ipsec,info ipsec packet discarded: src=10.10.1.4 dst=10.10.5.1 
11:40:03 ipsec,info ipsec packet discarded: src=10.10.1.4 dst=10.10.5.1 
Router 2:
/ping 10.10.1.4 src-address=10.10.5.1

10:39:00 ipsec,ike,info initiating phase 2 (src x.y.z.160) (dst x.y.z.157) 
10:39:01 ipsec,ike,info received ISAKMP packet from x.y.z.157:500, phase 2, Quick 
10:39:01 ipsec,info ipsec packet discarded: src=10.10.5.1 dst=10.10.1.4 
10:39:02 ipsec,info ipsec packet discarded: src=10.10.5.1 dst=10.10.1.4 
Under /ip ipsec installed-sa only the direction=in SA is established on both routers.

Anyone an idea? Do I overlook something obvious?
TIA.
Last edited by mag on Fri Dec 23, 2005 1:24 pm, edited 1 time in total.
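As an added diagnostic that is not part of the thread and not MikroTik's own tooling, the script below correlates the router 1 log lines posted above: phase 2 is initiated, a Quick mode reply arrives, yet packets matching the policy are still discarded, which is the log signature of the inbound-only SA the post describes. The log lines are retyped from the post as constructed sample input; the regular expressions assume the 2.9-era `HH:MM:SS topics message` log format shown above.

```python
import re
from collections import Counter

# Router 1 log excerpt as posted in the thread, retyped here as sample input.
ROUTER1_LOG = """\
11:40:00 ipsec,ike,info initiating phase 2 (src x.y.z.157) (dst x.y.z.160)
11:40:00 ipsec,info ipsec packet discarded: src=10.10.1.4 dst=10.10.5.1
11:40:00 ipsec,ike,info received ISAKMP packet from x.y.z.160:500, phase 2, Quick
11:40:01 ipsec,info ipsec packet discarded: src=10.10.1.4 dst=10.10.5.1
11:40:02 ipsec,info ipsec packet discarded: src=10.10.1.4 dst=10.10.5.1
11:40:03 ipsec,info ipsec packet discarded: src=10.10.1.4 dst=10.10.5.1
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (.*)$")
DISCARD_RE = re.compile(r"ipsec packet discarded: src=(\S+) dst=(\S+)")
PHASE2_RE = re.compile(r"initiating phase 2 \(src (\S+)\) \(dst (\S+)\)")
QUICK_RE = re.compile(r"received ISAKMP packet from (\S+):\d+, phase 2, Quick")


def analyze_ipsec_log(log_text):
    """Correlate IKE phase 2 events with 'ipsec packet discarded' lines."""
    initiated = set()      # (local, peer) pairs for which phase 2 was started
    quick_peers = set()    # peers that answered with a Quick mode packet
    discards = Counter()   # (src, dst) -> plaintext packets dropped by the policy
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or "ipsec" not in m.group(2).split(","):
            continue
        msg = m.group(3)
        if d := DISCARD_RE.search(msg):
            discards[(d.group(1), d.group(2))] += 1
        elif p := PHASE2_RE.search(msg):
            initiated.add((p.group(1), p.group(2)))
        elif q := QUICK_RE.search(msg):
            quick_peers.add(q.group(1))
    findings = []
    for local, peer in sorted(initiated):
        if peer not in quick_peers:
            findings.append(f"phase 2 from {local} to {peer}: no Quick mode reply")
        elif discards:
            # Quick mode completed, yet packets matching the policy are still
            # dropped: the thread's symptom of an outbound SA never being installed.
            findings.append(f"phase 2 with {peer} completed Quick mode but "
                            f"{sum(discards.values())} packet(s) were still discarded; "
                            "check /ip ipsec installed-sa for a missing direction=out SA")
    return {"discards": dict(discards), "quick_peers": quick_peers,
            "findings": findings}
```

Running it over the router 2 excerpt gives the mirror-image result, which is what you would expect when neither side installs its outbound SA.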
Tonda
Member Candidate
Posts: 164
Joined: Thu Jun 30, 2005 12:59 pm

Fri Dec 23, 2005 1:10 pm

I have the same problem, I have already written to Mikrotik support...
 
User avatar
mag
Member
Member
Topic Author
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Fri Dec 23, 2005 1:39 pm

Hmm, I have a few MTs running IPsec with 2.9.8, and the changelog contains nothing about IPsec!
I just wrote to support, too.

Update: I switched back to 2.8.8 and IPsec is working again!
Tonda
Member Candidate
Posts: 164
Joined: Thu Jun 30, 2005 12:59 pm

Sun Dec 25, 2005 8:12 pm

Support answered:
Thank you for the bug report. This problem has been confirmed and will be fixed in future releases.