Mikrotik to Juniper 5200

Sat Apr 14, 2012 3:43 am

All, I am having a difficult time getting the RB750 to pass traffic through to a Juniper 5200 over an IPsec tunnel in aggressive mode. Can someone take a look and see what I did wrong? I believe I now have a NAT/routing issue but cannot figure it out. I don't completely understand masquerading and the IP firewall chains.

The IPsec SAs are flowing in both directions, but I cannot ping any devices from the LAN of the 750 to the LAN of the Juniper.

Scenario is as follows:

(PC-DHCP-172.16.132.126)<->(172.19.132.1/25-LAN)**RB750**(WAN-DHCP-Client)->Internet<-(WAN-Static)**Juniper**(LAN-Static-216.231.198.233)<->(216.231.198.234-PC-Static)

Here is my config:
[admin@MikroTik] > ip export 
# jan/02/1970 03:09:23 by RouterOS 5.14
# software id = 9HDQ-0000
#
# RouterOS 5.x "/ip export" of an RB750 whose LAN (172.19.132.0/25 on
# ether2-master-local) should reach a remote LAN (216.231.198.232/29) through
# an IPsec tunnel to peer 216.231.198.13. Sections are in export order; the
# notes below point at the lines that decide whether LAN traffic ever enters
# the tunnel.
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=\
    0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m \
    transparent-proxy=no
# Phase 2 proposals. The "juniper" proposal (referenced by the policy below)
# uses pfs-group=none while the default keeps modp1024; whichever is chosen has
# to match the Juniper side exactly. 3des/sha1 are legacy algorithms — they
# interoperate with an existing peer, but are weak by current standards.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=juniper pfs-group=none
# "default-dhcp" (192.168.88.x) is the factory pool; no address on this router
# is in 192.168.88.0/24 any more (the only LAN address is 172.19.132.1/25), so
# it and the matching dhcp-server network entry below are leftovers.
# The second pool's name says /24 but its ranges sit inside the /25 LAN.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-172.19.132.0/24 ranges=172.19.132.11-172.19.132.126
/ip dhcp-server
add address-pool=pool-172.19.132.0/24 authoritative=after-2sec-delay bootp-support=static disabled=no interface=\
    ether2-master-local lease-time=3d name=default
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
# LAN side: 172.19.132.0/25. (The post's diagram shows the test PC as
# 172.16.132.126, which is outside this subnet — presumably a typo for
# 172.19.132.126; worth confirming on the PC itself.)
/ip address
add address=172.19.132.1/25 comment="default configuration" disabled=no interface=ether2-master-local network=172.19.132.0
# WAN side gets its address by DHCP, so the router's own tunnel endpoint is not
# fixed; see sa-src-address and nat-traversal notes further down.
/ip dhcp-client
add add-default-route=yes comment="default configuration" default-route-distance=1 disabled=no interface=ether1-gateway \
    use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=172.19.132.0/25 dhcp-option="" dns-server=8.8.8.8 gateway=172.19.132.1 ntp-server="" wins-server=""
add address=192.168.88.0/24 comment="default configuration" dhcp-option="" dns-server=192.168.88.1 gateway=192.168.88.1 \
    ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=""
/ip dns static
add address=192.168.88.1 disabled=no name=router ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
# Filter: only input-chain rules exist (protect the router itself). There are
# no forward-chain rules, so forwarded traffic — LAN<->WAN and anything
# arriving out of the tunnel — is constrained only by NAT and routing, not by
# the firewall.
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1-gateway
# NAT — this is where LAN->remote-LAN traffic is most likely being lost.
# srcnat runs before the IPsec policy lookup, so a packet that gets
# masqueraded no longer carries a 172.19.132.x source and the policy below
# (src-address=172.19.132.0/24) never matches it.
#   rule 1: masquerades traffic to 216.231.198.232/29 only when the source is
#           NOT the LAN (src-address=!172.19.132.0/25) — LAN sources skip it.
#   rule 2: masquerades everything leaving ether1-gateway, which is what LAN
#           traffic bound for the remote /29 then hits.
# The usual RouterOS arrangement is an action=accept srcnat rule for
# src-address=172.19.132.0/25 dst-address=216.231.198.232/29 placed BEFORE the
# masquerade rule, so that traffic reaches the policy un-NATed; rule 1 as
# written does not provide that and looks like an inverted attempt at it.
/ip firewall nat
add action=masquerade chain=srcnat disabled=no dst-address=216.231.198.232/29 protocol=255 src-address=!172.19.132.0/25
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
# Phase 1: aggressive mode, pre-shared key, user-fqdn identity. The export
# prints the PSK in clear text (the value here looks like a placeholder).
# nat-traversal=no — if the DHCP lease on ether1-gateway is a private address
# behind an upstream NAT, NAT-T would be needed for ESP to pass; confirm what
# address the WAN actually receives.
/ip ipsec peer
add address=216.231.198.13/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=1m \
    dpd-maximum-failures=2 enc-algorithm=3des exchange-mode=aggressive generate-policy=no hash-algorithm=sha1 lifebytes=0 \
    lifetime=10h my-id-user-fqdn=OM-ess-LAB2@xxxxxxx.com nat-traversal=no port=500 proposal-check=obey secret=\
    8888888888888888 send-initial-contact=yes
# Policy: src-address is 172.19.132.0/24, but the LAN configured above is
# 172.19.132.0/25. The Juniper's proxy-ID must mirror this pair exactly, so
# use the same prefix (/25) on both ends. sa-src-address=0.0.0.0 presumably
# lets the router use its DHCP-assigned WAN address as the SA source — verify
# in "/ip ipsec installed-sa" once traffic flows.
/ip ipsec policy
add action=encrypt disabled=no dst-address=216.231.198.232/29 dst-port=any ipsec-protocols=esp level=require priority=0 \
    proposal=juniper protocol=all sa-dst-address=216.231.198.13 sa-src-address=0.0.0.0 src-address=172.19.132.0/24 \
    src-port=any tunnel=yes
/ip neighbor discovery
set ether1-gateway disabled=yes
set ether2-master-local disabled=no
set ether3-slave-local disabled=no
set ether4-slave-local disabled=no
set ether5-slave-local disabled=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=no max-cache-size=none \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=\
    8080 serialize-connections=no src-address=0.0.0.0
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
[admin@MikroTik] > 
