I faced a problem today while configuring an IPsec VPN for one of our providers.
They sent me a document with the configuration I would need to set up to have encrypted communication with them, since they are a finance company.
I will put here the configuration that they sent me, with example addresses, and after that what I have done trying to get this working.
Data sent by company

Rule/ACL for Edge Internet Equipment

Source             Destination        Destination (description)   Protocol / Port
100.100.100.101    200.200.200.200                                ISAKMP UDP 500
100.100.100.101    200.200.200.200                                ESP 50
200.200.200.200    100.100.100.101                                ISAKMP UDP 500
200.200.200.200    100.100.100.101                                ESP 50

Rule/ACL Crypto Domain – VPN Phase 2

Source             Destination        Destination (description)
192.168.1.32/27    300.300.300.0/24   Finance Services IP
Phase 1
encryption algorithm: AES
hash algorithm: SHA
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Phase 2
Mode: ESP
Transform-set: esp-aes esp-sha-hmac
Diffie-Hellman group: #2
Security association lifetime: 4608000 kilobytes/3600 seconds
Preshared Key: XXXXX
What I did
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256-cbc,aes-256-ctr
/ip ipsec peer
add address=200.200.200.200/32 comment=Finance enc-algorithm=aes-256 hash-algorithm=sha256 secret=XXXXX
/ip ipsec policy
add dst-address=300.300.300.0/24 sa-dst-address=200.200.200.200 sa-src-address=100.100.100.101 src-address=192.168.1.32/27 tunnel=yes
/ip ipsec remote-peers print
0 local-address=200.195.161.50 remote-address=177.54.222.7 state=message-1-sent side=initiator
/ip firewall nat
add chain=srcnat action=accept comment=Finance dst-address=300.300.300.0/24 src-address=192.168.1.32/27
/ip address
add address=192.168.1.33/27 interface=ether6-lan network=192.168.1.32
add address=100.100.100.101/29 interface=ether8-inet network=100.100.100.100
10:24:37 ipsec,debug,packet ===
10:24:37 ipsec,debug initiate new phase 1 negotiation: 100.100.100.101[500]<=>200.200.200.200[500]
10:24:37 ipsec,debug begin Identity Protection mode.
10:24:37 ipsec,debug,packet new cookie:
10:24:37 ipsec,debug,packet 143f933a772bcb12
10:24:37 ipsec,debug,packet add payload of len 56, next type 13
10:24:37 ipsec,debug,packet add payload of len 16, next type 13
10:24:37 ipsec,debug,packet add payload of len 16, next type 0
10:24:37 ipsec,debug,packet 128 bytes from 100.100.100.101[500] to 200.200.200.200[500]
10:24:37 ipsec,debug,packet sockname 100.100.100.101[500]
10:24:37 ipsec,debug,packet send packet from 100.100.100.101[500]
10:24:37 ipsec,debug,packet send packet to 200.200.200.200[500]
10:24:37 ipsec,debug,packet src4 100.100.100.101[500]
10:24:37 ipsec,debug,packet dst4 200.200.200.200[500]
10:24:37 ipsec,debug,packet 1 times of 128 bytes message will be sent to 200.200.200.200[500]
10:24:37 ipsec,debug,packet 143f933a 772bcb12 00000000 00000000 01100200 00000000 00000080 0d00003c
10:24:37 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
10:24:37 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 0d000014 12f5f28c
10:24:37 ipsec,debug,packet 457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
10:24:37 ipsec,debug,packet resend phase1 packet 143f933a772bcb12:0000000000000000
10:24:47 ipsec,debug,packet 128 bytes from 100.100.100.101[500] to 200.200.200.200[500]
10:24:47 ipsec,debug,packet sockname 100.100.100.101[500]
10:24:47 ipsec,debug,packet send packet from 100.100.100.101[500]
10:24:47 ipsec,debug,packet send packet to 200.200.200.200[500]
10:24:47 ipsec,debug,packet src4 100.100.100.101[500]
10:24:47 ipsec,debug,packet dst4 200.200.200.200[500]
10:24:47 ipsec,debug,packet 1 times of 128 bytes message will be sent to 200.200.200.200[500]
10:24:47 ipsec,debug,packet 143f933a 772bcb12 00000000 00000000 01100200 00000000 00000080 0d00003c
10:24:47 ipsec,debug,packet 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
10:24:47 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 0d000014 12f5f28c
10:24:47 ipsec,debug,packet 457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
10:24:47 ipsec,debug,packet resend phase1 packet 143f933a772bcb12:0000000000000000
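Added here as an example (not part of the original post): a Python decoder for the SA payload of the first Main Mode packet in the log above, which lists the Phase 1 attributes the router actually proposed and compares them with the provider's Phase 1 list. Reading the provider's "SHA" as SHA-1 (IKEv1 hash value 2) is an assumption; everything else comes from the log and the table.

```python
import struct
# The first Main Mode packet exactly as it appears in the ipsec,debug,packet log above.
LOG_HEX = """
143f933a 772bcb12 00000000 00000000 01100200 00000000 00000080 0d00003c
00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
00015180 80010007 800e0100 80030001 80020004 80040002 0d000014 12f5f28c
457168a9 702d9fe2 74cc0100 00000014 afcad713 68a1f1c9 6b8696fc 77570100
"""
PACKET = bytes.fromhex("".join(LOG_HEX.split()))
# IKEv1 attribute classes and IANA values (RFC 2409, Appendix A) needed for this packet.
ATTR_NAMES = {1: "enc", 2: "hash", 3: "auth", 4: "dh_group",
              11: "life_type", 12: "life_seconds", 14: "key_length"}
VALUE_NAMES = {
    "enc": {5: "3des", 7: "aes-cbc"},
    "hash": {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"},
    "auth": {1: "pre-shared-key", 3: "rsa-signature"},
    "dh_group": {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"},
    "life_type": {1: "seconds", 2: "kilobytes"},
}
# Provider's Phase 1 list from the post; its "SHA" is read as SHA-1 here (assumption).
PROVIDER_PHASE1 = {"enc": "aes-cbc", "hash": "sha1", "auth": "pre-shared-key",
                   "dh_group": "modp1024", "life_seconds": 86400}


def parse_phase1_proposal(pkt: bytes) -> dict:
    """Walk ISAKMP header -> SA -> Proposal -> Transform and return the IKE attributes sent."""
    # ISAKMP header (28 bytes): cookies(16) next(1) version(1) exchange(1) flags(1) msgid(4) length(4)
    if struct.unpack("!I", pkt[24:28])[0] != len(pkt) or pkt[16] != 1:
        raise ValueError("not a complete ISAKMP message whose first payload is an SA")
    # SA payload = generic header(4) + DOI(4) + situation(4); the Proposal payload follows at 40.
    transform = 28 + 12 + 8                   # Proposal header is 8 bytes (SPI size 0 for ISAKMP)
    t_len = struct.unpack("!H", pkt[transform + 2:transform + 4])[0]
    off, end = transform + 8, transform + t_len   # attributes follow the 8-byte Transform header
    attrs = {}
    while off < end:
        af_type, val = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        if af_type & 0x8000:                  # TV form: the value is the 2-byte field itself
            klass, value = af_type & 0x7FFF, val
        else:                                 # TLV form: 'val' is a length and the value follows
            klass, value = af_type, int.from_bytes(pkt[off:off + val], "big")
            off += val
        name = ATTR_NAMES.get(klass, f"attr{klass}")
        attrs[name] = VALUE_NAMES.get(name, {}).get(value, value)
    return attrs


def mismatches(proposal: dict, required: dict) -> dict:
    """Return {attribute: (sent, required)} for every required attribute the proposal misses."""
    return {k: (proposal.get(k), v) for k, v in required.items() if proposal.get(k) != v}
```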