Hi,
I have recently set up an IPsec VPN from a Mikrotik to a Juniper. I have not got full access to the Juniper, nor am I that confident in my knowledge of the whole VPN process. I have two problems:
Local_PC ------(local_lan)------| Ether1  Mikrotik |------ public internet
10.0.13.11      10.0.13.0/24      10.0.13.10        |
                                                    |------(IPsec VPN)------( Juniper )------ remote network 10.254.96.0/21
1) I am unable to ping a device from a terminal session on the Mikrotik. I am unable to work out the process of routing packets from within the Mikrotik to have them directed to the VPN. I have created a NAT rule to accept the packets as routed and thus not NAT them, but I am getting nowhere.
2) The IPsec tunnel disconnects, with no traffic flowing, after about an hour, and I am unable to wake it from the 10.254.96.0 network devices.
I have one mode config set as request-only, which is the default. If I create a second one as a responder, I do not know how to apply it. For the present time I have set up a cron job to regularly ping a device on the remote network to keep the tunnel alive.
I have posted the config here, with non-related lines removed.
# apr/27/2020 20:17:35 by RouterOS 6.46.5
# software id =
/interface bridge
add name=bridge-loopback
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des lifetime=8h name=IPX_ipsec_profile nat-traversal=no
/ip ipsec peer
add address=223.37.96.44/32 exchange-mode=aggressive local-address=122.213.233.219 name=peer1 profile=IPX_ipsec_profile
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms="aes-256-cbc,aes-256-ctr,\
aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-128-cbc,aes-128-ctr,aes-128-gcm,3des" lifetime=1h name=IPX
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=10.0.13.0/24 list=local_lan
add address=10.0.13.0/24 list=local_and_IPX
add address=10.254.96.0/21 list=local_and_IPX
add address=10.254.96.0/21 list=IPX_lan
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address-list=friends
add action=accept chain=input src-address-list=local_lan
add action=drop chain=input
add action=accept chain=forward dst-address-list=IPX_lan
add action=accept chain=forward
add action=accept chain=output
/ip firewall nat
add action=accept chain=srcnat dst-address-list=IPX_lan src-address-list=local_lan
add action=masquerade chain=srcnat dst-address-list=!local_and_IPX src-address-list=local_lan
/ip ipsec identity
add my-id=fqdn:vpn.company.com.au peer=peer1 secret=02349640003456104716
/ip ipsec policy
add dst-address=10.254.96.0/21 peer=peer1 proposal=IPX sa-dst-address=223.37.96.44 \
    sa-src-address=122.213.233.219 src-address=10.0.13.0/24 tunnel=yes
set 1 disabled=yes dst-address=10.254.96.0/24 proposal=IPX src-address=10.0.13.0/24
If anyone can assist I would greatly appreciate it. I have spent a lot of time reading articles and trying to learn, but unfortunately have got nowhere on these two issues.
Thanks - Tim
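Checks for the two questions above, added here as an example and not taken from the original post: a ping sourced from the LAN address so it matches the policy's src-address, a look at the negotiated SA state, and a stronger profile and proposal beside the posted ones. The remote host 10.254.96.1 is an assumed address, and the hardened settings assume the Juniper end can be configured to match, which the post does not confirm.

```routeros
# 1) Test from the router itself. Traffic the router originates is sourced
#    from its outgoing interface address (the public 122.213.233.219), which
#    does not fall inside the policy's src-address=10.0.13.0/24, so it is
#    never selected for encryption. Force a LAN source address that the policy
#    covers instead. 10.254.96.1 is an assumed remote host; use a real one.
/ping 10.254.96.1 src-address=10.0.13.10 count=5

# 2) Check phase 1 (peer), the policy's phase 2 state and the installed SAs.
#    If no SA exists after about an hour of silence, nothing on the Mikrotik
#    side will bring the tunnel up again until traffic matches the policy.
/ip ipsec active-peers print
/ip ipsec policy print
/ip ipsec installed-sa print

# 3) Hardened cryptography beside the posted settings. The posted profile
#    negotiates 3DES with a 1024-bit DH group, and the proposal still offers
#    md5, sha1 and 3des; all of these are deprecated. Both ends must agree,
#    so this assumes the Juniper side is changed to match.
/ip ipsec profile
set IPX_ipsec_profile dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h
/ip ipsec proposal
set IPX auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
```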