I have a problem with an IPsec connection from a CCR1009 to a Cisco.
I got the IPsec parameters from the other side and I have to follow them on the CCR.
Cisco configuration
interfaces {
    vti vti0 {
        address 172.16.0.78/30
    }
}
protocols {
    static {
        interface-route 172.30.8.0/24 {
            next-hop-interface vti0 {
            }
        }
    }
}
vpn {
    ipsec {
        esp-group ESP_to_Cisco {
            compression disable
            lifetime 3600
            mode tunnel
            pfs dh-group2
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group IKE_to_Cisco {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 86400
            proposal 1 {
                dh-group 2
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer 78.11.x.x {
                authentication {
                    id 185.36.169.170
                    mode pre-shared-secret
                    . pre-shared-secret
                    remote-id 78.11.x.x
                }
                connection-type respond
                default-esp-group ESP_to_Cisco
                description "Radom <> ATM"
                ike-group IKE_to_Cisco
                ikev2-reauth inherit
                vti {
                    bind vti0
                    esp-group ESP_to_Cisco
                }
            }
        }
    }
}

/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
lifetime=1d name=default nat-traversal=yes proposal-check=obey
add dh-group=modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128 hash-algorithm=sha1 lifetime=1d name=OP24-to-KONESER_CATI \
nat-traversal=yes proposal-check=strict
/ip ipsec peer
add address=78.9.x.x disabled=no exchange-mode=main local-address=78.11.x.x name=OP24-to-KONESER_CATI profile=OP24-to-KONESER_CATI \
send-initial-contact=yes
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default pfs-group=\
modp1024
add auth-algorithms=sha1 disabled=no enc-algorithms=aes-128-cbc lifetime=1h name=proposal1 pfs-group=modp1024
/ip ipsec identity
add auth-method=pre-shared-key disabled=no generate-policy=no peer=OP24-to-KONESER_CATI
/ip ipsec policy
set 0 disabled=yes dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
add action=encrypt disabled=no dst-address=172.16.0.78/32 dst-port=any ipsec-protocols=esp level=require peer=OP24-to-KONESER_CATI proposal=\
proposal1 protocol=all src-address=172.16.0.77/32 src-port=any tunnel=no
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
Logs:
Nov/11/2021 12:40:17 ipsec,info ISAKMP-SA deleted 78.11.x.x[500]-78.9.x.x[500] spi:20ba390ef75e154f:1ecaebf4b0b62497 rekey:1
Nov/11/2021 12:40:19 ipsec,info initiate new phase 1 (Identity Protection): 78.11.x.x[500]<=>78.9.x.x[500]
Nov/11/2021 12:40:19 ipsec sent phase1 packet 78.11.x.x[500]<=>78.9.x.x[500] 175e44bf1fcb54e3:0000000000000000
Nov/11/2021 12:40:19 ipsec sent phase1 packet 78.11.x.x[500]<=>78.9.x.x[500] 175e44bf1fcb54e3:1ecaebf49fc2030d
Nov/11/2021 12:40:19 ipsec received Vendor ID: CISCO-UNITY
Nov/11/2021 12:40:19 ipsec received Vendor ID: DPD
Nov/11/2021 12:40:19 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Nov/11/2021 12:40:20 ipsec sent phase1 packet 78.11.x.x[500]<=>78.9.x.x[500] 175e44bf1fcb54e3:1ecaebf49fc2030d
Nov/11/2021 12:40:20 ipsec 78.9.x.x ignore RESPONDER-LIFETIME notification.
Nov/11/2021 12:40:20 ipsec ph2 possible after ph1 creation
Nov/11/2021 12:40:20 ipsec initiate new phase 2 negotiation: 78.11.x.x[500]<=>78.9.x.x[500]
Nov/11/2021 12:40:20 ipsec,info ISAKMP-SA established 78.11.x.x[500]-78.9.x.x[500] spi:175e44bf1fcb54e3:1ecaebf49fc2030d
Nov/11/2021 12:40:20 ipsec sent phase2 packet 78.11.x.x[500]<=>78.9.x.x[500] 175e44bf1fcb54e3:1ecaebf49fc2030d:00008ab8
Nov/11/2021 12:40:20 ipsec 78.9.x.x ignore RESPONDER-LIFETIME notification.
Nov/11/2021 12:40:20 ipsec attribute has been modified.
Nov/11/2021 12:40:20 ipsec IPsec-SA established: ESP/Tunnel 78.9.x.x[500]->78.11.x.x[500] spi=0x79c39d5
Nov/11/2021 12:40:20 ipsec IPsec-SA established: ESP/Tunnel 78.11.x.x[500]->78.9.x.x[500] spi=0xa3d5d3e
Nov/11/2021 12:40:47 ipsec respond new phase 2 negotiation: 78.11.x.x[500]<=>78.9.x.x[500]
Nov/11/2021 12:40:47 ipsec searching for policy for selector: 0.0.0.0/0 <=> 0.0.0.0/0
Nov/11/2021 12:40:47 ipsec policy not found
Nov/11/2021 12:40:47 ipsec failed to get proposal for responder.
Nov/11/2021 12:40:47 ipsec,error 78.9.x.x failed to pre-process ph2 packet.
Nov/11/2021 12:40:47 ipsec,info purging ISAKMP-SA 78.11.x.x[500]<=>78.9.x.x[500] spi=175e44bf1fcb54e3:1ecaebf49fc2030d.
Nov/11/2021 12:40:47 ipsec purged IPsec-SA proto_id=ESP spi=0xa3d5d3e
Nov/11/2021 12:40:47 ipsec purged IPsec-SA proto_id=ESP spi=0x79c39d5
Nov/11/2021 12:40:47 ipsec purged ISAKMP-SA 78.11.x.x[500]<=>78.9.x.x[500]
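The tail of the log above shows the remote peer opening a second phase 2 with selector 0.0.0.0/0 <=> 0.0.0.0/0, the router answering "policy not found", and the whole SA being purged, while the only enabled policy in the export is 172.16.0.77/32 <=> 172.16.0.78/32. The script below is an added example (not part of the post or of RouterOS) that pulls every rejected phase 2 selector out of RouterOS ipsec log lines and reports whether an exactly matching policy is configured; the embedded log lines and policy list are copied from this post.

```python
import ipaddress
import re

# Constructed sample: the phase 2 lines copied from the RouterOS log in this post.
SAMPLE_LOG = """\
Nov/11/2021 12:40:20 ipsec initiate new phase 2 negotiation: 78.11.x.x[500]<=>78.9.x.x[500]
Nov/11/2021 12:40:20 ipsec IPsec-SA established: ESP/Tunnel 78.11.x.x[500]->78.9.x.x[500] spi=0xa3d5d3e
Nov/11/2021 12:40:47 ipsec respond new phase 2 negotiation: 78.11.x.x[500]<=>78.9.x.x[500]
Nov/11/2021 12:40:47 ipsec searching for policy for selector: 0.0.0.0/0 <=> 0.0.0.0/0
Nov/11/2021 12:40:47 ipsec policy not found
Nov/11/2021 12:40:47 ipsec failed to get proposal for responder.
Nov/11/2021 12:40:47 ipsec,error 78.9.x.x failed to pre-process ph2 packet.
"""

# The one enabled policy from the /ip ipsec policy export in this post: (src-address, dst-address).
CONFIGURED_POLICIES = [("172.16.0.77/32", "172.16.0.78/32")]

TS = r"(?P<ts>\S+ \S+)"
SELECTOR_RE = re.compile(TS + r" ipsec searching for policy for selector: (?P<src>\S+) <=> (?P<dst>\S+)$")
NOT_FOUND_RE = re.compile(TS + r" ipsec policy not found$")
NEW_PH2_RE = re.compile(TS + r" ipsec (initiate|respond) new phase 2 negotiation:")


def rejected_phase2_selectors(log_text, policies):
    """Return one record per phase 2 proposal the router dropped with
    'policy not found': the selector the peer asked for and whether any
    configured policy is an exact match for it (the responder needs a
    matching policy before it can pick a proposal)."""
    wanted = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in policies}
    records, pending = [], None
    for line in log_text.splitlines():
        if NEW_PH2_RE.match(line):
            pending = None                      # new exchange: forget the previous selector
            continue
        m = SELECTOR_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        if NOT_FOUND_RE.match(line) and pending:
            sel = (ipaddress.ip_network(pending["src"]), ipaddress.ip_network(pending["dst"]))
            records.append({"ts": pending["ts"], "src": pending["src"], "dst": pending["dst"],
                            "policy_matches": sel in wanted})
            pending = None
    return records


if __name__ == "__main__":
    for r in rejected_phase2_selectors(SAMPLE_LOG, CONFIGURED_POLICIES):
        print(f"{r['ts']}: peer proposed {r['src']} <=> {r['dst']} "
              f"(matching policy configured: {r['policy_matches']})")
```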