While configuring the router for our new branch office I couldn't get IPsec running (there are no problems between two CCR1009s).
The problem is that I can't get the connection working with SHA512. While configuring another branch office with an RB1100AHx2 I had the same problem, but after a lot of testing it began working for no apparent reason.
With the new router there seems to be no way to get it working. Here's the config from the branch router:
To get it working I've added "SHA1" in the proposal settings.
Code:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,sha512 enc-algorithms=aes-128-cbc,aes-256-cbc
add enc-algorithms=aes-256-cbc name=prop-CGN_SAR
/ip ipsec peer
add address=172.16.216.1/32 dh-group=modp2048 enc-algorithm=aes-256 local-address=0.0.0.0 secret=<somesecret>
/ip ipsec policy
add dst-address=192.168.80.0/21 proposal=prop-CGN_SAR sa-dst-address=172.16.216.1 sa-src-address=172.16.216.2 src-address=192.168.66.0/24 tunnel=yes
The config on the central office side is:
Here too I've added SHA1 and AES-128-CBC for testing. The tunnel is now up and running inside an L2TP tunnel (same as with the other branch offices).
Code:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,sha512 enc-algorithms=aes-128-cbc,aes-256-cbc
add auth-algorithms=sha1,sha512 enc-algorithms=aes-128-cbc,aes-256-cbc name=prop-saarland
/ip ipsec peer
add address=172.16.216.2/32 dh-group=modp2048 enc-algorithm=aes-256 local-address=172.16.216.1 nat-traversal=no secret=<somesecret> send-initial-contact=no
/ip ipsec policy
add dst-address=192.168.66.0/24 proposal=prop-saarland sa-dst-address=172.16.216.2 sa-src-address=172.16.216.1 src-address=192.168.80.0/21 tunnel=yes
/ip ipsec peer print
address=172.16.216.2/32 local-address=172.16.216.1 passive=no port=500 auth-method=pre-shared-key secret="<somesecret>" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=no nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
Can anyone give me advice on what the failure might be? While testing, it had the same configuration as the other branch office, which works with an RB1100AHx2 and SHA512 with AES-256-CBC.
The next problem is that I have a massive number of dynamic IPsec policies on the central site. Normally there were under 30, but there are now 194 (!) policies. I have had this problem since upgrading to 6.31. Does anyone have a suggestion to fix this problem?
Greetings from Cologne
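As an added illustration (not part of the post above), a small Python helper that reads the two flattened `/ip ipsec proposal` exports from the post and reports which auth/enc algorithms each named proposal actually offers, then intersects the two sides; a phase-2 SA can only use an algorithm pair present in both peers' proposals. It assumes RouterOS 6 defaults of sha1 and aes-256-cbc for attributes an `add` statement leaves out, and the input strings are constructed from the post's own config lines.

```python
import re

# Constructed input: the two flattened exports quoted in the post (branch first, then central office).
BRANCH = ("/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1,sha512 "
          "enc-algorithms=aes-128-cbc,aes-256-cbc add enc-algorithms=aes-256-cbc name=prop-CGN_SAR "
          "/ip ipsec peer add address=172.16.216.1/32 dh-group=modp2048 enc-algorithm=aes-256 "
          "local-address=0.0.0.0 secret=<somesecret>")
CENTRAL = ("/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1,sha512 "
           "enc-algorithms=aes-128-cbc,aes-256-cbc add auth-algorithms=sha1,sha512 "
           "enc-algorithms=aes-128-cbc,aes-256-cbc name=prop-saarland "
           "/ip ipsec peer add address=172.16.216.2/32 dh-group=modp2048 enc-algorithm=aes-256")

# Assumed RouterOS 6 defaults for attributes an 'add' statement leaves out.
DEFAULT_AUTH = "sha1"
DEFAULT_ENC = "aes-256-cbc"


def parse_proposals(export_line):
    """Map proposal name -> (auth algorithms, enc algorithms) from a flattened export line.

    Only the '/ip ipsec proposal' section is read; the 'set [ find default=yes ]'
    statement is recorded under the name 'default'.
    """
    section = export_line.split("/ip ipsec proposal", 1)[1].split(" /ip ", 1)[0]
    proposals = {}
    # Each 'set ...' / 'add ...' statement becomes one proposal entry.
    for stmt in re.split(r"\s+(?=(?:set|add)\b)", section.strip()):
        words = stmt.split()
        attrs = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        name = attrs.get("name", "default" if words[0] == "set" else "?")
        auth = tuple(attrs.get("auth-algorithms", DEFAULT_AUTH).split(","))
        enc = tuple(attrs.get("enc-algorithms", DEFAULT_ENC).split(","))
        proposals[name] = (auth, enc)
    return proposals


def common_algorithms(local, remote):
    """Algorithms offered by both proposals, in the local side's preference order.

    An empty list on either side means no phase-2 SA can be negotiated with these proposals.
    """
    auth = [a for a in local[0] if a in remote[0]]
    enc = [e for e in local[1] if e in remote[1]]
    return auth, enc


if __name__ == "__main__":
    branch = parse_proposals(BRANCH)["prop-CGN_SAR"]
    central = parse_proposals(CENTRAL)["prop-saarland"]
    print("branch offers:", branch)
    print("central offers:", central)
    print("usable on the wire:", common_algorithms(branch, central))
```

Note that the branch-side `prop-CGN_SAR` proposal sets no auth-algorithms at all, so under the assumed default it only offers sha1, while the sha512 entry lives on the default proposal that the policy does not reference.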