I'm missing something in the ipsec "proposal" selection, as I both created one of my own and changed the encryption parameters to match in the default profile, yet according to the peer, it's still sending the original default parameters (aes-cbc instead of aes-256):
I'm trying to set up a tunnel from 172.20.1.0/24 to 10.64.99.0/24:
172.20.1.0/24 (lan if)<remote peer> (wan if) 69.59.192.19 <routers> 172.20.44.100 (wan if)<mikrotik>(lan if) 10.64.99.0/24
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 \
nat-traversal=no
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=new_profile nat-traversal=\
no
/ip ipsec peer
add address=69.59.192.19/32 exchange-mode=ike2 local-address=172.20.44.100 name=remote-peer \
profile=new_profile
Mikrotik:
14:55:09 ipsec,error no proposal chosen
14:55:19 ipsec,error no proposal chosen
14:55:24 ipsec,error simultaneous rekey
14:55:29 ipsec,error no proposal chosen
Peer:
ike 0:Bend test:549: received create-child request
ike 0:Bend test:549: responder received CREATE_CHILD exchange
ike 0:Bend test:549: responder creating new child
ike 0:Bend test:549 peer proposal:
ike 0:Bend test:549 TSi_0 0:10.64.99.0-10.64.99.255:0
ike 0:Bend test:549 TSr_0 0:69.59.192.19-69.59.192.19:0
ike 0:Bend test:549:Bend test comparing selectors
ike 0:Bend test:549:Bend test matched by rfc-rule-2
ike 0:Bend test:549:Bend test phase2 matched by subset
ike 0:Bend test:549:Bend test accepted proposal:
ike 0:Bend test:549:Bend test TSi_0 0:10.64.99.0-10.64.99.255:0
ike 0:Bend test:549:Bend test TSr_0 0:69.59.192.19-69.59.192.19:0
ike 0:Bend test:549:Bend test autokey
ike 0:Bend test:549:Bend test incoming child SA proposal:
ike 0:Bend test:549:Bend test proposal id = 1:
ike 0:Bend test:549:Bend test protocol = ESP:
ike 0:Bend test:549:Bend test encapsulation = TUNNEL
ike 0:Bend test:549:Bend test type=ENCR, val=AES_CBC (key_len = 128)
ike 0:Bend test:549:Bend test type=ENCR, val=AES_CBC (key_len = 192)
ike 0:Bend test:549:Bend test type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Bend test:549:Bend test type=INTEGR, val=SHA
ike 0:Bend test:549:Bend test type=DH_GROUP, val=MODP1024
ike 0:Bend test:549:Bend test type=ESN, val=NO
ike 0:Bend test:549:Bend test my proposal:
ike 0:Bend test:549:Bend test proposal id = 1:
ike 0:Bend test:549:Bend test protocol = ESP:
ike 0:Bend test:549:Bend test encapsulation = TUNNEL
ike 0:Bend test:549:Bend test type=ENCR, val=AES_CBC (key_len = 256)
ike 0:Bend test:549:Bend test type=INTEGR, val=SHA256
ike 0:Bend test:549:Bend test type=DH_GROUP, val=MODP2048
ike 0:Bend test:549:Bend test type=ESN, val=NO
ike 0:Bend test:549:Bend test lifetime=28800
ike 0:Bend test:549:Bend test no proposal chosen
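Added example (not the original poster's config, and not an answer from the thread): in RouterOS v6.43 and later, `/ip ipsec profile` only carries the IKE SA (phase 1) parameters, while the ESP child SA (phase 2) parameters come from `/ip ipsec proposal`, which is selected by the policy rather than by the peer. The peer's "incoming child SA proposal" above (AES_CBC 128/192/256, SHA, MODP1024) is exactly what RouterOS' default proposal offers. The block below shows that default beside a proposal matched to the peer's ESP settings and a policy that references it; the policy addresses and the peer name are assumed from the post's topology, since the post does not show its policy.

```routeros
# Added example, not the original poster's configuration.
# Assumes RouterOS v6.43+ (separate profile and proposal menus), the peer
# name "remote-peer" from the post, and a hypothetical policy for the two LANs.

# Phase 1 (IKE SA): this is what the profile controls, and it is what the post
# already changed. It does not affect the ESP proposal.
/ip ipsec profile
add name=new_profile dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha256 nat-traversal=no

# Phase 2 (ESP child SA): controlled by the proposal. The RouterOS default
# proposal offers aes-256-cbc,aes-192-cbc,aes-128-cbc with sha1 and
# pfs-group=modp1024, which matches the peer log line by line.
# Either tighten the default...
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048

# ...or add a dedicated proposal matched to the peer's ESP settings
# (AES-256-CBC, SHA256, DH group modp2048).
/ip ipsec proposal
add name=new_proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048

# The policy selects the proposal. Selector addresses are assumed from the
# post's stated goal (10.64.99.0/24 behind the MikroTik to 172.20.1.0/24).
/ip ipsec policy
add src-address=10.64.99.0/24 dst-address=172.20.1.0/24 tunnel=yes \
    peer=remote-peer proposal=new_proposal

# Check the negotiated child SA algorithms once the tunnel re-establishes.
/ip ipsec installed-sa print
```

After the child SA rekeys, `installed-sa print` should list aes-256-cbc with sha256 instead of the default set; if the peer still logs "no proposal chosen", compare its ESP proposal (encryption, integrity, DH group) field by field against the proposal the policy references, not against the profile.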