The first MikroTik has a white IP without any NAT (server).
The second doesn't have a white IP (client).
After I configured everything, I get these messages in the logs on both sides:
Server side:
Logs:
14:26:25 ipsec,info new ike2 SA (R): peer SERVER_WHITE_IP SERVER_WHITE_IP[4500]-93.189.202.13[4500] spi:c937289a4100671f:1fc942c0bf837144
14:26:26 ipsec,info killing ike2 SA: peer SERVER_WHITE_IP SERVER_WHITE_IP[4500]-93.189.202.13[4500] spi:c937289a4100671f:1fc942c0bf837144
No active peers.

Client side:
[admin@client] > /ip/ipsec/active-peers/print
Columns: STATE, UPTIME, PH2-TOTAL, REMOTE-ADDRESS
# STATE          UPTIME PH2-TOTAL REMOTE-ADDRESS
0 message-1-sent 14s    1         SERVER_WHITE_IP

Server identity:
[admin@server] /ip/ipsec> identity/print
Flags: D - dynamic; X - disabled
0 peer=peer SERVER_WHITE_IP auth-method=pre-shared-key mode-config=modeconf_xvizion-server my-id=fqdn:server.xvizion-ike2 remote-id=user-fqdn:client-babyshka
  secret="****" generate-policy=port-strict policy-template-group=group_xvizion-ike2

Client identity:
[admin@client] > /ip/ipsec/identity/print
Flags: D - dynamic; X - disabled
0 peer=peer_xvizion-ike2 auth-method=pre-shared-key mode-config=request-only my-id=user-fqdn:client-babyshka remote-id=fqdn:server.xvizion-ike2 secret="****"
  generate-policy=port-strict policy-template-group=group_xvizion-ike2

Server modeconfig:
[admin@server] /ip/ipsec> mode-config/print
Flags: * - default; R - responder
0 * name="request-only" responder=no use-responder-dns=exclusively
1 R name="modeconf_xvizion-server" system-dns=yes address-pool=pool xvizion-ike2 address-prefix-length=32 split-include=0.0.0.0/0 split-dns=""

Client modeconfig:
[admin@client] > /ip/ipsec/mode-config/print
Flags: * - default; R - responder
0 * name="request-only" responder=no use-responder-dns=exclusively

Server peer:
[admin@server] /ip/ipsec> peer/print
Flags: X - disabled; D - dynamic; R - responder
0 R name="peer SERVER_WHITE_IP" local-address=SERVER_WHITE_IP passive=yes profile=profile xvizion-ike2 exchange-mode=ike2 send-initial-contact=yes

Client peer:
[admin@client] > /ip/ipsec/peer/print
Flags: X - disabled; D - dynamic; R - responder
0 name="peer_xvizion-ike2" address=SERVER_WHITE_IP/32 profile=profile_xvizion-ike2 exchange-mode=ike2 send-initial-contact=yes

Server policy:
[admin@server] /ip/ipsec> policy/print
Flags: T - TEMPLATE; X, A - ACTIVE; * - DEFAULT
Columns: SRC-ADDRESS, DST-ADDRESS, PROTOCOL
#     SRC-ADDRESS DST-ADDRESS  PROTOCOL
0 TX* ::/0        ::/0         all
1 T   0.0.0.0/0   10.0.88.0/24 all

Client policy:
[admin@client] > /ip/ipsec/policy/print
Flags: T - TEMPLATE; * - DEFAULT
Columns: SRC-ADDRESS, DST-ADDRESS, PROTOCOL
#    SRC-ADDRESS  DST-ADDRESS PROTOCOL
0 T* ::/0         ::/0        all
1 T  10.0.88.0/24 0.0.0.0/0   all

Server profile:
[admin@server] /ip/ipsec> profile/print
Flags: * - default
0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m
    dpd-maximum-failures=5
1   name="profile xvizion-ike2" hash-algorithm=sha256 enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048,modp1536,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes
    dpd-interval=2m dpd-maximum-failures=5

Client profile:
[admin@client] /ip/ipsec> profile/print
Flags: * - default
0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m
    dpd-maximum-failures=5
1   name="profile_xvizion-ike2" hash-algorithm=sha256 enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048,modp1536,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes
    dpd-interval=2m dpd-maximum-failures=5

Server proposal:
[admin@server] /ip/ipsec> proposal/print
Flags: X - disabled; * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
1   name="ipsec-proposal" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=30m pfs-group=none
2   name="proposal_xvizion-ike2" auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm
    lifetime=8h pfs-group=none

Client proposal:
[admin@client] /ip/ipsec> proposal/print
Flags: X - disabled; * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
1   name="proposal_xvizion-ike2" auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm
    lifetime=8h pfs-group=none

Server firewall:
[admin@server] /ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward action=passthrough
 1   ;;; default configuration
     chain=input action=accept connection-state=established,related
 2   chain=output action=accept log=no log-prefix=""
 3   chain=input action=accept protocol=udp dst-port=1701 log=no log-prefix=""
 4   chain=input action=accept protocol=udp dst-port=500,4500 log=no log-prefix=""
 5   chain=input action=accept in-interface=bridgeLan log=no log-prefix=""
 6   chain=forward action=accept in-interface=bridgeLan out-interface=WAN log=no log-prefix=""
 7   chain=forward action=accept connection-state=established,related in-interface=WAN out-interface=bridgeLan log=no log-prefix=""
 8   chain=forward action=accept in-interface=bridgeLan log=no log-prefix=""
 9   chain=forward action=accept src-address=10.10.0.0/24 log=no log-prefix=""
13   chain=output action=accept protocol=ipsec-esp log=no log-prefix=""
14   chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
15   chain=input action=accept protocol=icmp log=no log-prefix=""
18   ;;; defconf: accept in ipsec policy
     chain=forward action=accept ipsec-policy=in,ipsec
19   ;;; defconf: accept out ipsec policy
     chain=forward action=accept ipsec-policy=out,ipsec
20   ;;; defconf: fasttrack
     chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
21   ;;; defconf: drop invalid
     chain=forward action=drop connection-state=invalid
22   chain=input action=drop in-interface=WAN log=no log-prefix=""

Client firewall:
[admin@client] /ip/ipsec> /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
 0   chain=input action=accept connection-state=established,related log=no log-prefix=""
 2   chain=output action=accept log=no log-prefix=""
 3   chain=input action=accept in-interface=bridgeLocal log=no log-prefix=""
 5   ;;; ipsec tunnel
     chain=input action=accept protocol=udp dst-port=1701,500,4500 log=no log-prefix=""
 6   chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
 7   chain=forward action=accept in-interface=bridgeLocal out-interface=WAN log=no log-prefix=""
 8   chain=forward action=accept connection-state=established,related in-interface=WAN out-interface=bridgeLocal log=no log-prefix=""
 9   chain=input action=accept protocol=icmp log=no log-prefix=""
10   chain=input action=drop in-interface=WAN log=no log-prefix=""
12   chain=forward action=accept protocol=ipsec-esp log=no log-prefix=""

Both MikroTiks have OS version 7.3 (stable).
Any suggestions?
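Added example, not part of the post: a small Python helper that parses the RouterOS ipsec log lines and the two identity entries quoted above, flags IKE SAs that are killed within seconds of being created (the pattern in the server log), and checks that the server's and client's my-id/remote-id pairs mirror each other. The sample input is copied from the post, with the poster's SERVER_WHITE_IP placeholder kept as-is.

```python
import re
from datetime import datetime

# Constructed sample input: the two server log lines and the two identity entries from the post.
SERVER_LOG = """\
14:26:25 ipsec,info new ike2 SA (R): peer SERVER_WHITE_IP SERVER_WHITE_IP[4500]-93.189.202.13[4500] spi:c937289a4100671f:1fc942c0bf837144
14:26:26 ipsec,info killing ike2 SA: peer SERVER_WHITE_IP SERVER_WHITE_IP[4500]-93.189.202.13[4500] spi:c937289a4100671f:1fc942c0bf837144
"""
SERVER_IDENTITY = ('0 peer=peer SERVER_WHITE_IP auth-method=pre-shared-key mode-config=modeconf_xvizion-server '
                   'my-id=fqdn:server.xvizion-ike2 remote-id=user-fqdn:client-babyshka secret="****"')
CLIENT_IDENTITY = ('0 peer=peer_xvizion-ike2 auth-method=pre-shared-key mode-config=request-only '
                   'my-id=user-fqdn:client-babyshka remote-id=fqdn:server.xvizion-ike2 secret="****"')

# RouterOS 7 ipsec log line: <time> ipsec,info <event>: <peer-name> <local>[port]-<remote>[port] spi:<spi>
LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) ipsec,info (?P<event>new ike2 SA \([IR]\)|killing ike2 SA): "
    r"peer (?P<peer>.+?) (?P<local>\S+)\[\d+\]-(?P<remote>\S+)\[\d+\] spi:(?P<spi>[0-9a-f:]+)$"
)


def short_lived_sas(log_text, max_seconds=10):
    """Return [(spi, remote, seconds_alive)] for IKE SAs killed within max_seconds of creation.

    An SA that dies this quickly never completed IKE_AUTH, which usually points at a
    firewall, NAT or identity problem rather than at the encryption settings.
    """
    created, results = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines in any other format
        t = datetime.strptime(m["time"], "%H:%M:%S")
        if m["event"].startswith("new"):
            created[m["spi"]] = t
        elif m["spi"] in created:
            alive = (t - created.pop(m["spi"])).total_seconds()
            if alive <= max_seconds:
                results.append((m["spi"], m["remote"], alive))
    return results


def parse_kv(print_line):
    """Turn a RouterOS 'print' entry into a dict of key=value pairs (quoted values kept whole)."""
    return dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', print_line))


def identities_match(server_line, client_line):
    """True when each side's my-id equals the other side's remote-id (type prefix included)."""
    s, c = parse_kv(server_line), parse_kv(client_line)
    return s["my-id"] == c["remote-id"] and s["remote-id"] == c["my-id"]
```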