I've been asked to replicate one end of a Cisco<-->Cisco IPSec connection so it becomes RouterOS<-->Cisco.
The spec is:
Code:
S2S VPN Details
VPN Parameters
Equipment type CISCO ASR 1002-X
VPN Peer IP Address 193.X.Y.Z
Encryption Domain 193.X.Y.Z (SVTI)
IKE Ph I Parameters
Authentication Method PSK
Pre-Shared Key SECRETKEY
Hash sha 512
Encryption Algorithm aes-256
DH-Group 14
Life Time ( Seconds ) 28800
Mode (Aggressive/Main) Main
IKE Ph II Parameters
Encapsulation Protocol ESP
Encryption Algorithm AES
Authentication Algorithm sha512/sha256/sha
PFS / DH-group none
Life Time ( Seconds ) 3600
Life Time ( KB ) 4608000
Encapsulation Mode Tunnel
Communication Domain
CISCO-END ROUTEROS-END
10.A.B.C 10.D.E.F/28
Code:
/ip ipsec mode-config set [ find default=yes ] use-responder-dns=no
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 lifebytes=4608000 lifetime=8h name=ike-profile
/ip ipsec peer add address=193.X.Y.Z/32 exchange-mode=aggressive local-address=46.U.V.W name=ike-peer profile=ike-profile
/ip ipsec proposal add auth-algorithms=sha512 enc-algorithms=aes-128-cbc lifetime=1h name=ike-proposal pfs-group=none
/ip ipsec identity add auth-method=pre-shared-key disabled=no generate-policy=no peer=ike-peer secret=SECRETKEY
/ip ipsec policy add dst-address=10.A.B.C/32 level=unique peer=ike-peer proposal=ike-proposal src-address=10.D.E.F/28 tunnel=yes
and then the installed SAs are deleted and the whole process starts again.
I've got to the stage where I think I've tried everything and nothing works. I'm sure I've missed something that's really obvious.
Can anybody spot anything? Please?
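A mechanical way to compare the RouterOS commands against the S2S sheet, added here as an example and not part of the original post: it parses the `/ip ipsec` lines, merges peer and profile into phase 1, and reports every parameter that differs from the sheet. It assumes DH group 14 maps to RouterOS `modp2048`, that the sheet's "sha" means sha1, and that RouterOS durations such as `8h` are to be compared in seconds.

```python
import re

# Spec values transcribed from the S2S sheet in the post. DH group 14 is the 2048-bit
# MODP group (RouterOS name modp2048); the sheet's "sha" is taken to mean sha1 (assumption).
SPEC = {
    "phase1": {"exchange-mode": "main", "dh-group": "modp2048", "enc-algorithm": "aes-256",
               "hash-algorithm": "sha512", "lifetime": 28800},
    "phase2": {"pfs-group": "none", "lifetime": 3600,
               "auth-algorithms": {"sha512", "sha256", "sha1"}},
}

# Constructed copy of the RouterOS commands from the post (address placeholders kept).
CONFIG = """
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 lifebytes=4608000 lifetime=8h name=ike-profile
/ip ipsec peer add address=193.X.Y.Z/32 exchange-mode=aggressive local-address=46.U.V.W name=ike-peer profile=ike-profile
/ip ipsec proposal add auth-algorithms=sha512 enc-algorithms=aes-128-cbc lifetime=1h name=ike-proposal pfs-group=none
"""

def parse_ros(cmds):
    """Collect k=v pairs from '/ip ipsec <section> add|set ...' lines, per section."""
    out = {}
    for line in cmds.strip().splitlines():
        m = re.match(r"/ip ipsec (\S+) (?:add|set)\s*(.*)", line.strip())
        if m:
            section, rest = m.groups()
            out.setdefault(section, {}).update(re.findall(r"(\S+?)=(\S+)", rest))
    return out

def to_seconds(v):
    """RouterOS duration ('8h', '1h30m', '45s') -> seconds."""
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([dhms])", v))

def mismatches(cmds):
    """Return 'phase key: spec X, config Y' for every parameter that is off-spec."""
    cfg = parse_ros(cmds)
    # Phase 1 settings are split between the peer and its profile; phase 2 is the proposal.
    phases = {"phase1": {**cfg.get("profile", {}), **cfg.get("peer", {})},
              "phase2": cfg.get("proposal", {})}
    found = []
    for phase, wanted in SPEC.items():
        for key, want in wanted.items():
            got = phases[phase].get(key, "<missing>")
            if key == "lifetime" and got != "<missing>":
                got = to_seconds(got)  # '8h' -> 28800 so it compares with the sheet
            ok = got in want if isinstance(want, set) else got == want
            if not ok:
                found.append(f"{phase} {key}: spec {want}, config {got}")
    return found
```

The sheet gives the phase 2 cipher only as "AES", so that field is deliberately not compared; on the posted config the checker reports a single difference, the phase 1 exchange mode.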