Re: [Mikrotik] IPSec

Thu, 19 Jun 2008 11:05:33 -0500 (CDT)

Actually, the darn thing stopped working once it started and without any changes to either side. :-\ 

[EMAIL PROTECTED] > /ip ipsec policy print detail
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes sa-src-address=68.60.0.0 sa-dst-address=65.182.0.0 
    proposal=default manual-sa=none priority=0
[EMAIL PROTECTED] > /ip ipsec proposal print detail
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024 
[EMAIL PROTECTED] > /ip ipsec peer print detail
Flags: X - disabled
0 address=65.182.0.0/32:500 auth-method=pre-shared-key secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5 
[EMAIL PROTECTED] > /ip ipsec installed-sa print detail
Flags: A - AH, E - ESP, P - pfs




[EMAIL PROTECTED] > /ip ipsec policy print detail
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes sa-src-address=65.182.0.0 sa-dst-address=68.60.0.0 
    proposal=default manual-sa=none priority=0
[EMAIL PROTECTED] > /ip ipsec proposal print detail
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024 
[EMAIL PROTECTED] > /ip ipsec peer print detail
Flags: X - disabled
0 address=68.60.0.0/32:500 auth-method=pre-shared-key secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=20s dpd-maximum-failures=1 
[EMAIL PROTECTED] > /ip ipsec installed-sa print detail
Flags: A - AH, E - ESP, P - pfs


----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
----- Original Message ----- From: "Mike Hammett" <[EMAIL PROTECTED]> 
To: "Mikrotik discussions" <mikrotik@mail.butchevans.com>
Sent: Saturday, June 07, 2008 11:49 AM
Subject: Re: [Mikrotik] IPSec



I had actually just gotten it fixed by trying the masquerade option before
Butch told me to do masquerade.  That said, I have attached a map of what
we're working with.  The NIF wireless and everything behind it cannot
communicate with anything across the IPSec link, though everything else
including and behind NIF router does.  Everything including and behind NIF
router can talk to everyone else on that side of the network as well as the 
Internet.


----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
----- Original Message ----- From: "Mike Hammett" <[EMAIL PROTECTED]> 
To: "Mikrotik discussions" <mikrotik@mail.butchevans.com>
Sent: Friday, June 06, 2008 11:33 PM
Subject: [Mikrotik] IPSec
I'm trying to setup a 3.10 IPSec tunnel between two Mikrotiks. First off, 
the manual isn't correct.  I do exactly what they say and I get an error.
As it turns out, you're also required to choose an AH In\Out Algorithm.
It also doesn't explain things well, like ah-spi.

How do I know it's working?  I cannot ping addresses on the other side.


Side 1:

< ICS] > /ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
sa-src-address=65.182.111.111 sa-dst-address=68.60.111.111
proposal=default
    manual-sa=ah-sa1 priority=0
[EMAIL PROTECTED] - ICS] > /ip ipsec manual-sa print
Flags: X - disabled, I - invalid
0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
esp-enc-algorithm=null ah-key=64 hex characters esp-auth-key=""
esp-enc-key="" ah-spi=0x100/0x101
    esp-spi=0x100 lifetime=0s



Side 2:

[EMAIL PROTECTED] Fence] > /ip ipsec policy pr
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
sa-src-address=68.60.111.111 sa-dst-address=65.182.111.111
proposal=default
    manual-sa=ah-sa1 priority=0
[EMAIL PROTECTED] Fence] > /ip ipsec manual-sa pr
Flags: X - disabled, I - invalid
0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
esp-enc-algorithm=null ah-key=same 64 hex characters esp-auth-key=""
esp-enc-key="" ah-spi=0x101/0x100
    esp-spi=0x100 lifetime=0s



----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.butchevans.com/pipermail/mikrotik/attachments/20080606/9f93d58b/attachment.html
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik


-------------- next part --------------
A non-text attachment was scrubbed...
Name: CF NIF IPSec issue.pdf
Type: application/pdf
Size: 62758 bytes
Desc: not available
Url : http://www.butchevans.com/pipermail/mikrotik/attachments/20080607/ff575dbf/attachment.pdf 
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik

Reply via email to