Check your counters. My guess would be that since you're running private networks on both sides the traffic is being masqueraded as it's leaving the router, so it never matches your policy. Add an accept on both sides that is ahead of the masquerade for traffic bound for the opposite side's network and see what happens.

Regards,

Paul

Mike Hammett wrote:
Where would I see that at?


----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


----- Original Message ----- From: "Paul J. Benner, Jr." <[EMAIL PROTECTED]>
To: "Mikrotik discussions" <mikrotik@mail.butchevans.com>
Sent: Thursday, June 19, 2008 11:22 AM
Subject: Re: [Mikrotik] IPSec


Mike,

Does the IPSec tunnel encrypt any packets when you attempt to make a connection from one side to the other?

Regards,

Paul

Mike Hammett wrote:
Actually, the darn thing stopped working once it started and without any changes to either side.  :-\

[EMAIL PROTECTED] > /ip ipsec policy print detail
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
sa-src-address=68.60.0.0 sa-dst-address=65.182.0.0
     proposal=default manual-sa=none priority=0
[EMAIL PROTECTED] > /ip ipsec proposal print detail
Flags: X - disabled
 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
[EMAIL PROTECTED] > /ip ipsec peer print detail
Flags: X - disabled
 0   address=65.182.0.0/32:500 auth-method=pre-shared-key
secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5"
generate-policy=no exchange-mode=main send-initial-contact=yes
nat-traversal=no
     proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
dpd-maximum-failures=5
[EMAIL PROTECTED] > /ip ipsec installed-sa print detail
Flags: A - AH, E - ESP, P - pfs




[EMAIL PROTECTED] > /ip ipsec policy print detail
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
sa-src-address=65.182.0.0 sa-dst-address=68.60.0.0
     proposal=default manual-sa=none priority=0
[EMAIL PROTECTED] > /ip ipsec proposal print detail
Flags: X - disabled
 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
[EMAIL PROTECTED] > /ip ipsec peer print detail
Flags: X - disabled
 0   address=68.60.0.0/32:500 auth-method=pre-shared-key
secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5"
generate-policy=no exchange-mode=main send-initial-contact=yes
nat-traversal=no
     proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=20s
dpd-maximum-failures=1
[EMAIL PROTECTED] > /ip ipsec installed-sa print detail
Flags: A - AH, E - ESP, P - pfs


----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


----- Original Message ----- From: "Mike Hammett" <[EMAIL PROTECTED]>
To: "Mikrotik discussions" <mikrotik@mail.butchevans.com>
Sent: Saturday, June 07, 2008 11:49 AM
Subject: Re: [Mikrotik] IPSec



I had actually just gotten it fixed by trying the masquerade option before Butch told me to do masquerade. That said, I have attached a map of what we're working with.  The NIF wireless and everything behind it cannot communicate with anything across the IPSec link, though everything else including and behind NIF router does. Everything including and behind NIF router can talk to everyone else on that side of the network as well as the Internet.


----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


----- Original Message ----- From: "Mike Hammett" <[EMAIL PROTECTED]>
To: "Mikrotik discussions" <mikrotik@mail.butchevans.com>
Sent: Friday, June 06, 2008 11:33 PM
Subject: [Mikrotik] IPSec



I'm trying to set up a 3.10 IPSec tunnel between two Mikrotiks.  First off, the manual isn't correct. I do exactly what they say and I get an error. As it turns out, you're also required to choose an AH In\Out Algorithm. It also doesn't explain things well, like ah-spi.

How do I know it's working?  I cannot ping addresses on the other side.


Side 1:

< ICS] > /ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
sa-src-address=65.182.111.111 sa-dst-address=68.60.111.111
proposal=default
    manual-sa=ah-sa1 priority=0
[EMAIL PROTECTED] - ICS] > /ip ipsec manual-sa print
Flags: X - disabled, I - invalid
0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
esp-enc-algorithm=null ah-key=64 hex characters esp-auth-key=""
esp-enc-key="" ah-spi=0x100/0x101
    esp-spi=0x100 lifetime=0s



Side 2:

[EMAIL PROTECTED] Fence] > /ip ipsec policy pr
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
sa-src-address=68.60.111.111 sa-dst-address=65.182.111.111
proposal=default
    manual-sa=ah-sa1 priority=0
[EMAIL PROTECTED] Fence] > /ip ipsec manual-sa pr
Flags: X - disabled, I - invalid
0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
esp-enc-algorithm=null ah-key=same 64 hex characters esp-auth-key=""
esp-enc-key="" ah-spi=0x101/0x100
    esp-spi=0x100 lifetime=0s



----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik


-------------- next part --------------
A non-text attachment was scrubbed...
Name: CF NIF IPSec issue.pdf
Type: application/pdf
Size: 62758 bytes
Desc: not available
Url :
http://www.butchevans.com/pipermail/mikrotik/attachments/20080607/ff575dbf/attachment.pdf







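The accept-before-masquerade rule Paul recommends at the top of the thread, written out for RouterOS as an added example; these are not commands from any message above. Masquerade runs in the srcnat chain before the IPsec policy lookup, so a LAN packet that has already been rewritten to the public address no longer matches a policy whose src-address is the private /24 and leaves the router in the clear. The bypass rule must therefore sit above the masquerade rule. The WAN interface name ether1 is an assumption, the networks are side 1's (swap them for side 2), and the command names are the RouterOS 3.x ones; the counter commands in particular vary between RouterOS versions, so check them against your release.

```routeros
# Added example, not from the thread. Assumptions: WAN interface is "ether1";
# local LAN is 192.168.1.0/24, remote LAN is 192.168.2.0/24 (side 1).
# On side 2, swap the two networks.

# 1. Exempt LAN-to-remote-LAN traffic from source NAT. place-before=0 puts the
#    rule at the top of srcnat so it is evaluated before the masquerade rule.
/ip firewall nat add chain=srcnat action=accept \
    src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    place-before=0 comment="no NAT for traffic entering the IPsec policy"

# 2. The masquerade rule for ordinary Internet traffic stays below it.
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

# 3. Confirm the order and watch the accept rule's packet counter climb
#    while pinging a host on the far side from a LAN host.
/ip firewall nat print stats

# 4. Confirm the tunnel is doing work: an AH/ESP SA pair should appear
#    (the thread's installed-sa output was empty), and the encrypt
#    counters should increase with the pings.
/ip ipsec installed-sa print
/ip ipsec counters print
```

If the accept rule's counter rises but installed-sa stays empty, the problem is in phase 1/2 negotiation rather than NAT; if the counter stays at zero, the traffic is not reaching the router with a private source address and the NAT rule is not the issue.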