Actually, the darn thing stopped working once it started and without any
changes to either side. :-\
[EMAIL PROTECTED] > /ip ipsec policy print detail
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah,esp
tunnel=yes
sa-src-address=68.60.0.0 sa-dst-address=65.182.0.0
proposal=default manual-sa=none priority=0
[EMAIL PROTECTED] > /ip ipsec proposal print detail
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
[EMAIL PROTECTED] > /ip ipsec peer print detail
Flags: X - disabled
0 address=65.182.0.0/32:500 auth-method=pre-shared-key
secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5"
generate-policy=no exchange-mode=main send-initial-contact=yes
nat-traversal=no
proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
dpd-maximum-failures=5
[EMAIL PROTECTED] > /ip ipsec installed-sa print detail
Flags: A - AH, E - ESP, P - pfs
[EMAIL PROTECTED] > /ip ipsec policy print detail
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah,esp
tunnel=yes
sa-src-address=65.182.0.0 sa-dst-address=68.60.0.0
proposal=default manual-sa=none priority=0
[EMAIL PROTECTED] > /ip ipsec proposal print detail
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
[EMAIL PROTECTED] > /ip ipsec peer print detail
Flags: X - disabled
0 address=68.60.0.0/32:500 auth-method=pre-shared-key
secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5"
generate-policy=no exchange-mode=main send-initial-contact=yes
nat-traversal=no
proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=20s
dpd-maximum-failures=1
[EMAIL PROTECTED] > /ip ipsec installed-sa print detail
Flags: A - AH, E - ESP, P - pfs
----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
----- Original Message -----
From: "Mike Hammett" <[EMAIL PROTECTED]>
To: "Mikrotik discussions" <mikrotik@mail.butchevans.com>
Sent: Saturday, June 07, 2008 11:49 AM
Subject: Re: [Mikrotik] IPSec
I had actually just gotten it fixed by trying the masquerade option
before
Butch told me to do masquerade. That said, I have attached a map of
what
we're working with. The NIF wireless and everything behind it cannot
communicate with anything across the IPSec link, though everything else
including and behind NIF router does. Everything including and behind
NIF
router can talk to everyone else on that side of the network as well as
the
Internet.
----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
----- Original Message -----
From: "Mike Hammett" <[EMAIL PROTECTED]>
To: "Mikrotik discussions" <mikrotik@mail.butchevans.com>
Sent: Friday, June 06, 2008 11:33 PM
Subject: [Mikrotik] IPSec
I'm trying to setup a 3.10 IPSec tunnel between two Mikrotiks. First
off,
the manual isn't correct. I do exactly what they say and I get an
error.
As it turns out, you're also required to choose an AH In\Out Algorithm.
It also doesn't explain things well, like ah-spi.
How do I know it's working? I cannot ping addresses on the other side.
Side 1:
< ICS] > /ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
sa-src-address=65.182.111.111 sa-dst-address=68.60.111.111
proposal=default
manual-sa=ah-sa1 priority=0
[EMAIL PROTECTED] - ICS] > /ip ipsec manual-sa print
Flags: X - disabled, I - invalid
0 name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
esp-enc-algorithm=null ah-key=64 hex characters esp-auth-key=""
esp-enc-key="" ah-spi=0x100/0x101
esp-spi=0x100 lifetime=0s
Side 2:
[EMAIL PROTECTED] Fence] > /ip ipsec policy pr
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
sa-src-address=68.60.111.111 sa-dst-address=65.182.111.111
proposal=default
manual-sa=ah-sa1 priority=0
[EMAIL PROTECTED] Fence] > /ip ipsec manual-sa pr
Flags: X - disabled, I - invalid
0 name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
esp-enc-algorithm=null ah-key=same 64 hex characters esp-auth-key=""
esp-enc-key="" ah-spi=0x101/0x100
esp-spi=0x100 lifetime=0s
----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.butchevans.com/pipermail/mikrotik/attachments/20080606/9f93d58b/attachment.html
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CF NIF IPSec issue.pdf
Type: application/pdf
Size: 62758 bytes
Desc: not available
Url :
http://www.butchevans.com/pipermail/mikrotik/attachments/20080607/ff575dbf/attachment.pdf
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik