All,

We have an IPSec hub and spoke design. I have a 750GL (spoke) that is
connected via IPsec back to a Juniper (Hub). I initiate the connection from
the 750 and it creates a tunnel (2 SA's) and then I can ping to a device
sitting behind the Juniper. If I try to ping back from the device behind
the Juniper to a loopback address applied to the 750, it creates another
set of SA's (now I have 4 SA's). This should not happen. The spokes should
be the initiator and ONLY the initiator because all spoke locations (750's)
are either static, dhcp or pppoe. My question is since the SA is already
created by the spoke as the initiator (I have 2 SA's per connection to be
exact) should the traffic from behind the Juniper already utilize the
tunnel that was created by the spoke? Why does another tunnel (2 SA's) get
created? If I clear the connection on the Juniper and start a ping from the
device sitting behind it to the spoke, it creates a tunnel and then I start
a ping from the spoke to the device behind the Juniper, it utilizes the
existing tunnel and passes traffic. A second set of SA's does not get
created.


# oct/23/2012 21:27:52 by RouterOS 5.21
# software id = 182Q-xxxx
#
# Spoke-side export for the IPsec hub-and-spoke setup described above.
# NOTE(review): mail-client wrapping has split several commands over two
# lines (e.g. the dhcp-server, firewall and policy entries); rejoin them
# before importing this anywhere.
/interface bridge
# loopback1 is a bridge with no member ports. It carries 5.1.1.10/32 (see
# /ip address) and is the source interface for the ping-vpn script and the
# first IPsec policy below.
add name=loopback1
/interface ethernet
 set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip ipsec proposal
# Phase 2 (ESP) proposal. pfs-group=none disables Perfect Forward Secrecy,
# so ESP keys are derived from the IKE SA rather than a fresh DH exchange;
# compromise of the IKE keys would then expose recorded ESP traffic.
# Presumably this has to agree with the hub side -- enabling a pfs-group on
# both ends is preferable if the Juniper supports it.
add name=juniper pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.100.10-192.168.100.254
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp disabled=no
interface=ether2-master-local name=default
/ip address
add address=192.168.100.1/24 comment="default configuration"
interface=ether2-master-local
add address=50.104.x.x/30 interface=ether1-gateway
add address=5.1.1.10/32 interface=loopback1 network=5.1.1.10
/ip dhcp-server network
add address=192.168.100.0/24 comment="default configuration"
dns-server=208.67.220.220,208.67.222.222 gateway=192.168.100.1
/ip dns
# The router answers DNS for LAN clients (allow-remote-requests=yes).
# Queries arriving on ether1-gateway fall through to the input drop rule
# in /ip firewall filter, so this is not WAN-reachable as long as that
# rule stays in place.
set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
# input chain: ICMP from any source, established/related, SNMP (udp/161)
# to the loopback from the hub-side /29, and management (ssh 22, http 80,
# https 443, winbox 8291) from the listed source ranges. The final rule
# drops everything else that arrives on ether1-gateway; input from the
# LAN-side ports is not filtered by this chain at all. tcp/80 is cleartext
# web management -- if it is not needed from these ranges, dropping it
# from the accept rules narrows the exposed surface.
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input dst-address=5.1.1.10 dst-port=161 protocol=udp src-address=
10.94.64.16/29
add chain=input dst-port=22,80,443,8291 protocol=tcp
src-address=68.167.x.x/24
add chain=input dst-port=22,80,443,8291 protocol=tcp
src-address=68.106.x.x/26
add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=68.106.x.x
add chain=input dst-port=22,80,443,8291 protocol=tcp
src-address=10.94.x.x/29
add chain=input dst-port=22,80,443,8291 protocol=tcp
src-address=216.231.x.x/24
add chain=input dst-port=22,80,443,8291 protocol=tcp
src-address=216.231.x.x/24
add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=76.168.x.x
add action=drop chain=input comment="default configuration"
in-interface=ether1-gateway
/ip firewall nat
# The first srcnat rule carries no action in the export (RouterOS omits
# default values, so presumably action=accept): LAN traffic bound for the
# hub /29 is exempted from masquerade so it reaches the IPsec policy with
# its 192.168.100.x source intact. All other LAN traffic is masqueraded
# out ether1-gateway.
add chain=srcnat dst-address=10.94.64.16/29 src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="default configuration"
out-interface=ether1-gateway src-address=192.168.100.0/24
/ip firewall service-port
set sip disabled=yes
/ip ipsec peer
# IKE (phase 1) peer for the hub. Aggressive mode with a user-FQDN identity
# is what lets a spoke on a dynamic address identify itself, but aggressive
# mode sends that identity unencrypted and gives weaker protection to a
# pre-shared key than main mode, so PSK strength matters here; main mode
# is preferable where the hub can identify the spoke some other way.
# DPD: 1m interval, 2 failures; IKE lifetime 10h.
# NOTE(review): the "<cs750...@schwab.com>" tail after my-id-user-fqdn
# looks like a mail-client rendering artifact, not part of the export --
# confirm before reusing this line.
add address=216.231.198.14/32 dpd-interval=1m dpd-maximum-failures=2
exchange-mode=aggressive hash-algorithm=sha1 lifetime=10h \
    my-id-user-fqdn=cs750...@xxxxx.com <cs750...@schwab.com>
/ip ipsec policy
# Two policies to the hub /29, one per local selector: loopback /32 and
# LAN /24. sa-src-address=0.0.0.0 presumably means the local SA endpoint
# is taken from whatever the current WAN address is (static/dhcp/pppoe).
# Each selector pair typically negotiates its own ESP SA pair, so four SAs
# on this side once both selectors carry traffic is expected rather than a
# duplicate tunnel; whether the hub re-negotiates when it initiates
# presumably depends on how its proxy-IDs match these two selectors --
# compare against the Juniper side.
add dst-address=10.94.64.16/29 proposal=juniper
sa-dst-address=216.231.x.x sa-src-address=0.0.0.0 src-address=5.1.1.10/32 \
    tunnel=yes
add dst-address=10.94.64.16/29 proposal=juniper
sa-dst-address=216.231.x.x sa-src-address=0.0.0.0 src-address=
192.168.100.0/24 \
    tunnel=yes
/ip neighbor discovery
set ether1-gateway disabled=yes
/ip route
# Default route via the WAN next hop on ether1-gateway.
add distance=1 gateway=50.104.x.x
/system identity
set name=CS750-10
/system logging
# SNMP events go to the log.
add topics=snmp
/system ntp client
# Clock sync; the email-reboots script below waits for the clock to be set
# before it runs.
set enabled=yes mode=unicast primary-ntp=50.116.38.157
secondary-ntp=208.38.65.35
/system scheduler
# Every 10s run ping-vpn (below), which pings 10.94.64.19 sourced from
# loopback1 -- i.e. keeps traffic on the loopback-to-hub selector so that
# SA pair stays up. The scheduler and both scripts run with the full policy
# set (including password, sensitive, sniff); /ping needs only the test
# policy (plus read), so the rest can be dropped for least privilege.
add interval=10s name=schedule1 on-event=ping-vpn
policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
\
    start-date=may/15/2012 start-time=22:08:12
/system script
# ping-vpn: five pings to 10.94.64.19 with loopback1 as the source.
add name=ping-vpn
policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
source=\
    ":put [/ping interface=loopback1 10.94.64.19 count=5]"
# email-reboots: loops until the year field of the system date is no longer
# below "2003" (i.e. the clock has been set), logs the uptime, builds a
# subject string (es) with identity/date/time, waits 90s, then builds a body
# string (eb) from /log print as-value.
# NOTE(review): the visible source only builds the strings -- there is no
# send step (no /tool e-mail send) in it; either the export/mail wrap
# truncated it or the script is unfinished. Confirm.
add name=email-reboots
policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
source=":while ( [:pick [/syst\
    em clock get date] 7 11]<\"2003\" ) do={ :delay 10s }\r\
    \n/log info \"time updated; uptime: \$[/system resource get uptime]\"\r\
    \n:local es \"\$[/system identity get name] rebooted on \$[/system
clock get date] \$[/system clock get time]\"\r\
    \n:delay 90s\r\
    \n:local eb \"Log contents (with 90 seconds delay):\\r\\n\"\r\
    \n:foreach le in=[/log print as-value] do={\r\
    \n  :set eb \"\$eb\$[:pick [:tostr [:pick \$le 1]] 5 100] \$[:pick
[:tostr [:pick \$le 2]] 7 100]: \$[:pick [:tostr [:pick \$l\
    e 3]] 8 1000]\\r\\n\"\r\
    \n}"
/tool mac-server
# MAC-telnet enabled on the LAN-side ports (ether2-5) only.
# NOTE(review): unlike mac-winbox below, no "set [ find default=yes ]
# disabled=yes" is visible here -- confirm the default all-interfaces
# mac-server entry is disabled so MAC-telnet is not reachable on
# ether1-gateway.
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
/tool mac-server mac-winbox
# Default all-interfaces entry disabled; MAC-winbox only on LAN-side ports.
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
[admin@CS750-10] >

*Jerry Roy*
Sr. Systems Engineer
MTCNA/MTCRE/MTCTCE

<http://www.ipass.com/> <http://www.ipass.com/>

1 949 681 5054
1 562 305 9545 Cell

Managed Network Services

*An iPass Company*
125 Technology Drive Suite 100
Irvine, CA 92618

*Read and share our white paper - *The Next Generation Network:
"Why the Distributed Enterprise Should Consider Multi-circuit WAN VPN
Solutions" <http://bit.ly/julyMNSWP>

*iPass.com/blog* <http://www.ipass.com/blog>*    |
**facebook.com/iPass*<http://www.facebook.com/ipass>
*    |    **twitter.com/iPass <http://www.twitter.com/ipass/>*