Oops... My apologies, that should be "no".
I was doing some other tests and disabled these rules.
Thanks!
PS: There is a known bug with IPSEC between Mikrotik to Cisco if you have
multiple Peers.
I managed to duplicate this exact bug...
See: http://forum.mikrotik.com/viewtopic.php?f=2t=39243
On Fri, May 21, 2010 at 7:21 PM, Casey Mills wkm...@gmail.com wrote:
Why are your Firewall NAT rules disabled?
Casey
On Fri, May 21, 2010 at 4:42 AM, Kurt Plaatjes kurtplaat...@gmail.com wrote:
Details:
Local network:
10.10.0.0/16
Remote networks
172.16.70.0/24
172.16.71.0/24
Local Public IP:
195.10.10.20
Remote Public IP:
202.10.10.20
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=\
    aes-256 lifetime=1h name=default pfs-group=modp1536
/ip ipsec peer
add address=202.10.10.20/32:500 auth-method=pre-shared-key comment="" \
    dh-group=modp1536 disabled=no dpd-interval=disable-dpd \
    dpd-maximum-failures=2 enc-algorithm=aes-256 exchange-mode=aggressive \
    generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=5h \
    nat-traversal=no proposal-check=obey secret=secretskey12345 \
    send-initial-contact=no
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=172.16.70.0/24:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=202.10.10.20 sa-src-address=195.10.10.20 \
    src-address=10.10.0.0/16:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=172.16.71.0/24:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=202.10.10.20 sa-src-address=195.10.10.20 \
    src-address=10.10.0.0/16:any tunnel=yes
Firewall: NAT
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=yes dst-address=\
    172.16.70.0/24 src-address=10.10.0.0/16
add action=accept chain=srcnat comment="" disabled=yes dst-address=\
    172.16.71.0/24 src-address=10.10.0.0/16
Note: This has to be inserted above all masquerade rules
Routing:
None
Once the tunnels are up Mikrotik does its thing.
I will try and get the Cisco config posted as well.
Kurt
-- next part --
An HTML attachment was scrubbed...
URL:
http://www.butchevans.com/pipermail/mikrotik/attachments/20100521/a51a7d39/attachment.html
___
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
RouterOS
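The point Casey raised in the thread above (the srcnat accept rules were disabled) and Kurt's note that those rules must sit above every masquerade rule are exactly the two things that silently break a RouterOS IPsec tunnel: if masquerade rewrites the source address before the policy is consulted, the packet no longer matches `src-address=10.10.0.0/16` and goes out in the clear. The checker below is an added example, not code from the mailing-list post or from MikroTik: it parses an `/export`-style dump, pairs every enabled `encrypt` policy with a covering `chain=srcnat action=accept` rule, and reports a rule that is missing, disabled, or ordered after the first masquerade/src-nat rule. The sample export is constructed from the thread's own addresses with one bypass rule re-enabled, a masquerade rule on an assumed interface `ether1` added, and the second bypass rule left disabled and misplaced so both failure modes show up. The PSK is omitted from the sample since the check does not need the peer section. (Separately from NAT ordering, the peer in the thread uses IKEv1 aggressive mode with a pre-shared key, which exposes a hash of the PSK to anyone who can observe the exchange; main mode is the safer choice when the Cisco side allows it.)

```python
"""Check that RouterOS srcnat bypass rules match the IPsec policies.

Added example for the MikroTik-to-Cisco thread; not the poster's code.
"""
import ipaddress
import shlex

# Constructed sample, built from the addresses in the thread. The first
# accept rule is enabled and above masquerade; the second is disabled and
# sits below it. The out-interface name 'ether1' is an assumption.
SAMPLE_EXPORT = r"""
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=172.16.70.0/24:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=202.10.10.20 sa-src-address=195.10.10.20 \
    src-address=10.10.0.0/16:any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=172.16.71.0/24:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=202.10.10.20 sa-src-address=195.10.10.20 \
    src-address=10.10.0.0/16:any tunnel=yes
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no dst-address=\
    172.16.70.0/24 src-address=10.10.0.0/16
add action=masquerade chain=srcnat out-interface=ether1
add action=accept chain=srcnat comment="" disabled=yes dst-address=\
    172.16.71.0/24 src-address=10.10.0.0/16
"""


def _join_continuations(text):
    """Join export lines that end in a backslash into single commands."""
    commands, buf = [], ""
    for raw in text.splitlines():
        line = raw.lstrip() if buf else raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]  # keep any trailing space: it separates tokens
            continue
        buf += line
        if buf.strip():
            commands.append(buf)
        buf = ""
    return commands


def parse_export(text):
    """Return {menu path: [rule dict, ...]} for every 'add' command."""
    sections, current = {}, None
    for cmd in _join_continuations(text):
        if cmd.startswith("/"):
            current = cmd
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(cmd)  # handles comment="" and quoted values
        if current is None or not tokens or tokens[0] != "add":
            continue
        rule = {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            rule[key] = value if sep else ""
        sections[current].append(rule)
    return sections


def _network(addr):
    """'10.10.0.0/16:any' -> IPv4Network('10.10.0.0/16'); port part dropped."""
    return ipaddress.ip_network(addr.split(":")[0], strict=False)


def check_ipsec_nat_bypass(text):
    """Map 'src -> dst' of each active encrypt policy to a list of problems."""
    sections = parse_export(text)
    policies = [p for p in sections.get("/ip ipsec policy", [])
                if p.get("action") == "encrypt" and p.get("disabled") != "yes"]
    nat = sections.get("/ip firewall nat", [])
    masq = [i for i, r in enumerate(nat) if r.get("chain") == "srcnat"
            and r.get("action") in ("masquerade", "src-nat")]
    first_masq = masq[0] if masq else len(nat)
    report = {}
    for pol in policies:
        src, dst = _network(pol["src-address"]), _network(pol["dst-address"])
        # accept rules whose src/dst ranges cover this policy's selectors
        candidates = [(i, r) for i, r in enumerate(nat)
                      if r.get("chain") == "srcnat" and r.get("action") == "accept"
                      and "src-address" in r and "dst-address" in r
                      and src.subnet_of(_network(r["src-address"]))
                      and dst.subnet_of(_network(r["dst-address"]))]
        problems = []
        if not candidates:
            problems.append("no srcnat accept rule covers this policy")
        else:
            enabled = [c for c in candidates if c[1].get("disabled") != "yes"]
            idx, rule = (enabled or candidates)[0]
            if rule.get("disabled") == "yes":
                problems.append("accept rule is disabled")
            if idx > first_masq:
                problems.append("accept rule sits below the first masquerade rule")
        report[f"{src} -> {dst}"] = problems
    return report


if __name__ == "__main__":
    for label, problems in check_ipsec_nat_bypass(SAMPLE_EXPORT).items():
        print(label, "OK" if not problems else "; ".join(problems))
```

Run it against the output of `/export` (or `/export compact`) copied from the router; an empty problem list for every policy means the bypass rules are present, enabled and ordered correctly. The check is deliberately conservative: a policy is only considered covered when the accept rule's `src-address` and `dst-address` contain the policy's selectors, so a rule for a narrower subnet is reported as missing rather than quietly accepted.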