[Mikrotik] IPsec tunnel times out and does not re-establish

2016-10-25 Thread Roy, Jerry
All,

Have an issue where two of three IPsec tunnels (two aes and one 3des) are not 
rebuilding and I have to manually login to "Kill connections" and then they 
rebuild. Originally we had adjusted the Policy level to be "Unique" based on 
recommendations from this list. It seems to have fixed the issue on 99% of the 
sites. But I still have some sites that have this applied and they show zero 
bytes on new sa's so until I clear, they stay down.

All 200 MT's are 750GL with 5.26 code.

Any ideas or recommendations?

Thanks,

Jerry Roy

___
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS


Re: [Mikrotik] IPsec tunnel drops and requires flush

2016-05-26 Thread Alexander Neilson
Hi Jerry. 

I hadn't used IPSEC on 5.26 so I can't advise about any bugs back then that may 
now be fixed. Another thing is to never assume the other end doesn't also have 
bugs. 

The only time require vs unique should come into play would be when there were 
more than one subnet at one end of the tunnel. (As in more than one policy with 
the same two end points). So changing to unique may make no difference to you. 

Hopefully others may have some more experience with this version and 
integrating with Cisco may be able to help. 

Regards
Alexander

> On 27/05/2016, at 06:45, Roy, Jerry  wrote:
> 
> Hi Alexander,
> 
> Thanks for the quick response.
> 
> We are running 5.26 on all 750's and the firmware is 3.19. There is an 
> initial tunnel that has been up on these boxes to a Juniper that never goes 
> down. The tunnel to the Cisco was added months later and of course to a 
> different subnet. So I see the setting under the policy to set it to 
> unique. You believe that should resolve this?
> 
> Thanks,
> 
> Jerry Roy 949.681.5054
> jerry@toltsolutions.com


Re: [Mikrotik] IPsec tunnel drops and requires flush

2016-05-26 Thread Roy, Jerry
Hi Alexander,

Thanks for the quick response.

We are running 5.26 on all 750's and the firmware is 3.19. There is an initial 
tunnel that has been up on these boxes to a Juniper that never goes down. The 
tunnel to the Cisco was added months later and of course to a different subnet. 
So I see the setting under the policy to set it to unique. You believe that 
should resolve this?

Thanks,

Jerry Roy 949.681.5054
jerry@toltsolutions.com



Re: [Mikrotik] IPsec tunnel drops and requires flush

2016-05-26 Thread Alexander Neilson
Hi Jerry

I don't have specific experience with Cisco at the far end. However, are there 
more than a single subnet at either end of the link?

I have found that some other providers default to "unique" for SA's while the 
Mikrotik defaults to "require". This can mean that it fails to maintain the 
SA's properly and will also work on whichever subnet is first used but the 
others won't work. 

Can you please advise which RouterOS version you have installed and the 
RouterBoot version running (System > RouterBoard)?

There have been quite a few change log entries in recent versions that 
reference IPSEC and have added features and squashed bugs. Personally I have 
6.34.4 as my version in the network however most of my links are to other 
Mikrotik routers. 

Regards
Alexander

> On 27/05/2016, at 06:23, Roy, Jerry  wrote:
> 
> Hey all,
> 
> Need your expertise. We have MikroTik 750's building IPsec tunnels using 
> aes128 to a Cisco router. Our script initially brings up the tunnel via a 
> ping (runs 3 pings every minute) and tunnel will run until the lifetime 
> expires (I believe) but after it expires, it never rebuilds. We have to 
> manually go in and flush the SA's or kill connections. Any ideas what we can 
> do to fix this? Lifetimes for ike and IPsec are standard 24 and 8.
> 
> Thanks,
> 
> Jerry


[Mikrotik] IPsec tunnel drops and requires flush

2016-05-26 Thread Roy, Jerry
Hey all,

Need your expertise. We have MikroTik 750's building IPsec tunnels using aes128 
to a Cisco router. Our script initially brings up the tunnel via a ping (runs 3 
pings every minute) and tunnel will run until the lifetime expires (I believe) 
but after it expires, it never rebuilds. We have to manually go in and flush 
the SA's or kill connections. Any ideas what we can do to fix this? Lifetimes 
for ike and IPsec are standard 24 and 8.

Thanks,

Jerry


[Mikrotik] Ipsec Main Mode with dynamic sites?

2015-07-30 Thread Roy, Jerry
All,

Can main mode IPsec be used with sites that have dynamic IP assignments on a 
750? (DHCP, PPPOE)? I haven't attempted yet and we have hundreds using 
aggressive but customer wants to migrate.

Thanks!

Jerry Roy
Tolt Solutions


Re: [Mikrotik] IPSec Trouble

2014-04-08 Thread Rick Smith
What do you mean by split tunnel?

I've got the standard ip firewall rules in as rule 0 to allow all this back
and forth traffic as un-masq'd.





On Tue, Apr 8, 2014 at 4:01 PM, Jerry Roy  wrote:

> Look at your Nat if this is split tunnel.
>
> You should nat thru tunnel and masquerade to internet
>
> *Jerry Roy*
> Sr. Systems Engineer
> MTCNA/MTCRE/MTCTCE

Re: [Mikrotik] IPSec Trouble

2014-04-08 Thread Jerry Roy
Split tunnel means allow traffic destined to the other end to be encrypted
and all the remaining traffic defined straight to the internet vs. single
tunnel which all traffic is encrypted and sent thru the tunnel to the other
side. After I looked at it, you do have split tunnel ;)

*Jerry Roy*
Sr. Systems Engineer
MTCNA/MTCRE/MTCTCE


 1 949 681 5054
1 562 305 9545 Cell

Unity Network Services

*An iPass Company*
125 Technology Drive
Suite 100
Irvine, CA 92618




On Tue, Apr 8, 2014 at 1:45 PM, Rick Smith  wrote:

> what do you mean by split tunnel ?
>
> I've got the standard ip firewall rules in as rule 0 to allow all this back
> and forth traffic as un-masq'd.

Re: [Mikrotik] IPSec Trouble

2014-04-08 Thread Jerry Roy
Look at your Nat if this is split tunnel.

You should nat thru tunnel and masquerade to internet

*Jerry Roy*
Sr. Systems Engineer
MTCNA/MTCRE/MTCTCE


 1 949 681 5054
1 562 305 9545 Cell

Unity Network Services

*An iPass Company*
125 Technology Drive
Suite 100
Irvine, CA 92618




On Tue, Apr 8, 2014 at 12:48 PM, Rick Smith  wrote:

> I get the point of initiating from the spoke to the hub...  so, I killed /
> flushed ALL connections on both sides.
> Pinged from the spoke to the other side of the hub, and everything came up
> - remote peers, installed SA's, etc... but I can STILL see the individual
> packets...   That's not good...


Re: [Mikrotik] IPSec Trouble

2014-04-08 Thread Rick Smith
I get the point of initiating from the spoke to the hub...  so, I killed /
flushed ALL connections on both sides.
Pinged from the spoke to the other side of the hub, and everything came up
- remote peers, installed SA's, etc... but I can STILL see the individual
packets...   That's not good...




On Tue, Apr 8, 2014 at 2:57 PM, Jerry Roy  wrote:

> Working? :)
>
> *Jerry Roy*
> Sr. Systems Engineer
> MTCNA/MTCRE/MTCTCE


Re: [Mikrotik] IPSec Trouble

2014-04-08 Thread Jerry Roy
Working? :)

*Jerry Roy*
Sr. Systems Engineer
MTCNA/MTCRE/MTCTCE


 1 949 681 5054
1 562 305 9545 Cell

Unity Network Services

*An iPass Company*
125 Technology Drive
Suite 100
Irvine, CA 92618




On Mon, Apr 7, 2014 at 11:26 AM, Rick Smith  wrote:

> Doylestown = Spoke side...
>
> Thanks jerry.


Re: [Mikrotik] IPSec Trouble

2014-04-07 Thread Rick Smith
Doylestown = Spoke side...

Thanks jerry.


On Mon, Apr 7, 2014 at 12:32 PM, Jerry Roy  wrote:

> send an export of the spoke side.
>
> Thanks
>
> *Jerry Roy*


Re: [Mikrotik] IPSec Trouble

2014-04-07 Thread Jerry Roy
Looks like the attachment was scrubbed. email to j...@ipass.com, lets see
if that will work :)

*Jerry*


Re: [Mikrotik] IPSec Trouble

2014-04-07 Thread Jerry Roy
send an export of the spoke side.

Thanks

*Jerry Roy*


[Mikrotik] IPSec Trouble

2014-04-06 Thread Rick Smith
Guys,

Trying to get some ipSEC stuff running here.

We have a cloud router running in a datacenter with a public IP.  I want
remote site to site tunnels running with IPSec configs to tunnel remote
offices here.

Followed the Mikrotik Manual for IPSec Site to Site using the
192.168.80/.90 example, and it worked great on a bench.  When I try to
re-interpret with my actual IP's, I get tunneling back and forth, but
traffic is visible using Torch and when doing it by the book, it was only
showed IPSec and isakmp protocols, which is how I would expect to see
encrypted traffic.

Cloud Router Side - Custom Linux machine with Mikrotik 6.2

let's say public IP is 1.1.1.1

PPTP server running with local address 172.16.0.1 and remote 172.16.0.2 for
this user id.

Local network here is 10.254.254.0/24 - remote network is 192.168.88.0/24

10.254.254.1 is the local lan ether address on ether2



Remote Office Side is a Routerboard 1100AHx2 running 6.11

Dynamic IP Address - actually get a 10.0.0.0/24 address from Comcast

Local network here is 192.168.88.0/24, and local lan is 192.168.88.1 on
ether2

By just using PPTP tunnelling, I can route the networks perfectly.
Everything travels smoothly. Try to encrypt it with IPSec, and I get no
encryption on the tunnel... traffic is still being seen in the clear.
Traffic still routes, but I'm seeing the individual ports being opened
across the tunnel, instead of just an ipsec protocol.



10.254.254.0/24 -> 1.1.1.1 < -- > DynamicIP <- 192.168.88.0/24

One thing I thought would help was having the pptp tunnel in between, with
172.16.0.1 on the cloud side and 172.16.0.2 on the remote office side, and
using those two addresses as the ipsec policy routing / peer IP's, but
that's no go either.

Anyone have suggestions ?

Thanks

Rick


Re: [Mikrotik] MikroTik IPSec/L2TP and RouterOS v6

2014-01-24 Thread Kristian Hoffmann

On 01/23/2014 11:33 PM, Scott Lambert wrote:
> On Thu, Jan 23, 2014 at 11:09:16AM -0800, Kristian Hoffmann wrote:
> > Not sure if this applies to your configuration, but I recently ran into
> > the same symptom in two similar cases.  The short version is, regardless
> > of what the config and logs say, the IPSec packets will have a source IP
> > of the pref-src value for the route matching the IPSec endpoint. Example...
> >
> > /ip addr add address=1.2.3.4/24 interface=wan
> > /ip addr add address=2.2.2.2/32 interface=wan
> > /ip route add dst-address=0.0.0.0/0 gateway=1.2.3.254
> >
> > The pref-src for the default route will be 1.2.3.4, unless otherwise
> > specified.
> >
> > If your remote endpoint connects to 2.2.2.2 to establish the IPSec SA,
> > the SA will come up and everything will look fine, but the
> > L2TP/IPSec traffic will originate from the 1.2.3.4 address. Especially
> > if you're doing NAT-T, the router in front of the remote endpoint will
> > just drop the UDP packets because the connection tracking won't know
> > where they came from.
> >
> > I'm fudging some of the details because I'm a bit swamped and
> > pulling this from memory, but the underlying point is the same. If the
> > remote endpoint connects to 2.2.2.2, it won't work, and if you connect
> > to 1.2.3.4, it does.
>
> We have a winner!!!  Have to use the IP speaking OSPF or BGP in the
> direction of the client.  That makes things interesting with 8 paths
> into router at the centrally located office.  In the future, I will try
> to remember "MikroTik IPsec VPN concentrators must be single-homed to be
> useful."
>
> Thank you!

Glad that made sense and helped.  I wonder sometimes. ;-)

-Kristian



Re: [Mikrotik] MikroTik IPSec/L2TP and RouterOS v6

2014-01-24 Thread Kristian Hoffmann

On 01/23/2014 11:58 PM, Butch Evans wrote:
> This is true if you set the "generate policy" option in the IPSec 
> Peer.  If you manually configure the policy, you define the source IP 
> to be used as the "SA Src Address" field.  While I haven't tried it, I 
> would imagine that with some creative policy routes and mangle rules, you 
> could cause the router to use the correct IP to reply to any given 
> request with the proper IP.  This is completely untested, but 
> something like this:
>
> /ip address
> add address=1.2.3.4/24 interface=wan
> add address=2.2.2.2/32 interface=whatever
>
> /ip route
> add gateway=1.2.3.1 comment="default gateway"
> add gateway=1.2.3.1 pref-src=2.2.2.2 routing-mark=IPSEC
>
> /ip firewall mangle
> add chain=input dst-address=2.2.2.2 \
> connection-mark=no-mark \
> action=mark-connection \
> new-connection-mark=IN_2
> add chain=output \
> connection-mark=IN_2 \
> action=mark-routing \
> new-routing-mark=IPSEC
>
> Something like that anyway should work.  By the way, this is one of 
> the topics (policy routing) that we will cover in class shortly in the 
> MTCRE course in Salt Lake coming up in February.

I tried sa-src-address and policy routing.  Neither worked for me. The 
logs say the src address is correct, but torch says otherwise.

-Kristian


Re: [Mikrotik] MikroTik IPSec/L2TP and RouterOS v6

2014-01-23 Thread Butch Evans

On 01/24/2014 01:33 AM, Scott Lambert wrote:

> On Thu, Jan 23, 2014 at 11:09:16AM -0800, Kristian Hoffmann wrote:
> 
> > Not sure if this applies to your configuration, but I recently ran into
> > the same symptom in two similar cases.  The short version is, regardless
> > of what the config and logs say, the IPSec packets will have a source IP
> > of the pref-src value for the route matching the IPSec endpoint. Example...
> > 
> > /ip addr add address=1.2.3.4/24 interface=wan
> > /ip addr add address=2.2.2.2/32 interface=wan
> > /ip route add dst-address=0.0.0.0/0 gateway=1.2.3.254


This is true if you set the "generate policy" option in the IPSec Peer. 
If you manually configure the policy, you define the source IP to be 
used as the "SA Src Address" field.  While I haven't tried it, I would 
imagine that with some creative policy routes and mangle rules, you could 
cause the router to use the correct IP to reply to any given request 
with the proper IP.  This is completely untested, but something like this:


/ip address
add address=1.2.3.4/24 interface=wan
add address=2.2.2.2/32 interface=whatever

/ip route
add gateway=1.2.3.1 comment="default gateway"
add gateway=1.2.3.1 pref-src=2.2.2.2 routing-mark=IPSEC

/ip firewall mangle
add chain=input dst-address=2.2.2.2 \
connection-mark=no-mark \
action=mark-connection \
new-connection-mark=IN_2
add chain=output \
connection-mark=IN_2 \
action=mark-routing \
new-routing-mark=IPSEC


Something like that anyway should work.  By the way, this is one of the 
topics (policy routing) that we will cover in class shortly in the MTCRE 
course in Salt Lake coming up in February.



--
Butch Evans
702-537-0979
Network Support and Engineering
http://store.wispgear.net/
http://www.butchevans.com/


Re: [Mikrotik] MikroTik IPSec/L2TP and RouterOS v6

2014-01-23 Thread Scott Lambert
On Thu, Jan 23, 2014 at 11:09:16AM -0800, Kristian Hoffmann wrote:
> Not sure if this applies to your configuration, but I recently ran into 
> the same symptom in two similar cases.  The short version is, regardless 
> of what the config and logs say, the IPSec packets will have a source IP 
> of the pref-src value for the route matching the IPSec endpoint. Example...
> 
> /ip addr add address=1.2.3.4/24 interface=wan
> /ip addr add address=2.2.2.2/32 interface=wan
> /ip route add dst-address=0.0.0.0/0 gateway=1.2.3.254
> 
> The pref-src for the default route will be 1.2.3.4, unless otherwise 
> specified.
> 
> If your remote endpoint connects to 2.2.2.2 to establish the IPSec SA, 
> the SA will come up and everything will look fine, but the 
> L2TP/IPSec traffic will originate from the 1.2.3.4 address. Especially 
> if you're doing NAT-T, the router in front of the remote endpoint will 
> just drop the UDP packets because the connection tracking won't know 
> where they came from.
> 
> I'm fudging some of the details because I'm a bit swamped and 
> pulling this from memory, but the underlying point is the same. If the 
> remote endpoint connects to 2.2.2.2, it won't work, and if you connect 
> to 1.2.3.4, it does.

We have a winner!!!  Have to use the IP speaking OSPF or BGP in the
direction of the client.  That makes things interesting with 8 paths
into router at the centrally located office.  In the future, I will try
to remember "MikroTik IPsec VPN concentrators must be single-homed to be
useful."

Thank you!

And I knew to look for issues like that because I have the same problem
with SNMP.  This router has multiple subnets on each path and isn't
using the subnet I thought it was on either of the directions from which
I attempted to test.  We're in the process of moving out of some older
IP space and re-organizing the network.  I did all of my testing to the
IP in the newer subnets on the interfaces facing me.

What is so hard about sourcing packets from the same IP your client used
to contact you in the first place?  

Lacking that, why can't every service have a src-address like the radius
client has for each radius server?  A cisco-esque source-interface would
be wonderful.

ip radius source-interface Loopback0
logging source-interface Loopback0
snmp-server source-interface informs Loopback0
ntp source Loopback0
 
> I also noticed some related badness when setting up IPSec with a static 
> policy in a dual-WAN config.  Even though sa-src-address was set to the 
> second WAN address, it turns out the deciding factor was the pref-src on 
> the matching route for the outbound traffic.  I tried NAT, policy 
> routing, yelling, and the pref-src value was the only thing that would 
> change it.  Even the logs (ipsec,raw,packet) showed the correct src 
> address, but torch on the upstream routers proved the logs to be 
> incorrect.  The worst part was, once I did get it to change by setting 
> the pref-src on a static /32 route matching the remote endpoint, 
> removing the route didn't change it back.  I had to reboot the router to 
> switch it back to the first WAN address.  Suffice it to say, I should 
> set this up in a lab carefully documenting it and send it to MikroTik, 
> but who has time for that.
 
I hear you.

> On 01/21/2014 03:30 PM, Scott Lambert wrote:
> > I apologize for the length of this e-mail.  I didn't want to leave out
> > any of the work I've already done trying to troubleshoot this.  I really
> > appreciate anyone willing to slog through it.
> >
> > I am having fits with my IPSec/L2TP VPNs I use to get into various
> > places.  Someone posted a recipe to this list which just worked for
> > RouterOS 5.x and I have been running that on a few routers for a while
> > now.  It just worked so I never actually spent the time to learn what
> > was what.  I have been trying to correct that laziness over the past few
> > days and nights.  But I am out of time and hitting a wall now.
> >
> > Unfortunately, I have been upgrading a few of the test routers to 6.x
> > and now need to setup VPNs on a couple of CCRs.  I have not had to use
> > the IPSec VPNs since the upgrade to 6.x, or at least the upgrade to 6.5
> > and up.  I do not have logs of the last time I used the VPNs.
> >
> > Where I have 6.5 and up, I cannot seem to get ISAKMP to complete.
> >
> > I only have 6.4 on the new CCR and have configured it to be the moral
> > equivalent of the config on my remaining functional RouterOS 5.21
> > 493G site.  I could not get ISAKMP to come up on the CCR with 6.5.  I
> > upgraded it to 6.7.  Still toast.
> >
> > I am also trying to get a site to site tunnel running betw

Re: [Mikrotik] MikroTik IPSec/L2TP and RouterOS v6

2014-01-23 Thread Kristian Hoffmann
Not sure if this applies to your configuration, but I recently ran into 
the same symptom in two similar cases.  The short version is, regardless 
of what the config and logs say, the IPSec packets will have a source IP 
of the pref-src value for the route matching the IPSec endpoint. Example...


/ip addr add address=1.2.3.4/24 interface=wan
/ip addr add address=2.2.2.2/32 interface=wan
/ip route add dst-address=0.0.0.0/0 gateway=1.2.3.254

The pref-src for the default route will be 1.2.3.4, unless otherwise 
specified.


If your remote endpoint connects to 2.2.2.2 to establish the IPSec SA, 
the SA will come up and everything will look fine, but the 
L2TP/IPSec traffic will originate from the 1.2.3.4 address. Especially 
if you're doing NAT-T, the router in front of the remote endpoint will 
just drop the UDP packets because the connection tracking won't know 
where they came from.


I'm fudging some of the details because I'm a bit swamped and 
pulling this from memory, but the underlying point is the same. If the 
remote endpoint connects to 2.2.2.2, it won't work, and if you connect 
to 1.2.3.4, it does.


I also noticed some related badness when setting up IPSec with a static 
policy in a dual-WAN config.  Even though sa-src-address was set to the 
second WAN address, it turns out the deciding factor was the pref-src on 
the matching route for the outbound traffic.  I tried NAT, policy 
routing, yelling, and the pref-src value was the only thing that would 
change it.  Even the logs (ipsec,raw,packet) showed the correct src 
address, but torch on the upstream routers proved the logs to be 
incorrect.  The worst part was, once I did get it to change by setting 
the pref-src on a static /32 route matching the remote endpoint, 
removing the route didn't change it back.  I had to reboot the router to 
switch it back to the first WAN address.  Suffice it to say, I should 
set this up in a lab carefully documenting it and send it to MikroTik, 
but who has time for that.



hth,

-Kristian

On 01/21/2014 03:30 PM, Scott Lambert wrote:

I apologize for the length of this e-mail.  I didn't want to leave out
any of the work I've already done trying to troubleshoot this.  I really
appreciate anyone willing to slog through it.

I am having fits with my IPSec/L2TP VPNs I use to get into various
places.  Someone posted a recipe to this list which just worked for
RouterOS 5.x and I have been running that on a few routers for a while
now.  It just worked so I never actually spent the time to learn what
was what.  I have been trying to correct that laziness over the past few
days and nights.  But I am out of time and hitting a wall now.

Unfortunately, I have been upgrading a few of the test routers to 6.x
and now need to setup VPNs on a couple of CCRs.  I have not had to use
the IPSec VPNs since the upgrade to 6.x, or at least the upgrade to 6.5
and up.  I do not have logs of the last time I used the VPNs.

Where I have 6.5 and up, I cannot seem to get ISAKMP to complete.

I only have 6.4 on the new CCR and have configured it to be the moral
equivalent of the config on my remaining functional RouterOS 5.21
493G site.  I could not get ISAKMP to come up on the CCR with 6.5.  I
upgraded it to 6.7.  Still toast.

I am also trying to get a site to site tunnel running between the CCR
and a CiscoASA.  Never got a successful ISAKMP link on 6.5 or 6.7.

So, I went down to 6.4.  I instantly had a good ISAKMP SA with the
CiscoASA.  I am still working out some issues with passing traffic on
that tunnel.  Is IPsec completely broken above 6.4?

I am also finally getting to the L2TP negotiation with my laptop.  I
have a priority need to get the IPsec/L2TP road warrior tunnel up before
I finish with the CiscoASA.

From what I can see in the logs, IPsec is happy.  I think the MikroTik
is happy with the L2TP request sent by the laptop.  But it looks like
the laptop never acknowledges hearing the MikroTik's ACK.  I have triple
and quadruple checked the secrets.  I have even changed the secrets a
few times, shortening them, to see if that would result in any different
error messages.

If I connect the laptop to the IPsec/L2TP on the RouterOS 5.21 box, the
VPN is fully negotiated and passing traffic in less than 3 seconds.  So
that tells me I should not have issues with the firewall behind which
the laptop lives.

I have been trying to use info in this article to understand where L2TP
is getting stuck.

  https://www.informit.com/library/content.aspx?b=Troubleshooting_VPNs&seqNum=34

C.D.1.22 and A.B.32.129 are both on the CCR.  C.D.1.22 faces the
Internet and A.B.32.129 is the public IP for the network into which I am
trying to VPN.  I have the Site to Site tunnel using C.D.1.22 because
that is closer to the ASA.  I have tried with the IP on the CCR which is
closest to the Laptop's router with the same results.

When I connect to the RouterOS 6.4 CCR, here is what the MikroTik shows:

16:29:07 firewall,info input: in:vlan10

Re: [Mikrotik] MikroTik IPSec/L2TP and RouterOS v6

2014-01-22 Thread Rory McCann
I don't use L2TP so I can't provide much insight on your existing 
config. I did however follow this guide on a test router and was able to 
make the configuration work as expected:

http://www.nasa-security.net/mikrotik/mikrotik-l2tp-with-ipsec/

I'm on 6.7, so this is current.

Rory McCann
MKAP Technology Solutions
Web: www.mkap.net

On 1/21/2014 5:30 PM, Scott Lambert wrote:



[Mikrotik] MikroTik IPSec/L2TP and RouterOS v6

2014-01-21 Thread Scott Lambert
I apologize for the length of this e-mail.  I didn't want to leave out
any of the work I've already done trying to troubleshoot this.  I really
appreciate anyone willing to slog through it.

I am having fits with my IPSec/L2TP VPNs I use to get into various
places.  Someone posted a recipe to this list which just worked for
RouterOS 5.x and I have been running that on a few routers for a while
now.  It just worked so I never actually spent the time to learn what
was what.  I have been trying to correct that laziness over the past few
days and nights.  But I am out of time and hitting a wall now.

Unfortunately, I have been upgrading a few of the test routers to 6.x
and now need to setup VPNs on a couple of CCRs.  I have not had to use
the IPSec VPNs since the upgrade to 6.x, or at least the upgrade to 6.5
and up.  I do not have logs of the last time I used the VPNs.

Where I have 6.5 and up, I cannot seem to get ISAKMP to complete.

I only have 6.4 on the new CCR and have configured it to be the moral
equivalent of the config on my remaining functional RouterOS 5.21
493G site.  I could not get ISAKMP to come up on the CCR with 6.5.  I
upgraded it to 6.7.  Still toast.

I am also trying to get a site to site tunnel running between the CCR
and a CiscoASA.  Never got a successful ISAKMP link on 6.5 or 6.7.

So, I went down to 6.4.  I instantly had a good ISAKMP SA with the
CiscoASA.  I am still working out some issues with passing traffic on
that tunnel.  Is IPsec completely broken above 6.4?

I am also finally getting to the L2TP negotiation with my laptop.  I
have a priority need to get the IPsec/L2TP road warrior tunnel up before
I finish with the CiscoASA.

From what I can see in the logs, IPsec is happy.  I think the MikroTik
is happy with the L2TP request sent by the laptop.  But it looks like
the laptop never acknowledges hearing the MikroTik's ACK.  I have triple
and quadruple checked the secrets.  I have even changed the secrets a
few times, shortening them, to see if that would result in any different
error messages.

If I connect the laptop to the IPsec/L2TP on the RouterOS 5.21 box, the
VPN is fully negotiated and passing traffic in less than 3 seconds.  So
that tells me I should not have issues with the firewall behind which
the laptop lives.

I have been trying to use info in this article to understand where L2TP
is getting stuck.

  https://www.informit.com/library/content.aspx?b=Troubleshooting_VPNs&seqNum=34

C.D.1.22 and A.B.32.129 are both on the CCR.  C.D.1.22 faces the
Internet and A.B.32.129 is the public IP for the network into which I am
trying to VPN.  I have the Site to Site tunnel using C.D.1.22 because
that is closer to the ASA.  I have tried with the IP on the CCR which is
closest to the Laptop's router with the same results.

When I connect to the RouterOS 6.4 CCR, here is what the MikroTik shows:

16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:500->A.B.32.129:500, len 328
16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:500->A.B.32.129:500, len 256
16:29:07 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 132
16:29:08 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:08 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:29:08 l2tp,debug,packet (M) Message-Type=SCCRQ
   [ My laptop sent a request to start the control connection (SCCRQ) ]
16:29:08 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:08 l2tp,debug,packet (M) Framing-Capabilities=0x3
16:29:08 l2tp,debug,packet (M) Host-Name=""
16:29:08 l2tp,debug,packet (M) Assigned-Tunnel-ID=62
16:29:08 l2tp,debug,packet (M) Receive-Window-Size=4
16:29:08 l2tp,info first L2TP UDP packet received from A.B.34.126
16:29:08 l2tp,debug tunnel 12 entering state: wait-ctl-conn
16:29:08 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:08 l2tp,debug,packet tunnel-id=62, session-id=0, ns=0, nr=1
16:29:08 l2tp,debug,packet (M) Message-Type=SCCRP
   [ My CCR likes my request and is accepting the control connection (SCCRP) ]
16:29:08 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:08 l2tp,debug,packet (M) Framing-Capabilities=0x1
16:29:08 l2tp,debug,packet (M) Bearer-Capabilities=0x0
16:29:08 l2tp,debug,packet Firmware-Revision=0x1
16:29:08 l2tp,debug,packet (M) Host-Name="gw2.cwy.domain"
16:29:08 l2tp,debug,packet Vendor-Name="MikroTik"
16:29:08 l2tp,debug,packet (M) Assigned-Tunnel-ID=12
16:29:08 l2tp,debug,packet (M) Receive-Window-Size=4
16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500, len 284
16:29:08 firewall,info input: in:vlan101 out:(none), src-mac 00:0c:42:bd:5e:b8, 
proto UDP, A.B.34.126:4500->A.B.32.129:4500
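To pin down where the L2TP control connection in the log above stalls, here is an added Python parser written for this page (not from the thread, MikroTik or any project): it groups the `l2tp,debug,packet` lines into control messages, checks that the router's reply acknowledged the client's sequence number, and compares the messages against the SCCRQ, SCCRP, SCCCN control-connection handshake. `SAMPLE_LOG` is a constructed, trimmed copy of the posted lines, ending where the post's log ends; the function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the l2tp,debug,packet lines from the
# post above, ending where that log ends (after the router's SCCRP).
SAMPLE_LOG = """\
16:29:08 l2tp,debug,packet rcvd control message from A.B.34.126:51593
16:29:08 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
16:29:08 l2tp,debug,packet (M) Message-Type=SCCRQ
16:29:08 l2tp,debug,packet (M) Protocol-Version=0x01:00
16:29:08 l2tp,debug,packet (M) Host-Name=""
16:29:08 l2tp,debug,packet (M) Assigned-Tunnel-ID=62
16:29:08 l2tp,info first L2TP UDP packet received from A.B.34.126
16:29:08 l2tp,debug tunnel 12 entering state: wait-ctl-conn
16:29:08 l2tp,debug,packet sent control message to A.B.34.126:51593
16:29:08 l2tp,debug,packet tunnel-id=62, session-id=0, ns=0, nr=1
16:29:08 l2tp,debug,packet (M) Message-Type=SCCRP
16:29:08 l2tp,debug,packet (M) Host-Name="gw2.cwy.domain"
16:29:08 l2tp,debug,packet (M) Assigned-Tunnel-ID=12
"""

HEADER = re.compile(r"^\S+ l2tp,debug,packet (rcvd|sent) control message (?:from|to) (\S+)$")
IDS = re.compile(r"^\S+ l2tp,debug,packet tunnel-id=(\d+), session-id=(\d+), ns=(\d+), nr=(\d+)$")
AVP = re.compile(r"^\S+ l2tp,debug,packet (?:\(M\) )?([\w-]+)=(.*)$")

# Control-connection handshake of RFC 2661, as seen from the server (LNS) side.
HANDSHAKE: List[Tuple[str, str]] = [("rcvd", "SCCRQ"), ("sent", "SCCRP"), ("rcvd", "SCCCN")]


@dataclass
class ControlMessage:
    direction: str                  # "rcvd" or "sent"
    peer: str                       # remote ip:port as logged
    tunnel_id: int = 0
    session_id: int = 0
    ns: int = 0                     # sequence number of this message
    nr: int = 0                     # next sequence number expected from the peer
    avps: Dict[str, str] = field(default_factory=dict)

    @property
    def kind(self) -> str:
        return self.avps.get("Message-Type", "?")


def parse_control_messages(log: str) -> List[ControlMessage]:
    """Group consecutive l2tp,debug,packet lines into control messages."""
    messages: List[ControlMessage] = []
    current: Optional[ControlMessage] = None
    for line in log.splitlines():
        line = line.rstrip()
        m = HEADER.match(line)
        if m:
            current = ControlMessage(direction=m.group(1), peer=m.group(2))
            messages.append(current)
            continue
        if current is None:
            continue
        m = IDS.match(line)
        if m:
            current.tunnel_id, current.session_id, current.ns, current.nr = map(int, m.groups())
            continue
        m = AVP.match(line)
        if m:
            current.avps[m.group(1)] = m.group(2).strip('"')
        else:
            current = None          # any other log line ends the current message
    return messages


def acknowledged(request: ControlMessage, reply: ControlMessage) -> bool:
    """True when the reply's nr acknowledges the request's ns (reliable delivery)."""
    return reply.nr == request.ns + 1


def diagnose_handshake(messages: List[ControlMessage]) -> Optional[str]:
    """Describe the first missing handshake step, or None when it completed."""
    seen = [(m.direction, m.kind) for m in messages
            if m.kind in {"SCCRQ", "SCCRP", "SCCCN"}]
    for index, expected in enumerate(HANDSHAKE):
        if index >= len(seen) or seen[index] != expected:
            direction, kind = expected
            if direction == "rcvd":
                return f"{kind} was never received from the client"
            return f"{kind} was never sent by the router"
    return None


def analyse(log: str) -> Tuple[int, bool, Optional[str]]:
    """(control messages seen, first reply acknowledged the request?, missing step)."""
    msgs = parse_control_messages(log)
    acked = len(msgs) >= 2 and acknowledged(msgs[0], msgs[1])
    return len(msgs), acked, diagnose_handshake(msgs)


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample this returns `(2, True, "SCCCN was never received from the client")`: the router's SCCRP carries nr=1, so it did acknowledge the client's SCCRQ, and the conversation stops at the step the client owes, which matches the observation in the post that the laptop never acknowledges the MikroTik's reply. Run against a longer `/log print` capture the same check tells you whether a stall is on the router's side (a reply never sent) or the client's.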

Re: [Mikrotik] IPsec issue

2013-06-26 Thread Josh Luthman
Sounds like the tunnel isn't up to me and the MT is pushing traffic.  You
could do a packet sniffer on the ethernet port that the IPSec is attempting
on.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Wed, Jun 26, 2013 at 2:31 PM, Jerry Roy  wrote:

> Hi MT Guru's :)
>
> Need your input. Pulling what little hair I have left out on this one. We
> have 100 or so sites with MT750 IPsec tunnels back to a Juniper 5200. Four
> of these sites show IPsec SA's with traffic incrementing in only one
> direction (from MT to Juniper, aggressive mode). The Juniper shows traffic
> is flowing in both directions. The MT shows zero bytes received from the
> Juniper but bytes are incrementing from MT to Juniper.
>
> What tool on the MT would be the best way to troubleshoot this? Packet
> sniffer?
>
> Thanks In Advance!
>
> *Jerry Roy*
> Sr. Systems Engineer
> MTCNA/MTCRE/MTCTCE
>
>


[Mikrotik] IPsec issue

2013-06-26 Thread Jerry Roy
Hi MT Guru's :)

Need your input. Pulling what little hair I have left out on this one. We
have 100 or so sites with MT750 IPsec tunnels back to a Juniper 5200. Four
of these sites show IPsec SA's with traffic incrementing in only one
direction (from MT to Juniper, aggressive mode). The Juniper shows traffic
is flowing in both directions. The MT shows zero bytes received from the
Juniper but bytes are incrementing from MT to Juniper.

What tool on the MT would be the best way to troubleshoot this? Packet
sniffer?

Thanks In Advance!

*Jerry Roy*
Sr. Systems Engineer
MTCNA/MTCRE/MTCTCE




Re: [Mikrotik] ipsec issue

2012-10-23 Thread Jerry Roy
I just realized this was not included.

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no
enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m
name=juniper pfs-group=none
/ip ipsec peer
add address=216.231.x.x/32 auth-method=pre-shared-key dh-group=modp1024
disabled=no dpd-interval=1m dpd-maximum-failures=2 \
enc-algorithm=3des exchange-mode=aggressive generate-policy=no
hash-algorithm=sha1 lifebytes=0 lifetime=10h my-id-user-fqdn=\
cs750...@xxx.com nat-traversal=yes port=500 proposal-check=obey
send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.94.64.16/29 dst-port=any
ipsec-protocols=esp level=require priority=0 proposal=\
juniper protocol=all sa-dst-address=216.231.x.x sa-src-address=0.0.0.0
src-address=5.1.1.10/32 src-port=any tunnel=yes
add action=encrypt disabled=no dst-address=10.94.64.16/29 dst-port=any
ipsec-protocols=esp level=require priority=0 proposal=\
juniper protocol=all sa-dst-address=216.231.x.x sa-src-address=0.0.0.0
src-address=192.168.100.0/24 src-port=any tunnel=\
yes

*Jerry Roy*
Sr. Systems Engineer
MTCNA/MTCRE/MTCTCE

 

1 949 681 5054
1 562 305 9545 Cell

Managed Network Services

*An iPass Company*
125 Technology Drive Suite 100
Irvine, CA 92618



On Tue, Oct 23, 2012 at 4:23 PM, Jerry Roy  wrote:

> All,
>
> We have an IPSec hub and spoke design. I have a 750GL (spoke) that is
> connected via IPsec back to a Juniper (Hub). I initiate the connection from
> the 750 and it creates a tunnel (2 SA's) and then I can ping to a device
> sitting behind the Juniper. If I try and ping back from the device behind
> the Juniper to a loopback address applied to the 750, it creates another
> set of SA's (now I have 4 SA's). This should not happen. The spokes should
> be the initiator and ONLY the initiator because all spoke locations (750's)
> are either static, dhcp or pppoe. My question is since the SA is already
> created by the spoke as the initiator (I have 2 SA's per connection to be
> exact) should the traffic from behind the Juniper already utilize the
> tunnel that was created by the spoke? Why does another tunnel (2 SA's) get
> created? If I clear the connection on the Juniper and start a ping from the
> device sitting behind it to the spoke, it creates a tunnel and then I start
> a ping from the spoke to the device behind the Juniper, it utilized the
> existing tunnel and passes traffic. A second set of SA's does not get
> created.
>
>
> # oct/23/2012 21:27:52 by RouterOS 5.21
> # software id = 182Q-
> #
> /interface bridge
> add name=loopback1
> /interface ethernet
>  set 0 name=ether1-gateway
> set 1 name=ether2-master-local
> set 2 master-port=ether2-master-local name=ether3-slave-local
> set 3 master-port=ether2-master-local name=ether4-slave-local
> set 4 master-port=ether2-master-local name=ether5-slave-local
> /ip hotspot user profile
> set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
> /ip ipsec proposal
> add name=juniper pfs-group=none
> /ip pool
> add name=default-dhcp ranges=192.168.100.10-192.168.100.254
> /ip dhcp-server
> add add-arp=yes address-pool=default-dhcp disabled=no
> interface=ether2-master-local name=default
> /ip address
> add address=192.168.100.1/24 comment="default configuration"
> interface=ether2-master-local
> add address=50.104.x.x/30 interface=ether1-gateway
> add address=5.1.1.10/32 interface=loopback1 network=5.1.1.10
> /ip dhcp-server network
> add address=192.168.100.0/24 comment="default configuration"
> dns-server=208.67.220.220,208.67.222.222 gateway=192.168.100.1
> /ip dns
> set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
> /ip dns static
> add address=192.168.88.1 name=router
> /ip firewall filter
> add chain=input comment="default configuration" protocol=icmp
> add chain=input comment="default configuration"
> connection-state=established
> add chain=input comment="default configuration" connection-state=related
> add chain=input dst-address=5.1.1.10 dst-port=161 protocol=udp src-address=
> 10.94.64.16/29
> add chain=input dst-port=22,80,443,8291 protocol=tcp
> src-address=68.167.x.x/24
> add chain=input dst-port=22,80,443,8291 protocol=tcp
> src-address=68.106.x.x/26
> add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=68.106.x.x
> add chain=input dst-port=22,80,443,8291 protocol=tcp
> src-address=10.94.x.x/29
> add chain=input dst-port=22,80,443,8291 protocol=tcp
> src-address=216.231.x.x/24
> add chain=input dst-port=22,80,443,8291 pro

[Mikrotik] ipsec issue

2012-10-23 Thread Jerry Roy
All,

We have an IPSec hub and spoke design. I have a 750GL (spoke) that is
connected via IPsec back to a Juniper (Hub). I initiate the connection from
the 750 and it creates a tunnel (2 SA's) and then I can ping to a device
sitting behind the Juniper. If I try and ping back from the device behind
the Juniper to a loopback address applied to the 750, it creates another
set of SA's (now I have 4 SA's). This should not happen. The spokes should
be the initiator and ONLY the initiator because all spoke locations (750's)
are either static, dhcp or pppoe. My question is since the SA is already
created by the spoke as the initiator (I have 2 SA's per connection to be
exact) should the traffic from behind the Juniper already utilize the
tunnel that was created by the spoke? Why does another tunnel (2 SA's) get
created? If I clear the connection on the Juniper and start a ping from the
device sitting behind it to the spoke, it creates a tunnel and then I start
a ping from the spoke to the device behind the Juniper, it utilized the
existing tunnel and passes traffic. A second set of SA's does not get
created.


# oct/23/2012 21:27:52 by RouterOS 5.21
# software id = 182Q-
#
/interface bridge
add name=loopback1
/interface ethernet
 set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip ipsec proposal
add name=juniper pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.100.10-192.168.100.254
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp disabled=no
interface=ether2-master-local name=default
/ip address
add address=192.168.100.1/24 comment="default configuration"
interface=ether2-master-local
add address=50.104.x.x/30 interface=ether1-gateway
add address=5.1.1.10/32 interface=loopback1 network=5.1.1.10
/ip dhcp-server network
add address=192.168.100.0/24 comment="default configuration"
dns-server=208.67.220.220,208.67.222.222 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input dst-address=5.1.1.10 dst-port=161 protocol=udp src-address=
10.94.64.16/29
add chain=input dst-port=22,80,443,8291 protocol=tcp
src-address=68.167.x.x/24
add chain=input dst-port=22,80,443,8291 protocol=tcp
src-address=68.106.x.x/26
add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=68.106.x.x
add chain=input dst-port=22,80,443,8291 protocol=tcp
src-address=10.94.x.x/29
add chain=input dst-port=22,80,443,8291 protocol=tcp
src-address=216.231.x.x/24
add chain=input dst-port=22,80,443,8291 protocol=tcp
src-address=216.231.x.x/24
add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=76.168.x.x
add action=drop chain=input comment="default configuration"
in-interface=ether1-gateway
/ip firewall nat
add chain=srcnat dst-address=10.94.64.16/29 src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="default configuration"
out-interface=ether1-gateway src-address=192.168.100.0/24
/ip firewall service-port
set sip disabled=yes
/ip ipsec peer
add address=216.231.198.14/32 dpd-interval=1m dpd-maximum-failures=2
exchange-mode=aggressive hash-algorithm=sha1 lifetime=10h \
my-id-user-fqdn=cs750...@x.com 
/ip ipsec policy
add dst-address=10.94.64.16/29 proposal=juniper
sa-dst-address=216.231.x.x sa-src-address=0.0.0.0 src-address=5.1.1.10/32 \
tunnel=yes
add dst-address=10.94.64.16/29 proposal=juniper
sa-dst-address=216.231.x.x sa-src-address=0.0.0.0 src-address=
192.168.100.0/24 \
tunnel=yes
/ip neighbor discovery
set ether1-gateway disabled=yes
/ip route
add distance=1 gateway=50.104.x.x
/system identity
set name=CS750-10
/system logging
add topics=snmp
/system ntp client
set enabled=yes mode=unicast primary-ntp=50.116.38.157
secondary-ntp=208.38.65.35
/system scheduler
add interval=10s name=schedule1 on-event=ping-vpn
policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
\
start-date=may/15/2012 start-time=22:08:12
/system script
add name=ping-vpn
policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
source=\
":put [/ping interface=loopback1 10.94.64.19 count=5]"
add name=email-reboots
policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
source=":while ( [:pick [/syst\
em clock get date] 7 11]<\"2003\" ) do={ :delay 10s }\r\
\n/log info \"time updated; uptime: \$[/system resource get uptime]\"\r\
\n:local es \"\$[/system identity get name] rebooted on \$[/system
clock get 

Re: [Mikrotik] IPSec Client

2012-08-27 Thread Jacob Heider
Generally, I do PPTP, but you should be able to do L2TP+IPSEC: 
http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP



TJ Burbank 
August 27, 2012 10:03
What does everybody use for IPSec Remote End User Client Software to
terminate to a MikroTik Router?

I do a lot of Branch Office setups (Tik to Tik) but have never done a Tik
to Windows or Tik to Mac OSX setup.

-TJ


[Mikrotik] IPSec Client

2012-08-27 Thread TJ Burbank
What does everybody use for IPSec Remote End User Client Software to
terminate to a MikroTik Router?

I do a lot of Branch Office setups (Tik to Tik) but have never done a Tik
to Windows or Tik to Mac OSX setup.

-TJ


Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Sim
Very strange.. but the problem isn't Mikrotik but WiFi/iPhone.
Try to connect with Windows PC/Client and check latency

2012/8/22 Meftah Tayeb :
> DUDE, local!
> *LOCAL* BACKBONE!
> it's my own routers; I'm simulating it here before I travel
> but latency is very HIGH :-P
>
> - Original Message - From: "Sim" 
> To: "Mikrotik discussions" 
> Sent: Wednesday, August 22, 2012 9:55 PM
>
> Subject: Re: [Mikrotik] IPSec for mobile
>
>
>> Reduce latency?
>>
>> Contact your 3G/WiFi/Provider ;-
>>
>> Bye!
>>
>> 2012/8/22 Meftah Tayeb :
>>>
>>> DUDE, you rock
>>> I'm connected to my VPN!
>>> but, but; even in a local network... I have latency of 130ms!
>>> :P
>>> anyway how can i reduce it please?
>>> thank you
>>>
>>> - Original Message - From: "Sim" 
>>> To: "Mikrotik discussions" 
>>> Sent: Wednesday, August 22, 2012 9:50 PM
>>>
>>> Subject: Re: [Mikrotik] IPSec for mobile
>>>
>>>
>>>> For security reasons L2TP isn't good.
>>>> IPsec + L2TP is the only way supported by iPhone (it asks you for a
>>>> "security/secret" and not only a password).
>>>>
>>>> You can also check this:
>>>>
>>>> http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP
>>>>
>>>> My post was for all device tested with : WindowsXP, 7, iPhone and
>>>> Android!
>>>>
>>>> Check:
>>>> "Do not forget to allow:
>>>> - UDP 500 (Dst.Port),
>>>> - UDP 1701,
>>>> - UDP 4500 (Nat-Traversal)
>>>> - and Protocol 50 (ESP)
>>>> in the firewall filter settings. (Input chain, accept). "
>>>>
>>>>
>>>> 2012/8/22 Meftah Tayeb :
>>>>>
>>>>>
>>>>> question, sim
>>>>> is l2tp itself alone good?
>>>>> i think it's working only L2TP.
>>>>>
>>>>> - Original Message - From: "Sim" 
>>>>> To: "Mikrotik discussions" 
>>>>> Sent: Wednesday, August 22, 2012 9:41 PM
>>>>>
>>>>> Subject: Re: [Mikrotik] IPSec for mobile
>>>>>
>>>>>
>>>>>> The config posted in precedent email is correct and work in my 3
>>>>>> Mikrotik.
>>>>>> Have you opened/forwarded corrected port/proto?
>>>>>>
>>>>>>
>>>>>> 2012/8/22 Meftah Tayeb :
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ok so
>>>>>>> i did your suggestion but l2tp server not replying
>>>>>>> log:
>>>>>>> Telnet 172.28.2.1
>>>>>>> 19:28:32 ipsec,debug,packet encryption(aes)
>>>>>>> 19:28:32 ipsec,debug,packet hmac(hmac_sha1)
>>>>>>> 19:28:32 ipsec,debug,packet call pfkey_send_update_nat
>>>>>>> 19:28:32 ipsec,debug,packet pfkey update sent.
>>>>>>> 19:28:32 ipsec,debug,packet encryption(aes)
>>>>>>> 19:28:32 ipsec,debug,packet hmac(hmac_sha1)
>>>>>>> 19:28:32 ipsec,debug,packet call pfkey_send_add_nat
>>>>>>> 19:28:32 ipsec,debug,packet pfkey add sent.
>>>>>>> 19:28:32 ipsec,debug,packet call pfkey_send_spdupdate2
>>>>>>> 19:28:32 ipsec,debug,packet pfkey spdupdate2(inbound) sent.
>>>>>>> 19:28:32 ipsec,debug,packet call pfkey_send_spdupdate2
>>>>>>> 19:28:32 ipsec,debug,packet pfkey spdupdate2(outbound) sent.
>>>>>>> 19:28:32 ipsec IPsec-SA established: ESP/Transport
>>>>>>> 172.28.1.5[0]->41.221.20.110[0] spi=40327812(0x26
>>>>>>> 75a84)
>>>>>>> 19:28:32 ipsec,debug ===
>>>>>>> 19:28:32 ipsec IPsec-SA established: ESP/Transport
>>>>>>> 41.221.20.110[0]->172.28.1.5[0] spi=48155402(0x2d
>>>>>>> ecb0a)
>>>>>>> 19:28:32 ipsec,debug ===
>>>>>>> 19:28:32 ipsec,debug,packet such policy does not already exist:
>>>>>>> 172.28.1.5/32[0] 41.221.20.110/32[0]
>>>>>>> proto=udp dir=in
>>>>>>> 19:28:32 ipsec,debug,packet such policy does not already exist:
>>>>>>> 41.221.20.110/32[0] 172.28.1.5/3

Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Meftah Tayeb

DUDE, local!
*LOCAL* BACKBONE!
It's my own routers; I'm simulating it here before I travel,
but latency is very HIGH :-P

Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Sim
Reduce latency?

Contact your 3G/WiFi provider ;-

Bye!


Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Meftah Tayeb

DUDE, you rock!
I'm connected to my VPN!
But, but; even in a local network... I have a latency of 130 ms!
:P
Anyway, how can I reduce it please?
Thank you

Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Sim
For security reasons, L2TP isn't good.
IPsec + L2TP is the only way supported by iPhone (it asks you for a
"security/secret" and not only a password).

You can also check this:
http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP

My post was for all devices tested with: Windows XP, 7, iPhone and Android!

Check:
"Do not forget to allow:
- UDP 500 (Dst.Port),
- UDP 1701,
- UDP 4500 (Nat-Traversal)
- and Protocol 50 (ESP)
in the firewall filter settings. (Input chain, accept). "



Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Meftah Tayeb

Question, Sim:
is L2TP by itself good?
I think it's working with only L2TP.

Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Sim
The config posted in the previous email is correct and works on my 3 Mikrotiks.
Have you opened/forwarded the correct ports/protocols?



Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Meftah Tayeb

OK, so
I did your suggestion but the L2TP server is not replying.
Log:
Telnet 172.28.2.1
19:28:32 ipsec,debug,packet encryption(aes)
19:28:32 ipsec,debug,packet hmac(hmac_sha1)
19:28:32 ipsec,debug,packet call pfkey_send_update_nat
19:28:32 ipsec,debug,packet pfkey update sent.
19:28:32 ipsec,debug,packet encryption(aes)
19:28:32 ipsec,debug,packet hmac(hmac_sha1)
19:28:32 ipsec,debug,packet call pfkey_send_add_nat
19:28:32 ipsec,debug,packet pfkey add sent.
19:28:32 ipsec,debug,packet call pfkey_send_spdupdate2
19:28:32 ipsec,debug,packet pfkey spdupdate2(inbound) sent.
19:28:32 ipsec,debug,packet call pfkey_send_spdupdate2
19:28:32 ipsec,debug,packet pfkey spdupdate2(outbound) sent.
19:28:32 ipsec IPsec-SA established: ESP/Transport 172.28.1.5[0]->41.221.20.110[0] spi=40327812(0x2675a84)
19:28:32 ipsec,debug ===
19:28:32 ipsec IPsec-SA established: ESP/Transport 41.221.20.110[0]->172.28.1.5[0] spi=48155402(0x2decb0a)
19:28:32 ipsec,debug ===
19:28:32 ipsec,debug,packet such policy does not already exist: 172.28.1.5/32[0] 41.221.20.110/32[0] proto=udp dir=in
19:28:32 ipsec,debug,packet such policy does not already exist: 41.221.20.110/32[0] 172.28.1.5/32[0] proto=udp dir=out
19:28:33 l2tp,debug,packet rcvd control message from 172.28.1.5:54077
19:28:33 l2tp,debug,packet tunnel-id=0, session-id=0, ns=0, nr=0
19:28:33 l2tp,debug,packet (M) Message-Type=SCCRQ
19:28:33 l2tp,debug,packet (M) Protocol-Version=0x01:00
19:28:33 l2tp,debug,packet (M) Framing-Capabilities=0x3
19:28:33 l2tp,debug,packet (M) Host-Name=0x69:50:68:6f:6e:65:2d:64:65:2d:54:41:59:45:42:00
19:28:33 l2tp,debug,packet (M) Assigned-Tunnel-ID=3
19:28:33 l2tp,debug,packet (M) Receive-Window-Size=4
19:28:33 l2tp,info first L2TP UDP packet received from 172.28.1.5
19:28:33 l2tp,debug tunnel 2 entering state: wait-ctl-conn
19:28:33 l2tp,debug,packet sent control message to 172.28.1.5:54077
19:28:33 l2tp,debug,packet tunnel-id=3, session-id=0, ns=0, nr=1
19:28:33 l2tp,debug,packet (M) Message-Type=SCCRP
19:28:33 l2tp,debug,packet (M) Protocol-Version=0x01:00
19:28:33 l2tp,debug,packet (M) Framing-Capabilities=0x1
19:28:33 l2tp,debug,packet (M) Bearer-Capabilities=0x0
19:28:33 l2tp,debug,packet Firmware-Revision=0x1
19:28:33 l2tp,debug,packet (M) Host-Name="Edge01-493-Alger"
19:28:33 l2tp,debug,packet Vendor-Name="MikroTik"
19:28:33 l2tp,debug,packet (M) Assigned-Tunnel-ID=2
19:28:33 l2tp,debug,packet (M) Receive-Window-Size=4
[admin@Edge01-493-Alger] /ppp secret>

- Original Message - 
From: "Sim" 

To: "Mikrotik discussions" 
Sent: Wednesday, August 22, 2012 4:44 PM
Subject: Re: [Mikrotik] IPSec for mobile



iPhone IPsec is for Cisco (see logo).

Use L2TP+IPsec (first choice on your mobile device)

Regards

2012/8/22 Meftah Tayeb :

Thank you a lot!
Is L2TP required?
Or can IPsec work alone?

- Original Message - From: "Sim" 
To: "Mikrotik discussions" 
Sent: Wednesday, August 22, 2012 4:39 PM
Subject: Re: [Mikrotik] IPSec for mobile




Hi, this is what you need :-)

# Server & Preshared (1234567abcdef) config
/interface l2tp-server server set enabled=yes

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no \
    enc-algorithms=3des,aes-256 lifetime=30m name=default pfs-group=modp1024

/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key \
    dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 \
    enc-algorithm=3des exchange-mode=main-l2tp generate-policy=yes \
    hash-algorithm=sha1 lifetime=1d my-id-user-fqdn="" nat-traversal=yes \
    port=500 secret=1234567abcdef send-initial-contact=yes

# ADD Client (change user, psw, ips)
/ppp secret add name=user password=12345 profile=default-encryption \
    local-address=192.168.255.10 remote-address=192.168.255.254 service=l2tp

# Debug
/system logging add action=memory topics=l2tp
/system logging add action=memory topics=ipsec


Regards


2012/8/22 Meftah Tayeb :


hello folks
i'm traveling these days and i'lle love to be in my home network
i have a iPhone4S
i want to do IPSec or L2TP (no pptp) into my rb493G
any idea please?
IPSec look very complicated... no OpenVPN in iOs. no Jailbreack.
thank you
   Meftah Tayeb
IT Consulting
http://www.tmvoip.com/ phone: +21321656139
Mobile: +213660347746

__ Information from ESET NOD32 Antivirus, version of virus
signature
database 7404 (20120821) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com



___
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
RouterOS



Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Sim
You can use "send all traffic" on the iPhone or use the same internal
IPs (with proxy-arp).

2012/8/22 Ty Featherling :
> How are the IP addresses at the end significant? That is the part I can't
> wrap my head around with tunnels. I get that it will assign IPs to the
> endpoints on the tunnel, but are they just arbitrary, non-routable
> addresses? Is the iPhone in this case going to find itself attached to this
> router but with a 192.168.255.254 address? Do you then need to src-nat your
> way out into the world beyond?
>
> -Ty
>


Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Ty Featherling
How are the IP addresses at the end significant? That is the part I can't
wrap my head around with tunnels. I get that it will assign IPs to the
endpoints on the tunnel, but are they just arbitrary, non-routable
addresses? Is the iPhone in this case going to find itself attached to this
router but with a 192.168.255.254 address? Do you then need to src-nat your
way out into the world beyond?

-Ty

On Wed, Aug 22, 2012 at 8:39 AM, Sim  wrote:

> Hi, this is what you need :-)
>
> # Server & Preshared (1234567abcdef) config
> /interface l2tp-server server set enabled=yes
>
> /ip ipsec proposal
> set [ find default=yes ] auth-algorithms=sha1 disabled=no \
>     enc-algorithms=3des,aes-256 lifetime=30m name=default pfs-group=modp1024
>
> /ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key \
>     dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 \
>     enc-algorithm=3des exchange-mode=main-l2tp generate-policy=yes \
>     hash-algorithm=sha1 lifetime=1d my-id-user-fqdn="" nat-traversal=yes \
>     port=500 secret=1234567abcdef send-initial-contact=yes
>
> # ADD Client (change user, psw, ips)
> /ppp secret add name=user password=12345 profile=default-encryption \
>     local-address=192.168.255.10 remote-address=192.168.255.254 service=l2tp
>
>
> # Debug
> /system logging add action=memory topics=l2tp
> /system logging add action=memory topics=ipsec
>
>
> Regards
>
>


Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Meftah Tayeb

thank you DUDE, shortly!
- Original Message -
From: "Sim"
To: "Mikrotik discussions"
Sent: Wednesday, August 22, 2012 4:44 PM
Subject: Re: [Mikrotik] IPSec for mobile

iPhone IPsec is for Cisco (see logo).

Use L2TP+IPsec (first choice on your mobile device)

Regards



Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Sim
iPhone IPsec is for Cisco (see logo).

Use L2TP+IPsec (first choice on your mobile device)

Regards

2012/8/22 Meftah Tayeb :
> Thank you a lot!
> Is L2TP required?
> Or can IPSec work alone?


Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Meftah Tayeb

Thank you a lot!
Is L2TP required?
Or can IPSec work alone?

- Original Message -
From: "Sim"
To: "Mikrotik discussions"
Sent: Wednesday, August 22, 2012 4:39 PM
Subject: Re: [Mikrotik] IPSec for mobile

Hi, this is what you need :-)

# Server & Preshared (1234567abcdef) config
/interface l2tp-server server set enabled=yes

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no \
    enc-algorithms=3des,aes-256 lifetime=30m name=default pfs-group=modp1024

/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key \
    dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 \
    enc-algorithm=3des exchange-mode=main-l2tp generate-policy=yes \
    hash-algorithm=sha1 lifetime=1d my-id-user-fqdn="" nat-traversal=yes \
    port=500 secret=1234567abcdef send-initial-contact=yes

# ADD Client (change user, psw, ips)
/ppp secret add name=user password=12345 profile=default-encryption \
    local-address=192.168.255.10 remote-address=192.168.255.254 service=l2tp


# Debug
/system logging add action=memory topics=l2tp
/system logging add action=memory topics=ipsec


Regards




Re: [Mikrotik] IPSec for mobile

2012-08-22 Thread Sim
Hi, this is what you need :-)

# Server & Preshared (1234567abcdef) config
/interface l2tp-server server set enabled=yes

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no \
    enc-algorithms=3des,aes-256 lifetime=30m name=default pfs-group=modp1024

/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key \
    dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 \
    enc-algorithm=3des exchange-mode=main-l2tp generate-policy=yes \
    hash-algorithm=sha1 lifetime=1d my-id-user-fqdn="" nat-traversal=yes \
    port=500 secret=1234567abcdef send-initial-contact=yes

# ADD Client (change user, psw, ips)
/ppp secret add name=user password=12345 profile=default-encryption \
    local-address=192.168.255.10 remote-address=192.168.255.254 service=l2tp


# Debug
/system logging add action=memory topics=l2tp
/system logging add action=memory topics=ipsec


Regards


2012/8/22 Meftah Tayeb :
> Hello folks,
> I'm traveling these days and I'd love to be in my home network.
> I have an iPhone 4S.
> I want to do IPSec or L2TP (no PPTP) into my RB493G.
> Any idea please?
> IPSec looks very complicated... no OpenVPN in iOS, no jailbreak.
> Thank you.
> Meftah Tayeb
> IT Consulting
> http://www.tmvoip.com/ phone: +21321656139
> Mobile: +213660347746
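The L2TP/IPsec configuration Sim posted above is the input for the lint that follows. This is an added example, not code from the thread or from MikroTik: it parses RouterOS export-style key=value lines (backslash continuations, a bare menu line applying to the set/add lines under it, a "[ find ... ]" selector) and flags the settings a reviewer would question in that post, namely 3DES, modp1024, SHA1, a 0.0.0.0/0 peer authenticated by a single pre-shared key, and the short placeholder secrets. The weak/legacy algorithm sets, the 16-character secret policy and the hardened variant are this example's own assumptions.

```python
import shlex
from collections import namedtuple

# Constructed input: the configuration posted in the thread (the PSK and the
# PPP password are the poster's placeholders and are linted as given).
POSTED_CONFIG = r"""
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no \
    enc-algorithms=3des,aes-256 lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key \
    dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 \
    enc-algorithm=3des exchange-mode=main-l2tp generate-policy=yes \
    hash-algorithm=sha1 lifetime=1d my-id-user-fqdn="" nat-traversal=yes \
    port=500 secret=1234567abcdef send-initial-contact=yes
/ppp secret add name=user password=12345 profile=default-encryption \
    local-address=192.168.255.10 remote-address=192.168.255.254 service=l2tp
"""
# Constructed variant of the same shape with stronger parameters (confirm that
# your RouterOS version offers these algorithm names before using them).
HARDENED_CONFIG = r"""
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=30m pfs-group=modp2048
/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key \
    dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 \
    exchange-mode=main-l2tp generate-policy=yes secret="Vq7!mZ2pL9#xRt4wHs8e"
/ppp secret add name=user password="Gf3&kP8zQw1!nY6r" service=l2tp
"""
# Assumed thresholds for this lint, not MikroTik's rules.
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_DH = {"modp768", "modp1024"}  # MODP groups below 2048 bits
LEGACY_HASH = {"md5", "sha1"}

Finding = namedtuple("Finding", "code path detail")


def parse_routeros(text):
    """Return (menu path, action, {key: value}) per command: backslash
    continuations are joined, a bare menu line sets the path for the set/add
    lines below it, and "[ find ... ]" selectors are skipped."""
    menu, buf, out = "", "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        tokens, buf = shlex.split(buf + line), ""
        if tokens[0].startswith("/"):
            n = next((i for i, t in enumerate(tokens) if t in ("add", "set")), len(tokens))
            menu, tokens = " ".join(tokens[:n]), tokens[n:]
            if not tokens:
                continue
        args, depth = {}, 0
        for tok in tokens[1:]:
            depth += (tok == "[") - (tok == "]")
            if depth == 0 and "=" in tok:
                key, value = tok.split("=", 1)
                args[key] = value
        out.append((menu, tokens[0], args))
    return out


def strong_secret(secret):
    """Assumed policy: 16+ characters drawn from at least three classes."""
    classes = (any(c.islower() for c in secret), any(c.isupper() for c in secret),
               any(c.isdigit() for c in secret), any(not c.isalnum() for c in secret))
    return len(secret) >= 16 and sum(classes) >= 3


def lint(text):
    """Flag legacy algorithms and weak shared secrets in an export."""
    findings = []
    for path, _action, a in parse_routeros(text):
        def flag(code, detail):
            findings.append(Finding(code, path, detail))
        if path == "/ip ipsec proposal":
            weak = set(a.get("enc-algorithms", "").split(",")) & WEAK_CIPHERS
            if weak:
                flag("WEAK_CIPHER", "phase 2 offers " + ",".join(sorted(weak)))
            if a.get("pfs-group") in WEAK_DH:
                flag("WEAK_DH", "pfs-group=" + a["pfs-group"])
            if a.get("auth-algorithms") in LEGACY_HASH:
                flag("LEGACY_HASH", "auth-algorithms=" + a["auth-algorithms"])
        elif path == "/ip ipsec peer":
            if a.get("enc-algorithm") in WEAK_CIPHERS:
                flag("WEAK_CIPHER", "phase 1 uses " + a["enc-algorithm"])
            if a.get("dh-group") in WEAK_DH:
                flag("WEAK_DH", "dh-group=" + a["dh-group"])
            if a.get("hash-algorithm") in LEGACY_HASH:
                flag("LEGACY_HASH", "hash-algorithm=" + a["hash-algorithm"])
            if a.get("auth-method") == "pre-shared-key":
                if a.get("address", "").endswith("/0"):
                    # Every client that reaches UDP/500 authenticates with this one secret.
                    flag("WILDCARD_PSK", "address=" + a["address"])
                if not strong_secret(a.get("secret", "")):
                    flag("WEAK_PSK", "short or low-entropy secret")
        elif path == "/ppp secret" and not strong_secret(a.get("password", "")):
            flag("WEAK_PASSWORD", "name=" + a.get("name", "?"))
    return findings
```

Running lint(POSTED_CONFIG) yields nine findings; the hardened variant keeps only WILDCARD_PSK, which is inherent to a road-warrior setup that accepts any source address with one shared secret.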


[Mikrotik] IPSec for mobile

2012-08-22 Thread Meftah Tayeb

Hello folks,
I'm traveling these days and I'd love to be in my home network.
I have an iPhone 4S.
I want to do IPSec or L2TP (no PPTP) into my RB493G.
Any idea please?
IPSec looks very complicated... no OpenVPN in iOS, no jailbreak.
Thank you.
Meftah Tayeb
IT Consulting
http://www.tmvoip.com/
phone: +21321656139
Mobile: +213660347746



[Mikrotik] Ipsec to Loopback Interface?

2012-08-21 Thread Jerry Roy
Hi all you Gurus :)

I have a "hub and spoke" IPsec VPN network. On the hub side is a Juniper
router. We have 900 Cisco 881 routers on the spoke side, all with standard
broadband links (PPPoE, DHCP and static, with DSL, cable or wireless)
connecting back to it. We have a loopback address assigned on each Cisco
that is the IPsec tunnel termination point. We use a loopback because we
want to monitor an interface that is always up (even if nothing is
connected to the LAN of the Cisco, we still have access). Now we want to do
the same thing with Mikrotik. I have been reading posts on how to create a
loopback on a bridge interface and have created one for my lab. I have been
unsuccessful in creating the same scenario with an MT 750GL as I have with
a Cisco 881 spoke. On the MT I can build an IPsec tunnel to the Juniper
with no issues. It is when I try to make the loopback IP the tunnel peer
that it fails. Can anyone offer some support on this issue?

For some notes: the Cisco does overload from LAN to Internet (masquerade)
and does not do NAT through the IPsec tunnel back to the co-lo server (the
content filtering server at the other end of the tunnel). So the tunnel is
needed only for two things: management/polling and access to the content
filtering server.

Thanks in advance for your insight.

Jerry Roy
Sr. Systems Engineer
1 949 681 5054
1 562 305 9545 Cell

Managed Network Services
An iPass Company
125 Technology Drive Suite 100
Irvine, CA 92618

be well connected
iPass.com/blog | facebook.com/iPass | twitter.com/iPass


[Mikrotik] Windows to MikroTik IPSec VPN Setup

2012-07-17 Thread david . sovereen
Hi guys,

I normally use PPTP to set up Windows-to-Mikrotik VPN connections, but I have a 
customer who is insisting on IPSec.

I've read the Manual/Wiki, but haven't been successful with this.

If anyone has a working Windows XP/Vista/7-to-Mikrotik VPN setup using IPSec, I
would really appreciate the help. I wasted hours on this Friday and need to
get it figured out.

Thanks,

Dave

Sent from my iPhone


Re: [Mikrotik] Mikrotik, IPSec VPN, UDP, VOIP

2012-07-13 Thread Meftah Tayeb

True, but voice over a TCP tunnel would have such latency.
Doing it over IPSec is better; there is no limitation in IPSec.
If the RB has a static IP and you don't require much security/encryption, I
recommend doing it in GRE...
- Original Message -
From: "Chupaka"
To: "Mikrotik discussions"
Sent: Friday, July 13, 2012 2:33 PM
Subject: Re: [Mikrotik] Mikrotik, IPSec VPN, UDP, VOIP

Sure, any IP traffic inside any tunnel.




Re: [Mikrotik] Mikrotik, IPSec VPN, UDP, VOIP

2012-07-13 Thread Chupaka
Sure, any IP traffic inside any tunnel.


2012/7/13 Damai 

> Oh, it is my mistake, it is OpenVPN that does not support UDP mode.
>
> So, if we are using OpenVPN, can we still use UDP/VoIP inside the tunnel?
>
> Thanks.
> Anto


Re: [Mikrotik] Mikrotik, IPSec VPN, UDP, VOIP

2012-07-12 Thread Damai

Oh, it is my mistake, it is OpenVPN that does not support UDP mode.

So, if we are using OpenVPN, can we still use UDP/VoIP inside the tunnel?

Thanks.
Anto

Chupaka wrote:

Please give us a link. OpenVPN in RouterOS does not support UDP mode. I
haven't heard about any such limitations in IPSec. And definitely it should
not affect traffic inside the tunnel, so VoIP will work.




Re: [Mikrotik] Mikrotik, IPSec VPN, UDP, VOIP

2012-07-10 Thread Chupaka
Please give us a link. OpenVPN in RouterOS does not support UDP mode. I
haven't heard about any such limitations in IPSec. And definitely it should
not affect traffic inside the tunnel, so VoIP will work.


2012/7/9 Damai 

> Hi All,
>
> I've read that IPSec VPN in Mikrotik does not support UDP.
> So if we establish the IPSec VPN connection with Mikrotik at either end,
> then we cannot do VoIP through the tunnel, right?
> Please confirm.
>
> We are going to make IPSec connection between Mikrotik RB1100AH and
> Sonicwall.
>
> Thanks.
>
> Anto


[Mikrotik] Mikrotik, IPSec VPN, UDP, VOIP

2012-07-08 Thread Damai

Hi All,

I've read that IPSec VPN in Mikrotik does not support UDP.
So if we establish the IPSec VPN connection with Mikrotik at either end,
then we cannot do VoIP through the tunnel, right?
Please confirm.

We are going to make IPSec connection between Mikrotik RB1100AH and 
Sonicwall.


Thanks.

Anto


Re: [Mikrotik] IPSEC over DSL issues

2011-06-07 Thread Dylan Bouterse
Thanks Tim! I'll try 1400 and see if that provides for a more stable tunnel.

Dylan

On Jun 6, 2011, at 7:39 PM, Tim Payne wrote:

> I had to set my MTUs to 1400... Still a little flaky... Good luck.
> 
> -tp


Re: [Mikrotik] IPSEC over DSL issues

2011-06-06 Thread Tim Payne
I had to set my MTUs to 1400... Still a little flaky... Good luck...

-tp


[Mikrotik] IPSEC over DSL issues

2011-06-06 Thread Dylan Bouterse
I have an IPsec tunnel that has been giving us fits since we switched from a PIX 
to an RB750. There is location A at the main office with an RB750 (on a 
fiber upstream) and the remote site on an RB750 using PPPoE over DSL. Both 750s 
are on 5.4 after upgrading due to various fixes. The tunnel will stay up for 
days, then drop, and neither an installed-sa flush nor a reboot will bring the 
tunnel back up. The MTU on the PPPoE client is set to 1440 and the MRU at 1480. I 
believe there are issues with IPsec over PPPoE with the MTU set too high? Any 
ideas? If I need to provide more information, please let me know.

Dylan


Re: [Mikrotik] IPSec Tunnel won't Form over Wireless Link

2010-11-16 Thread Keith Barber
Even though I seem to have a one-man thread going, I wanted to post my results. 

It seems that if I have VLAN tags over the wireless portion of my link to the 
CPE, the tunnel never forms. 

So I created a virtual AP, detagged my VLAN before hitting the air, and it came 
right up. 

I don't understand why it would matter. 

It is a Cisco EzVPN setup that the client was using. So I don't know if it is 
all MT to blame or some Cisco as well. 



-Keith-

From my phone...


Re: [Mikrotik] IPSec Tunnel won't Form over Wireless Link

2010-11-10 Thread Keith Barber
To add further, this problem is happening with another client, which has 
multiple employees across the island. This really makes me think there is 
something with Mikrotik's VLAN architecture, as all our APs now run with VLANs 
on them. 


-Keith-

From my phone...


Re: [Mikrotik] IPSec Tunnel won't Form over Wireless Link

2010-11-10 Thread Keith Barber
Alright, I have some more information on this issue. 

Took the client's router to our site, with two RB800s linked wirelessly. When 
I had the switch port set to untag the VLAN, everything worked going through the 
wireless link. 

As soon as I turned on VLAN tagging and told the CPE to untag the traffic, the 
tunnel broke. 

Is there some problem with MTs when you start doing VLANs? Do they not know 
how to negotiate the packets to handle a full MTU load?

Are there MTU settings I need to be changing on radios I have VLANs on?

Thanks, any ideas really help. 

-Keith-

From my phone...


[Mikrotik] IPSec Tunnel won't Form over Wireless Link

2010-11-09 Thread Keith Barber
Good afternoon everyone.

I have a bit of a problem for a big client that is trying to set up an
IPsec tunnel to their corporate offices.

The setup is as follows:

CoreRouter -> L2Switch -> AP -> CPE

The router and switch are strictly VLAN. The same VLANs are being
handed out through the AP to the CPE. The CPE is in WDS mode. The VLAN
interface is then bridged to the ether interface.

We also tried untagging the VLANs from a switch plugged into the CPE,
instead of making the Mikrotik do it.

If we put their router directly into the L2Switch at the tower site,
untagged in the VLAN, their tunnel fires up immediately. So we know
that we don't have any edge/provider problems, and nothing wrong with
our backhaul, switches, or core routers.

The AP is an RB600 with 3.20 and the CPE is an RB800 on 4.11. Both have
Atheros AR5413 radio cards.

Our second test was using two RB532s running 3.30.

We've tried having the CPE in station, station-pseudobridge, and WDS slave.

We are queuing the customer's traffic on the CPE using simple queues.

We have exhausted all that we can think of.

Can anybody think of what would be causing an IPsec tunnel to break down
over a wireless link?

Thanks for any help on this, it's rather frustrating.

-Keith-


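
Both the PPPoE/DSL thread above (PPPoE client MTU 1440, tunnel up for days and then gone) and this VLAN-over-wireless thread (tunnel forms untagged, breaks as soon as the link is tagged) come down to the same arithmetic: every encapsulation layer takes bytes from the link MTU, and ESP tunnel mode takes them from the inside of the packet, so a full-size inner packet no longer fits the link and is fragmented or, with DF set, silently dropped while the small IKE packets still get through. The script below is an added example, not from the list and not MikroTik's code; it computes that budget so the inner MTU and TCP MSS can be set from numbers rather than tried. Header sizes are the RFC values (PPPoE 6 + PPP 2, 802.1Q 4, IPv4 20, ESP SPI and sequence 8, NAT-T UDP 8); the cipher parameters default to AES-CBC with HMAC-SHA1-96 and can be changed per call. The `l2_headroom` parameter is an assumption standing for the difference between an interface's layer-2 MTU and its IP MTU, the figure to check on the radio when a tag breaks a link that worked untagged (RouterOS lists it as L2MTU in `/interface print` on versions that have it).

```python
"""Encapsulation budget for IPsec over PPPoE and tagged wireless links.

Added example (not MikroTik code, not from the thread): given a link's MTU it
computes what is left after PPPoE, 802.1Q and ESP tunnel-mode overhead, so the
inner MTU and TCP MSS can be chosen instead of guessed. Header sizes are the
on-the-wire values from the RFCs. Cipher parameters default to AES-CBC (16-byte
block and IV) with HMAC-SHA1-96 (12-byte ICV); pass block=8, iv_len=8 for 3DES.
"""

PPPOE_OVERHEAD = 8    # 1500-byte Ethernet payload -> 1492-byte IP MTU on PPPoE
VLAN_TAG = 4          # costs IP MTU only when the interface's L2 MTU cannot absorb it
IPV4_HEADER = 20
ESP_SPI_SEQ = 8
NAT_T_UDP = 8         # ESP-in-UDP on port 4500
TCP_IP_HEADERS = 40   # IPv4 + TCP without options


def ip_mtu_after_l2(physical_mtu=1500, pppoe=False, vlan_tags=0, l2_headroom=0):
    """IP MTU left after link-layer encapsulation.

    l2_headroom (assumed parameter): bytes the interface's L2 MTU allows beyond
    the IP MTU. Tags that do not fit in the headroom reduce the IP MTU, which is
    how a full-size frame that passed untagged starts being dropped once tagged.
    """
    tag_cost = max(0, vlan_tags * VLAN_TAG - l2_headroom)
    return physical_mtu - (PPPOE_OVERHEAD if pppoe else 0) - tag_cost


def esp_tunnel_size(inner_len, block=16, iv_len=16, icv_len=12, nat_t=False):
    """Wire size of an inner IP packet of inner_len bytes in ESP tunnel mode."""
    # ESP pads so that payload + padding + pad-length + next-header is a
    # multiple of the cipher block size (RFC 4303).
    pad = (block - (inner_len + 2) % block) % block
    return (IPV4_HEADER + (NAT_T_UDP if nat_t else 0) + ESP_SPI_SEQ + iv_len
            + inner_len + pad + 2 + icv_len)


def max_inner_mtu(link_mtu, **esp):
    """Largest inner packet whose ESP encapsulation still fits link_mtu."""
    inner = link_mtu
    while inner > 0 and esp_tunnel_size(inner, **esp) > link_mtu:
        inner -= 1
    return inner


def tcp_mss_clamp(link_mtu, **esp):
    """MSS to clamp on SYNs so TCP through the tunnel never fragments."""
    return max_inner_mtu(link_mtu, **esp) - TCP_IP_HEADERS


def budget(link_mtu, **esp):
    """Summary for one link: what fits, and what a full 1500-byte packet becomes."""
    return {
        "link_ip_mtu": link_mtu,
        "max_inner_mtu": max_inner_mtu(link_mtu, **esp),
        "tcp_mss": tcp_mss_clamp(link_mtu, **esp),
        "wire_size_of_1500": esp_tunnel_size(1500, **esp),
    }


if __name__ == "__main__":
    # PPPoE client MTU of 1440 as in the DSL thread, AES-CBC/SHA1
    print("pppoe 1440, aes:", budget(1440))
    # the same link with 3DES, and with NAT-T
    print("pppoe 1440, 3des:", budget(1440, block=8, iv_len=8))
    print("pppoe 1440, aes+nat-t:", budget(1440, nat_t=True))
    # a tagged link where the radio has no L2 headroom for the tag
    print("vlan over 1500, no headroom:", budget(ip_mtu_after_l2(1500, vlan_tags=1)))
```

For the 1440-byte PPPoE link the budget comes out at 1374 bytes of inner packet and a 1334-byte MSS; a full 1440-byte inner packet becomes 1512 bytes of ESP, which that link cannot carry. On RouterOS the MSS is enforced with a mangle rule of the form `/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1334`, where the value is the one computed here and the rule shape is RouterOS's standard MSS clamp, not something from the thread.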

Re: [Mikrotik] Ipsec behind NAT

2010-07-22 Thread Josh Luthman
I haven't heard of any special configuration to allow ipsec but I could be
wrong.  Did you check the mt forums?



Re: [Mikrotik] Ipsec behind NAT

2010-07-22 Thread Keith Barber
It's for a global company that I'm sure is super paranoid. But I plan to ask if 
they can just do PPTP in the a.m. 



-Keith-

From my phone...



Re: [Mikrotik] Ipsec behind NAT

2010-07-22 Thread Josh Luthman
Pptp is very easy.  Can you do that?

Windows has a built in client.



[Mikrotik] Ipsec behind NAT

2010-07-22 Thread Keith Barber
Hey everyone,

I need to have a PC behind my MT connect to an IPsec VPN. My MT is src-nat'ing 
my internal network as my public IP.

The error it always fails on is "negotiating security policy". The client 
being used is Cisco VPN Client v5.0.01.0600.

Tried doing some Google research, and most of the topics were on using the MT 
to make the connection. Does anybody know if there are some NAT rules that I 
can add that will allow the MT to pass through the packets needed to get the 
tunnel to form?

Thanks!

-Keith-
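
Keith's question is really about what the masquerade rule has to carry. IKE runs over UDP 500 and a NAT rewrites that like any other UDP flow; the problem is ESP, which is IP protocol 50 and has no port to rewrite, so one client behind the NAT may work and a second one generally will not. A client and headend that both support NAT Traversal detect the NAT during phase 1 and move to UDP 4500, where the ESP packets are wrapped in UDP as well and the masquerade carries them. The parser below is an added example, not from the thread and not a RouterOS feature: it reads the ISAKMP header (RFC 2408) and the NAT-T framing (RFC 3948: four zero bytes in front of IKE on port 4500, an ESP SPI otherwise), so a capture taken on the router or the client can be checked for whether the switch to 4500 ever happened. Every datagram it is run on here is constructed, not captured.

```python
"""Classify IKE and NAT-T datagrams crossing a NAT gateway.

Added example, not from the thread and not a MikroTik feature: a minimal
ISAKMP header parser (RFC 2408 header, RFC 3948 NAT-T framing) that tells,
from a UDP payload and its port, whether a VPN client behind the router is
still on UDP 500 (IKE only; ESP would then have to cross the NAT as raw IP
protocol 50) or has moved to UDP 4500, where IKE and ESP are both
UDP-encapsulated and a plain masquerade carries them. Datagrams are constructed.
"""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # i-SPI, r-SPI, next, version, exchange, flags, msgid, length
NON_ESP_MARKER = b"\x00\x00\x00\x00"        # on 4500: four zero bytes mean IKE, anything else is an ESP SPI
EXCHANGE_TYPES = {
    2: "identity-protection (main mode)",
    4: "aggressive",
    5: "informational",
    32: "quick mode",
}


def parse_isakmp(payload, udp_port):
    """Describe one datagram seen on UDP 500 or 4500; raise ValueError otherwise."""
    if udp_port == 4500:
        if len(payload) < 4:
            raise ValueError("short NAT-T datagram")
        if payload[:4] != NON_ESP_MARKER:
            spi = struct.unpack("!I", payload[:4])[0]   # SPI 0 is reserved, so this is unambiguous
            return {"kind": "udp-esp", "spi": spi, "nat_t": True}
        body = payload[4:]
    elif udp_port == 500:
        body = payload
    else:
        raise ValueError(f"port {udp_port} is not an IKE port")
    if len(body) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    i_spi, r_spi, _next, version, exch, flags, _msgid, length = ISAKMP_HDR.unpack(body[:ISAKMP_HDR.size])
    return {
        "kind": "ike",
        "nat_t": udp_port == 4500,
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & 0x01),             # E bit: payloads after the header are encrypted
        "responder_spi_set": r_spi != b"\x00" * 8,   # zero until the responder has answered
        "length": length,
    }


def build_isakmp(exchange, flags=0, nat_t=False, i_spi=b"\x11" * 8, r_spi=b"\x00" * 8):
    """Constructed header-only datagram (IKEv1, next payload = SA), for the examples."""
    hdr = ISAKMP_HDR.pack(i_spi, r_spi, 1, 0x10, exchange, flags, 0, ISAKMP_HDR.size)
    return NON_ESP_MARKER + hdr if nat_t else hdr


def nat_verdict(datagrams):
    """datagrams: [(udp_port, payload)] from one client; say what the NAT must carry."""
    kinds, ports = set(), set()
    for port, payload in datagrams:
        kinds.add(parse_isakmp(payload, port)["kind"])
        ports.add(port)
    if 4500 in ports and "udp-esp" in kinds:
        return "nat-t: IKE and ESP are both UDP/4500, masquerade carries them like any UDP flow"
    if 4500 in ports:
        return "nat-t negotiated, no UDP-encapsulated ESP seen yet"
    return "no nat-t: ESP will be raw IP protocol 50; one client may work, several behind one address will not"


if __name__ == "__main__":
    flow = [
        (500, build_isakmp(2)),                          # main mode on 500
        (4500, build_isakmp(32, flags=1, nat_t=True)),   # quick mode, encrypted, after the NAT-T switch
        (4500, b"\x00\x00\x10\x01" + b"\x00" * 20),      # UDP-encapsulated ESP, SPI 0x1001
    ]
    for port, data in flow:
        print(port, parse_isakmp(data, port))
    print(nat_verdict(flow))
```

If the client never leaves UDP 500, the fix is on the VPN side (NAT-T, or the client's IPsec-over-TCP transport if the headend offers it), not in the MT's NAT table; if it does move to 4500 and still dies at "negotiating security policy", the NAT is not the problem and the phase 2 parameters are where to look.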


Re: [Mikrotik] [IPsec and Cisco ASA]

2010-05-21 Thread Hilton J Ralphs
Thanks Kurt, whilst I don't have a Cisco box, your config helped me connect two 
Mikrotik routers together, something I was having a problem with.

Thanks again.

-- 
Regards
Hilton
082.572.9619



Re: [Mikrotik] [IPsec and Cisco ASA]

2010-05-21 Thread Kurt Plaatjes
Oops... my apologies, that should be no.

I was doing some other tests and disabled these rules.

Thanks!

PS: There is a known bug with IPsec between Mikrotik and Cisco if you have
multiple peers.

I managed to duplicate this exact bug...

See: http://forum.mikrotik.com/viewtopic.php?f=2&t=39243




Re: [Mikrotik] [IPsec and Cisco ASA]

2010-05-21 Thread Casey Mills
Why are your "Firewall NAT" rules disabled?

Casey






Re: [Mikrotik] [IPsec and Cisco ASA]

2010-05-21 Thread Kurt Plaatjes
Details:
Local network:

10.10.0.0/16

Remote networks

172.16.70.0/24
172.16.71.0/24

Local Public IP:

195.10.10.20

Remote Public IP:
202.10.10.20



/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=\
aes-256 lifetime=1h name=default pfs-group=modp1536
/ip ipsec peer
add address=202.10.10.20/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp1536 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=2 enc-algorithm=aes-256 exchange-mode=aggressive \
  generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=5h \
  nat-traversal=no proposal-check=obey secret=secretskey12345 \
send-initial-contact=no

/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=172.16.70.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=202.10.10.20 sa-src-address=195.10.10.20 \
src-address=10.10.0.0/16 :any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=172.16.71.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=202.10.10.20 sa-src-address=195.10.10.20 \
src-address=10.10.0.0/16 :any tunnel=yes


Firewall:NAT

/ip firewall nat
add action=accept chain=srcnat comment="" disabled=yes dst-address=\
172.16.70.0/24 src-address=10.10.0.0/16
add action=accept chain=srcnat comment="" disabled=yes dst-address=\
172.16.71.0/24 src-address=10.10.0.0/16

Note: This has to be inserted above all masquerade rules

Routing:

None

Once the tunnels are up Mikrotik does its thing.

I will try and get the Cisco config posted as well.

Kurt
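
The note about the NAT rules going above every masquerade rule is the important part of this configuration: RouterOS applies srcnat before the IPsec policy lookup, so once a packet from 10.10.0.0/16 has been masqueraded to 195.10.10.20 it no longer matches the policy's src-address and is sent untunnelled. Two other settings in the export deserve a second look. exchange-mode=aggressive with a pre-shared key sends the responder's phase 1 hash unencrypted, so anyone who can observe the exchange can run an offline dictionary attack on the PSK; main mode does not have that property. dpd-interval=disable-dpd means a peer that disappears silently keeps its SAs on this side until the lifetime runs out. The script below is an added example, not MikroTik tooling and not from the thread: it parses the `/export` format and flags those three things. SAMPLE_EXPORT is the configuration posted above with one masquerade rule appended (constructed, marked by its comment) so the ordering check has a rule to compare against.

```python
"""Lint a RouterOS export for the IPsec pitfalls in this thread.

Added example, not RouterOS tooling and not from the thread: parses the
'/export' format (one command per line, trailing backslash continues a line)
and reports disabled srcnat bypass rules, bypass rules placed below a
masquerade rule, aggressive mode with a pre-shared key, and DPD turned off.
SAMPLE_EXPORT is the posted configuration plus one constructed masquerade rule.
"""
import re

SAMPLE_EXPORT = r"""
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=\
aes-256 lifetime=1h name=default pfs-group=modp1536
/ip ipsec peer
add address=202.10.10.20/32:500 auth-method=pre-shared-key comment="" \
dh-group=modp1536 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=2 enc-algorithm=aes-256 exchange-mode=aggressive \
  generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=5h \
  nat-traversal=no proposal-check=obey secret=secretskey12345 \
send-initial-contact=no
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=172.16.70.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=202.10.10.20 sa-src-address=195.10.10.20 \
src-address=10.10.0.0/16 :any tunnel=yes
add action=encrypt comment="" disabled=no dst-address=172.16.71.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=202.10.10.20 sa-src-address=195.10.10.20 \
src-address=10.10.0.0/16 :any tunnel=yes
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=yes dst-address=\
172.16.70.0/24 src-address=10.10.0.0/16
add action=accept chain=srcnat comment="" disabled=yes dst-address=\
172.16.71.0/24 src-address=10.10.0.0/16
add action=masquerade chain=srcnat out-interface=ether1 comment=constructed-not-in-posted-export
"""


def parse_export(text):
    """Return [(section, verb, {key: value})] for each command in an export."""
    joined = re.sub(r"\\\n\s*", " ", text)       # fold backslash-continued lines
    entries, section = [], None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):                 # '/ip ipsec peer' and friends
            section = line
            continue
        tokens = line.split()
        params, last = {}, None
        for tok in tokens[1:]:
            if "=" in tok:
                key, _, val = tok.partition("=")
                params[key] = val.strip('"')
                last = key
            elif last is not None:
                params[last] += tok              # ':any' split from its address by a mailer
        entries.append((section, tokens[0], params))
    return entries


def lint(text):
    """Human-readable findings; empty list when the export looks sane."""
    findings, masquerade_seen = [], False
    for section, _verb, p in parse_export(text):
        if section == "/ip firewall nat" and p.get("chain") == "srcnat":
            rule = f"{p.get('src-address')} -> {p.get('dst-address')}"
            if p.get("action") == "masquerade":
                masquerade_seen = True
            elif p.get("action") == "accept":
                if p.get("disabled") == "yes":
                    findings.append(f"bypass rule {rule} is disabled: traffic is masqueraded before the IPsec policy sees it")
                if masquerade_seen:
                    findings.append(f"bypass rule {rule} is below a masquerade rule and never matches")
        elif section == "/ip ipsec peer":
            peer = p.get("address", "?")
            if p.get("exchange-mode") == "aggressive" and p.get("auth-method") == "pre-shared-key":
                findings.append(f"peer {peer}: aggressive mode with a PSK exposes the phase 1 hash to offline guessing; use main mode")
            if p.get("dpd-interval") == "disable-dpd":
                findings.append(f"peer {peer}: DPD disabled, a silently dead peer keeps its SAs until lifetime expiry")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print("-", finding)
```

Run against the posted export it reports the two disabled bypass rules, the aggressive-mode peer and the disabled DPD; with the rules enabled and the masquerade below them the NAT findings go away. The parser is deliberately forgiving about the `10.10.0.0/16 :any` split the mailer introduced, which is how the address actually appears in the thread.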


Re: [Mikrotik] [IPsec and Cisco ASA]

2010-05-21 Thread Josh Luthman
Great!!! I'd like to see it posted :)



-- 
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

“Success is not final, failure is not fatal: it is the courage to
continue that counts.”
--- Winston Churchill


[Mikrotik] [IPsec and Cisco ASA]

2010-05-20 Thread Kurt Plaatjes
Hey Guys

After many sleepless hours  we have managed to get ipsec running smoothly
between Mikrotik 4.9 and CISCO ASA.
I am glad to share configs if anyone is interested.

Kurt


[Mikrotik] IPSec Certificate Usage

2009-12-27 Thread Tim Payne
Is there a procedure for creating IPsec security certificates? I want to create 
and use certificates on an IPsec link as an exercise. So can anyone explain 
the proper way to create them and install them in a Tik box on each end? I 
currently have the IPsec link up and running just fine using simple secret 
passwords.


Re: [Mikrotik] IPSec

2008-06-23 Thread Kristian Hoffmann
I believe it's referred to as the "bump in the stack" model.  It can be
much harder to troubleshoot because there are no interfaces to point your
finger at, and packets don't strictly follow the routing table (or at
least not as you might expect).  I find it much easier to let another
protocol do the tunneling (e.g. IPIP, GRE) and then use ipsec in transport
mode.  There's an example in the Mikrotik wiki for setting up ipsec in
transport mode to encrypt an IPIP tunnel.  Then you can treat it just like
any other interface.  Much more flexible IMHO.

Regards,

-Kristian

On Mon, 23 Jun 2008, Mike Hammett wrote:

> From what I can tell, Mikrotik does treat IPSec as a VPN tunnel, but just
> tags the packets with some extra data and sends them on their way.  No easy
> way to check interface uptime, perform routing, etc.  In my uninformed
> opinion, kinda piss poor.
>
>
> --
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
> - Original Message -
> From: "Eric Holtzclaw" <[EMAIL PROTECTED]>
> To: "Mikrotik discussions" 
> Sent: Monday, June 23, 2008 2:13 AM
> Subject: Re: [Mikrotik] IPSec
>
>
> > Try keeping a ping session up on the inside and see if that stops.
> > Maybe with check gateway ping on route side if that works.
> >
> > Eric
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hammett
> > Sent: Sunday, June 22, 2008 3:01 PM
> > To: Mikrotik discussions
> > Subject: Re: [Mikrotik] IPSec
> >
> > It started working, and then stopped again.
> >
> > [EMAIL PROTECTED] > /log print detail
> > time=dec/31/1969 18:00:13 topics=system,info message="router rebooted"
> > time=dec/31/1969 18:00:20 topics=ipsec,ike message="@(#) racoon / MikroTik"
> > time=dec/31/1969 18:00:20 topics=ipsec,ike message="@(#)This product linked OpenSSL 0.9.8a 11 Oct 2005 (http://www.openssl.org/)"
> > time=dec/31/1969 18:00:20 topics=pppoe,ppp,info message="ICS PPPoE: initializing..."
> > time=dec/31/1969 18:00:20 topics=pppoe,ppp,info message="ICS PPPoE: dialing..."
> > time=dec/31/1969 18:00:22 topics=wireless,info message="00:15:6D:50:17:[EMAIL PROTECTED] established connection on 5765, SSID ICS4"
> > time=dec/31/1969 18:00:23 topics=pppoe,ppp,info message="ICS PPPoE: authenticated"
> > time=dec/31/1969 18:00:23 topics=pppoe,ppp,info message="ICS PPPoE: connected"
> > time=dec/31/1969 18:00:23 topics=system,info message="dns changed"
> > time=15:45:25 topics=system,info,account message="user admin logged in from 10.1.5.8 via winbox"
> > time=15:47:29 topics=system,info,account message="user admin logged in from 10.1.1.254 via winbox"
> > time=15:51:41 topics=system,info,account message="user admin logged in from 65.182.0.0 via winbox"
> > time=16:02:41 topics=pptp,info message="TCP connection established from 65.182.0.0"
> > time=16:02:41 topics=pptp,ppp,info message=": waiting for call..."
> > time=16:02:42 topics=pptp,ppp,info message=": authenticated"
> > time=16:02:43 topics=pptp,ppp,info message=": connected"
> > time=16:02:43 topics=pptp,ppp,info,account message="mhammett logged in, 192.168.1.252"
> > time=16:02:44 topics=pptp,ppp,info message=": using encoding - MPPE128 stateless"
> > time=16:05:59 topics=ipsec,ike message="IPsec-SA request for 68.60.0.0 queued due to no phase1 found."
> > time=16:05:59 topics=ipsec,ike message="initiate new phase 1 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
> > time=16:05:59 topics=ipsec,ike message="begin Identity Protection mode."
> > time=16:05:59 topics=ipsec,ike message="received Vendor ID: DPD"
> > time=16:05:59 topics=ipsec,ike message="ISAKMP-SA established 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
> > time=16:06:00 topics=ipsec,ike message="initiate new phase 2 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
> > time=16

Re: [Mikrotik] IPSec

2008-06-23 Thread Mike Hammett
From what I can tell, Mikrotik does treat IPSec as a VPN tunnel, but just 
tags the packets with some extra data and sends them on their way.  No easy 
way to check interface uptime, perform routing, etc.  In my uninformed 
opinion, kinda piss poor.



--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


- Original Message - 
From: "Eric Holtzclaw" <[EMAIL PROTECTED]>

To: "Mikrotik discussions" 
Sent: Monday, June 23, 2008 2:13 AM
Subject: Re: [Mikrotik] IPSec




Re: [Mikrotik] IPSec

2008-06-23 Thread Eric Holtzclaw
Try keeping a ping session up on the inside and see if that stops.
Maybe with check gateway ping on route side if that works.

Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hammett
Sent: Sunday, June 22, 2008 3:01 PM
To: Mikrotik discussions
Subject: Re: [Mikrotik] IPSec

It started working, and then stopped again.

[EMAIL PROTECTED] > /log print detail
 time=dec/31/1969 18:00:13 topics=system,info message="router rebooted"
 time=dec/31/1969 18:00:20 topics=ipsec,ike message="@(#) racoon / MikroTik"
 time=dec/31/1969 18:00:20 topics=ipsec,ike message="@(#)This product linked OpenSSL 0.9.8a 11 Oct 2005 (http://www.openssl.org/)"
 time=dec/31/1969 18:00:20 topics=pppoe,ppp,info message="ICS PPPoE: initializing..."
 time=dec/31/1969 18:00:20 topics=pppoe,ppp,info message="ICS PPPoE: dialing..."
 time=dec/31/1969 18:00:22 topics=wireless,info message="00:15:6D:50:17:[EMAIL PROTECTED] established connection on 5765, SSID ICS4"
 time=dec/31/1969 18:00:23 topics=pppoe,ppp,info message="ICS PPPoE: authenticated"
 time=dec/31/1969 18:00:23 topics=pppoe,ppp,info message="ICS PPPoE: connected"
 time=dec/31/1969 18:00:23 topics=system,info message="dns changed"
 time=15:45:25 topics=system,info,account message="user admin logged in from 10.1.5.8 via winbox"
 time=15:47:29 topics=system,info,account message="user admin logged in from 10.1.1.254 via winbox"
 time=15:51:41 topics=system,info,account message="user admin logged in from 65.182.0.0 via winbox"
 time=16:02:41 topics=pptp,info message="TCP connection established from 65.182.0.0"
 time=16:02:41 topics=pptp,ppp,info message=": waiting for call..."
 time=16:02:42 topics=pptp,ppp,info message=": authenticated"
 time=16:02:43 topics=pptp,ppp,info message=": connected"
 time=16:02:43 topics=pptp,ppp,info,account message="mhammett logged in, 192.168.1.252"
 time=16:02:44 topics=pptp,ppp,info message=": using encoding - MPPE128 stateless"
 time=16:05:59 topics=ipsec,ike message="IPsec-SA request for 68.60.0.0 queued due to no phase1 found."
 time=16:05:59 topics=ipsec,ike message="initiate new phase 1 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
 time=16:05:59 topics=ipsec,ike message="begin Identity Protection mode."
 time=16:05:59 topics=ipsec,ike message="received Vendor ID: DPD"
 time=16:05:59 topics=ipsec,ike message="ISAKMP-SA established 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
 time=16:06:00 topics=ipsec,ike message="initiate new phase 2 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
 time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=206061190(0xc483e86)"
 time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=55768677(0x352f665)"
 time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=172198929(0xa438c11)"
 time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=148960180(0x8e0f3b4)"
 time=16:18:13 topics=pptp,ppp,info,account message="mhammett logged out, 931 242052 1589758 2478 2689"
 time=16:18:13 topics=pptp,ppp,info message=": terminating... - call cleared"
 time=16:18:13 topics=pptp,ppp,info message=": disconnected"
 time=16:19:44 topics=ipsec,ike message="purging ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
 time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=148960180."
 time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=172198929."
 time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=55768677."
 time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=206061190."
 time=16:19:44 topics=ipsec,ike message="purged ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
 time=16:19:44 topics=ipsec,ike message="unknown Informational exchange received."
 time=16:19:45 topics=ipsec,ike message="ISAKMP-SA deleted 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
 time=16:36:01 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
 time=16:36:11 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
 time=16:36:21 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
 time=16:36:31 topics=ipsec,ike message=&qu

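The two logs in this thread show the same failure from both ends: the 65.182.0.0 router (quoted above in Eric's reply) purges its ISAKMP-SA at 16:19:44 and from 16:36 on keeps logging "can't start the quick mode, there is no ISAKMP-SA" for the purged cookies 2cd56cea0b29c949:1769b0ce00a81785, which is what racoon (the IKE daemon behind the "@(#) racoon / MikroTik" banner) logs when a quick-mode packet arrives for a phase 1 it no longer holds; the 68.60.0.0 router (Mike's June 22 message further up) keeps initiating phase 2 under that same phase 1, gets only "none message must be encrypted" back, and gives up. The script below is an added example, not code from the thread or from MikroTik: it parses `/log print detail` output, replays the ipsec,ike entries to track phase 1 and phase 2 SA state by cookie pair and SPI, and flags those two patterns. The sample lines are copied from the logs posted in the thread, trimmed to the ipsec,ike entries plus one pptp line; the finding names and the `verdict` labels are my own.

```python
import re

# One "/log print detail" entry, with or without a date before the time, e.g.
#   time=16:05:59 topics=ipsec,ike message="..."
#   time=dec/31/1969 18:00:13 topics=system,info message="router rebooted"
LOG_LINE = re.compile(
    r'^\s*time=(?:(?P<date>\S+)\s+)?(?P<time>\d\d:\d\d:\d\d)\s+'
    r'topics=(?P<topics>\S+)\s+message="(?P<msg>.*)"\s*$')

# Phase 1 is keyed by the ISAKMP cookie pair "initiator:responder";
# phase 2 by the decimal SPI racoon prints before the hex form.
P1_UP = re.compile(r"ISAKMP-SA established .*spi:([0-9a-f]+:[0-9a-f]+)")
P1_GONE = re.compile(r"(?:purg(?:ing|ed) ISAKMP-SA|ISAKMP-SA deleted).*spi[=:]([0-9a-f]+:[0-9a-f]+)")
P2_UP = re.compile(r"IPsec-SA established: (\S+) (\S+) spi=(\d+)")
P2_GONE = re.compile(r"(?:purged IPsec-SA|IPsec-SA expired: \S+ \S+) spi=(\d+)")
QM_NO_P1 = re.compile(r"can't start the quick mode, there is no ISAKMP-SA, ([0-9a-f]+:[0-9a-f]+):[0-9a-f]+")


def parse_log(text):
    """Yield (time, [topics], message) for every line that parses as a log entry."""
    for raw in text.splitlines():
        if m := LOG_LINE.match(raw):
            yield m.group("time"), m.group("topics").split(","), m.group("msg")


def analyse_ike(text):
    """Replay the ipsec,ike entries in order; return SA state plus (time, kind, detail) findings."""
    phase1, child, findings = {}, {}, []
    for t, topics, msg in parse_log(text):
        if "ipsec" not in topics:
            continue                      # pptp/pppoe/account entries are noise here
        if m := P1_UP.search(msg):
            phase1[m.group(1)] = "up"
        elif m := P1_GONE.search(msg):
            phase1[m.group(1)] = "gone"
        elif m := P2_UP.search(msg):
            child[m.group(3)] = f"{m.group(1)} {m.group(2)}"
        elif m := P2_GONE.search(msg):
            child.pop(m.group(1), None)
        elif m := QM_NO_P1.search(msg):
            # A quick-mode packet arrived for cookies this side does not hold;
            # record what this side last knew about them.
            cookies = m.group(1)
            findings.append((t, "quick-mode-without-phase1",
                             f"{cookies} locally {phase1.get(cookies, 'never seen')}"))
        elif "message must be encrypted" in msg:
            findings.append((t, "unencrypted-message-from-peer", msg))
        elif "give up to get IPsec-SA" in msg:
            findings.append((t, "phase2-timeout", msg.split(" ")[0]))   # peer address
    return {"phase1": phase1, "child_sas": child, "findings": findings}


def verdict(result):
    """Collapse the findings into one label a monitoring job can alert on (labels are mine)."""
    kinds = [kind for _, kind, _ in result["findings"]]
    if any(kind == "quick-mode-without-phase1" and detail.endswith("locally gone")
           for _, kind, detail in result["findings"]):
        return "peer-still-uses-phase1-we-purged"
    if "unencrypted-message-from-peer" in kinds and "phase2-timeout" in kinds:
        return "phase2-timeout-after-unencrypted-replies"
    return "tunnel-up" if result["child_sas"] else "no-finding"


# Sample input copied from the two logs posted in the thread (ipsec,ike entries only,
# plus one pptp line to show that other topics are skipped).
SAMPLE_LOG_65_182 = """\
time=16:05:59 topics=ipsec,ike message="IPsec-SA request for 68.60.0.0 queued due to no phase1 found."
time=16:05:59 topics=ipsec,ike message="initiate new phase 1 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
time=16:05:59 topics=ipsec,ike message="ISAKMP-SA established 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=206061190(0xc483e86)"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=55768677(0x352f665)"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=172198929(0xa438c11)"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=148960180(0x8e0f3b4)"
time=16:18:13 topics=pptp,ppp,info message=": disconnected"
time=16:19:44 topics=ipsec,ike message="purging ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=148960180."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=172198929."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=55768677."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=206061190."
time=16:19:44 topics=ipsec,ike message="unknown Informational exchange received."
time=16:19:45 topics=ipsec,ike message="ISAKMP-SA deleted 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
time=16:36:01 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
time=16:36:11 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
time=16:36:21 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
"""

SAMPLE_LOG_68_60 = """\
time=16:42:38 topics=ipsec,ike message="initiate new phase 2 negotiation: 68.60.0.0[500]<=>65.182.0.0[500]"
time=16:42:38 topics=ipsec,ike message="none message must be encrypted"
time=16:42:48 topics=ipsec,ike message="none message must be encrypted"
time=16:42:58 topics=ipsec,ike message="none message must be encrypted"
time=16:43:08 topics=ipsec,ike message="65.182.0.0 give up to get IPsec-SA due to time up to wait."
time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=125157313(0x775bfc1)"
time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=41544484(0x279eb24)"
"""

if __name__ == "__main__":
    for name, log in (("65.182.0.0 side", SAMPLE_LOG_65_182), ("68.60.0.0 side", SAMPLE_LOG_68_60)):
        result = analyse_ike(log)
        print(name, "->", verdict(result))
        for t, kind, detail in result["findings"]:
            print(f"  {t} {kind}: {detail}")
```

Run it against `/log print detail` from both peers and compare: a `quick-mode-without-phase1` finding whose cookies are "locally gone" on one side, paired with `phase2-timeout` on the other, means the two ends disagree about whether the phase 1 SA still exists, and that is worth resolving rather than waiting for lifetimes to expire. One thing to check first is that the posted peer configurations differ on exactly the setting that governs this: `dpd-interval=disable-dpd dpd-maximum-failures=5` on one router and `dpd-interval=20s dpd-maximum-failures=1` on the other. The "ISAKMP-SA deleted" line is treated the same as a purge, since either way the cookies are no longer usable on that side.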
Re: [Mikrotik] IPSec

2008-06-22 Thread Mike Hammett
here 
is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"


[EMAIL PROTECTED] > /log print detail
time=16:42:38 topics=ipsec,ike message="initiate new phase 2 negotiation: 68.60.0.0[500]<=>65.182.0.0[500]"
time=16:42:38 topics=ipsec,ike message="none message must be encrypted"
time=16:42:48 topics=ipsec,ike message="none message must be encrypted"
time=16:42:58 topics=ipsec,ike message="none message must be encrypted"
time=16:43:08 topics=ipsec,ike message="65.182.0.0 give up to get IPsec-SA due to time up to wait."
time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=125157313(0x775bfc1)"
time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=41544484(0x279eb24)"
time=16:43:08 topics=ipsec,ike message="initiate new phase 2 negotiation: 68.60.0.0[500]<=>65.182.0.0[500]"
time=16:43:08 topics=ipsec,ike message="none message must be encrypted"
time=16:43:18 topics=ipsec,ike message="none message must be encrypted"
time=16:43:28 topics=ipsec,ike message="none message must be encrypted"
time=16:43:38 topics=ipsec,ike message="65.182.0.0 give up to get IPsec-SA due to time up to wait."
time=16:43:38 topics=ipsec,ike message="IPsec-SA expired: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=61961499(0x3b1751b)"
time=16:43:38 topics=ipsec,ike message="IPsec-SA expired: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=23323416(0x163e318)"



--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


- Original Message - 
From: "Mike Hammett" <[EMAIL PROTECTED]>

To: "Mikrotik discussions" 
Sent: Thursday, June 19, 2008 11:05 AM
Subject: Re: [Mikrotik] IPSec





- Original Message - 
From: "Mike Hammett" <[EMAIL PROTECTED]>

To: "Mikrotik discussions" 
Sent: Saturday, June 07, 2008 11:49 AM
Subject: Re: [Mikrotik] IPSec



I had actually just gotten it fixed by trying the masquerade option before
Butch told me to do masquerade.  That said, I have attached a map of what
we're working with.  The NIF wireless and everything behind it cannot
communicate with anything across the IPSec link, though everything else
including and behind NIF router does.  Everything including and behind 
NIF

router can talk to everyone else on that side of the network as well as
the
Internet.


--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


- Original Message - 
From: "

Re: [Mikrotik] IPSec

2008-06-19 Thread Mike Hammett
The routers and wireless AP are all Mikrotik.  The wireless AP has all ports 
in a bridge.


Previously NIF wireless and anything behind it couldn't traverse the tunnel. 
For some reason, nothing can now.



--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


- Original Message - 
From: "Butch Evans" <[EMAIL PROTECTED]>

To: "Mikrotik discussions" 
Sent: Saturday, June 14, 2008 7:07 PM
Subject: Re: [Mikrotik] IPSec



On Thu, 12 Jun 2008, Mike Hammett wrote:


we're working with.  The NIF wireless and everything behind it
cannot communicate with anything across the IPSec link, though
everything else including and behind NIF router does.  Everything
including and behind NIF router can talk to everyone else on that
side of the network as well as the Internet.


Post the following information:

/ip ipsec export
/ip firewall nat export

If I understand correctly, the "wireless client" cannot communicate
over the tunnel, but the "security DVR" can?  Also, the workstation
and server at the NIF side can communicate over the tunnel.  What
kind of router is the NIF Wireless device?  If it is also a
Mikrotik router, please explain a bit about its configuration.

--

*Butch Evans *Professional Network Consultation *
*Network Engineering *MikroTik RouterOS*
*573-276-2879 *ImageStream   *
*http://www.butchevans.com/ *StarOS and MORE   *
*Mikrotik Certified Consultant *Wired or Wireless Networks*

___
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik





Re: [Mikrotik] IPSec

2008-06-19 Thread Mike Hammett

oh, I guess this email never made it...

[EMAIL PROTECTED] > /ip ipsec export
# jun/19/2008 16:25:06 by RouterOS 3.10
# software id = D302-LTT
#
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
    name=default pfs-group=modp1024
/ip ipsec peer
add address=65.182.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 \
    enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 \
    lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey \
    secret=0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5 \
    send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.1.0/24:any \
    ipsec-protocols=ah,esp level=require manual-sa=none priority=0 \
    proposal=default protocol=all sa-dst-address=65.182.0.0 \
    sa-src-address=68.60.0.0 src-address=192.168.2.0/24:any tunnel=yes
[EMAIL PROTECTED] > /ip firewall nat export
# jun/19/2008 16:25:25 by RouterOS 3.10
# software id = D302-LTT
#
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no \
    dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1



[EMAIL PROTECTED] > /ip ipsec export
# jun/19/2008 16:42:13 by RouterOS 3.10
# software id = 2ZXT-3TT
#
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
    name=default pfs-group=modp1024
/ip ipsec peer
add address=68.60.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=20s dpd-maximum-failures=1 enc-algorithm=3des \
    exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 \
    lifetime=1d nat-traversal=no proposal-check=obey \
    secret=0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5 \
    send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.2.0/24:any \
    ipsec-protocols=ah,esp level=require manual-sa=none priority=0 \
    proposal=default protocol=all sa-dst-address=68.60.0.0 \
    sa-src-address=65.182.0.0 src-address=192.168.1.0/24:any tunnel=yes
[EMAIL PROTECTED] > /ip firewall nat export
# jun/19/2008 16:42:15 by RouterOS 3.10
# software id = 2ZXT-3TT
#
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no \
    dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="" disabled=no \
    out-interface="ICS PPPoE"
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 \
    in-interface="ICS PPPoE" protocol=tcp to-addresses=192.168.1.4 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=1600 \
    in-interface="ICS PPPoE" protocol=tcp to-addresses=192.168.1.4 to-ports=1600
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=554-557 \
    in-interface="ICS PPPoE" protocol=tcp to-addresses=192.168.1.4 \
    to-ports=554-557





--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


- Original Message - 
From: "Butch Evans" <[EMAIL PROTECTED]>

To: "Mikrotik discussions" 
Sent: Saturday, June 14, 2008 7:07 PM
Subject: Re: [Mikrotik] IPSec








Re: [Mikrotik] IPSec

2008-06-19 Thread Paul J. Benner, Jr.
Check your counters.  My guess would be that since you're running 
private networks on both sides the traffic is being masqueraded as it's 
leaving the router, so it never matches your policy.  Add an accept on 
both sides that is ahead of the masquerade for traffic bound for the 
opposite side's network and see what happens.


Regards,

Paul

Mike Hammett wrote:

Where would I see that at?


--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



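Paul's advice above, and the `/ip firewall nat export` Mike posted earlier in the thread (where the accept for 192.168.2.0/24 to 192.168.1.0/24 sits ahead of the masquerade), both come down to rule order in the srcnat chain: the IPsec policy selectors are checked against the packet as it looks after source NAT, so a masqueraded packet carries the public address as its source and never matches a policy written for the private prefix. The model below is an added example, not RouterOS code and not anything posted in the thread. It evaluates a first-match srcnat chain, then checks the policy against the post-NAT packet, and includes a static check that reports a masquerade rule reached before any accept for policy traffic. The prefixes, the redacted public address 68.60.0.0 and the interface name ether1 are the ones in the posted configs; the dataclass names, `lint_srcnat_for_policy` and the test destination 203.0.113.5 are mine.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed model of one site from the thread: 192.168.2.0/24 behind a RouterOS
# box whose public address the posts write as 68.60.0.0, with an IPsec policy to
# 192.168.1.0/24 and a masquerade rule on the WAN interface ether1.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_interface: str


@dataclass(frozen=True)
class NatRule:
    action: str                         # "accept" or "masquerade"
    src: Optional[str] = None           # CIDR selectors; None means any
    dst: Optional[str] = None
    out_interface: Optional[str] = None


@dataclass(frozen=True)
class IpsecPolicy:
    src: str                            # src-address / dst-address selectors
    dst: str


def _covers(cidr: Optional[str], addr: str) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    return (_covers(rule.src, pkt.src) and _covers(rule.dst, pkt.dst)
            and rule.out_interface in (None, pkt.out_interface))


def run_srcnat(rules: List[NatRule], pkt: Packet, wan_address: str) -> Packet:
    """srcnat chain: the first matching rule terminates it.  accept leaves the
    packet alone; masquerade rewrites the source to the egress address."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return pkt if rule.action == "accept" else replace(pkt, src=wan_address)
    return pkt


def policy_matches(policy: IpsecPolicy, pkt: Packet) -> bool:
    return _covers(policy.src, pkt.src) and _covers(policy.dst, pkt.dst)


def will_be_encrypted(rules, policy, pkt, wan_address) -> bool:
    """The policy is consulted with the packet as it looks after srcnat, which is
    why a masqueraded packet silently misses it and leaves in the clear."""
    return policy_matches(policy, run_srcnat(rules, pkt, wan_address))


def lint_srcnat_for_policy(rules, policy, egress="ether1") -> Optional[str]:
    """Static check: does a masquerade rule catch policy traffic before any accept?
    Probes with the first usable host of each selector (assumed representative)."""
    probe = Packet(src=str(ipaddress.ip_network(policy.src)[1]),
                   dst=str(ipaddress.ip_network(policy.dst)[1]),
                   out_interface=egress)
    for index, rule in enumerate(rules):
        if rule_matches(rule, probe):
            if rule.action == "accept":
                return None
            return (f"srcnat rule {index} ({rule.action}) rewrites {policy.src}->{policy.dst} "
                    f"before any accept; the IPsec policy will never match")
    return None


# Values from the thread.
WAN = "68.60.0.0"
POLICY = IpsecPolicy(src="192.168.2.0/24", dst="192.168.1.0/24")
# Before: masquerade only, the situation Paul describes.
BROKEN = [NatRule("masquerade", out_interface="ether1")]
# After: the accept rule from Mike's /ip firewall nat export, placed first.
FIXED = [NatRule("accept", src="192.168.2.0/24", dst="192.168.1.0/24"),
         NatRule("masquerade", out_interface="ether1")]

if __name__ == "__main__":
    tunnel = Packet("192.168.2.10", "192.168.1.20", "ether1")
    internet = Packet("192.168.2.10", "203.0.113.5", "ether1")
    for name, chain in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "tunnel encrypted:", will_be_encrypted(chain, POLICY, tunnel, WAN),
              "| internet src after nat:", run_srcnat(chain, internet, WAN).src,
              "| lint:", lint_srcnat_for_policy(chain, POLICY))
```

The same check applies to the other site, whose masquerade is on "ICS PPPoE" rather than ether1: pass that site's policy and `egress="ICS PPPoE"`. The model only knows src-address, dst-address and out-interface selectors, and it treats accept as terminating the srcnat chain, which is the behaviour the thread's fix relies on.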
Re: [Mikrotik] IPSec

2008-06-19 Thread Mike Hammett

Where would I see that at?


--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


- Original Message - 
From: "Paul J. Benner, Jr." <[EMAIL PROTECTED]>

To: "Mikrotik discussions" 
Sent: Thursday, June 19, 2008 11:22 AM
Subject: Re: [Mikrotik] IPSec





- Original Message ----- 
From: "Mike Hammett" <[EMAIL PROTECTED]>

To: "Mikrotik discussions" 
Sent: Friday, June 06, 2008 11:33 PM
Subject: [Mikrotik] IPSec




I'm trying to set up a 3.10 IPSec tunnel between two Mikrotiks.  First off,
the manual isn't correct.  I do exactly what they say and I get an error.

As it turns out, you're also required to choose an AH In\Out Algorithm.
It also doesn't explain things well, like ah-spi.

How do I know it's working?  I cannot ping addresses on the other side.


Side 1:

< ICS] > /ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any protocol=all
     action=encrypt level=require ipsec-protocols=ah tunnel=yes
     sa-src-address=65.182.111.111 sa-dst-address=68.60.111.111 proposal=default
     manual-sa=ah-sa1 priority=0
[EMAIL PROTECTED] - ICS] > /ip ipsec manual-sa print
Flags: X - disabled, I - invalid
 0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null esp-enc-algorithm=null
     ah-key=64 hex characters esp-auth-key="" esp-enc-key="" ah-spi=0x100/0x101
     esp-spi=0x100 lifetime=0s



Side 2:

[EMAIL PROTECTED] Fence] > /ip ipsec policy pr
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any protocol=all
     action=encrypt level=require ipsec-protocols=ah tunnel=yes
     sa-src-address=68.60.

Re: [Mikrotik] IPSec

2008-06-19 Thread Paul J. Benner, Jr.

Mike,

Does the IPSec tunnel encrypt any packets when you attempt to make a 
connection from one side to the other?


Regards,

Paul

Mike Hammett wrote:
Actually, the darn thing stopped working once it started and without any 
changes to either side.  :-\


[EMAIL PROTECTED] > /ip ipsec policy print detail
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any protocol=all
     action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
     sa-src-address=68.60.0.0 sa-dst-address=65.182.0.0 proposal=default
     manual-sa=none priority=0
[EMAIL PROTECTED] > /ip ipsec proposal print detail
Flags: X - disabled
 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
     pfs-group=modp1024
[EMAIL PROTECTED] > /ip ipsec peer print detail
Flags: X - disabled
 0   address=65.182.0.0/32:500 auth-method=pre-shared-key
     secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5"
     generate-policy=no exchange-mode=main send-initial-contact=yes
     nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
     dpd-maximum-failures=5
[EMAIL PROTECTED] > /ip ipsec installed-sa print detail
Flags: A - AH, E - ESP, P - pfs



[EMAIL PROTECTED] > /ip ipsec policy print detail
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any protocol=all
     action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
     sa-src-address=65.182.0.0 sa-dst-address=68.60.0.0 proposal=default
     manual-sa=none priority=0
[EMAIL PROTECTED] > /ip ipsec proposal print detail
Flags: X - disabled
 0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
     pfs-group=modp1024
[EMAIL PROTECTED] > /ip ipsec peer print detail
Flags: X - disabled
 0   address=68.60.0.0/32:500 auth-method=pre-shared-key
     secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5"
     generate-policy=no exchange-mode=main send-initial-contact=yes
     nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=20s
     dpd-maximum-failures=1
[EMAIL PROTECTED] > /ip ipsec installed-sa print detail
Flags: A - AH, E - ESP, P - pfs


--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


- Original Message - 
From: "Mike Hammett" <[EMAIL PROTECTED]>

To: "Mikrotik discussions" 
Sent: Saturday, June 07, 2008 11:49 AM
Subject: Re: [Mikrotik] IPSec


  

I had actually just gotten it fixed by trying the masquerade option before
Butch told me to do masquerade.  That said, I have attached a map of what
we're working with.  The NIF wireless and everything behind it cannot
communicate with anything across the IPSec link, though everything else
including and behind NIF router does.  Everything including and behind NIF
router can talk to everyone else on that side of the network as well as 
the

Internet.


--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


- Original Message - 
From: "Mike Hammett" <[EMAIL PROTECTED]>

To: "Mikrotik discussions" 
Sent: Friday, June 06, 2008 11:33 PM
Subject: [Mikrotik] IPSec



I'm trying to setup a 3.10 IPSec tunnel between two Mikrotiks.  First 
off,

the manual isn't correct.  I do exactly what they say and I get an error.
As it turns out, you're also required to choose an AH In\Out Algorithm.
It also doesn't explain things well, like ah-spi.

How do I know it's working?  I cannot ping addresses on the other side.


Side 1:

< ICS] > /ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
sa-src-address=65.182.111.111 sa-dst-address=68.60.111.111
proposal=default
manual-sa=ah-sa1 priority=0
[EMAIL PROTECTED] - ICS] > /ip ipsec manual-sa print
Flags: X - disabled, I - invalid
0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
esp-enc-algorithm=null ah-key=64 hex characters esp-auth-key=""
esp-enc-key="" ah-spi=0x100/0x101
esp-spi=0x100 lifetime=0s



Side 2:

[EMAIL PROTECTED] Fence] > /ip ipsec policy pr
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
sa-src-address=68.60.111.111 sa-dst-address=65.182.111.111
proposal=default
manual-sa=ah-sa1 priority=0
[EMAIL PROTECTED] Fence] > /ip ipsec manual-sa pr
Flags: X - disabled, I - invalid
0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
esp-enc-algorithm=null ah-key=same 64 

Re: [Mikrotik] IPSec

2008-06-19 Thread Mike Hammett
Actually, the darn thing stopped working once it started and without any 
changes to either side.  :-\


[EMAIL PROTECTED] > /ip ipsec policy print detail
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any 
protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes 
sa-src-address=68.60.0.0 sa-dst-address=65.182.0.0
proposal=default manual-sa=none priority=0
[EMAIL PROTECTED] > /ip ipsec proposal print detail
Flags: X - disabled
0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m 
pfs-group=modp1024

[EMAIL PROTECTED] > /ip ipsec peer print detail
Flags: X - disabled
0   address=65.182.0.0/32:500 auth-method=pre-shared-key 
secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5" 
generate-policy=no exchange-mode=main send-initial-contact=yes 
nat-traversal=no
proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des 
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd 
dpd-maximum-failures=5

[EMAIL PROTECTED] > /ip ipsec installed-sa print detail
Flags: A - AH, E - ESP, P - pfs




[EMAIL PROTECTED] > /ip ipsec policy print detail
Flags: X - disabled, D - dynamic, I - inactive
0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any 
protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes 
sa-src-address=65.182.0.0 sa-dst-address=68.60.0.0
proposal=default manual-sa=none priority=0
[EMAIL PROTECTED] > /ip ipsec proposal print detail
Flags: X - disabled
0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m 
pfs-group=modp1024

[EMAIL PROTECTED] > /ip ipsec peer print detail
Flags: X - disabled
0   address=68.60.0.0/32:500 auth-method=pre-shared-key 
secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5" 
generate-policy=no exchange-mode=main send-initial-contact=yes 
nat-traversal=no
proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des 
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=20s 
dpd-maximum-failures=1

[EMAIL PROTECTED] > /ip ipsec installed-sa print detail
Flags: A - AH, E - ESP, P - pfs


--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



Re: [Mikrotik] IPSec

2008-06-14 Thread Butch Evans

On Thu, 12 Jun 2008, Mike Hammett wrote:

we're working with.  The NIF wireless and everything behind it 
cannot communicate with anything across the IPSec link, though 
everything else including and behind NIF router does.  Everything 
including and behind NIF router can talk to everyone else on that 
side of the network as well as the Internet.


Post the following information:

/ip ipsec export
/ip firewall nat export

If I understand correctly, the "wireless client" cannot communicate 
over the tunnel, but the "security DVR" can?  Also, the workstation 
and server at the NIF side can communicate over the tunnel.  What 
kind of router is the NIF Wireless device?  If it is, also, a 
Mikrotik router, please explain a bit about its configuration.


--

Butch Evans                    | Professional Network Consultation
Network Engineering            | MikroTik RouterOS
573-276-2879                   | ImageStream
http://www.butchevans.com/     | StarOS and MORE
Mikrotik Certified Consultant  | Wired or Wireless Networks



Re: [Mikrotik] IPSec

2008-06-14 Thread Butch Evans

On Thu, 12 Jun 2008, Mike Hammett wrote:


*bump*


I haven't had the opportunity to review the other documents you posted. 
I'll take a look tonight or tomorrow and see if this is one that is 
a "freebie" and contact you offlist with further information.


--

Butch Evans                    | Professional Network Consultation
Network Engineering            | MikroTik RouterOS
573-276-2879                   | ImageStream
http://www.butchevans.com/     | StarOS and MORE
Mikrotik Certified Consultant  | Wired or Wireless Networks



Re: [Mikrotik] IPSec

2008-06-12 Thread Mike Hammett

*bump*


--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



Re: [Mikrotik] IPSec

2008-06-08 Thread Eric Holtzclaw
I have written:

MT to Sonicwall
MT to PIX
MT to ASA
and (not written) I just did a MT to Nokia Checkpoint

Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Casey Mills
Sent: Sunday, June 08, 2008 1:10 AM
To: Mikrotik discussions
Subject: Re: [Mikrotik] IPSec

So has anyone put together any step by step instructions on how to use
IPSec?  It has always been a pain in my backside.  What options are
there besides another Mikrotik on the client end?  Software or
hardware.

Casey







Re: [Mikrotik] IPSec

2008-06-08 Thread Butch Evans

On Sun, 8 Jun 2008, Casey Mills wrote:

So has anyone put together any step by step instructions on how to 
use IPSec?  It has always been a pain in my backside.  What options 
are there besides another Mikrotik on the client end?  Software or 
hardware.


There are LOTs of options.  As for a "step by step", this is one of 
the things that is covered in detail in my training course.  ;-)


The documentation is decent in this area, but not as good as some 
parts.  I'll see about putting up a quick tutorial when I get some 
"free time" (whatever THAT is..)


--

Butch Evans                    | Professional Network Consultation
Network Engineering            | MikroTik RouterOS
573-276-2879                   | ImageStream
http://www.butchevans.com/     | StarOS and MORE
Mikrotik Certified Consultant  | Wired or Wireless Networks



Re: [Mikrotik] IPSec

2008-06-08 Thread Casey Mills
So has anyone put together any step by step instructions on how to use
IPSec?  It has always been a pain in my backside.  What options are
there besides another Mikrotik on the client end?  Software or
hardware.

Casey






Re: [Mikrotik] IPSec

2008-06-07 Thread Mike Hammett
I had actually just gotten it fixed by trying the masquerade option before 
Butch told me to do masquerade.  That said, I have attached a map of what 
we're working with.  The NIF wireless and everything behind it cannot 
communicate with anything across the IPSec link, though everything else 
including and behind NIF router does.  Everything including and behind NIF 
router can talk to everyone else on that side of the network as well as the 
Internet.


--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


-- next part --
A non-text attachment was scrubbed...
Name: CF NIF IPSec issue.pdf
Type: application/pdf
Size: 62758 bytes
Desc: not available
Url : 
http://www.butchevans.com/pipermail/mikrotik/attachments/20080607/ff575dbf/attachment.pdf
 


Re: [Mikrotik] IPSec

2008-06-07 Thread Mike Hammett
I had (obviously incorrectly) assumed that the masquerading would masquerade 
the traffic destined to the remote router as coming from the local router 
instead of the local PC.



--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com







Re: [Mikrotik] IPSec

2008-06-07 Thread Butch Evans

On Fri, 6 Jun 2008, Mike Hammett wrote:

I'm trying to setup a 3.10 IPSec tunnel between two Mikrotiks. 
First off, the manual isn't correct.  I do exactly what they say 
and I get an error.  As it turns out, you're also required to 
choose an AH In\Out Algorithm.  It also doesn't explain things 
well, like ah-spi.


First, why are you creating a manual-sa?  This is usually not 
necessary and it is easier to not do this manually.  Second 
question: Are you masquerading traffic on the LAN of either side of 
this tunnel?  If so, you have to make an exception for the IPSEC 
policy traffic.  The traffic flow diagram is very clear in this 
regard.


Use the example titled "IPsec Between two Masquerading MikroTik 
Routers", as it does not require a manual key.


--

Butch Evans                    | Professional Network Consultation
Network Engineering            | MikroTik RouterOS
573-276-2879                   | ImageStream
http://www.butchevans.com/     | StarOS and MORE
Mikrotik Certified Consultant  | Wired or Wireless Networks



[Mikrotik] IPSec

2008-06-06 Thread Mike Hammett
I'm trying to setup a 3.10 IPSec tunnel between two Mikrotiks.  First off, the 
manual isn't correct.  I do exactly what they say and I get an error.  As it 
turns out, you're also required to choose an AH In\Out Algorithm.  It also 
doesn't explain things well, like ah-spi.

How do I know it's working?  I cannot ping addresses on the other side.


Side 1:

< ICS] > /ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any protocol=all 
action=encrypt level=require ipsec-protocols=ah tunnel=yes 
sa-src-address=65.182.111.111 sa-dst-address=68.60.111.111 proposal=default 
 manual-sa=ah-sa1 priority=0
[EMAIL PROTECTED] - ICS] > /ip ipsec manual-sa print
Flags: X - disabled, I - invalid
 0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null 
esp-enc-algorithm=null ah-key=64 hex characters esp-auth-key="" esp-enc-key="" 
ah-spi=0x100/0x101 
 esp-spi=0x100 lifetime=0s



Side 2:

[EMAIL PROTECTED] Fence] > /ip ipsec policy pr
Flags: X - disabled, D - dynamic, I - inactive 
 0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any protocol=all 
action=encrypt level=require ipsec-protocols=ah tunnel=yes 
sa-src-address=68.60.111.111 sa-dst-address=65.182.111.111 proposal=default 
 manual-sa=ah-sa1 priority=0 
[EMAIL PROTECTED] Fence] > /ip ipsec manual-sa pr
Flags: X - disabled, I - invalid 
 0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null 
esp-enc-algorithm=null ah-key=same 64 hex characters esp-auth-key="" 
esp-enc-key="" ah-spi=0x101/0x100 
 esp-spi=0x100 lifetime=0s 



--
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



Re: [Mikrotik] [MikroTik] IPSec Configuration Problems

2008-01-18 Thread Butch Evans

On Fri, 18 Jan 2008, Gene Spiker wrote:

Other versions of IPSec on other systems that work off a menu such 
as winbox also build the interface and route.


Mikrotik uses a POLICY to route the traffic...there is not a route 
(at least not one visible under "/ip route") for IPSEC traffic.


In version 2.9 of Mikrotik I manually built a route for the remote 
subnet pointing to the Mikrotik IP address of the Mikrotik LAN. 
This did not work.


Because it's not necessary.  What you need to do is add 
configurations as follows (this is not exact, but a GUIDE):


under "/ip ipsec policy", you define the following 4 values as 
appropriate:

src-address = the lan network address on the MT side
dst-address = the lan network address on the IPCOP side
sa-src-address = the PUBLIC IP on the MT side
sa-dst-address = the PUBLIC IP on the IPCOP side

The remainder of the ipsec config is likely to be correct, since you 
can communicate across the tunnel.


under "/ip firewall nat", you should run these commands:

/ip firewall nat print
/ip firewall nat
add src-address=MTLAN dst-address=IPCOPLAN action=accept \
  place-before=0

of course, the "MTLAN" is the network address for the private 
subnet on the MT side and IPCOPLAN is the IPCOP side.  What this 
does, is cause traffic destined for the remote side of the tunnel to 
NOT be natted (assuming you are natting on the public side).  This 
is necessary because the NAT happens before the IPSEC part of the 
kernel, meaning that if the traffic is being natted, the IPSEC does 
not see traffic that matches the policy and, therefore, does not 
send it across the tunnel.


There is no need for routes or setting of proxy-arp.  MT does not 
add any IP addresses or visible interfaces for IPSEC tunnels.


After you set this up, you should be able to ping from one private 
lan to the other.  You should see (under "/ip ipsec installed-sa") 2 
tunnels - one in and one out.


The documentation says this, but (unlike most other parts of MT's 
documentation) I think this part is not very clear.


--
Butch Evans
Network Engineering and Security Consulting
573-276-2879
http://www.butchevans.com/
My calendar: http://tinyurl.com/y24ad6
Training Partners: http://tinyurl.com/smfkf
Mikrotik Certified Consultant
http://www.mikrotik.com/consultants.html
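An added illustration of the ordering Butch describes above (srcnat is evaluated before the IPsec policy lookup, so masqueraded LAN traffic never matches the policy): this is a constructed Python model, not RouterOS code and not from anyone in the thread. It uses the two LAN networks and public addresses Mike posted (ICS and Fence) and the accept-before-masquerade rule from Butch's guide; the Internet-bound test address 198.51.100.7 is a made-up documentation address.

```python
"""Constructed model (not RouterOS code) of the packet order described in
the thread: the srcnat chain runs first, then the IPsec policy lookup sees
the (possibly rewritten) packet.  Addresses are the ones posted for the
ICS (192.168.1.0/24) and Fence (192.168.2.0/24) sides."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    """One /ip firewall nat srcnat rule; None means 'any'."""
    action: str                        # "accept" or "masquerade"
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    out_address: Optional[str] = None  # public IP substituted by masquerade


@dataclass(frozen=True)
class Policy:
    """The four /ip ipsec policy values from Butch's guide."""
    src_address: str     # LAN network on this side
    dst_address: str     # LAN network on the far side
    sa_src_address: str  # this side's public IP
    sa_dst_address: str  # far side's public IP


def _matches(addr: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def apply_srcnat(pkt: Packet, rules: List[NatRule]) -> Packet:
    """First matching srcnat rule wins: accept leaves the packet untouched,
    masquerade rewrites the source to the public address."""
    for rule in rules:
        if _matches(pkt.src, rule.src_address) and _matches(pkt.dst, rule.dst_address):
            if rule.action == "masquerade":
                return Packet(src=rule.out_address, dst=pkt.dst)
            return pkt  # accept: stop processing, no rewrite
    return pkt


def select_policy(pkt: Packet, policies: List[Policy]) -> Optional[Policy]:
    """Policy lookup on whatever source/destination the packet now carries."""
    for pol in policies:
        if _matches(pkt.src, pol.src_address) and _matches(pkt.dst, pol.dst_address):
            return pol
    return None


def egress(pkt: Packet, rules: List[NatRule], policies: List[Policy]) -> Optional[Policy]:
    """NAT first, then the policy lookup: the order the thread explains."""
    return select_policy(apply_srcnat(pkt, rules), policies)


def mirrors(a: Policy, b: Policy) -> bool:
    """The two ends of one tunnel must be exact mirror images of each other."""
    return (a.src_address == b.dst_address and a.dst_address == b.src_address
            and a.sa_src_address == b.sa_dst_address
            and a.sa_dst_address == b.sa_src_address)


# Policies as posted for the two sides.
ICS_POLICY = Policy("192.168.1.0/24", "192.168.2.0/24", "65.182.111.111", "68.60.111.111")
FENCE_POLICY = Policy("192.168.2.0/24", "192.168.1.0/24", "68.60.111.111", "65.182.111.111")

# Masquerade only on the ICS side: tunnel traffic is rewritten before the policy sees it.
BROKEN_NAT = [NatRule("masquerade", out_address="65.182.111.111")]
# The accept rule from the guide, placed before the masquerade (place-before=0).
FIXED_NAT = [
    NatRule("accept", src_address="192.168.1.0/24", dst_address="192.168.2.0/24"),
    NatRule("masquerade", out_address="65.182.111.111"),
]


def demo() -> Dict[str, bool]:
    lan_to_lan = Packet("192.168.1.10", "192.168.2.20")
    lan_to_internet = Packet("192.168.1.10", "198.51.100.7")  # constructed Internet host
    return {
        "broken_hits_policy": egress(lan_to_lan, BROKEN_NAT, [ICS_POLICY]) is not None,
        "fixed_hits_policy": egress(lan_to_lan, FIXED_NAT, [ICS_POLICY]) is not None,
        "internet_still_masqueraded": apply_srcnat(lan_to_internet, FIXED_NAT).src == "65.182.111.111",
        "policies_mirror": mirrors(ICS_POLICY, FENCE_POLICY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

With the masquerade rule alone the LAN-to-LAN packet leaves with the public source address and matches no policy, which is the symptom of an empty installed-sa list and no ping across the tunnel; with the accept rule first it matches, while Internet-bound traffic is still masqueraded.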