Hi,
I want to set up a IPSec connection from MT with dynamic IP to a Juniper/ScreenOS/Firewall.
Normaly to do this with other devices you have to set IPSec in Aggressive mode and define different FQDN for each remote/dynamic device.
But with MT I'm not able to set up the FQDN.
Is this configuratione possible ?
There is any examples about this ?
regards
Stefano
Re: IPSec from dynamic IP
You can setup /ip ipsec peer with address as 0.0.0.0 and enable to generate-policy automatically.
Re: IPSec from dynamic IP
Is not clear to me the behaviours of the command "generate-policy automatically".
This should have effect for the networks behind the VPN, and not for the IP of the termination of the VPN.
With aggressive mode you should normally (Juniper and Cisco) identify the connection with a FQDN.
I tried this with presharedkey, and there is no possibility to set the FQDN.
Does I have to use certificates in this configuration?
regards
Stefano
This should have effect for the networks behind the VPN, and not for the IP of the termination of the VPN.
With aggressive mode you should normally (Juniper and Cisco) identify the connection with a FQDN.
I tried this with presharedkey, and there is no possibility to set the FQDN.
Does I have to use certificates in this configuration?
regards
Stefano
Re: IPSec from dynamic IP
I just "upgrade" my configuration to certificates/rsa signature.
And with static IP it works well.
Now I tried out to set the peer IP 0.0.0.0 and set generate policy = yes.
In this case I have to remove the policies of the "concentrator", correct?
this is the config
I tried setting on MT2 the sa-src-address=0.0.0.0 and 192.168.1.2, BUT it doesn't works 
please please help me, I'm not far I need a concrete confi example.
regards
Stefano
And with static IP it works well.
Now I tried out to set the peer IP 0.0.0.0 and set generate policy = yes.
In this case I have to remove the policies of the "concentrator", correct?
this is the config
Code: Select all
MT1 (concentrator): 192.168.1.1 (labo setup)
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/32:500 auth-method=rsa-signature certificate=cert1 \
dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=aggressive \
[b] generate-policy=yes[/b] hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=no proposal-check=obey remote-certificate=cert2 \
send-initial-contact=no
MT2 (remote office) 192.168.1.2 (labo setup)
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip ipsec peer
add address=192.168.1.1/32:500 auth-method=rsa-signature certificate=cert2 \
dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=aggressive \
[b]generate-policy=no[/b] hash-algorithm=md5 lifebytes=0 lifetime=1d \
nat-traversal=yes proposal-check=obey remote-certificate=cert1 \
send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=172.16.12.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=192.168.1.1 sa-src-address=0.0.0.0 src-address=\
192.168.10.0/24:any tunnel=yes
add action=encrypt disabled=no dst-address=10.0.0.0/8:any ipsec-protocols=esp \
level=require priority=-2147483646 proposal=default protocol=all \
sa-dst-address=192.168.1.1 sa-src-address=0.0.0.0 src-address=\
192.168.10.0/24:any tunnel=yes
please please help me, I'm not far I need a concrete confi example.
regards
Stefano
Re: IPSec from dynamic IP
I forgot:
on MT1 I get the following tn the ipsec log:
00:44:49 ipsec couldn't find configuration
Stefano
on MT1 I get the following tn the ipsec log:
00:44:49 ipsec couldn't find configuration
Stefano
Nobody can hel me configuring IPSEC qith dynamic IP ?
there is really no examples that can help to configure this ??
I configured IPsec on checkpoint/nokia/cisco/netscreen and I NEVER got so much difficulty as with MT
Stefano
I configured IPsec on checkpoint/nokia/cisco/netscreen and I NEVER got so much difficulty as with MT
Stefano
Re: IPSec from dynamic IP
It is not possible to set FQDN for the peer, the only way to use FQDN.
Setup script which resolves FQDN IP address and put it to /ip ipsec peer menu.
Certificates should be used for the IPSec peer, when on the other end certificates are used.
Setup script which resolves FQDN IP address and put it to /ip ipsec peer menu.
Certificates should be used for the IPSec peer, when on the other end certificates are used.
IPSEC and nat-traversal
I was finally able to setup a IpSec connection between a RB and a ScreenOS device, it was really not easy!
Now the problem is: I set the parameter nat-traversal=yes and anyway the Ipsec tunnel is using ESP(ip-proto=50).
I tried to block ESP on a firewall between the two Ipsec Gateway, then the ipsec stop works.
Manly using nat-traversal the device should encapsulate the traffic in a UDP packet, but this is not the case.
Any experience about nat-traversal and RouterOS ?
regards
Stefano
Now the problem is: I set the parameter nat-traversal=yes and anyway the Ipsec tunnel is using ESP(ip-proto=50).
I tried to block ESP on a firewall between the two Ipsec Gateway, then the ipsec stop works.
Manly using nat-traversal the device should encapsulate the traffic in a UDP packet, but this is not the case.
Any experience about nat-traversal and RouterOS ?
regards
Stefano
Re: IPSec from dynamic IP
Hello Stefano,
What did you need to do to get it working? I am having the same problem.
Thank you!
~Reiney
What did you need to do to get it working? I am having the same problem.
Thank you!
~Reiney
Re: IPSec from dynamic IP
wow Reiney,
you ask me a very old stuff.
Manly I decided to NOT use IPsec with mikrotik, because there is no possibility of set ipsec route based.
So, now I'm using OpenVPN.
I don't know if with the release 5 is possible to set IPSec interfaces like with OpenVPN
sorry..
regards
Stefano
you ask me a very old stuff.
Manly I decided to NOT use IPsec with mikrotik, because there is no possibility of set ipsec route based.
So, now I'm using OpenVPN.
I don't know if with the release 5 is possible to set IPSec interfaces like with OpenVPN
sorry..
regards
Stefano