leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

IPSec VPN problem [SOLVED]

Mon Feb 01, 2010 9:19 pm

Hello,

I'm trying to test IPSec without L2TP, just tunneling two LANs in tunnel mode. Both ends have a fixed & real IP address and are reachable from the Internet, so afaik I shouldn't need L2TP. Currently I'm using a preshared key. When I generate traffic from the local LAN destined to the remote LAN I get this in my log:

20:12:00 ipsec IPsec-SA request for [RemoteIP] queued due to no phase1 found.
20:12:00 ipsec initiate new phase 1 negotiation: LocalIP[500]<=>RemoteIP[500]
20:12:00 ipsec begin Identity Protection mode.
20:12:00 ipsec sendfromto failed
20:12:00 ipsec failed to begin ipsec sa negotication.

It looks like the local router tries to establish the tunnel but I get that error immediately. I have opened UDP 500 and protocol 50 (ipsec-esp) at both ends...

What am I doing wrong?

Thank you!
Last edited by leonset on Fri Feb 26, 2010 1:54 pm, edited 1 time in total.
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: IPSec VPN problem

Wed Feb 03, 2010 4:00 pm

Hi,

Has no one faced this problem before? Should I send a report to support?

Thanks,
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: IPSec VPN problem

Wed Feb 03, 2010 4:54 pm

Post the phase 1 configuration and firewall from both sides.
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: IPSec VPN problem

Wed Feb 03, 2010 6:56 pm

Hi!

Here's the IPSec config for the local router:
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=2.2.2.2/32:500 auth-method=pre-shared-key comment="" \
    dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
    dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
    generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
    nat-traversal=no proposal-check=obey secret=PASSWORD send-initial-contact=\
    yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=10.2.2.2/23:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=\
    10.1.1.1/32:any tunnel=yes
And this is the remote router:
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=1.1.1.1/32:500 auth-method=pre-shared-key comment="" \
    dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
    dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
    generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
    nat-traversal=no proposal-check=obey secret=PASSWORD send-initial-contact=\
    yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=10.1.1.1/32:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=\
    10.2.2.2/23:any tunnel=yes
The local site firewall (1.1.1.1) has nearly 150 rules right now, too many to post. I have opened everything coming from 2.2.2.2 in the input chain and everything going to 2.2.2.2 in the output chain. I have nothing in forward related to IPSec because as far as I know that chain won't be used for that traffic.

EDIT: forgot to remark that the remote firewall has currently no rules, so all traffic should flow freely.

Thank you!
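A cross-check of the two exports above, written as an added example (not code from this thread, and not a MikroTik tool): it rejoins the backslash-continued export lines, parses each `add`/`set` entry into key/value pairs, and then verifies that the two ends mirror each other (each side's peer address against the far end's `sa-src-address`, swapped policy selectors, and identical peer and proposal settings). The two exports are embedded as constructed copies of the ones posted, with `PASSWORD` kept as the poster's placeholder. The `legacy_algorithms` helper goes a step beyond the thread: it lists algorithms that are considered legacy today, and MD5 and 3DES, as used in these configs, are among them.

```python
import shlex

# Constructed copies of the two exports posted in the thread (PASSWORD is the
# poster's own placeholder); they exist only to exercise the checker.
LOCAL_EXPORT = r"""
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=2.2.2.2/32:500 auth-method=pre-shared-key comment="" \
    dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
    dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
    generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
    nat-traversal=no proposal-check=obey secret=PASSWORD send-initial-contact=\
    yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=10.2.2.2/23:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=\
    10.1.1.1/32:any tunnel=yes
"""
REMOTE_EXPORT = r"""
/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=1.1.1.1/32:500 auth-method=pre-shared-key comment="" \
    dh-group=modp1024 disabled=no dpd-interval=disable-dpd \
    dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
    generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d \
    nat-traversal=no proposal-check=obey secret=PASSWORD send-initial-contact=\
    yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=10.1.1.1/32:any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=\
    10.2.2.2/23:any tunnel=yes
"""

def parse_export(text):
    """RouterOS export fragment -> {section: [item, ...]}, item = dict of key=value words."""
    joined, buf = [], ""
    for raw in text.splitlines():                      # rejoin '\' continuation lines
        piece = raw.strip() if buf else raw.rstrip()
        if not piece:
            continue
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        joined.append(buf + piece)
        buf = ""
    sections, current = {}, None
    for line in joined:
        if line.startswith("/"):                       # section header, e.g. /ip ipsec peer
            current = line
            continue
        words = shlex.split(line)                      # handles comment="" and quoted values
        item, rest = {"_verb": words[0]}, words[1:]
        if item["_verb"] == "set" and "=" not in rest[0]:
            item["_name"] = rest.pop(0)                # 'set default ...' names the item
        for word in rest:
            key, _, value = word.partition("=")
            item[key] = value
        sections.setdefault(current, []).append(item)
    return sections

# Settings that must agree on both ends for phase 1 (peer) and phase 2 (proposal).
CHECKED = {"/ip ipsec peer": ("exchange-mode", "dh-group", "enc-algorithm", "hash-algorithm",
                              "auth-method", "nat-traversal", "secret"),
           "/ip ipsec proposal": ("auth-algorithms", "enc-algorithms", "pfs-group")}

def check_pair(local_text, remote_text):
    """Return the list of mismatches between the two ends; an empty list means consistent."""
    local, remote = parse_export(local_text), parse_export(remote_text)
    lpeer, rpeer = local["/ip ipsec peer"][0], remote["/ip ipsec peer"][0]
    lpol, rpol = local["/ip ipsec policy"][0], remote["/ip ipsec policy"][0]
    findings = []
    # Each side's peer address ('2.2.2.2/32:500') must be the address the far end sends from.
    for side, peer, pol in (("local", lpeer, rpol), ("remote", rpeer, lpol)):
        if peer["address"].split("/")[0] != pol["sa-src-address"]:
            findings.append(f"{side} peer {peer['address']} != far-end sa-src-address {pol['sa-src-address']}")
    # Traffic selectors must be mirror images (my src is your dst and vice versa).
    if (lpol["src-address"], lpol["dst-address"]) != (rpol["dst-address"], rpol["src-address"]):
        findings.append("policy src/dst selectors are not mirrored")
    for section, keys in CHECKED.items():
        a, b = local[section][0], remote[section][0]
        for key in keys:
            if a.get(key) != b.get(key):
                findings.append(f"{section} {key}: {a.get(key)} vs {b.get(key)}")
    return findings

LEGACY = {"des", "3des", "md5", "modp768"}   # constructed list of algorithms considered legacy
def legacy_algorithms(text):
    """Algorithms from the export that appear in LEGACY, sorted."""
    used = set()
    for item in (i for items in parse_export(text).values() for i in items):
        for key in ("enc-algorithm", "hash-algorithm", "enc-algorithms", "auth-algorithms"):
            used.update(a for a in item.get(key, "").split(",") if a in LEGACY)
    return sorted(used)
```

Run against the two exports as posted, `check_pair` returns no findings, which matches fewi's reading that the configuration is consistent; changing a single value on one side (for instance the peer's `dh-group`) produces one named mismatch, so the checker is a quick way to rule configuration out before looking at routing and firewalling.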
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: IPSec VPN problem

Wed Feb 03, 2010 8:56 pm

That configuration matches and phase 1 should complete successfully.

In your policy, why are you protecting only 10.1.1.1/32 on the remote end, but 10.2.2.2/23 on the local end?
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: IPSec VPN problem

Fri Feb 26, 2010 11:54 am

Hi,

In case anyone needs this:

The problem is that there was a route to the IPSec-protected remote LAN through a disabled OpenVPN interface that I had created when testing with OpenVPN... so my router couldn't reach the remote IPSec peer. I checked all settings again and now I have a working IPSec VPN, even with the remote peers behind a NAT :)

Regards,
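The root cause leonset describes, turned into a diagnostic as an added example (not code from this thread or from RouterOS): a longest-prefix lookup over a routing table that reports which route the IPsec peer and each protected remote network would take, flags a route whose interface is down, and correlates that with the `sendfromto failed` line from the log. The routing table, the interface names (`ether1-wan`, `ether2-lan`, `ovpn-test`) and the log lines are constructed for the demonstration; checking the protected networks as well as the peer address is my generalization of the thread's single case.

```python
import ipaddress

# Constructed routing table modelled on the poster's description: a stale static
# route to the remote LAN, left over from OpenVPN testing, points at an interface
# that is now disabled and sits next to the normal default route.
ROUTES = [
    {"dst": "0.0.0.0/0",   "gateway": "1.1.1.254", "interface": "ether1-wan", "up": True},
    {"dst": "10.1.1.0/24", "gateway": None,        "interface": "ether2-lan", "up": True},
    {"dst": "10.2.2.0/23", "gateway": None,        "interface": "ovpn-test",  "up": False},
]
# Constructed log lines in the format the thread shows (addresses as in the exports).
LOG = [
    "20:12:00 ipsec IPsec-SA request for 2.2.2.2 queued due to no phase1 found.",
    "20:12:00 ipsec initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]",
    "20:12:00 ipsec begin Identity Protection mode.",
    "20:12:00 ipsec sendfromto failed",
    "20:12:00 ipsec failed to begin ipsec sa negotication.",
]

def best_route(table, target):
    """Longest-prefix match for a host or network (a ':port' suffix is ignored); None if uncovered."""
    net = ipaddress.ip_network(target.split(":")[0], strict=False)
    covering = [r for r in table if net.subnet_of(ipaddress.ip_network(r["dst"]))]
    return max(covering, key=lambda r: ipaddress.ip_network(r["dst"]).prefixlen, default=None)

def diagnose(table, peer, policy_dsts, log):
    """Check every address the tunnel depends on and correlate with the IPsec log."""
    targets = [("peer", peer)] + [("protected network", d) for d in policy_dsts]
    findings = []
    for label, target in targets:
        route = best_route(table, target)
        if route is None:
            findings.append(f"{label} {target}: no route at all")
        elif not route["up"]:
            findings.append(f"{label} {target}: routed via {route['dst']} on "
                            f"{route['interface']}, which is down")
    # The log says the send itself failed; if routing is clean, the cause is elsewhere.
    if any("sendfromto failed" in line for line in log) and not findings:
        findings.append("sendfromto failed but every route is usable: look beyond routing "
                        "(firewall output chain, source address of the negotiation)")
    return findings

if __name__ == "__main__":
    for finding in diagnose(ROUTES, "2.2.2.2", ["10.2.2.2/23:any"], LOG):
        print(finding)
```

With the stale route present the only finding is the protected network sitting behind the down `ovpn-test` interface; remove that route and the same log produces the "look beyond routing" hint instead, which is the order of checks (routing first, then firewall) that the thread arrived at.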
