Hi,
I would like to evaluate an IPSEC tunnel between MT and a WatchGuard box, running standard IPSEC.
I managed to correctly build the tunnel and it works great from the WatchGuard box to MT only: the other way, it seems the MT doesn't forward the outgoing packets to the tunnel.
If I ping from 192.168.1.x (WatchGuard internal LAN) to 10.10.10.x (MT internal LAN) everything is OK, but from 10.10.10.x to 192.168.1.x it doesn't work: the packet goes out of MT without any address translation or tunnelling, although it is correctly encrypted.
In my opinion the IPSEC policy should do all the work... Do I need to manually add some route or firewall rule on MT side?
Here is my configuration (MT just set up from scratch):
/ ip ipsec policy
add src-address=10.10.10.0/24:any dst-address=192.168.1.0/24:any protocol=all \
action=encrypt level=require ipsec-protocols=esp tunnel=yes \
sa-src-address=217.141.182.122 sa-dst-address=217.141.182.98 \
proposal=Prova manual-sa=none dont-fragment=clear disabled=no
/ ip ipsec peer
add address=217.141.182.98/32:500 secret="blahblah" generate-policy=no \
exchange-mode=main send-initial-contact=yes proposal-check=exact \
hash-algorithm=md5 enc-algorithm=des dh-group=modp768 lifetime=1d \
lifebytes=0 disabled=no
/ ip ipsec proposal
add name="Prova" auth-algorithms=md5 enc-algorithms=des lifetime=1d \
lifebytes=0 pfs-group=none disabled=no
Thanx a lot for any hint.
Riccardo Leonardi
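A check worth making when outbound traffic leaves a RouterOS box in the clear is whether the packet still falls inside the policy selectors at the moment the policy is evaluated: RouterOS applies src-nat (including a default masquerade rule) before the outgoing IPsec policy lookup, so a masqueraded packet no longer matches src-address=10.10.10.0/24 and is simply routed out. The following is an added example, not part of the original post; it models that lookup with the post's own policy, and the only assumption is that the masquerade address equals the sa-src-address from the config.

```python
"""Model of the outbound IPsec policy lookup for the policy in the post.

Added example, not from the original post. Constructed inputs: the test
packets and the masquerade address (assumed to be the router's
sa-src-address, 217.141.182.122). Modelled behaviour: src-nat runs before
the outgoing policy lookup, so the rewritten source is what gets compared.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protocol: str = "all"       # protocol=all in the post's policy
    action: str = "encrypt"     # action=encrypt level=require


# The selectors exactly as configured on the MikroTik side in the post.
POLICY = Policy(ipaddress.ip_network("10.10.10.0/24"),
                ipaddress.ip_network("192.168.1.0/24"))


def matches(policy, src, dst, proto="icmp"):
    """True if (src, dst, proto) is inside the policy selectors."""
    if policy.protocol != "all" and policy.protocol != proto:
        return False
    return (ipaddress.ip_address(src) in policy.src
            and ipaddress.ip_address(dst) in policy.dst)


def outbound_decision(src, dst, masquerade_to=None, proto="icmp"):
    """What happens to a LAN packet leaving the router.

    masquerade_to models a srcnat masquerade rule that rewrites the source
    before the policy lookup; None means no NAT (or an accept rule placed
    above masquerade that exempts this traffic).
    """
    effective_src = masquerade_to or src
    if matches(POLICY, effective_src, dst, proto):
        return "encrypt"        # ESP to sa-dst-address, as intended
    return "plaintext"          # routed out untouched: the symptom in the post


if __name__ == "__main__":
    for nat in (None, "217.141.182.122"):
        print("masquerade:", nat,
              outbound_decision("10.10.10.5", "192.168.1.20", masquerade_to=nat))
```

The same comparison is what a srcnat accept rule for 10.10.10.0/24 to 192.168.1.0/24, ordered above masquerade, preserves: the source stays inside the selector and the packet takes the encrypt path.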