marcelocbf

IPSec transport mode configuration issue

Thu Sep 09, 2010 6:41 am

Hi,
Yesterday I set up an IPSec tunnel successfully, but I found out that if the remote peer went offline for some reason, the tunnel did not re-establish by itself. I kept receiving errors in the remote router's log saying "IPSec could not start the quick mode" ... So I decided to try L2TP with IPSec as transport, but for some reason IPSec does not start ... the tunnel establishes fine, but there is no sign of IPSec ... no installed SA ...
Can someone please check my configs and tell me what I am doing wrong? Thanks ...

Router 1
WAN (Static IP) - 187.XXX.XXX.30
LAN - 192.168.1.0/24

Router 2
WAN - DHCP
LAN - 192.168.2.0/24

Router 1
[admin@cmi-branch.bra] /ppp secret> print detail
Flags: X - disabled
 1   name="soho" service=l2tp caller-id="" password="123456" profile=default-encryption
     local-address=172.1.1.1 remote-address=172.1.1.2 routes="192.168.2.0/24 172.1.1.2 1" limit-bytes-in=0
     limit-bytes-out=0

[admin@cmi-branch.bra] /interface l2tp-server server> print
          enabled: yes
          max-mtu: 1460
          max-mru: 1460
             mrru: disabled
   authentication: pap,chap,mschap1,mschap2
  default-profile: default-encryption

[admin@cmi-branch.bra] /ip ipsec peer> print
Flags: X - disabled
 1   address=172.1.1.2/32:500 auth-method=pre-shared-key secret="soho_ipsec" generate-policy=yes
     exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5

Router 2
[admin@soho] /interface l2tp-client> print
Flags: X - disabled, R - running
 0  R name="l2tp-cmi" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=187.XXX.XXX.30 user="soho"
      password="123456" profile=default-encryption add-default-route=no dial-on-demand=no allow=pap,chap,mschap1,mschap2

[admin@soho] /ip ipsec peer> print
Flags: X - disabled
 1   address=172.1.1.1/32:500 auth-method=pre-shared-key secret="soho_ipsec" generate-policy=no
     exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5
     enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5

[admin@soho] /ip ipsec peer> .. policy print
Flags: X - disabled, D - dynamic, I - inactive
 0   src-address=172.1.1.2/32:any dst-address=172.1.1.1/32:any protocol=all action=encrypt level=require ipsec-protocols=esp
     tunnel=no sa-src-address=172.1.1.2 sa-dst-address=172.1.1.1 proposal=default priority=0

So, the L2TP tunnel connects fine and traffic flows in both directions, but there is no IPSec SA and no IPSec activity in the logs ...
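As an added example that is not part of the post, a small Python checker that parses the RouterOS `print` output quoted above and answers two questions a reviewer of this setup would ask: whether the two peers' phase-1 settings agree, and which flows Router 2's transport-mode policy selectors actually cover (the tunnel endpoint pair versus LAN-to-LAN traffic). The config strings are constructed from the post's output; the two LAN host addresses are assumed.

```python
import ipaddress
import re

# Constructed from the configs quoted in the post: both peers' phase-1 entries
# and Router 2's static policy, each 'print detail' entry joined onto one line.
ROUTER1_PEER = ('address=172.1.1.2/32:500 auth-method=pre-shared-key secret="soho_ipsec" '
                'generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=no '
                'proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 '
                'lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5')
# Router 2's peer entry differs from Router 1's only in the peer address and generate-policy.
ROUTER2_PEER = (ROUTER1_PEER.replace('address=172.1.1.2/32', 'address=172.1.1.1/32')
                            .replace('generate-policy=yes', 'generate-policy=no'))
ROUTER2_POLICY = ('src-address=172.1.1.2/32:any dst-address=172.1.1.1/32:any protocol=all '
                  'action=encrypt level=require ipsec-protocols=esp tunnel=no '
                  'sa-src-address=172.1.1.2 sa-dst-address=172.1.1.1 proposal=default priority=0')

# Phase-1 (ISAKMP main mode) settings that must agree on both peers.
PHASE1_KEYS = ('auth-method', 'secret', 'exchange-mode', 'hash-algorithm',
               'enc-algorithm', 'dh-group', 'nat-traversal')


def parse_routeros_line(line):
    """Turn a RouterOS 'print detail' entry into a dict of key=value pairs."""
    return dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line))


def peer_mismatches(peer_a, peer_b, keys=PHASE1_KEYS):
    """Return the phase-1 keys whose values differ between two peer entries."""
    a, b = parse_routeros_line(peer_a), parse_routeros_line(peer_b)
    return [k for k in keys if a.get(k) != b.get(k)]


def selector_network(selector):
    """'172.1.1.2/32:any' -> IPv4Network('172.1.1.2/32'); the port part is ignored."""
    return ipaddress.ip_network(selector.rsplit(':', 1)[0], strict=False)


def policy_covers(policy_line, src_ip, dst_ip):
    """True if a src->dst flow falls inside the policy's traffic selectors.
    With tunnel=no (transport mode) only packets whose own addresses match the
    selectors are protected; nothing is encapsulated on behalf of other hosts."""
    p = parse_routeros_line(policy_line)
    return (ipaddress.ip_address(src_ip) in selector_network(p['src-address'])
            and ipaddress.ip_address(dst_ip) in selector_network(p['dst-address']))


if __name__ == '__main__':
    print('phase-1 mismatches:', peer_mismatches(ROUTER1_PEER, ROUTER2_PEER))
    # Assumed sample flows: the L2TP tunnel endpoints, and one LAN host per side.
    for src, dst in (('172.1.1.2', '172.1.1.1'), ('192.168.2.10', '192.168.1.10')):
        print(f'{src} -> {dst} covered by Router 2 policy: {policy_covers(ROUTER2_POLICY, src, dst)}')
```

The phase-1 settings agree, so the check points instead at the selectors: LAN-to-LAN packets between 192.168.x hosts fall outside the 172.1.1.x/32 selectors, so only traffic exchanged between the tunnel addresses themselves would ever match this policy and trigger an SA negotiation.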