I have read the documentation ad naseum on ipsec and otherwise, but all examples refer to point-to-point links
I have a situation where I would like the microtik to have a generic setup for multiple ipsec tunnels to it from different manufactureres (eg SMC, Cisco, etc)
How to I create a generic setup on the microtik side, such that a link is created wthout knowing beforehand what the IP is going to be ?
Re: generic ipsec tunnels
if i understand you correctly, the MT has to be configured as vpn-server in ipsec aggressive-mode. a login with user-id (aka password) is possible then.
sorry to say, i havent't configured this with MT yet, but it works using a few other systems.
sorry to say, i havent't configured this with MT yet, but it works using a few other systems.
-
-
kinglestat
just joined
- Posts: 5
- Joined:
Re: generic ipsec tunnels
yes, what you say is right. That is the config I am looking for
do you have any suggestions ?
do you have any suggestions ?
What is the problem? If you are able to create one point to point IPSec tunnel, then you are able to create more simillar tunnels by adding appropriate IPSec policies, NAT and routing rules.. I think there are also some examples of how to connect MT with other devices (Cisco) in manual..
What do you mean exactly by "generic" setup? Are your clients single computers or other computer networks? Can you be more specific please?
What do you mean exactly by "generic" setup? Are your clients single computers or other computer networks? Can you be more specific please?
Re: generic ipsec tunnels
sorry, not at the moment, i am working on it.do you have any suggestions ?
-
-
kinglestat
just joined
- Posts: 5
- Joined:
I have done some testing and have manage to do some progress
I am using the MT l2pserver together with ispec, and MS win 2000 server as a client
MT
/ interface l2tp-server server
set enabled=yes max-mtu=1460 max-mru=1460 authentication=mschap2 \
default-profile=default-encryption
2 address=172.16.13.2/32:57307 secret="JuveIsTheBest" generate-policy=yes
exchange-mode=main send-initial-contact=no proposal-check=claim
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0
3 address=172.16.13.2/32:57307 secret="JuveIsTheBest" generate-policy=yes
exchange-mode=main send-initial-contact=no proposal-check=claim
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0
I src-address=192.168.0.0/23:any dst-address=192.168.2.0/24:any protocol=all
action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
sa-src-address=172.16.13.1 sa-dst-address=172.16.13.2 proposal=default
manual-sa=EHL dont-fragment=inherit
It seems that negotiation starts as from the log things seem to happen
but after it gives me phase 1 time out
I am using the MT l2pserver together with ispec, and MS win 2000 server as a client
MT
/ interface l2tp-server server
set enabled=yes max-mtu=1460 max-mru=1460 authentication=mschap2 \
default-profile=default-encryption
2 address=172.16.13.2/32:57307 secret="JuveIsTheBest" generate-policy=yes
exchange-mode=main send-initial-contact=no proposal-check=claim
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0
3 address=172.16.13.2/32:57307 secret="JuveIsTheBest" generate-policy=yes
exchange-mode=main send-initial-contact=no proposal-check=claim
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0
I src-address=192.168.0.0/23:any dst-address=192.168.2.0/24:any protocol=all
action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
sa-src-address=172.16.13.1 sa-dst-address=172.16.13.2 proposal=default
manual-sa=EHL dont-fragment=inherit
It seems that negotiation starts as from the log things seem to happen
but after it gives me phase 1 time out
