I am attempting to create a point-2-point or Branch office VPN using SSLVPN and I only seem to be able to create client-server profiles. I really need SSLVPN but also interested in L2TP and PPTP.

SPent hours last night working on IPSec and it is a nightmare and then the hard drive in my router died so I am waiting for a migrated key from Mikrotik so I can migrate to a new drive.

In any event has anyone been successfull in this regard?

Thanks

Leon D. Zetekoff, NCE
BackWoods Wireless

In any event has anyone been successfull in this regard?

Yes, I have.

L2L IPsec VPN is really easy to setup in case:
1. You have static "real" IP addresses on both VPN endpoints.
2. You know what exactly you want/need to achieve.
3. You know/understand how the IPsec works.

Please provide more info in case you need someone to help you with the configuration.

Thanks. I work with watchguards everyday so I am familiar with VPNs. Have you implemented bovpn? I'd prefer sslvpn instead of IPSec

Leon

Have you implemented bovpn? I'd prefer sslvpn instead of IPSec

Yep, we have a number of L2L VPNs (lan-to-lan, site-to-site, whatever you name it) with our partners. Strictly speaking, they are not BO (branch office) VPNs, but that's only from the business point of view- technologically they are the same. But all of them are IPsec based (kinda de facto standard).

Yeah but that's what watchguard and other vendors call it. I am also familiar with Cisco and adtran routers from a routing standpoint as I work for a carrier here in the u.s.

We tried last night attempting to connect ROS to a Pfsense firewall remotely with IPSec and failed miserably. But as I said I really need to use sslvpn for what we need to for the type of transport we need.

As I said I do not see and peer to peer sslvpn or any other tunnel type except IPSec in ROS that does p2p or am I all wet?

Leon

ok for now we're recrafting what we are doing. I have configured IPSec on both sides (my side ROS) remote side Fortinet). I added the bypass NAT in the front of the firewall config.

THe only thing that seems to be missing is routes outbound to the tunnel. I don't even see the remote tunnel as an IP address.

SO what am I missing?

Thanks leon

THe only thing that seems to be missing is routes outbound to the tunnel. I don't even see the remote tunnel as an IP address.

I don't quite understand what "the remote tunnel as an IP address" means.
Generally, for the IPsec tunnel to work you don't need to add anything special to the routing table. Defining proper IPsec policy is enough.

the policies define the local networks on each side. If I attempt to traceroute from the router across the tunnel it goes out the default route to the internet.

Obviously I am missing something

here's what I have so far:

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 disabled=no enc-algorithms=\
3des,aes-256 lifetime=1d name=default pfs-group=modp1536
add auth-algorithms=sha1 disabled=no enc-algorithms=aes-256 lifetime=1d name=\
SHA1-AES256-DH1536-1D pfs-group=modp1536

/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=10.180.17.0/24 \
src-address=10.161.51.0/24
add action=masquerade chain=srcnat disabled=no src-address=10.161.51.0/2

/ip ipsec peer
add address=64.121.177.225/32 auth-method=pre-shared-key dh-group=modp1536 \
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256 \
exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 \
lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
obey secret=shush_secret send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=10.180.17.0/24 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal=SHA1-AES256-DH1536-1D \
protocol=all sa-dst-address=64.121.177.225 sa-src-address=24.115.164.29 \
src-address=10.161.51.0/24 src-port=any tunnel=yes

Provided your local subnet is 10.161.51.0/24 and remote subnet is 10.180.17.0/24, everything looks correct.
Except this one:

ros code

/ip firewall nat
add action=masquerade chain=srcnat disabled=no src-address=10.161.51.0/2

I'm pretty sure subnet mask were meant to be /24 instead of /2.

the masquerade rule is a /24; cut-n-paste got me. ok so if this is correct why can't we tracer across?

ok so if this is correct why can't we tracer across?

That depends. How do you check? First, don't try to ping/traceroute the remote subnet from the router itself- do it from any other host in the local subnet. While it is generally possible, special care should be taken to make sure the correct source address is used, so better use another host for that.

it seems phase 1 is coming up but phase 2 is not. this is talking to a fortinet 50B which keeps telling us there are errors but doesnt seem to qualify that.

the only way phase two would come up is by turning on generate policy. also when I look at REMOTE PEERS and double click on the peers PH2 still shows 0's but we were able to pass data

definitely different than watchguards

it seems phase 1 is coming up but phase 2 is not. this is talking to a fortinet 50B which keeps telling us there are errors but doesnt seem to qualify that.

the only way phase two would come up is by turning on generate policy.

L2L should work without 'generate policy' being turned on. If phase 2 is not coming up, it is in most cases mean your phase2 proposals do not match. Phase2 proposal is what you configure in '/ip ipsec proposal', and that's what cisco defines as 'crypto ipsec transform-set ...'. Please pay attention to lifetime settings, as that's what I personally have trouble with most often.

the router crashed during this earlier so I when I get home around 4:30 P.M. EST I'll be able to see what happened.
yes that makes sense. doesn't explain why that display always shows P2 as 0 either

Leon

Turns out router did not crash. Local LAN lost its ip but also don't remember what happened on the wan side of the router.

But now p1 is down
Will have to revisit this Sunday as when the link was up with things set as generate policy all ofy traffic attempted to go out the IPSec tunnel which is not acceptable