
IPsec VPN site to site

Posted: Thu Nov 12, 2015 5:19 pm
by alexpaige
I am trying to set up a site-to-site VPN using Untangle version 11.2 as the server and a Mikrotik v6.32.3.
I ran through the setup guide here https://www.nasa-security.net/mikrotik/ ... ik-how-to/

I have attached a screenshot of the log and the error I'm getting.
fatal NO-PROPOSAL-CHOSEN notify message, phase 1 should be deleted.

I have obviously made a mistake somewhere but I'm not sure where to start.

Any help would be greatly appreciated.


Thanks

Re: IPsec VPN site to site

Posted: Sun Nov 29, 2015 10:06 pm
by jaytcsd
Have you tried this setup?

http://gregsowell.com/wp-content/plugin ... .php?id=15

I can get the routers to ping but can't get any devices behind them to see the other side of the tunnel.

Re: IPsec VPN site to site

Posted: Mon Nov 30, 2015 9:51 am
by evince
Hello,

The src-address seems to be wrong, we can see in your logs 192.168.1.2. It should be a WAN IP.

Regards,

Re: IPsec VPN site to site

Posted: Mon Nov 30, 2015 5:07 pm
by downther0ad
Hi

I was able to set up an IPsec VPN with this conf:

router_1
/ip ipsec policy>add src-address=<local_lan_router_1>/xx dst-address=<local_lan_router_2>/xx protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=<public_ip_router_1> sa-dst-address=<public_ip_router_2> proposal=default priority=0

/ip ipsec peer>add address=<public_ip_router_2> port=500 auth-method=pre-shared-key secret="some_password" exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 dpd-interval=120 dpd-maximum-failures=5

/ip firewall nat>add chain=srcnat src-address=<local_lan_router_1>/xx dst-address=<local_lan_router_2>/xx action=accept disabled=no

router_2
/ip ipsec policy>add src-address=<local_lan_router_2>/xx dst-address=<local_lan_router_1>/xx protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=<public_ip_router_2> sa-dst-address=<public_ip_router_1> proposal=default priority=0

/ip ipsec peer>add address=<public_ip_router_1> port=500 auth-method=pre-shared-key secret="some_password" exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 dpd-interval=120 dpd-maximum-failures=5

/ip firewall nat>add chain=srcnat src-address=<local_lan_router_2>/xx dst-address=<local_lan_router_1>/xx action=accept disabled=no

Regards
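The two diagnoses in this thread (evince's point that 192.168.1.2 is a LAN address where a WAN address belongs, and the mirrored peer/policy pair in the configuration above) can be checked mechanically before the tunnel is brought up. The script below is an added example written for this thread; it is not MikroTik, Untangle or any poster's code. It parses the key=value form of RouterOS `/ip ipsec ... add` commands, compares the phase-1 attributes of the two peer definitions (a responder that finds no matching proposal is what sends NO-PROPOSAL-CHOSEN), flags RFC1918 SA endpoints, and verifies that the two policies are mirror images. All IP addresses in it are constructed sample values, and `check_pair`, `endpoint_problems` and the other function names are this example's own. It does not model lifetimes or the proposal list on the Untangle side, which can also cause the same error.

```python
"""Pre-flight check for a pair of RouterOS site-to-site IPsec definitions.

Added example for this thread, not MikroTik or Untangle code. All
addresses are constructed sample values.
"""
import ipaddress
import re
import shlex

# Phase-1 (ISAKMP SA) attributes that must agree on both ends.
PHASE1_KEYS = ("exchange-mode", "auth-method", "hash-algorithm",
               "enc-algorithm", "dh-group")

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Accepts both '/ip ipsec peer>add ...' (prompt style, as posted) and '/ip ipsec peer add ...'.
_ADD_RE = re.compile(r"^\s*(/[^>]*?)\s*>?\s*add\s+(.*)$")


def parse_routeros_add(line: str) -> dict:
    """Turn '/ip ipsec peer>add k=v k2="v 2"' into a dict; the menu path is kept under '_path'."""
    m = _ADD_RE.match(line)
    if not m:
        raise ValueError(f"not a RouterOS add command: {line!r}")
    attrs = {"_path": m.group(1).strip()}
    for tok in shlex.split(m.group(2)):      # shlex strips the quotes around secret="..."
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"malformed token {tok!r}")
        attrs[key] = value
    return attrs


def phase1_mismatches(peer_a: dict, peer_b: dict) -> list:
    """Names of phase-1 attributes that differ between the two peer definitions."""
    return [k for k in PHASE1_KEYS if peer_a.get(k) != peer_b.get(k)]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def endpoint_problems(policy: dict, peer: dict) -> list:
    """Problems with the SA endpoints of one router's policy/peer pair."""
    problems = []
    for key in ("sa-src-address", "sa-dst-address"):
        if is_rfc1918(policy[key]):
            problems.append(f"{key}={policy[key]} is a private address, expected the WAN IP")
    if peer["address"] != policy["sa-dst-address"]:
        problems.append(f"peer address {peer['address']} != policy sa-dst-address {policy['sa-dst-address']}")
    return problems


def policies_mirror(pol_a: dict, pol_b: dict) -> bool:
    """True when router_2's policy is the exact mirror image of router_1's."""
    return (pol_a["src-address"] == pol_b["dst-address"]
            and pol_a["dst-address"] == pol_b["src-address"]
            and pol_a["sa-src-address"] == pol_b["sa-dst-address"]
            and pol_a["sa-dst-address"] == pol_b["sa-src-address"])


def check_pair(config_a: list, config_b: list) -> list:
    """Run every check over the two routers' command lists; returns findings (empty list = OK)."""
    a = {x["_path"]: x for x in map(parse_routeros_add, config_a)}
    b = {x["_path"]: x for x in map(parse_routeros_add, config_b)}
    findings = []
    for name in phase1_mismatches(a["/ip ipsec peer"], b["/ip ipsec peer"]):
        findings.append(f"phase-1 mismatch on {name}: "
                        f"{a['/ip ipsec peer'].get(name)} vs {b['/ip ipsec peer'].get(name)}")
    for label, cfg in (("router_1", a), ("router_2", b)):
        findings += [f"{label}: {p}" for p in
                     endpoint_problems(cfg["/ip ipsec policy"], cfg["/ip ipsec peer"])]
    if not policies_mirror(a["/ip ipsec policy"], b["/ip ipsec policy"]):
        findings.append("policies are not mirror images of each other")
    return findings


# Constructed sample: the posted configuration with the placeholders filled in.
ROUTER_1 = [
    "/ip ipsec policy>add src-address=10.1.0.0/24 dst-address=10.2.0.0/24 protocol=all "
    "action=encrypt level=require ipsec-protocols=esp tunnel=yes "
    "sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 proposal=default priority=0",
    '/ip ipsec peer>add address=198.51.100.1 port=500 auth-method=pre-shared-key secret="some_password" '
    "exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 "
    "enc-algorithm=3des dh-group=modp1024 dpd-interval=120 dpd-maximum-failures=5",
]
ROUTER_2 = [
    "/ip ipsec policy>add src-address=10.2.0.0/24 dst-address=10.1.0.0/24 protocol=all "
    "action=encrypt level=require ipsec-protocols=esp tunnel=yes "
    "sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 proposal=default priority=0",
    '/ip ipsec peer>add address=203.0.113.1 port=500 auth-method=pre-shared-key secret="some_password" '
    "exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 "
    "enc-algorithm=3des dh-group=modp1024 dpd-interval=120 dpd-maximum-failures=5",
]
# ROUTER_1 with the two mistakes discussed in the thread: a LAN address as the SA source
# and a phase-1 cipher the other side does not offer.
ROUTER_1_BROKEN = [
    ROUTER_1[0].replace("sa-src-address=203.0.113.1", "sa-src-address=192.168.1.2"),
    ROUTER_1[1].replace("enc-algorithm=3des", "enc-algorithm=aes-128"),
]

if __name__ == "__main__":
    for label, cfg in (("good pair", (ROUTER_1, ROUTER_2)),
                       ("broken pair", (ROUTER_1_BROKEN, ROUTER_2))):
        print(label, check_pair(*cfg) or ["OK"])
```

Run it as-is and the good pair reports OK while the broken pair lists the cipher mismatch, the private SA source address and the resulting non-mirrored policies. Paste your own two `add` lines into the lists to check a real pair; the script only reads them and never talks to a router.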