CCR1009 IpSec site-to-site with Checkpoint R77.30
Posted: Mon Dec 04, 2017 6:34 pm
Hi everybody,
I have a problem with the site-to-site configuration of these two devices.
The tunnel is working, but a little bit unreliable, and i getting these error messages in the log on the Mikrotik box:
peer sent packet for dead phase2.
Here is my configuration:
[admin@gw] > /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024
[admin@gw] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 R address=xxx/32 local-address=xxx/32 passive=yes auth-method=pre-shared-key secret="xxx" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey
compatibility-options=skip-peer-id-validation hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d dpd-interval=disable-dpd
[admin@gw] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * ;;; default template
group=default src-address=::/0 dst-address=::/0 protocol=all proposal=windowsproposals template=yes
1 src-address=aaa/29 src-port=any dst-address=bbb/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=xxx sa-dst-address=xxx proposal=default priority=0 ph2-count=1
Have anybody some ideas why im receiving these errors?
Thanks for your suggestions!
Regards,
Zoltan
I have a problem with the site-to-site configuration of these two devices.
The tunnel is working, but a little bit unreliable, and i getting these error messages in the log on the Mikrotik box:
peer sent packet for dead phase2.
Here is my configuration:
[admin@gw] > /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024
[admin@gw] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 R address=xxx/32 local-address=xxx/32 passive=yes auth-method=pre-shared-key secret="xxx" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey
compatibility-options=skip-peer-id-validation hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d dpd-interval=disable-dpd
[admin@gw] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * ;;; default template
group=default src-address=::/0 dst-address=::/0 protocol=all proposal=windowsproposals template=yes
1 src-address=aaa/29 src-port=any dst-address=bbb/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=xxx sa-dst-address=xxx proposal=default priority=0 ph2-count=1
Have anybody some ideas why im receiving these errors?
Thanks for your suggestions!
Regards,
Zoltan