
VPN IPSec Mikrotik Site-To-Site

Posted: Sat Aug 08, 2020 8:38 pm
by OriiOn
I fail to set up a simple IPSec VPN between two Mikrotiks. "Active Peer" shows "message 3 sent", I also see "Installed SAs", but only in "one direction", not the return key. I am on v6.47.1
Here's the setup for Mikrotik-1
/ip ipsec mode-config
add name=responder
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=3des hash-algorithm=md5
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h name=vpn-profile
/ip ipsec peer
add address=188.11.11.11/32 comment="VPN Erwin" name=Erwin profile=vpn-profile
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d pfs-group=modp2048
/ip ipsec identity
add comment="VPN Erwin" mode-config=request-only peer=Erwin secret=YSyd7
/ip ipsec policy
add comment="VPN Erwin" dst-address=192.168.30.0/24 peer=Erwin sa-dst-address=188.11.11.11 sa-src-address=88.22.22.22 src-address=192.168.2.0/24 tunnel=yes
Here's the setup for Mikrotik-2
/ip ipsec mode-config
add name=responder
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h name=vpn-profile
/ip ipsec peer
add address=88.22.22.22/32 comment="VPN Erwin" name=Erwin profile=vpn-profile
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d pfs-group=modp2048
/ip ipsec identity
add comment="VPN Erwin" mode-config=request-only peer=Erwin secret=YSyd7
/ip ipsec policy
add comment="VPN Erwin" dst-address=192.168.2.0/24 peer=Erwin sa-dst-address=88.22.22.22 sa-src-address=188.11.11.11 src-address=192.168.30.0/24 tunnel=yes
The log (only those bits that I consider meaningful)
Aug/08/2020 19:20:21 ipsec,info ipsec: ISAKMP-SA established 188.11.11.11[500]-88.22.22.22[500] spi:dcf4bd2bfae39be9:51157a322a274dd8
Aug/08/2020 19:20:21 ipsec ipsec: Configuration exchange type mode config REQUEST
Aug/08/2020 19:20:21 ipsec,debug ipsec: Attribute INTERNAL_IP4_ADDRESS, len 0
Aug/08/2020 19:20:21 ipsec ipsec: No address or pool specified!
Aug/08/2020 19:20:21 ipsec,debug ipsec: Removing PH1...
Aug/08/2020 19:20:21 ipsec,debug ipsec: sendto Information delete.
Aug/08/2020 19:20:21 ipsec,info ipsec: ISAKMP-SA deleted 188.11.11.11[500]-88.22.22.22[500] spi:dcf4bd2bfae39be9:51157a322a274dd8 rekey:1
Aug/08/2020 19:20:21 ipsec,debug ipsec: ===
Aug/08/2020 19:20:21 ipsec,info ipsec: initiate new phase 1 (Identity Protection): 188.11.11.11[500]<=>88.22.22.22[500]
Aug/08/2020 19:20:22 ipsec,debug ipsec: sendto Information notify.
Aug/08/2020 19:20:22 ipsec ipsec: 88.22.22.22 can't start the quick mode, there is no ISAKMP-SA, 188.11.11.11[500]<=>88.22.22.22[500] dcf4bd2bfae39be9:51157a322a274dd8:bf0f7bc1
So it seems ISAKMP-SA gets established, but deleted again. "No address or pool specified!" seems significant?

Re: VPN IPSec Mikrotik Site-To-Site  [SOLVED]

Posted: Sat Aug 08, 2020 8:55 pm
by sindy
In the /ip ipsec identity rows at both devices, set mode-config to none. When it is set to request-only, each peer asks the other one for an IP address assignment.
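The change sindy describes, written out as RouterOS v6 commands. This is an added example, not text from either poster: it reuses the names from OriiOn's configuration above (peer Erwin, profile vpn-profile, mode-config entry responder), the pre-shared key is a placeholder, and the print commands at the end are the standard RouterOS commands for checking that both directions of the tunnel came up.

```routeros
# Apply on BOTH Mikrotik-1 (88.22.22.22) and Mikrotik-2 (188.11.11.11).
# Added example, not the original poster's config. Names (Erwin, vpn-profile,
# responder) are taken from the configuration in the thread; the secret is a
# placeholder, use a long random pre-shared key in practice.

# A site-to-site tunnel has static subnets in the policy on both sides, so
# neither peer should request an address from the other. mode-config=none
# stops the "mode config REQUEST" that the responder answered with
# "No address or pool specified!" and then tore the ISAKMP-SA down.
/ip ipsec identity
set [ find peer=Erwin ] mode-config=none

# Equivalent when adding the identity from scratch:
# /ip ipsec identity
# add comment="VPN Erwin" mode-config=none peer=Erwin secret=<long-random-psk>

# The mode-config entry "responder" is no longer referenced and can go.
/ip ipsec mode-config
remove [ find name=responder ]

# Checks after the change: the peer should stay established, the policy
# should show ph2 state "established", and installed-sa should list one SA
# per direction (88.22.22.22 -> 188.11.11.11 and 188.11.11.11 -> 88.22.22.22),
# not just the outbound one OriiOn saw.
/ip ipsec active-peers print
/ip ipsec policy print
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

If the "No address or pool specified!" line is still logged afterwards, one of the two identities still has a mode-config set; check `/ip ipsec identity print` on both routers rather than only on the side showing the error.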

Re: VPN IPSec Mikrotik Site-To-Site

Posted: Sat Aug 08, 2020 9:10 pm
by OriiOn
This solved my problem! Wish I had asked you 5 hours ago...
Thanks so much!