Thu Aug 27, 2009 10:29 pm
Argh, usually I'm pretty good without needing to ask someone to spoon-feed me the procedure. But again I'll need help, and hopefully this will be helpful for some other people. I deleted the policy on the remote site and checked the generate policy; that works, but strangely it created not one, nor two, but three dynamic policies on the primary site, with only one remote MT 450 establishing the connection.
As soon as I change, in the primary site, the IP address of the peer to 0.0.0.0, and the SA Src Address in the remote policy to 0.0.0.0, I get into trouble... I read the ref manual again and tried to change the policy level to other settings, without better results...
Again, here is my new export:
Primary Site:
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=\
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
mysecret send-initial-contact=no
Remote Site:
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip ipsec peer
add address=69.x.x.122/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
mysecret send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.213.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=69.x.x.122 sa-src-address=0.0.0.0 src-address=\
192.168.214.0/24:any tunnel=yes
Again TY
Sabrina
Last edited by Rockyboa on Sun Aug 30, 2009 3:46 pm, edited 1 time in total.