jfoshee

IPSEC between RouterOS 750 V4.11 and Cisco ASA 5510 V8.2(1)

Fri Jun 10, 2011 12:02 am

I have set it up as described in this guide:

http://wiki.mikrotik.com/wiki/MikroTik_ ... wall_IPSEC

As I know that is a pic, there are slight differences, but this is the problem I have. The 750 never even tries to make a connection to the Cisco. The logs show no attempt. Below is my config out of the 750. Can someone point me in the right direction?

Thanks,
Josh


[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled
0 address=98.173.xxx.xxx/32:500 auth-method=pre-shared-key
secret="xxxxxxxx" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=md5 enc-algorithm=des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
[admin@MikroTik] > ip ipsec proposal print
Flags: X - disabled
0 name="default" auth-algorithms=md5 enc-algorithms=des lifetime=30m
pfs-group=modp1024
[admin@MikroTik] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=172.50.0.0/24:any dst-address=172.19.1.0/24:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=68.109.xxx.xxx sa-dst-address=98.173.xxx.xxx
proposal=default priority=0

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=172.50.0.0/24
dst-address=172.19.1.0/24

1 chain=srcnat action=masquerade out-interface=ether1-gateway

[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=ipsec-esp src-address=98.173.xxx.xxx

1 chain=customer action=accept src-address=172.19.1.0/24
dst-address=172.50.0.0/24 in-interface=ether1-gateway
out-interface=ether2-local-master

OK, digging around on the Cisco I have found these logs:

Group = 68.109.xxx.xxx, IP = 68.109.xxx.xxx, PHASE 1 COMPLETED
Group = 68.109.xxx.xxx, IP = 68.109.xxx.xxx, All IPSec SA proposals found unacceptable!
Group = 68.109.xxx.xxx, IP = 68.109.xxx.xxx, QM FSM error (P2 struct &0xda459508, mess id 0xc26c7219)!

Here is my crypto map.

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 68.109.xxx.xxx
crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

See anything that I am missing?
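A way to check the two sides' Phase 2 settings against each other, added here as an example (not from the original post, the MikroTik wiki or Cisco): it parses the RouterOS proposal and the ASA crypto map lines quoted above and reports any attribute the responder could reject. The ASA-to-RouterOS name mappings and the ASA default of group2 for a bare "set pfs" are assumptions noted in the comments.

```python
import re
from itertools import product

# Constructed from the configuration excerpts quoted in the post (not live device output).
ROS_PROPOSAL = 'name="default" auth-algorithms=md5 enc-algorithms=des lifetime=30m pfs-group=modp1024'
ASA_MAP = """crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
"""

# Assumed mappings from ASA transform-set names to RouterOS 4.x proposal values.
ASA_ENC = {"DES": "des", "3DES": "3des", "AES-128": "aes-128", "AES-192": "aes-192", "AES-256": "aes-256"}
ASA_AUTH = {"MD5": "md5", "SHA": "sha1"}
ASA_PFS = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536"}

def parse_ros_proposal(line):
    """Turn one 'ip ipsec proposal print' entry into sets of enc/auth algorithms plus the PFS group."""
    kv = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line))
    return {
        "enc": set(kv.get("enc-algorithms", "").split(",")),
        "auth": set(kv.get("auth-algorithms", "").split(",")),
        "pfs": kv.get("pfs-group", "none"),
    }

def parse_asa_map(text):
    """Collect the (enc, auth) pairs of every transform-set and the PFS group of a crypto map entry."""
    pairs, pfs = [], "none"
    for line in text.splitlines():
        m = re.search(r"set transform-set (.+)", line)
        if m:
            for name in m.group(1).split():
                ts = re.match(r"ESP-(.+)-(SHA|MD5)$", name)
                if ts:
                    pairs.append((ASA_ENC[ts.group(1)], ASA_AUTH[ts.group(2)]))
        m = re.search(r"set pfs(?:\s+(group\d+))?", line)
        if m:  # a bare 'set pfs' is assumed to mean group2 (ASA default)
            pfs = ASA_PFS.get(m.group(1) or "group2", "unknown")
    return {"pairs": pairs, "pfs": pfs}

def phase2_mismatches(ros, asa):
    """Return the reasons a responder could reject the initiator's Phase 2 (quick mode) proposal."""
    findings = []
    offered = set(product(ros["enc"], ros["auth"]))
    if not offered & set(asa["pairs"]):
        findings.append(f"no transform-set matches RouterOS enc/auth {sorted(offered)}")
    if ros["pfs"] != asa["pfs"]:
        findings.append(f"PFS differs: RouterOS pfs-group={ros['pfs']} vs ASA {asa['pfs']}")
    return findings

if __name__ == "__main__":
    for f in phase2_mismatches(parse_ros_proposal(ROS_PROPOSAL), parse_asa_map(ASA_MAP)):
        print("mismatch:", f)
```

On the quoted config the transform-set ESP-DES-MD5 matches the RouterOS des/md5 proposal, so the only attribute the check flags is PFS: the RouterOS proposal carries pfs-group=modp1024 while the quoted crypto map lines contain no "set pfs".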
jfoshee

Re: IPSEC between RouterOS 750 V4.11 and Cisco ASA 5510 V8.2

Fri Jun 10, 2011 4:48 am

OK, here is an update. All attempts so far have been from the 750 to the Cisco....

If I go from the Cisco to the 750 it works great. Here is the Cisco log:

Group = 68.109.sss.xxx, IP = 68.109.xxx.xxx, PHASE 1 COMPLETED
Group = 68.109.xxx.xxx, IP = 68.109.xxx.xxx, Security negotiation complete for LAN-to-LAN Group (68.109.xxx.xxx) Initiator, Inbound SPI = 0x3630751a, Outbound SPI = 0x01061934

Any ideas?
