
IPSec between two RouterOS

Posted: Tue Feb 24, 2015 6:33 am
by sadiqbd
I recently set up IPSec between two MikroTik routers, and NetworkA is able to access/ping NetworkB, but NetworkB cannot access NetworkA.
Where is the problem?

NetworkA
/ip ipsec export
# feb/24/2015 09:33:14 by RouterOS 6.15
# software id = BWNM-9D3P
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 enc-algorithms=3des
/ip ipsec peer
add address=124.*.226.246/32 enc-algorithm=3des hash-algorithm=md5 secret=***
/ip ipsec policy
add dst-address=192.168.2.0/24 sa-dst-address=124.*.226.246 sa-src-address=\
180.*.12.144 src-address=192.168.88.0/24 tunnel=yes


NetworkB
/ip ipsec export
# feb/24/2015 10:26:30 by RouterOS 5.25
# software id = WLV0-0GEY
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5,sha1 disabled=no enc-algorithms=\
3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=180.*.12.144/32 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
obey secret=*** send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.88.0/24 dst-port=any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=all \
sa-dst-address=180.*.12.144 sa-src-address=124.*.226.246 src-address=\
192.168.2.0/24 src-port=any tunnel=yes

Re: IPSec between two RouterOS

Posted: Wed Feb 25, 2015 9:00 pm
by Zilog
NAT bypass?

Re: IPSec between two RouterOS

Posted: Sun Mar 01, 2015 6:02 am
by sadiqbd
NAT bypass?
Yes.

Re: IPSec between two RouterOS

Posted: Mon Mar 02, 2015 9:26 pm
by Zilog
IPSec policy is different... put all of B's settings (proto and port) as a mirror at side A.
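
A mirror check of the kind suggested in the last reply, as an added example that is not part of the original thread: it parses the `/ip ipsec policy` section of two RouterOS exports and lists the fields where one side is not the mirror image of the other. The function names are hypothetical, the `DEFAULTS` table is an assumption about what a compact export omits, and both sample exports are constructed with documentation addresses.

```python
import re
import shlex

# Assumed RouterOS defaults for fields a compact export omits (assumption: verify on your version).
DEFAULTS = {
    "action": "encrypt", "level": "require", "ipsec-protocols": "esp",
    "protocol": "all", "src-port": "any", "dst-port": "any",
    "proposal": "default", "tunnel": "no",
}
# Field pairs that must appear swapped on the remote side.
SWAPPED = [("src-address", "dst-address"), ("src-port", "dst-port"),
           ("sa-src-address", "sa-dst-address")]
IGNORED = {"disabled", "priority", "comment"}  # local bookkeeping, not negotiated

# Constructed sample exports: side A is compact, side B is verbose and selects UDP only.
SIDE_A = r"""/ip ipsec policy
add dst-address=10.2.0.0/24 sa-dst-address=198.51.100.2 sa-src-address=\
    203.0.113.1 src-address=10.1.0.0/24 tunnel=yes
"""
SIDE_B = r"""/ip ipsec policy
add action=encrypt dst-address=10.1.0.0/24 dst-port=any protocol=udp \
    sa-dst-address=203.0.113.1 sa-src-address=198.51.100.2 src-address=\
    10.2.0.0/24 src-port=any tunnel=yes
"""


def parse_policies(export_text):
    """Return one dict per 'add' line under /ip ipsec policy, defaults filled in."""
    text = re.sub(r"\\\n\s*", "", export_text)  # undo export line continuations
    menu, policies = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line  # remember which menu the following lines belong to
        elif menu == "/ip ipsec policy" and line.startswith("add "):
            tokens = shlex.split(line[4:])
            fields = dict(t.split("=", 1) for t in tokens if "=" in t)
            policies.append({**DEFAULTS, **fields})
    return policies


def mirror_mismatches(local, remote):
    """List the fields where `remote` is not the mirror image of `local`."""
    expected = dict(local)
    for a, b in SWAPPED:
        expected[a], expected[b] = local.get(b), local.get(a)
    keys = (set(expected) | set(remote)) - IGNORED
    return sorted(k for k in keys if expected.get(k) != remote.get(k))
```

Comparing after the defaults are filled in keeps a compact export and a verbose export from being reported as different when only the export style differs.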