[Mikrotik] IPSec

Mike Hammett butch-mikrotik at ics-il.net
Thu Jun 12 10:59:14 CDT 2008


*bump*


----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


----- Original Message ----- 
From: "Mike Hammett" <butch-mikrotik at ics-il.net>
To: "Mikrotik discussions" <mikrotik at mail.butchevans.com>
Sent: Saturday, June 07, 2008 11:49 AM
Subject: Re: [Mikrotik] IPSec


> I had actually just gotten it fixed by trying the masquerade option before
> Butch told me to do masquerade.  That said, I have attached a map of what
> we're working with.  The NIF wireless and everything behind it cannot
> communicate with anything across the IPSec link, though everything else
> including and behind NIF router does.  Everything including and behind NIF
> router can talk to everyone else on that side of the network as well as
> the Internet.
>
>
> ----------
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
> ----- Original Message ----- 
> From: "Mike Hammett" <butch-mikrotik at ics-il.net>
> To: "Mikrotik discussions" <mikrotik at mail.butchevans.com>
> Sent: Friday, June 06, 2008 11:33 PM
> Subject: [Mikrotik] IPSec
>
>
>> I'm trying to set up a 3.10 IPSec tunnel between two Mikrotiks.  First off,
>> the manual isn't correct.  I do exactly what they say and I get an error.
>> As it turns out, you're also required to choose an AH In\Out Algorithm.
>> It also doesn't explain things well, like ah-spi.
>>
>> How do I know it's working?  I cannot ping addresses on the other side.
>>
>>
>> Side 1:
>>
>> < ICS] > /ip ipsec policy print
>> Flags: X - disabled, D - dynamic, I - inactive
>> 0   src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
>> protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
>> sa-src-address=65.182.111.111 sa-dst-address=68.60.111.111
>> proposal=default
>>     manual-sa=ah-sa1 priority=0
>> [admin at NIFence - ICS] > /ip ipsec manual-sa print
>> Flags: X - disabled, I - invalid
>> 0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
>> esp-enc-algorithm=null ah-key=64 hex characters esp-auth-key=""
>> esp-enc-key="" ah-spi=0x100/0x101
>>     esp-spi=0x100 lifetime=0s
>>
>>
>>
>> Side 2:
>>
>> [admin at Complete Fence] > /ip ipsec policy pr
>> Flags: X - disabled, D - dynamic, I - inactive
>> 0   src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
>> protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
>> sa-src-address=68.60.111.111 sa-dst-address=65.182.111.111
>> proposal=default
>>     manual-sa=ah-sa1 priority=0
>> [admin at Complete Fence] > /ip ipsec manual-sa pr
>> Flags: X - disabled, I - invalid
>> 0   name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
>> esp-enc-algorithm=null ah-key=same 64 hex characters esp-auth-key=""
>> esp-enc-key="" ah-spi=0x101/0x100
>>     esp-spi=0x100 lifetime=0s
>>
>>
>>
>> ----------
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: CF NIF IPSec issue.pdf
> Type: application/pdf
> Size: 62758 bytes
> Desc: not available
> Url : 
> http://www.butchevans.com/pipermail/mikrotik/attachments/20080607/ff575dbf/attachment.pdf
> 
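The two printouts quoted above can be checked against each other mechanically: with manual SAs, each end has to describe the same flow from the opposite direction. The script below is an added example, not part of the original thread or of RouterOS; the function names are hypothetical, the input is constructed from the settings shown in the thread, and the redacted ah-key is a placeholder. It also reports that a policy using only AH authenticates packets without encrypting them.

```python
import re

# Constructed input: the settings both routers print in the thread, merged per
# side, with the redacted ah-key replaced by a placeholder value.
SIDE1 = """src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
sa-src-address=65.182.111.111 sa-dst-address=68.60.111.111
ah-algorithm=sha1 esp-enc-algorithm=null ah-key=KEY_PLACEHOLDER ah-spi=0x100/0x101"""
SIDE2 = """src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
sa-src-address=68.60.111.111 sa-dst-address=65.182.111.111
ah-algorithm=sha1 esp-enc-algorithm=null ah-key=KEY_PLACEHOLDER ah-spi=0x101/0x100"""

# Settings that must be swapped between the ends, and ones that must match.
MIRRORED = (("src-address", "dst-address"), ("sa-src-address", "sa-dst-address"))
IDENTICAL = ("ipsec-protocols", "tunnel", "ah-algorithm", "ah-key")

def parse(text):
    """Turn RouterOS 'key=value' print output into a dict (quotes stripped)."""
    pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', text)
    return {key: value.strip('"') for key, value in pairs}

def check_pair(a, b):
    """Return a list of findings for the two ends of a manual-SA tunnel."""
    findings = []
    for left, right in MIRRORED:
        if a.get(left) != b.get(right) or a.get(right) != b.get(left):
            findings.append(f"{left}/{right} are not mirrored")
    # In the thread, one end's ah-spi pair is the other end's pair reversed.
    if a.get("ah-spi", "").split("/") != b.get("ah-spi", "").split("/")[::-1]:
        findings.append("ah-spi pairs are not mirrored")
    for key in IDENTICAL:
        if a.get(key) != b.get(key):
            findings.append(f"{key} differs between ends")
    # AH provides integrity and origin authentication, not confidentiality.
    for name, side in (("side 1", a), ("side 2", b)):
        no_esp = side.get("esp-enc-algorithm") in (None, "null")
        if side.get("ipsec-protocols") == "ah" and no_esp:
            findings.append(f"{name}: AH only, payload is not encrypted")
    return findings

if __name__ == "__main__":
    for finding in check_pair(parse(SIDE1), parse(SIDE2)):
        print(finding)
```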



