[Mikrotik] IPSec

Mike Hammett butch-mikrotik at ics-il.net
Thu Jun 19 16:43:43 CDT 2008


oh, I guess this email never made it...

[admin at CF] > /ip ipsec export
# jun/19/2008 16:25:06 by RouterOS 3.10
# software id = D302-LTT
#
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des 
lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=65.182.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
    sha1 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey 
secret=0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5 
send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.1.0/24:any 
ipsec-protocols=ah,esp level=require manual-sa=none priority=0 
proposal=default protocol=all sa-dst-address=65.182.0.0 
sa-src-address=68.60.0.0 \
    src-address=192.168.2.0/24:any tunnel=yes
[admin at CF] > /ip firewall nat export
# jun/19/2008 16:25:25 by RouterOS 3.10
# software id = D302-LTT
#
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no 
dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="" disabled=no 
out-interface=ether1


[admin at NIF] > /ip ipsec export
# jun/19/2008 16:42:13 by RouterOS 3.10
# software id = 2ZXT-3TT
#
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des 
lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=68.60.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 
disabled=no dpd-interval=20s dpd-maximum-failures=1 enc-algorithm=3des 
exchange-mode=main generate-policy=no hash-algorithm=sha1 \
    lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey 
secret=0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5 
send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.2.0/24:any 
ipsec-protocols=ah,esp level=require manual-sa=none priority=0 
proposal=default protocol=all sa-dst-address=68.60.0.0 
sa-src-address=65.182.0.0 \
    src-address=192.168.1.0/24:any tunnel=yes
[admin at NIF] > /ip firewall nat export
# jun/19/2008 16:42:15 by RouterOS 3.10
# software id = 2ZXT-3TT
#
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no 
dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface="ICS 
PPPoE"
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80 
in-interface="ICS PPPoE" protocol=tcp to-addresses=192.168.1.4 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=1600 
in-interface="ICS PPPoE" protocol=tcp to-addresses=192.168.1.4 to-ports=1600
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=554-557 
in-interface="ICS PPPoE" protocol=tcp to-addresses=192.168.1.4 
to-ports=554-557




----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


----- Original Message ----- 
From: "Butch Evans" <butche at butchevans.com>
To: "Mikrotik discussions" <mikrotik at mail.butchevans.com>
Sent: Saturday, June 14, 2008 7:07 PM
Subject: Re: [Mikrotik] IPSec


> On Thu, 12 Jun 2008, Mike Hammett wrote:
>
>>>we're working with.  The NIF wireless and everything behind it
>>>cannot communicate with anything across the IPSec link, though
>>>everything else including and behind NIF router does.  Everything
>>>including and behind NIF router can talk to everyone else on that
>>>side of the network as well as the Internet.
>
> Post the following information:
>
> /ip ipsec export
> /ip firewall nat export
>
> If I understand correctly, the "wireless client" cannot communicate
> over the tunnel, but the "security DVR" can?  Also, the workstation
> and server at the NIF side can communicate over the tunnel.  What
> kind of router is the NIF Wireless device?  If it is, also, a
> Mikrotik router, please explain a bit about its configuration.
>
> -- 
> ********************************************************************
> *Butch Evans *Professional Network Consultation *
> *Network Engineering *MikroTik RouterOS    *
> *573-276-2879 *ImageStream                       *
> *http://www.butchevans.com/ *StarOS and MORE                   *
> *Mikrotik Certified Consultant *Wired or Wireless Networks        *
> ********************************************************************
> _______________________________________________
> Mikrotik mailing list
> Mikrotik at mail.butchevans.com
> http://www.butchevans.com/mailman/listinfo/mikrotik
> 
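Added example, not code from the post or from MikroTik: a Python script that runs the consistency checks a reader would otherwise do by eye over the two exports above (CF and NIF). It assumes only what is visible in those exports; the pre-shared key is replaced by the placeholder PSK_PLACEHOLDER, the mail-wrapped lines are rejoined (RouterOS's own backslash continuations are kept), and the dst-nat port forwards are left out because they do not touch the tunnel.

```python
"""Mirror-image checks over a pair of RouterOS IPsec/NAT exports.
Added example, not code from the post: it flags policies that are not mirror
images, SA addresses that do not match the remote peer, unequal proposal or
phase-1 settings, and a srcnat chain that masquerades tunnel traffic."""
import re
import shlex

# Both exports as posted (mail-wrapped lines rejoined, RouterOS's own "\" line
# continuations kept, PSK replaced by a placeholder, dst-nat rules omitted).
CF_EXPORT = r"""
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=65.182.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
    sha1 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=PSK_PLACEHOLDER send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.1.0/24:any ipsec-protocols=ah,esp level=require manual-sa=none priority=0 proposal=default protocol=all sa-dst-address=65.182.0.0 sa-src-address=68.60.0.0 \
    src-address=192.168.2.0/24:any tunnel=yes
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=ether1
"""
NIF_EXPORT = r"""
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=68.60.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=20s dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 \
    lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=PSK_PLACEHOLDER send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.2.0/24:any ipsec-protocols=ah,esp level=require manual-sa=none priority=0 proposal=default protocol=all sa-dst-address=68.60.0.0 sa-src-address=65.182.0.0 \
    src-address=192.168.1.0/24:any tunnel=yes
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface="ICS 
PPPoE"
"""
PHASE1_KEYS = ("dh-group", "enc-algorithm", "hash-algorithm", "exchange-mode", "secret")
PHASE2_KEYS = ("auth-algorithms", "enc-algorithms", "pfs-group")

def _join_lines(text):
    """Rejoin continued lines: a trailing backslash continues the token (export
    style); a line that starts no command is mail-client wrapping."""
    out = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if out and out[-1].endswith("\\"):
            out[-1] = out[-1][:-1] + line.strip()
        elif out and not re.match(r"(/|add\b|set\b)", line):
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def parse_export(text):
    """Map each menu path (e.g. '/ip ipsec policy') to its list of entry dicts."""
    menus, menu = {}, None
    for line in _join_lines(text):
        if line.startswith("/"):
            menu = line
            menus.setdefault(menu, [])
            continue
        cmd, *tokens = shlex.split(line)  # shlex keeps "ICS PPPoE" as one value
        entry = {"_cmd": cmd}
        for tok in tokens:
            key, eq, value = tok.partition("=")
            entry[key if eq else "_name"] = value if eq else key  # bare token = item name
        menus[menu].append(entry)
    return menus

def nat_bypass_ok(menus):
    """True if srcnat accepts local->remote tunnel traffic before any masquerade/src-nat."""
    pol = menus["/ip ipsec policy"][0]
    local, remote = (pol[k].split(":")[0] for k in ("src-address", "dst-address"))
    for rule in menus["/ip firewall nat"]:
        if rule.get("chain") != "srcnat" or rule.get("disabled") == "yes":
            continue
        if rule["action"] == "accept" and (rule.get("src-address"), rule.get("dst-address")) == (local, remote):
            return True
        if rule["action"] in ("masquerade", "src-nat"):
            return False  # tunnel traffic would be rewritten before the policy matches it
    return False

def check_pair(a, b):
    """Return findings for two parsed exports; an empty list means they agree."""
    findings = []
    pa, pb = a["/ip ipsec policy"][0], b["/ip ipsec policy"][0]
    if (pa["src-address"], pa["dst-address"]) != (pb["dst-address"], pb["src-address"]):
        findings.append("policy subnets are not mirror images")
    if (pa["sa-src-address"], pa["sa-dst-address"]) != (pb["sa-dst-address"], pb["sa-src-address"]):
        findings.append("SA addresses are not mirror images")
    for side, other in ((a, b), (b, a)):  # each peer address must be the other side's SA source
        peer_ip = side["/ip ipsec peer"][0]["address"].split("/")[0]
        if peer_ip != other["/ip ipsec policy"][0]["sa-src-address"]:
            findings.append(f"peer {peer_ip} is not the remote sa-src-address")
    for menu, keys in (("/ip ipsec peer", PHASE1_KEYS), ("/ip ipsec proposal", PHASE2_KEYS)):
        findings += [f"{menu}: {k} differs" for k in keys if a[menu][0].get(k) != b[menu][0].get(k)]
    findings += [f"{n}: no srcnat accept rule for tunnel traffic ahead of masquerade"
                 for n, s in (("A", a), ("B", b)) if not nat_bypass_ok(s)]
    return findings
```

Run over the posted pair, check_pair() returns no findings: the subnets and SA addresses mirror each other, each peer entry points at the other side's sa-src-address, phase-1 and proposal settings agree, and on both routers the srcnat accept rule sits ahead of masquerade. The DPD settings differ (disabled on CF, 20s on NIF), but those are per-router settings that do not have to match, so the script does not compare them.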



