Re: [Mikrotik] VPN Questions

Mon, 5 May 2008 17:50:51 -0500 (CDT)

For IKE Identification Method they have IP Address and FQDN, so I'll go with FQDN as they don't have a static IP at this time. 

Perfect Forward Secrecy they have yes and no.

I don't see a lifetime on policy.


----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
----- Original Message ----- From: "Kevin Neal" <[EMAIL PROTECTED]> 
To: "'Mikrotik discussions'" <[email protected]>
Sent: Monday, April 21, 2008 11:08 AM
Subject: Re: [Mikrotik] VPN Questions



Form----Mikrotik Setting
IKE Mode = Exchange Mode
IKE IDMethod = Hash/Encryption (sha/3des)  --I think
IPSec Diffie-Hellman =  DH Group (1=768, 2=1024, 5=1536)
Perfect Forward Secrecy = PFS Group
Key Lifetime = Lifetime (on peer)
ISAKMP SA Lifetime = Lifetime (on policy)


I'm pretty sure that's the matchup for each question.  You need to specify
the network segments on each side of the vpn so that each side knows what to 
encrypt and what not to encrypt.  This needs to match on each side so that
the router knows what traffic to send/receive on the tunnel.

-Kevin Neal



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hammett
Sent: Monday, April 21, 2008 9:01 AM
To: Mikrotik discussions
Subject: [Mikrotik] VPN Questions

One of my customers got a CBeyond T1 and their VPN service (against
everything I told them to do).
CBeyond's VPN configuration form asks me the following questions, to which I 
haven't really encountered doing Mikrotik VPNs in the past.  Note that I
haven't done any IPSec VPNs before.

IKE Mode (Is this Mikrotik's Exchange Mode?) IKE Identification Method
IKE/IPSec Diffie-Hellman Group (options are groups 1, 2, or 5...  Mikrotik
has modp768, 1024, or 1536 Perfect Forward Secrecy Key Lifetime (Mikrotik
has a Lifetime field, but what does it match to?) ISAKMP SA Lifetime
(Mikrotik has a Lifetime field, but what does it match to?)

Also, I don't understand the need for specifying network segments on each
side of the VPN.


----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://www.butchevans.com/pipermail/mikrotik/attachments/20080421/6085e979/a
ttachment.html
_______________________________________________
Mikrotik mailing list
[email protected]
http://www.butchevans.com/mailman/listinfo/mikrotik

_______________________________________________
Mikrotik mailing list
[email protected]
http://www.butchevans.com/mailman/listinfo/mikrotik

Reply via email to