oh, I guess this email never made it...
[EMAIL PROTECTED] > /ip ipsec export
# jun/19/2008 16:25:06 by RouterOS 3.10
# software id = D302-LTT
#
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des
lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=65.182.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
sha1 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey
secret=0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5
send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.1.0/24:any
ipsec-protocols=ah,esp level=require manual-sa=none priority=0
proposal=default protocol=all sa-dst-address=65.182.0.0
sa-src-address=68.60.0.0 \
src-address=192.168.2.0/24:any tunnel=yes
[EMAIL PROTECTED] > /ip firewall nat export
# jun/19/2008 16:25:25 by RouterOS 3.10
# software id = D302-LTT
#
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no
dst-address=192.168.1.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="" disabled=no
out-interface=ether1
[EMAIL PROTECTED] > /ip ipsec export
# jun/19/2008 16:42:13 by RouterOS 3.10
# software id = 2ZXT-3TT
#
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des
lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=68.60.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024
disabled=no dpd-interval=20s dpd-maximum-failures=1 enc-algorithm=3des
exchange-mode=main generate-policy=no hash-algorithm=sha1 \
lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey
secret=0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5
send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.2.0/24:any
ipsec-protocols=ah,esp level=require manual-sa=none priority=0
proposal=default protocol=all sa-dst-address=68.60.0.0
sa-src-address=65.182.0.0 \
src-address=192.168.1.0/24:any tunnel=yes
[EMAIL PROTECTED] > /ip firewall nat export
# jun/19/2008 16:42:15 by RouterOS 3.10
# software id = 2ZXT-3TT
#
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no
dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface="ICS
PPPoE"
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=80
in-interface="ICS PPPoE" protocol=tcp to-addresses=192.168.1.4 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=1600
in-interface="ICS PPPoE" protocol=tcp to-addresses=192.168.1.4 to-ports=1600
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=554-557
in-interface="ICS PPPoE" protocol=tcp to-addresses=192.168.1.4
to-ports=554-557
----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
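To see what the second router's policy and srcnat rules above actually do to a packet, here is an added example (mine, not from the thread or from MikroTik) that re-joins the wrapped export lines and replays RouterOS-style first-match evaluation; the 192.168.3.0/24 subnet, the 198.51.100.7 destination and treating the policy's sa-src-address as the masquerade address are assumptions.

```python
import ipaddress
import shlex
# Router 2's IPsec policy and NAT rules from the thread, with the export's wrapped
# lines re-joined so each rule is one line (constructed for this example).
EXPORT = """
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.2.0/24:any ipsec-protocols=ah,esp level=require manual-sa=none priority=0 proposal=default protocol=all sa-dst-address=68.60.0.0 sa-src-address=65.182.0.0 src-address=192.168.1.0/24:any tunnel=yes
/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.2.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface="ICS PPPoE"
"""
WAN_IP = "65.182.0.0"  # the policy's sa-src-address; assumed here to be the masquerade address

def parse_export(text):
    """Map each /section header to the list of its 'add' rules as key=value dicts."""
    rules, section = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            section = line.strip()
        elif line.startswith("add ") and section:
            kv = dict(tok.split("=", 1) for tok in shlex.split(line[4:]))
            rules.setdefault(section, []).append(kv)
    return rules

def in_net(ip, spec):
    # spec looks like 192.168.1.0/24 or 192.168.1.0/24:any; an absent key matches anything
    return spec is None or ipaddress.ip_address(ip) in ipaddress.ip_network(spec.split(":")[0])

def srcnat_action(rules, src, dst, out_iface):
    """First enabled srcnat rule whose matchers all fit wins, as in a RouterOS chain."""
    for r in rules.get("/ip firewall nat", []):
        if (r.get("chain") == "srcnat" and r.get("disabled") != "yes"
                and r.get("out-interface") in (None, out_iface)
                and in_net(src, r.get("src-address")) and in_net(dst, r.get("dst-address"))):
            return r["action"]
    return "none"

def ipsec_action(rules, src, dst):
    """First enabled policy whose selectors cover the packet wins."""
    for p in rules.get("/ip ipsec policy", []):
        if p.get("disabled") != "yes" and in_net(src, p.get("src-address")) and in_net(dst, p.get("dst-address")):
            return p["action"]
    return "none"

def classify(src, dst, out_iface="ICS PPPoE"):
    rules = parse_export(EXPORT)
    nat = srcnat_action(rules, src, dst, out_iface)
    post_src = WAN_IP if nat == "masquerade" else src  # src-nat is applied before policy matching
    return nat, ipsec_action(rules, post_src, dst)
```

A host on an assumed extra subnet such as 192.168.3.0/24 is neither exempted by the accept rule nor covered by the policy, so it is masqueraded and never enters the tunnel; that is the class of mismatch worth checking for the NIF wireless segment.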
----- Original Message -----
From: "Butch Evans" <[EMAIL PROTECTED]>
To: "Mikrotik discussions" <[email protected]>
Sent: Saturday, June 14, 2008 7:07 PM
Subject: Re: [Mikrotik] IPSec
On Thu, 12 Jun 2008, Mike Hammett wrote:
> we're working with. The NIF wireless and everything behind it
> cannot communicate with anything across the IPSec link, though
> everything else including and behind NIF router does. Everything
> including and behind NIF router can talk to everyone else on that
> side of the network as well as the Internet.
Post the following information:
/ip ipsec export
/ip firewall nat export
If I understand correctly, the "wireless client" cannot communicate
over the tunnel, but the "security DVR" can? Also, the workstation
and server at the NIF side can communicate over the tunnel. What
kind of router is the NIF Wireless device? If it is, also, a
Mikrotik router, please explain a bit about its configuration.
--
********************************************************************
*Butch Evans *Professional Network Consultation *
*Network Engineering *MikroTik RouterOS *
*573-276-2879 *ImageStream *
*http://www.butchevans.com/ *StarOS and MORE *
*Mikrotik Certified Consultant *Wired or Wireless Networks *
********************************************************************
_______________________________________________
Mikrotik mailing list
[email protected]
http://www.butchevans.com/mailman/listinfo/mikrotik