Try keeping a ping session up on the inside and see if that stops. Maybe with check gateway ping on route side if that works.
Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hammett
Sent: Sunday, June 22, 2008 3:01 PM
To: Mikrotik discussions
Subject: Re: [Mikrotik] IPSec

It started working, and then stopped again.

[EMAIL PROTECTED] > /log print detail
time=dec/31/1969 18:00:13 topics=system,info message="router rebooted"
time=dec/31/1969 18:00:20 topics=ipsec,ike message="@(#) racoon / MikroTik"
time=dec/31/1969 18:00:20 topics=ipsec,ike message="@(#)This product linked OpenSSL 0.9.8a 11 Oct 2005 (http://www.openssl.org/)"
time=dec/31/1969 18:00:20 topics=pppoe,ppp,info message="ICS PPPoE: initializing..."
time=dec/31/1969 18:00:20 topics=pppoe,ppp,info message="ICS PPPoE: dialing..."
time=dec/31/1969 18:00:22 topics=wireless,info message="00:15:6D:50:17:[EMAIL PROTECTED] established connection on 5765, SSID ICS4"
time=dec/31/1969 18:00:23 topics=pppoe,ppp,info message="ICS PPPoE: authenticated"
time=dec/31/1969 18:00:23 topics=pppoe,ppp,info message="ICS PPPoE: connected"
time=dec/31/1969 18:00:23 topics=system,info message="dns changed"
time=15:45:25 topics=system,info,account message="user admin logged in from 10.1.5.8 via winbox"
time=15:47:29 topics=system,info,account message="user admin logged in from 10.1.1.254 via winbox"
time=15:51:41 topics=system,info,account message="user admin logged in from 65.182.0.0 via winbox"
time=16:02:41 topics=pptp,info message="TCP connection established from 65.182.0.0"
time=16:02:41 topics=pptp,ppp,info message="<pptp-0>: waiting for call..."
time=16:02:42 topics=pptp,ppp,info message="<pptp-0>: authenticated"
time=16:02:43 topics=pptp,ppp,info message="<pptp-0>: connected"
time=16:02:43 topics=pptp,ppp,info,account message="mhammett logged in, 192.168.1.252"
time=16:02:44 topics=pptp,ppp,info message="<pptp-mhammett>: using encoding - MPPE128 stateless"
time=16:05:59 topics=ipsec,ike message="IPsec-SA request for 68.60.0.0 queued due to no phase1 found."
time=16:05:59 topics=ipsec,ike message="initiate new phase 1 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
time=16:05:59 topics=ipsec,ike message="begin Identity Protection mode."
time=16:05:59 topics=ipsec,ike message="received Vendor ID: DPD"
time=16:05:59 topics=ipsec,ike message="ISAKMP-SA established 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
time=16:06:00 topics=ipsec,ike message="initiate new phase 2 negotiation: 65.182.0.0[500]<=>68.60.0.0[500]"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=206061190(0xc483e86)"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 68.60.0.0[0]->65.182.0.0[0] spi=55768677(0x352f665)"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=172198929(0xa438c11)"
time=16:06:00 topics=ipsec,ike message="IPsec-SA established: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=148960180(0x8e0f3b4)"
time=16:18:13 topics=pptp,ppp,info,account message="mhammett logged out, 931 242052 1589758 2478 2689"
time=16:18:13 topics=pptp,ppp,info message="<pptp-mhammett>: terminating... - call cleared"
time=16:18:13 topics=pptp,ppp,info message="<pptp-mhammett>: disconnected"
time=16:19:44 topics=ipsec,ike message="purging ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=148960180."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=172198929."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=55768677."
time=16:19:44 topics=ipsec,ike message="purged IPsec-SA spi=206061190."
time=16:19:44 topics=ipsec,ike message="purged ISAKMP-SA spi=2cd56cea0b29c949:1769b0ce00a81785."
time=16:19:44 topics=ipsec,ike message="unknown Informational exchange received."
time=16:19:45 topics=ipsec,ike message="ISAKMP-SA deleted 65.182.0.0[500]-68.60.0.0[500] spi:2cd56cea0b29c949:1769b0ce00a81785"
time=16:36:01 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
time=16:36:11 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
time=16:36:21 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:d2d03e78"
time=16:36:31 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"
time=16:36:41 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"
time=16:36:51 topics=ipsec,ike message="can't start the quick mode, there is no ISAKMP-SA, 2cd56cea0b29c949:1769b0ce00a81785:b5739b39"

[EMAIL PROTECTED] > /log print detail
time=16:42:38 topics=ipsec,ike message="initiate new phase 2 negotiation: 68.60.0.0[500]<=>65.182.0.0[500]"
time=16:42:38 topics=ipsec,ike message="none message must be encrypted"
time=16:42:48 topics=ipsec,ike message="none message must be encrypted"
time=16:42:58 topics=ipsec,ike message="none message must be encrypted"
time=16:43:08 topics=ipsec,ike message="65.182.0.0 give up to get IPsec-SA due to time up to wait."
time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=125157313(0x775bfc1)"
time=16:43:08 topics=ipsec,ike message="IPsec-SA expired: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=41544484(0x279eb24)"
time=16:43:08 topics=ipsec,ike message="initiate new phase 2 negotiation: 68.60.0.0[500]<=>65.182.0.0[500]"
time=16:43:08 topics=ipsec,ike message="none message must be encrypted"
time=16:43:18 topics=ipsec,ike message="none message must be encrypted"
time=16:43:28 topics=ipsec,ike message="none message must be encrypted"
time=16:43:38 topics=ipsec,ike message="65.182.0.0 give up to get IPsec-SA due to time up to wait."
time=16:43:38 topics=ipsec,ike message="IPsec-SA expired: AH/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=61961499(0x3b1751b)"
time=16:43:38 topics=ipsec,ike message="IPsec-SA expired: ESP/Tunnel 65.182.0.0[0]->68.60.0.0[0] spi=23323416(0x163e318)"

----------
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

----- Original Message -----
From: "Mike Hammett" <[EMAIL PROTECTED]>
To: "Mikrotik discussions" <[email protected]>
Sent: Thursday, June 19, 2008 11:05 AM
Subject: Re: [Mikrotik] IPSec

> Actually, the darn thing stopped working once it started and without any
> changes to either side.
> :-\
>
> [EMAIL PROTECTED] > /ip ipsec policy print detail
> Flags: X - disabled, D - dynamic, I - inactive
> 0 src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
> protocol=all action=encrypt level=require ipsec-protocols=ah,esp
> tunnel=yes
> sa-src-address=68.60.0.0 sa-dst-address=65.182.0.0
> proposal=default manual-sa=none priority=0
> [EMAIL PROTECTED] > /ip ipsec proposal print detail
> Flags: X - disabled
> 0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
> pfs-group=modp1024
> [EMAIL PROTECTED] > /ip ipsec peer print detail
> Flags: X - disabled
> 0 address=65.182.0.0/32:500 auth-method=pre-shared-key
> secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5 "
> generate-policy=no exchange-mode=main send-initial-contact=yes
> nat-traversal=no
> proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
> dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
> dpd-maximum-failures=5
> [EMAIL PROTECTED] > /ip ipsec installed-sa print detail
> Flags: A - AH, E - ESP, P - pfs
>
>
>
>
> [EMAIL PROTECTED] > /ip ipsec policy print detail
> Flags: X - disabled, D - dynamic, I - inactive
> 0 src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
> protocol=all action=encrypt level=require ipsec-protocols=ah,esp
> tunnel=yes
> sa-src-address=65.182.0.0 sa-dst-address=68.60.0.0
> proposal=default manual-sa=none priority=0
> [EMAIL PROTECTED] > /ip ipsec proposal print detail
> Flags: X - disabled
> 0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
> pfs-group=modp1024
> [EMAIL PROTECTED] > /ip ipsec peer print detail
> Flags: X - disabled
> 0 address=68.60.0.0/32:500 auth-method=pre-shared-key
> secret="0DC6F9434775ADB16D0C7353C0BAB75ED6A397CEB814D2A36A9CAD8FB003CEC5 "
> generate-policy=no exchange-mode=main send-initial-contact=yes
> nat-traversal=no
> proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
> dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=20s
> dpd-maximum-failures=1
> [EMAIL PROTECTED] > /ip ipsec installed-sa print detail
> Flags: A - AH, E - ESP, P - pfs
>
>
> ----------
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
> ----- Original Message -----
> From: "Mike Hammett" <[EMAIL PROTECTED]>
> To: "Mikrotik discussions" <[email protected]>
> Sent: Saturday, June 07, 2008 11:49 AM
> Subject: Re: [Mikrotik] IPSec
>
>
>> I had actually just gotten it fixed by trying the masquerade option before
>> Butch told me to do masquerade. That said, I have attached a map of what
>> we're working with. The NIF wireless and everything behind it cannot
>> communicate with anything across the IPSec link, though everything else
>> including and behind NIF router does. Everything including and behind NIF
>> router can talk to everyone else on that side of the network as well as the
>> Internet.
>>
>>
>> ----------
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>>
>> ----- Original Message -----
>> From: "Mike Hammett" <[EMAIL PROTECTED]>
>> To: "Mikrotik discussions" <[email protected]>
>> Sent: Friday, June 06, 2008 11:33 PM
>> Subject: [Mikrotik] IPSec
>>
>>
>>> I'm trying to setup a 3.10 IPSec tunnel between two Mikrotiks. First off,
>>> the manual isn't correct. I do exactly what they say and I get an error.
>>> As it turns out, you're also required to choose an AH In\Out Algorithm.
>>> It also doesn't explain things well, like ah-spi.
>>>
>>> How do I know it's working? I cannot ping addresses on the other side.
>>>
>>>
>>> Side 1:
>>>
>>> < ICS] > /ip ipsec policy print
>>> Flags: X - disabled, D - dynamic, I - inactive
>>> 0 src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
>>> protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
>>> sa-src-address=65.182.111.111 sa-dst-address=68.60.111.111
>>> proposal=default
>>> manual-sa=ah-sa1 priority=0
>>> [EMAIL PROTECTED] - ICS] > /ip ipsec manual-sa print
>>> Flags: X - disabled, I - invalid
>>> 0 name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
>>> esp-enc-algorithm=null ah-key=64 hex characters esp-auth-key=""
>>> esp-enc-key="" ah-spi=0x100/0x101
>>> esp-spi=0x100 lifetime=0s
>>>
>>>
>>>
>>> Side 2:
>>>
>>> [EMAIL PROTECTED] Fence] > /ip ipsec policy pr
>>> Flags: X - disabled, D - dynamic, I - inactive
>>> 0 src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
>>> protocol=all action=encrypt level=require ipsec-protocols=ah tunnel=yes
>>> sa-src-address=68.60.111.111 sa-dst-address=65.182.111.111
>>> proposal=default
>>> manual-sa=ah-sa1 priority=0
>>> [EMAIL PROTECTED] Fence] > /ip ipsec manual-sa pr
>>> Flags: X - disabled, I - invalid
>>> 0 name="ah-sa1" ah-algorithm=sha1 esp-auth-algorithm=null
>>> esp-enc-algorithm=null ah-key=same 64 hex characters esp-auth-key=""
>>> esp-enc-key="" ah-spi=0x101/0x100
>>> esp-spi=0x100 lifetime=0s
>>>
>>>
>>>
>>> ----------
>>> Mike Hammett
>>> Intelligent Computing Solutions
>>> http://www.ics-il.com
>>>
>>> -------------- next part --------------
>>> An HTML attachment was scrubbed...
>>> URL:
>>> http://www.butchevans.com/pipermail/mikrotik/attachments/20080606/9f93d5 8b/attachment.html
>>> _______________________________________________
>>> Mikrotik mailing list
>>> [email protected]
>>> http://www.butchevans.com/mailman/listinfo/mikrotik
>>>
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: CF NIF IPSec issue.pdf
>> Type: application/pdf
>> Size: 62758 bytes
>> Desc: not available
>> Url :
>> http://www.butchevans.com/pipermail/mikrotik/attachments/20080607/ff575d bf/attachment.pdf
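
Added example, not part of the original thread: a Python comparison of the two routers' `/ip ipsec peer print detail` and `/ip ipsec policy print detail` entries quoted above, listing the peer settings that differ between the two ends and checking that the policies mirror each other. The sample text is constructed from the values shown in the thread, with the pre-shared key replaced by a placeholder; the function names are hypothetical.

```python
import shlex

# Constructed sample built from the values quoted in the thread; the
# pre-shared key is replaced by a placeholder.
PEER_A = """0 address=65.182.0.0/32:500 auth-method=pre-shared-key
 secret="PLACEHOLDER" generate-policy=no exchange-mode=main
 send-initial-contact=yes nat-traversal=no proposal-check=obey
 hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
 lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5"""
PEER_B = """0 address=68.60.0.0/32:500 auth-method=pre-shared-key
 secret="PLACEHOLDER" generate-policy=no exchange-mode=main
 send-initial-contact=yes nat-traversal=no proposal-check=obey
 hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
 lifebytes=0 dpd-interval=20s dpd-maximum-failures=1"""
POLICY_A = """0 src-address=192.168.2.0/24:any dst-address=192.168.1.0/24:any
 protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
 sa-src-address=68.60.0.0 sa-dst-address=65.182.0.0 proposal=default"""
POLICY_B = """0 src-address=192.168.1.0/24:any dst-address=192.168.2.0/24:any
 protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
 sa-src-address=65.182.0.0 sa-dst-address=68.60.0.0 proposal=default"""

# Field pairs that must be swapped between the two ends of a tunnel policy.
MIRRORED = [("src-address", "dst-address"), ("sa-src-address", "sa-dst-address")]

def parse_entry(text):
    """Parse one 'print detail' entry into {key: value}; quotes are honoured."""
    return dict(tok.split("=", 1) for tok in shlex.split(text) if "=" in tok)

def peer_differences(a_text, b_text, ignore=("address",), hide=("secret",)):
    """Return {key: (a, b)} for peer settings that differ; secrets are masked."""
    a, b = parse_entry(a_text), parse_entry(b_text)
    out = {}
    for key in sorted(set(a) | set(b)):
        if key not in ignore and a.get(key) != b.get(key):
            out[key] = ("<hidden>",) * 2 if key in hide else (a.get(key), b.get(key))
    return out

def policy_mirror_errors(a_text, b_text):
    """Return the fields where side B is not the mirror image of side A."""
    a, b = parse_entry(a_text), parse_entry(b_text)
    pairs = MIRRORED + [(right, left) for left, right in MIRRORED]
    return [left for left, right in pairs if a.get(left) != b.get(right)]

if __name__ == "__main__":
    print("peer differences:", peer_differences(PEER_A, PEER_B))
    print("policy mirror errors:", policy_mirror_errors(POLICY_A, POLICY_B))
```

On the values from the thread this reports matching, mirrored policies and two peer settings that differ between the ends, `dpd-interval` and `dpd-maximum-failures`.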

