I just realized this was not included.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=juniper pfs-group=none
/ip ipsec peer
add address=216.231.x.x/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=1m dpd-maximum-failures=2 enc-algorithm=3des exchange-mode=aggressive generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=10h my-id-user-fqdn=[email protected] nat-traversal=yes port=500 proposal-check=obey send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.94.64.16/29 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=juniper protocol=all sa-dst-address=216.231.x.x sa-src-address=0.0.0.0 src-address=5.1.1.10/32 src-port=any tunnel=yes
add action=encrypt disabled=no dst-address=10.94.64.16/29 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=juniper protocol=all sa-dst-address=216.231.x.x sa-src-address=0.0.0.0 src-address=192.168.100.0/24 src-port=any tunnel=yes
Jerry Roy
Sr. Systems Engineer
MTCNA/MTCRE/MTCTCE
<http://www.ipass.com/>
1 949 681 5054
1 562 305 9545 Cell
Managed Network Services
An iPass Company
125 Technology Drive Suite 100
Irvine, CA 92618
Read and share our white paper - The Next Generation Network: "Why the Distributed Enterprise Should Consider Multi-circuit WAN VPN Solutions" <http://bit.ly/julyMNSWP>
iPass.com/blog <http://www.ipass.com/blog> | facebook.com/iPass <http://www.facebook.com/ipass> | twitter.com/iPass <http://www.twitter.com/ipass/>
On Tue, Oct 23, 2012 at 4:23 PM, Jerry Roy <[email protected]> wrote:
> All,
>
> We have an IPsec hub and spoke design. I have a 750GL (spoke) that is
> connected via IPsec back to a Juniper (hub). I initiate the connection from
> the 750 and it creates a tunnel (2 SAs) and then I can ping to a device
> sitting behind the Juniper. If I try to ping back from the device behind
> the Juniper to a loopback address applied to the 750, it creates another
> set of SAs (now I have 4 SAs). This should not happen. The spokes should
> be the initiator and ONLY the initiator because all spoke locations (750s)
> are either static, DHCP or PPPoE. My question is, since the SA is already
> created by the spoke as the initiator (I have 2 SAs per connection to be
> exact), should the traffic from behind the Juniper already utilize the
> tunnel that was created by the spoke? Why does another tunnel (2 SAs) get
> created? If I clear the connection on the Juniper and start a ping from the
> device sitting behind it to the spoke, it creates a tunnel, and then when I start
> a ping from the spoke to the device behind the Juniper, it utilizes the
> existing tunnel and passes traffic. A second set of SAs does not get
> created.
>
>
> # oct/23/2012 21:27:52 by RouterOS 5.21
> # software id = 182Q-xxxx
> #
> /interface bridge
> add name=loopback1
> /interface ethernet
> set 0 name=ether1-gateway
> set 1 name=ether2-master-local
> set 2 master-port=ether2-master-local name=ether3-slave-local
> set 3 master-port=ether2-master-local name=ether4-slave-local
> set 4 master-port=ether2-master-local name=ether5-slave-local
> /ip hotspot user profile
> set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
> /ip ipsec proposal
> add name=juniper pfs-group=none
> /ip pool
> add name=default-dhcp ranges=192.168.100.10-192.168.100.254
> /ip dhcp-server
> add add-arp=yes address-pool=default-dhcp disabled=no interface=ether2-master-local name=default
> /ip address
> add address=192.168.100.1/24 comment="default configuration" interface=ether2-master-local
> add address=50.104.x.x/30 interface=ether1-gateway
> add address=5.1.1.10/32 interface=loopback1 network=5.1.1.10
> /ip dhcp-server network
> add address=192.168.100.0/24 comment="default configuration" dns-server=208.67.220.220,208.67.222.222 gateway=192.168.100.1
> /ip dns
> set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
> /ip dns static
> add address=192.168.88.1 name=router
> /ip firewall filter
> add chain=input comment="default configuration" protocol=icmp
> add chain=input comment="default configuration" connection-state=established
> add chain=input comment="default configuration" connection-state=related
> add chain=input dst-address=5.1.1.10 dst-port=161 protocol=udp src-address=10.94.64.16/29
> add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=68.167.x.x/24
> add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=68.106.x.x/26
> add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=68.106.x.x
> add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=10.94.x.x/29
> add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=216.231.x.x/24
> add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=216.231.x.x/24
> add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=76.168.x.x
> add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
> /ip firewall nat
> add chain=srcnat dst-address=10.94.64.16/29 src-address=192.168.100.0/24
> add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway src-address=192.168.100.0/24
> /ip firewall service-port
> set sip disabled=yes
> /ip ipsec peer
> add address=216.231.198.14/32 dpd-interval=1m dpd-maximum-failures=2 exchange-mode=aggressive hash-algorithm=sha1 lifetime=10h my-id-user-fqdn=[email protected]
> /ip ipsec policy
> add dst-address=10.94.64.16/29 proposal=juniper sa-dst-address=216.231.x.x sa-src-address=0.0.0.0 src-address=5.1.1.10/32 tunnel=yes
> add dst-address=10.94.64.16/29 proposal=juniper sa-dst-address=216.231.x.x sa-src-address=0.0.0.0 src-address=192.168.100.0/24 tunnel=yes
> /ip neighbor discovery
> set ether1-gateway disabled=yes
> /ip route
> add distance=1 gateway=50.104.x.x
> /system identity
> set name=CS750-10
> /system logging
> add topics=snmp
> /system ntp client
> set enabled=yes mode=unicast primary-ntp=50.116.38.157 secondary-ntp=208.38.65.35
> /system scheduler
> add interval=10s name=schedule1 on-event=ping-vpn policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start-date=may/15/2012 start-time=22:08:12
> /system script
> add name=ping-vpn policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=":put [/ping interface=loopback1 10.94.64.19 count=5]"
> add name=email-reboots policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=":while ( [:pick [/system clock get date] 7 11]<\"2003\" ) do={ :delay 10s }\r\n/log info \"time updated; uptime: \$[/system resource get uptime]\"\r\n:local es \"\$[/system identity get name] rebooted on \$[/system clock get date] \$[/system clock get time]\"\r\n:delay 90s\r\n:local eb \"Log contents (with 90 seconds delay):\\r\\n\"\r\n:foreach le in=[/log print as-value] do={\r\n :set eb \"\$eb\$[:pick [:tostr [:pick \$le 1]] 5 100] \$[:pick [:tostr [:pick \$le 2]] 7 100]: \$[:pick [:tostr [:pick \$le 3]] 8 1000]\\r\\n\"\r\n}"
> /tool mac-server
> add disabled=no interface=ether2-master-local
> add disabled=no interface=ether3-slave-local
> add disabled=no interface=ether4-slave-local
> add disabled=no interface=ether5-slave-local
> /tool mac-server mac-winbox
> set [ find default=yes ] disabled=yes
> add interface=ether2-master-local
> add interface=ether3-slave-local
> add interface=ether4-slave-local
> add interface=ether5-slave-local
> [admin@CS750-10] >
>
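Added example, not part of Jerry's post or the iPass configuration: the proposal and peer from the export above with the weak settings replaced, as a hardening reference for this kind of spoke. The posted peer uses IKEv1 aggressive mode with a pre-shared key, 3DES, SHA-1 and modp1024, and the phase-2 proposal disables PFS. In aggressive mode the PSK-derived HASH payload travels unencrypted, so anyone who captures the exchange (or who knows the spoke's user-fqdn ID and can initiate to the hub) can attack the PSK offline; 3DES and a 1024-bit DH group are below current minimums. The block assumes RouterOS v6 on the spoke (aes-256-cbc, sha256 and modp2048 are not all available on the 5.21 in the export) and that the Juniper side is changed to match. Addresses and the `juniper` proposal name are taken from the export; the certificate names and the PSK placeholder are illustrative.

```routeros
# Added example, not from the original export. Assumes RouterOS v6 on the spoke
# and matching algorithm settings on the Juniper hub. Replace 216.231.x.x with
# the hub's real address, as in the export.

# Phase 2: AES-256 with SHA-256 integrity and PFS, instead of 3des / sha1 / pfs-group=none.
/ip ipsec proposal
set [ find name=juniper ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m

# Phase 1, minimum change: same peer, stronger algorithms. Still aggressive mode + PSK
# because the spokes have dynamic addresses, so the PSK must be long and random;
# the aggressive-mode HASH can be captured and brute-forced offline.
/ip ipsec peer
set [ find address=216.231.x.x/32 ] enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    lifetime=8h nat-traversal=yes dpd-interval=1m dpd-maximum-failures=2 \
    secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"

# Preferred: drop aggressive mode. Main mode with a PSK needs a static spoke address
# (the hub selects the PSK by source IP before it learns the ID), so dynamic spokes
# should authenticate with certificates instead. The certificate names are
# placeholders for the spoke's and hub's certificates imported under /certificate.
/ip ipsec peer
set [ find address=216.231.x.x/32 ] exchange-mode=main auth-method=rsa-signature \
    certificate=spoke-cs750-10 remote-certificate=hub-juniper
```

Apply the proposal change first and confirm with `/ip ipsec installed-sa print` that the new SAs show the AES-256/SHA-256 pair before touching the peer; the hub must accept the same proposal or the spoke, which has `proposal-check=obey` in the export, will silently negotiate down to whatever the hub offers.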
_______________________________________________
Mikrotik mailing list
[email protected]
http://www.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS