We CAN communicate in one direction, so all traffic on the LAN going through
the masquerade works outbound, such as VoIP phones and SSL to the internet.
Coming back through the tunnel to monitor the Mikrotik via a loopback address is
the issue. The Juniper head end shows it has SAs in both directions, so the
traffic is being denied somewhere else down the link on its way back to the
MT.


Keep us posted on the Los Angeles training! ;) I sure hope you can fit the
IPv6 in at that time as well!

*Jerry Roy*
Sr. Systems Engineer
MTCNA/MTCRE/MTCTCE


Unity Network Services

*An iPass Company*



On Mon, Jul 22, 2013 at 2:46 PM, Butch Evans <[email protected]> wrote:

> On 07/22/2013 03:22 PM, Jerry Roy wrote:
>
>> We have 4 att locations that will not encrypt ipsec traffic in both
>> directions. We see traffic from MT to our Juniper Head End bytes increasing
>> under the SA but ZERO bytes increasing coming back. We believe it has to do
>> with an att registration page that was not utilized during the self install
>> by the customer. Any way to get the MT to simulate web browser capabilities
>> so I can activate and fix this issue? Any ideas?
>>
>> Anyone else seen the one way encrypt I describe?
>>
>
> The "one way encrypt" is probably one of 2 things:
>
> 1. Your tunnel is not established completely and traffic is being routed
> by the MT side over the tunnel, but NOT on the other end.  This is likely
> to only be possible if the end on the MT side has public IPs on the LAN
> side of the router.
>
> 2. If you cannot communicate from LAN to LAN, then it is probable that one
> or more of the IPSEC settings are different on the 2 endpoints.
>
> Getting the MT to simulate what you want is unlikely.  You MAY want to
> turn on web-proxy and see if you can make it do what you want from your
> browser via the proxy.  Not sure that will work, but it's worth a shot.
>
> --
> Butch Evans
> 702-537-0979
> Network Support and Engineering
> http://store.wispgear.net/
> http://www.butchevans.com/