Hi All,

I have a config for a customer and I would like to modify the design.
Currently I have IPsec LAN-to-LAN between a Juniper 5200 and MT 750s. Each
MT 750 has a unique LAN subnet. I want to change the design so I can have
the same LAN subnet at all locations but use the loopback address for the
monitoring vs the LAN IP address. I have this deployed with 2000 Cisco
1811s but now want to duplicate it with 750s. I have included the IPsec export.
Could someone please review and make a recommendation?

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
    name=juniper pfs-group=none
/ip ipsec peer
add address=216.231.x.x/32 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=1m dpd-maximum-failures=2 enc-algorithm=3des \
    exchange-mode=aggressive generate-policy=no hash-algorithm=sha1 lifebytes=0 \
    lifetime=10h my-id-user-fqdn=SVNCHS-*******City@*******.com \
    nat-traversal=yes port=500 proposal-check=obey \
    secret=******************************************* send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.94.64.16/29 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=juniper protocol=all \
    sa-dst-address=216.231.x.x sa-src-address=0.0.0.0 \
    src-address=192.168.98.0/24 src-port=any tunnel=yes
add action=encrypt disabled=no dst-address=10.94.64.16/29 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=juniper protocol=all \
    sa-dst-address=216.231.x.x sa-src-address=0.0.0.0 src-address=5.1.0.8/32 \
    src-port=any tunnel=yes
[admin@SVNCHS-xxxxxxxcity] >

Thanks for your input as always.

Jerry Roy
Sr. Systems Engineer
MTCNA/MTCRE/MTCTCE
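Editor's note: the following Python script is an added review aid, not the poster's configuration or anything from MikroTik. It parses a RouterOS '/ip ipsec' export of the shape quoted above (backslash-continued lines), flags the settings a reviewer would raise (3DES, modp1024, SHA-1, no PFS, aggressive mode with a pre-shared key), and tests the design question in the message: when every site protects the same 192.168.98.0/24 LAN, a single hub receives identical traffic selectors from each site, while per-site loopback /32 policies stay distinct. The sample export is condensed and constructed from the posted one; the hub address (203.0.113.1, documentation space), the identities and the secret are placeholders.

```python
"""Review a RouterOS '/ip ipsec' export for weak settings and selector overlap.

Added example, not the poster's code. Assumes a single hub peer and that
policy src-address selectors are what the hub uses to tell sites apart.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a condensed form of the posted export. The masked hub
# address and secret are replaced by placeholders so the text parses.
SITE_A_EXPORT = r"""
/ip ipsec proposal
add auth-algorithms=sha1 enc-algorithms=3des lifetime=30m name=juniper pfs-group=none
/ip ipsec peer
add address=203.0.113.1/32 auth-method=pre-shared-key dh-group=modp1024 \
    enc-algorithm=3des exchange-mode=aggressive hash-algorithm=sha1 \
    my-id-user-fqdn=site-a@example.com secret=PLACEHOLDER-PSK
/ip ipsec policy
add action=encrypt dst-address=10.94.64.16/29 proposal=juniper \
    sa-dst-address=203.0.113.1 src-address=192.168.98.0/24 tunnel=yes
add action=encrypt dst-address=10.94.64.16/29 proposal=juniper \
    sa-dst-address=203.0.113.1 src-address=5.1.0.8/32 tunnel=yes
"""
# A second site with the same LAN subnet but its own loopback (constructed).
SITE_B_EXPORT = SITE_A_EXPORT.replace("site-a@", "site-b@").replace("5.1.0.8/32", "5.1.0.9/32")

# Settings a reviewer would flag, keyed by RouterOS parameter name.
WEAK = {
    "enc-algorithm":   {"3des": "3DES has a 64-bit block (Sweet32); prefer AES"},
    "enc-algorithms":  {"3des": "3DES has a 64-bit block (Sweet32); prefer AES"},
    "dh-group":        {"modp1024": "1024-bit DH is deprecated; use modp2048 or stronger"},
    "pfs-group":       {"modp1024": "1024-bit DH is deprecated; use modp2048 or stronger",
                        "none": "no PFS: compromise of the IKE SA exposes past ESP traffic"},
    "hash-algorithm":  {"sha1": "SHA-1 is deprecated for new deployments; prefer sha256"},
    "auth-algorithms": {"sha1": "SHA-1 is deprecated for new deployments; prefer sha256"},
}


def parse_export(text):
    """Return {section: [ {param: value}, ... ]} from a RouterOS export.

    A trailing backslash continues the command on the next line, as in a
    real export; both 'add' and 'set' commands are recorded.
    """
    sections = defaultdict(list)
    section = None
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        cmd = " ".join(pending)
        pending = []
        if cmd.startswith("/"):
            section = cmd
        elif cmd.split()[0] in ("add", "set"):
            sections[section].append(dict(re.findall(r"([\w-]+)=(\S+)", cmd)))
    return sections


def review_crypto(sections):
    """List weak proposal/peer settings, one finding per parameter."""
    findings = []
    for sec in ("/ip ipsec proposal", "/ip ipsec peer"):
        for entry in sections.get(sec, []):
            for key, bad in WEAK.items():
                val = entry.get(key)
                if val in bad:
                    findings.append(f"{sec}: {key}={val}: {bad[val]}")
            if entry.get("exchange-mode") == "aggressive" and entry.get("auth-method") == "pre-shared-key":
                findings.append(f"{sec}: aggressive mode with a pre-shared key sends the "
                                "identity in the clear and exposes the PSK hash to offline "
                                "guessing; use main mode (or IKEv2) with a strong PSK")
    return findings


def selector_conflicts(exports):
    """Map each tunnel src-address announced by more than one site to those sites.

    Two sites protecting the same src-address give the hub two SAs with the
    same selector, so return traffic cannot be steered to the right site;
    a unique /32 loopback per site does not collide.
    """
    by_selector = defaultdict(list)
    for site, text in exports.items():
        for pol in parse_export(text).get("/ip ipsec policy", []):
            if pol.get("tunnel") == "yes" and "src-address" in pol:
                by_selector[ipaddress.ip_network(pol["src-address"])].append(site)
    return {str(net): sites for net, sites in by_selector.items() if len(sites) > 1}


if __name__ == "__main__":
    for finding in review_crypto(parse_export(SITE_A_EXPORT)):
        print("crypto:", finding)
    for sel, sites in selector_conflicts({"site-a": SITE_A_EXPORT, "site-b": SITE_B_EXPORT}).items():
        print(f"selector {sel} is announced by {sites}; the hub cannot tell these sites apart")
```

Run against the two constructed sites, the selector check reports only 192.168.98.0/24, which is the point of monitoring over the loopback: the /32 policies remain unique per site even when the LAN subnet is repeated everywhere. The crypto findings apply to the posted export as-is and are independent of the redesign.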
_______________________________________________
Mikrotik mailing list
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS