Mikrotik
===========
Mikrotik does not have a clear demarcation between Phase 1 and Phase 2. However, the peer settings can be regarded as Phase 1, and the policy and proposal (esp-des-md5) can be regarded as Phase 2. We will establish a policy-based VPN tunnel between a Mikrotik and a Juniper. The algorithms, DH group and pre-shared key must be identical on both ends or Phase 1 will never complete. Note that DES, MD5 and DH group 1 (modp768) are obsolete and give no meaningful protection today; use them only where interoperability with legacy equipment forces it, and otherwise choose AES, SHA-2 and DH group 14 or higher on both sides. Here is the configuration.
Mikrotik 450G
==============
Peer: Address: <peer-address>
port:500
Auth. Method: pre shared key
Secret: <secret> (must be identical to the Preshared Key entered on the Juniper)
Exchange Mode: main
Send Initial Contact: enable
NAT Traversal: do not enable
Proposal check: obey
Hash Algorithm: md5
Encryption Algorithm: des
DH Group: modp768 (this is the same as DH group 1, matching the "g1" in the Juniper proposal)
Generate Policy: do not enable
Other settings: leave at their defaults.
Policy, General tab:
Src. Address / Dst. Address: the local private subnet and the remote private subnet (the same pair used in the Juniper policy)
Action tab:
Action: encrypt
Level: unique
IPsec Protocols: esp
Tunnel: enable
SA Src. Address: <Local Public IP>
SA Dst. Address: <Remote public IP>
Proposal: default
Proposal (the "default" proposal referenced above, under IPsec > Proposals):
Auth Algorithms: md5
Enc Algorithms: des
PFS Group: none
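The same Mikrotik configuration expressed as RouterOS 6.x terminal commands, added here as an example and not taken from the original post. The addresses (203.0.113.1 for the Mikrotik WAN, 198.51.100.1 for the Juniper WAN, 192.168.1.0/24 and 192.168.2.0/24 for the two LANs) and the secret are placeholders of my choosing. The firewall and NAT-bypass rules are not part of the Winbox walkthrough above, but on a Mikrotik that masquerades its LAN they are needed for the tunnel to carry traffic.

```routeros
# RouterOS 6.x (before 6.43) syntax. Placeholders: 203.0.113.1 = Mikrotik WAN,
# 198.51.100.1 = Juniper WAN, 192.168.1.0/24 = Mikrotik LAN, 192.168.2.0/24 = Juniper LAN.

# Phase 1 (the "peer" in Winbox). Legacy algorithms as in the walkthrough; hash,
# encryption and DH group must match the Juniper Phase 1 proposal pre-g1-des-md5.
/ip ipsec peer add address=198.51.100.1/32 port=500 auth-method=pre-shared-key \
    secret="ChangeMe-shared-secret" exchange-mode=main send-initial-contact=yes \
    nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=des \
    dh-group=modp768 generate-policy=no

# Phase 2 proposal; must match the Juniper Phase 2 proposal nopfs-esp-des-md5.
/ip ipsec proposal set [ find name="default" ] auth-algorithms=md5 enc-algorithms=des pfs-group=none

# Policy: which traffic is encrypted, and between which two gateways.
/ip ipsec policy add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 protocol=all \
    action=encrypt level=unique ipsec-protocols=esp tunnel=yes \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 proposal=default

# Input firewall: allow IKE (UDP/500) and ESP (IP protocol 50) from the peer.
# If these are dropped the Mikrotik never answers and the initiator only sees
# Phase 1 retransmissions until its retry limit is reached.
/ip firewall filter add chain=input protocol=udp dst-port=500 src-address=198.51.100.1 \
    action=accept place-before=0 comment="IKE from Juniper"
/ip firewall filter add chain=input protocol=ipsec-esp src-address=198.51.100.1 \
    action=accept place-before=0 comment="ESP from Juniper"

# NAT bypass: LAN-to-LAN traffic must not be masqueraded, or it never matches the
# IPsec policy and leaves the router in clear text with the WAN source address.
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    action=accept place-before=0 comment="no NAT for IPsec traffic"

# Verification after both sides are configured.
/ip ipsec remote-peers print      # state should be "established"
/ip ipsec installed-sa print      # one ESP SA for each direction
/log print where topics~"ipsec"   # negotiation errors appear here
```

On RouterOS 6.43 and later the hash, encryption, DH group, NAT traversal and proposal-check settings moved into /ip ipsec profile, and the authentication method and secret into /ip ipsec identity; the peer entry then only holds the address, exchange mode and a reference to the profile. The proposal, policy and firewall commands are unchanged.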
Juniper SSG-350M
==================
Click VPNs > AutoKey Advanced > Gateway
Click New
Gateway Name: Site B GW
Security Level: Custom
Remote Gateway: Click Static, and enter IP address: <peer IP>
Preshared Key: <secret>
Outgoing Interface: untrust (or whichever interface goes out to the Internet)
Click Advanced
Phase 1 Proposal: pre-g1-des-md5 (pre-shared key, DH group 1, DES, MD5: this must match the Mikrotik peer's Hash Algorithm md5, Encryption Algorithm des and DH Group modp768; the predefined pre-g1-des-sha would only negotiate if the Mikrotik hash were changed to sha1)
Mode (Initiator): Main
Click Return
Click OK
Click Autokey IKE
Click New
VPN Name: Site B VPN
Security Level: Custom
Remote Gateway: Click Predefined, and select Site B GW from the pulldown menu
Click Advanced
Phase 2 Proposal: nopfs-esp-des-md5
Bind to: None
Click Return
Click OK
Click Policy
Select From Trust to Untrust Zone, and click New
Source Address: Click New Address : <Private network src>
Destination Address: Click New Address: <Private network dest>
Service: Any
Action: Tunnel
Tunnel: Site B VPN
Modify matching bidirectional VPN policy: Enabled
Click OK
Position at Top: Enabled
3 comments:
Hi,
I did it like this on both sides and it does not work. I get this log on the Juniper: info IKE<a.b.c.d> Phase 1: Retransmission limit has been reached.
Mine also does not work. I got this message, can you give me any clue?
2016-02-12 17:44:29 info IKE<103.247.121.74>: Received initial contact notification and removed Phase 1 SAs.
2016-02-12 17:44:29 info IKE<103.247.121.74>: Received initial contact notification and removed Phase 2 SAs.
2016-02-12 17:44:29 info IKE<103.247.121.74>: Received a notification message for DOI <1> <24578> .
2016-02-12 17:44:29 info IKE<103.247.121.74> Phase 1: Completed Main mode negotiations with a <28800>-second lifetime.
2016-02-12 17:44:29 info IKE<103.247.121.74> Phase 1: Responder starts MAIN mode negotiations.
http://blog.rlufe.kz/2016/03/mikrotik-routeros-ipsec-vpn-site-to.html#more