VPN
Sergey nix, 2021-02-07 10:33:37

Problem with IPsec Mikrotik?

I am setting up an IPsec tunnel between a Mikrotik and Kerio Control. When I create the policy, for some reason it lights up red, and there are no packets.
Here is the config itself:
/ip ipsec peer
add address=80.210.222.**/32 exchange-mode=ike2 name=peer passive=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1536 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des
/ip ipsec identity
add generate-policy=port-override peer=peer secret=** *******
/ip ipsec policy
add dst-address=10.251.0.0/22 peer=peer src-address=10.0.1.0/24 tunnel=yes

P.S. I did it using a working template from a similar situation.

2 answers
CityCat4, 2021-02-08
@CityCat4

The policy is red because there are no corresponding Peer and Identity settings, or they are incorrect / not applicable.
Here is a proposal I use for one office that is a little sick in the head:

/ip ipsec proposal
add auth-algorithms=sha256,sha1,md5 enc-algorithms=\
    aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm lifetime=1h

The point is to let the other side choose and see what they choose. "There" I have a Cisco, and it selects auth sha1 and the aes256-cbc cipher suite.
In general, in such cases you turn on the log. Also, remove the passive, let the Mikrotik do it itself and look at the errors.
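As an added illustration of the advice above (not the questioner's config and not CityCat4's), here is a RouterOS fragment where the peer, identity, proposal and policy all reference each other by name, with static policy generation turned off and IPsec logging enabled so a mismatch shows up in the log instead of just a red policy. The remote address, PSK and object names are placeholders; the subnets are the ones from the question.

```routeros
# Added example: a consistent IKEv2 peer/identity/policy set for chasing a red policy.
# Assumptions: remote gateway 203.0.113.10 (placeholder for the masked address),
# PSK "CHANGE-ME-PSK" (placeholder), local LAN 10.0.1.0/24, remote LAN 10.251.0.0/22.

# Phase 1 parameters live in the profile; keep them to one strong set once the
# wide "let the other side choose" proposal has shown what the peer actually picks.
/ip ipsec profile
add name=kerio-profile dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 nat-traversal=no

# Phase 2 parameters; sha256 + aes-256-cbc + PFS, no md5/sha1/3des left in the list.
/ip ipsec proposal
add name=kerio-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h

# Peer references the profile; no passive=yes, so this side will also initiate
# and any negotiation error is logged here.
/ip ipsec peer
add name=kerio address=203.0.113.10/32 exchange-mode=ike2 profile=kerio-profile

# Identity references the peer by name. generate-policy=no because the policy
# below is written by hand; a generated policy and a static one can conflict.
/ip ipsec identity
add peer=kerio auth-method=pre-shared-key secret="CHANGE-ME-PSK" generate-policy=no

# The static policy references both the peer and the proposal.
/ip ipsec policy
add peer=kerio proposal=kerio-proposal tunnel=yes src-address=10.0.1.0/24 dst-address=10.251.0.0/22 action=encrypt level=require

# Log IKE negotiation (without per-packet noise) to memory for /log print.
/system logging
add topics=ipsec,!packet action=memory

# Checks: the policy should carry the A (active) flag, the peer should appear in
# active-peers, and installed-sa should list an SA pair once phase 2 is up.
/ip ipsec policy print
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

If the policy stays red, `/log print where topics~"ipsec"` on this box will show which of the peer, identity or proposal parameters the Kerio side rejected.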

Smoke User, 2021-02-09
@Astarot

exchange-mode=ike2
Just do ike
