Mikrotik
Andrey, 2017-01-28 16:13:02

Why is encryption disabled when I enable dynamic routing?

Good afternoon, friends!
I set up the scheme on test devices (rb750, rb951), with the latest firmware 6.38.1 and the default configuration (I only changed the addresses: 88.0/24 and 99.0/24).
L2TP server and client, with the box checked to use IPsec; all policies are created dynamically, and everything works fine in this mode! SAs are created.
BUT! As soon as I set up dynamic routing (OSPF), the encryption was gone :(
SAs are not installed.
And dynamic policies are not created either.
Tell me, how can I restore the encryption?
Here is the configuration:

# jan/30/2017 13:39:06 by RouterOS 6.38.1
# software id = N65M-чччW
#
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/ip pool
add name=default-dhcp ranges=192.168.99.10-192.168.99.40
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master-local \
    lease-time=4w2d10m name=default
/routing ospf area
set [ find default=yes ] disabled=yes
/routing ospf instance
set [ find default=yes ] disabled=yes
add name=area1 router-id=10.10.1.1
/routing ospf area
add area-id=0.0.0.1 default-cost=1 inject-summary-lsas=no instance=area1 name=\
    area1 type=stub
/interface l2tp-server server
set enabled=yes ipsec-secret=777888 use-ipsec=yes
/ip address
add address=192.168.99.254/24 comment="default configuration" interface=\
    ether2-master-local network=192.168.99.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no \
    interface=ether1-gateway
/ip dhcp-server network
add address=192.168.99.0/24 comment="default configuration" dns-server=\
    192.168.99.254 gateway=192.168.99.254
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=\
    established
add action=accept chain=input comment="default configuration" connection-state=\
    related
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=ether1-gateway
add action=accept chain=forward comment="default configuration" \
    connection-state=established
add action=accept chain=forward comment="default configuration" \
    connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=\
    invalid disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
/ppp secret
add local-address=10.10.1.1 name=test password=555 profile=default-encryption \
    remote-address=10.10.1.2 service=l2tp
/routing ospf network
add area=area1 network=192.168.99.0/24
add area=area1 network=10.10.1.2/32
/system clock
set time-zone-name=Europe/Moscow
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
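An added example, not from the question or from MikroTik: a small Python parser for the RouterOS export format shown above, run over a constructed excerpt of that configuration, with the checks a reviewer would make before trusting the tunnel: IPsec enforced on the L2TP server, pre-shared key length (the 16-character threshold is an assumption), a WAN input drop rule left disabled, and OSPF advertising an L2TP peer address, which is exactly the combination under which the question's SAs went missing.

```python
import re
import shlex

# Constructed excerpt of the export in the question (same values, fewer sections).
EXPORT = r"""/interface l2tp-server server
set enabled=yes ipsec-secret=777888 use-ipsec=yes
/ip firewall filter
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=ether1-gateway
/ppp secret
add local-address=10.10.1.1 name=test password=555 profile=default-encryption \
    remote-address=10.10.1.2 service=l2tp
/routing ospf network
add area=area1 network=192.168.99.0/24
add area=area1 network=10.10.1.2/32
"""

def parse_export(text):
    """Parse a RouterOS export into {section: [entry, ...]}; entry = {key: value}."""
    joined = re.sub(r"\\\n\s*", "", text)  # fold '\'-continued lines
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # section header, e.g. "/ip firewall filter"
            current = sections.setdefault(line, [])
            continue
        body = re.sub(r"\[.*?\]", "", line)  # drop "[ find default=yes ]" selectors
        _verb, *tokens = shlex.split(body)  # shlex keeps comment="a b" as one token
        current.append(dict(tok.partition("=")[::2] for tok in tokens))
    return sections

def check_l2tp_ipsec(cfg, min_psk_len=16):  # 16 is an assumed threshold
    """Return findings a reviewer would raise before trusting the tunnel is encrypted."""
    findings = []
    srv = cfg.get("/interface l2tp-server server", [{}])[0]
    if srv.get("use-ipsec") != "yes" or not srv.get("ipsec-secret"):
        findings.append("l2tp-server: IPsec not enforced")
    elif len(srv["ipsec-secret"]) < min_psk_len:
        findings.append("l2tp-server: short ipsec-secret (pre-shared key)")
    ospf_nets = {n.get("network") for n in cfg.get("/routing ospf network", [])}
    for sec in cfg.get("/ppp secret", []):
        peer = sec.get("remote-address")
        if sec.get("service") == "l2tp" and f"{peer}/32" in ospf_nets:
            findings.append(f"ospf: {peer} is an L2TP peer; confirm an installed SA for it")
    for rule in cfg.get("/ip firewall filter", []):
        if rule.get("chain") == "input" and rule.get("action") == "drop" and rule.get("disabled") == "yes":
            findings.append(f"firewall: input drop on {rule.get('in-interface')} is disabled")
    return findings
```

Fed the full export above instead of the excerpt, the parser skips the `#` header lines and merges the repeated `/routing ospf area` section, and the same three findings come back.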

1 answer(s)
Andrey, 2017-01-31
@andrey71

Miracle!!! A miracle of miracles happened!
In desperation, almost ready to sit down and write static routes, I tried playing around with the firmware.
And after going through the versions, everything worked on this combination:
Server - 6.39rc20
Client - 6.37.4 (bugfix only)
Everything is dynamic. Everything is encrypted. Hooray!
Thanks to everyone who responded! Thanks to you, I was sure I was doing everything right!
