[strongSwan] strongswan with mikrotik
zux
zux at pie-dabas.net
Tue Jul 27 10:34:51 CEST 2010
Hello,

I'm new to strongswan and ipsec and I'm having problems with configuring
strongswan to work with a mikrotik router. The strange thing is that
mikrotik is able to initiate the connection and everything works then,
but strongswan cannot initiate the connection. The problem is that if
the strongswan box is rebooted, the connection is not reestablished
until I reset it from the mikrotik side. The configuration on the
mikrotik is the same as others that work well between other mikrotik
boxes. Besides, I have changed the lifetime on mikrotik from 1 day to
one hour, and then if I reboot strongswan, the connection is established
after that hour (or less, if the connection was up for some time).

I'm sorry if this problem has nothing to do with strongswan, but maybe
someone can give some useful tips.

The error on Mikrotik when strongswan tries to connect is this:
Recieved ISAKMP packet from <strongswan IP>, phase 1, Identity Protection
responding phase 1, starting mode Identity Protection (local <mikrotik
IP>:500)(remote <strongswan IP>)
no acceptable proposal found (remote unknown)
failed to process packet

This is the mikrotik configuration:

Ipsec Policy:
    Src. Address: 192.168.1.0/24
    Dst. Address: 192.168.156.0/24
    Action: encrypt
    Level: require
    IPsec Protocols: esp
    Tunnel = yes
    SA Src. Address: <mikrotik IP>
    SA Dst. Address: <strongswan IP>
    Proposal: pleskava
    Manual SA: None

IPsec Peer:
    Address: <strongswan IP>
    Port: 500
    Secret: <password>
    Exchange Mode: main
    Send initial Contact = yes
    Proposal Check: obey
    Hash Algorithm: sha
    Encrypt Algorithm: 3des
    DH Group: modp1024
    Generate policy = yes
    Lifetime: 1d 00:00:00

Ipsec Proposal:
    Name: pleskava
    Auth. Algorithms: md5
    Encr. Algorithms: 3des
    Lifetime: 01:00:00
    PFS Group: none

and this is the strongswan configuration:

root@kristaps:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=all
        uniqueids=yes

conn %default
        keyingtries=0
        authby=rsasig

conn riga
        left=<strongswan IP>
        leftsubnet=192.168.156.0/24
        right=<mikrotik IP>
        rightsubnet=192.168.1.0/24
        keyexchange=ike
        authby=secret
        auth=esp
        ike=3des-md5-modp1024
        esp=3des-md5-modp1024
        pfs=no
        type=tunnel
        auto=start

root@kristaps:~# cat /etc/ipsec.secrets
<strongswan IP> <mikrotik IP> : PSK "password"
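
An added example, not part of the original post: the MikroTik log reports "no acceptable proposal found" while responding in phase 1, so this script compares the phase 1 values from the two configurations posted above field by field. The alias table (treating MikroTik's "sha" as SHA-1) and all function names are assumptions made for the illustration.

```python
# Added example: compare the IKE phase 1 transform strongSwan offers (ike=)
# with the MikroTik "IPsec Peer" settings. Values are copied from the post.

# Assumed name mapping between the two configuration vocabularies.
ALIASES = {"sha": "sha1", "sha1": "sha1", "md5": "md5", "3des": "3des"}

def parse_ike(value):
    """Parse an ipsec.conf ike= value into (proposals, strict).

    Each proposal is 'encryption-hash-dhgroup'; several may be
    comma-separated and a trailing '!' marks the list as strict.
    """
    strict = value.endswith("!")
    proposals = []
    for item in value.rstrip("!").split(","):
        parts = item.strip().lower().split("-")
        if len(parts) != 3:
            raise ValueError(f"expected enc-hash-dh, got {item!r}")
        enc, hash_, dh = (ALIASES.get(p, p) for p in parts)
        proposals.append({"enc": enc, "hash": hash_, "dh": dh})
    return proposals, strict

def phase1_mismatches(ike_value, peer):
    """For each offered proposal, return the fields that differ from the peer."""
    want = {k: ALIASES.get(v.lower(), v.lower()) for k, v in peer.items()}
    proposals, _ = parse_ike(ike_value)
    return [
        {k: (p[k], want[k]) for k in ("enc", "hash", "dh") if p[k] != want[k]}
        for p in proposals
    ]

def acceptable(ike_value, peer):
    """True if at least one offered proposal matches the peer exactly."""
    return any(not diff for diff in phase1_mismatches(ike_value, peer))

# MikroTik "IPsec Peer": Encrypt Algorithm, Hash Algorithm, DH Group as posted.
MIKROTIK_PEER = {"enc": "3des", "hash": "sha", "dh": "modp1024"}
# strongSwan "conn riga": ike= value as posted.
STRONGSWAN_IKE = "3des-md5-modp1024"

if __name__ == "__main__":
    for diff in phase1_mismatches(STRONGSWAN_IKE, MIKROTIK_PEER):
        for field, (offered, expected) in diff.items():
            print(f"{field}: strongSwan offers {offered}, peer expects {expected}")
    print("acceptable:", acceptable(STRONGSWAN_IKE, MIKROTIK_PEER))
```

The same comparison can be repeated for phase 2 by passing the esp= value and the fields of the "pleskava" proposal.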