[strongSwan] strongswan with mikrotik

Andreas Steffen andreas.steffen at strongswan.org
Tue Jul 27 11:49:18 CEST 2010


And if you set

ike=3des-sha1-modp1024
esp=3des-md5

Regards

Andreas

On 27.07.2010 10:34, zux wrote:
> Hello,
> I'm new to strongswan and ipsec and I'm having problems with configuring 
> strongswan to work with mikrotik router, the strange thing is that 
> mikrotik is able to initiate the connection and everything works then, 
> but strongswan can not initiate the connection. The problem is, that if 
> the strongswan box is rebooted, the connection is not reestablished 
> until I reset it from the mikrotik side. The configuration on the 
> mikrotik is the same as others that work well between other mikrotik
> boxes. Besides, I have changed the lifetime on mikrotik from 1 day to
> one hour, and then if I reboot strongswan, the connection is established
> after that hour. (or less, if the connection was up for some time)
> I'm sorry if this problem has nothing to do with strongswan, but maybe 
> someone can give some useful tips.
> 
> The error on Mikrotik, when strongswan tries to connect is this:
> 
> Recieved ISAKMP packet from <strongswan IP>, phase 1, Identity Protection
> responding phase 1, starting mode Identity Protection (local <mikrotik 
> IP>:500)(remote <strongswan IP>)
> no acceptable proposal found (remote unknown)
> failed to process packet
> 
> This is the mikrotik configuration:
> 
> Ipsec Policy:
>      Src. Address: 192.168.1.0/24
>      Dst. Address: 192.168.156.0/24
>      Action: encrypt
>      Level: require
>      IPsec Protocols: esp
>      Tunnel = yes
>      SA Src. Address: <mikrotik IP>
>      SA Dst. Address: <strongswan IP>
>      Proposal: pleskava
>      Manual SA: None
> 
> IPsec Peer:
>      Address: <strongswan IP>
>      Port: 500
>      Secret: <password>
>      Exchange Mode: main
>      Send initial Contact = yes
>      Proposal Check: obey
>      Hash Algoritm: sha
>      Encrypt Algorithm: 3des
>      DH Group: modp1024
>      Generate policy = yes
>      Lifetime: 1d 00:00:00
> 
> Ipsec Proposal:
>      Name: pleskava
>      Auth. Algorithms: md5
>      Encr. Algorithms: 3des
>      Lifetime: 01:00:00
>      PFS Goup: none
> 
> 
> and this is the strongswan configuration:
> root@kristaps:~# cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> 
> config setup
>      interfaces="ipsec0=eth0"
>      klipsdebug=none
>      plutodebug=all
>       uniqueids=yes
> 
> conn %default
>      keyingtries=0
>      authby=rsasig
> 
> conn riga
>      left=<stronswan IP>
>      leftsubnet=192.168.156.0/24
>      right=<mikrotik IP>
>      rightsubnet=192.168.1.0/24
>      keyexchange=ike
>      authby=secret
>      auth=esp
>      ike=3des-md5-modp1024
>      esp=3des-md5-modp1024
>      pfs=no
>      type=tunnel
>      auto=start
> 
> 
> root@kristaps:~# cat /etc/ipsec.secrets
> <strongswan IP> <mikrotik IP> : PSK "password"
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
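
As an added example (not part of the original thread and not strongSwan code), the Python script below compares the ike= and esp= lines of a conn section with the peer's phase 1 and phase 2 settings and lists every field that differs. The inline configs and peer values are copied from the messages above; the function names and the mapping of Mikrotik's `sha` to strongSwan's `sha1` are assumptions, the latter based on the reply.

```python
import re

ALIASES = {"sha": "sha1"}  # assumption: Mikrotik "sha" corresponds to strongSwan "sha1"

def parse_proposal(value):
    """Split a single proposal such as '3des-sha1-modp1024' into its fields."""
    parts = [ALIASES.get(p, p) for p in value.strip().rstrip("!").lower().split("-")]
    dh = next((p for p in parts[2:] if p.startswith("modp")), None)
    return {"encr": parts[0], "hash": parts[1] if len(parts) > 1 else None, "dh": dh}

def conn_proposals(conf_text, conn):
    """Return the parsed ike= and esp= proposals of one conn section."""
    found, in_conn = {}, False
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # header: "conn riga", "config setup"
            in_conn = line.split() == ["conn", conn]
            continue
        m = re.match(r"\s+(ike|esp)\s*=\s*(\S+)", line)
        if in_conn and m:
            found[m.group(1)] = parse_proposal(m.group(2))
    return found

def differences(local, peer):
    """List (keyword, field, local value, peer value) for every field that differs."""
    out = []
    for key in ("ike", "esp"):
        for field in ("encr", "hash", "dh"):
            mine = local[key][field]
            theirs = ALIASES.get(peer[key][field], peer[key][field])
            if mine != theirs:
                out.append((key, field, mine, theirs))
    return out

# Peer settings from the quoted Mikrotik configuration:
# "IPsec Peer" is phase 1, "Ipsec Proposal" pleskava is phase 2 (PFS group none).
PEER = {"ike": {"encr": "3des", "hash": "sha", "dh": "modp1024"},
        "esp": {"encr": "3des", "hash": "md5", "dh": None}}

POSTED = "conn riga\n     ike=3des-md5-modp1024\n     esp=3des-md5-modp1024\n"
SUGGESTED = "conn riga\n     ike=3des-sha1-modp1024\n     esp=3des-md5\n"

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, differences(conn_proposals(conf, "riga"), PEER))
```
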



