Mikrotik Router Site-to-Site IPSec VPN Tunnel Configuration with One Side DHCP Address

Fig: Mikrotik Router Site-to-Site IPSec VPN Tunnel Configuration with One Side DHCP Address

HQ router configuration:
[admin@HQ] > ip dhcp-client add interface=ether1 use-peer-dns=yes add-default-route=yes disabled=no
[admin@HQ] > ip address add address=192.168.2.1/24 interface=ether2
[admin@HQ] > ip firewall nat add chain=srcnat action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24

[admin@HQ] > ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

[admin@HQ] > ip ipsec peer add address=180.140.100.2/32:500 auth-method=pre-shared-key secret="password" generate-policy=no exchange-mode=main
     send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des
     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1

[admin@HQ] > ip ipsec proposal add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
[admin@HQ] > ip ipsec policy add src-address=0.0.0.0/0:any dst-address=0.0.0.0/0:any protocol=all action=encrypt level=require ipsec-protocols=esp
     tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=180.140.100.2 proposal=default priority=0
Branch router configuration:
[admin@Remote] > ip address add address=180.140.100.2/30 interface=ether1

[admin@Remote] > ip address add address=192.168.1.1/24 interface=ether2
[admin@Remote] > ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.2.0/24

[admin@Remote] > ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

[admin@Remote] > ip route add dst-address=0.0.0.0/0 gateway=180.140.100.1

[admin@Remote] > ip ipsec proposal add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
[admin@Remote] > ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="password"
     generate-policy=yes exchange-mode=main send-initial-contact=yes
     nat-traversal=no my-id-user-fqdn="" proposal-check=obey
     hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
     lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

HQ router verification:
[admin@HQ] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0x436DF5F src-address=180.140.100.2 dst-address=103.31.178.102 auth-algorithm=sha1 enc-algorithm=3des replay=4
      state=mature auth-key="434ca089824ff93f2801b2e53fc4efb0e3a7d1f9"
      enc-key="9c1199ae6253133fc8279df3b757b31876068a10d6ac6fdc" addtime=jan/02/1970 02:09:15 add-lifetime=24m/30m
      usetime=jan/02/1970 02:09:54 use-lifetime=0s/0s current-bytes=4083 lifebytes=0/0

 1 E  spi=0xAC08649 src-address=103.31.178.102 dst-address=180.140.100.2 auth-algorithm=sha1 enc-algorithm=3des replay=4
      state=mature auth-key="d817f3af871df84a14d7c5f648474313c6a64928"
      enc-key="155124dc47519e8c226ffbcd53475fe31fff0a084f6daa0b" addtime=jan/02/1970 02:09:15 add-lifetime=24m/30m
      usetime=jan/02/1970 02:10:14 use-lifetime=0s/0s current-bytes=1649 lifebytes=0/0
[admin@HQ] > ip ipsec remote-peers print
 0 local-address=103.31.178.102 remote-address=180.140.100.2 state=established side=initiator established=17m59s

Remote router verification:
[admin@Remote] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0x436DF5F src-address=180.140.100.2 dst-address=103.31.178.102
      auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
      auth-key="434ca089824ff93f2801b2e53fc4efb0e3a7d1f9"
      enc-key="9c1199ae6253133fc8279df3b757b31876068a10d6ac6fdc"
      addtime=jan/01/2015 17:25:29 expires-in=10m25s add-lifetime=24m/30m
      current-bytes=4543

 1 E  spi=0xAC08649 src-address=103.31.178.102 dst-address=180.140.100.2
      auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
      auth-key="d817f3af871df84a14d7c5f648474313c6a64928"
      enc-key="155124dc47519e8c226ffbcd53475fe31fff0a084f6daa0b"
      addtime=jan/01/2015 17:25:29 expires-in=10m25s add-lifetime=24m/30m
[admin@Remote] > ip ipsec remote-peers print
 0 local-address=180.140.100.2 remote-address=103.31.178.102 state=established
   side=responder established=20m27
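As an added check (example code written for this page, not from the original post and not a MikroTik tool), the following Python script parses the two installed-sa listings above and confirms that both routers hold the same SAs keyed by SPI with identical addresses, algorithms and state, that the two SAs form a symmetric inbound/outbound pair, and that the remote-peers entries mirror each other (initiator on one side, responder on the other, addresses swapped). It also reports legacy ciphers such as 3DES that this configuration still negotiates. The sample input is the verification output shown above; the field names are RouterOS's own, while `LEGACY_ALGORITHMS` and the function names are this example's.

```python
import re
from typing import Dict, List

# Output of "ip ipsec installed-sa print" on both routers, copied from the
# verification section of the page (the auth/enc keys are the page's own values).
HQ_SA_OUTPUT = """\
Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0x436DF5F src-address=180.140.100.2 dst-address=103.31.178.102 auth-algorithm=sha1 enc-algorithm=3des replay=4
      state=mature auth-key="434ca089824ff93f2801b2e53fc4efb0e3a7d1f9"
      enc-key="9c1199ae6253133fc8279df3b757b31876068a10d6ac6fdc" addtime=jan/02/1970 02:09:15 add-lifetime=24m/30m
      usetime=jan/02/1970 02:09:54 use-lifetime=0s/0s current-bytes=4083 lifebytes=0/0

 1 E  spi=0xAC08649 src-address=103.31.178.102 dst-address=180.140.100.2 auth-algorithm=sha1 enc-algorithm=3des replay=4
      state=mature auth-key="d817f3af871df84a14d7c5f648474313c6a64928"
      enc-key="155124dc47519e8c226ffbcd53475fe31fff0a084f6daa0b" addtime=jan/02/1970 02:09:15 add-lifetime=24m/30m
      usetime=jan/02/1970 02:10:14 use-lifetime=0s/0s current-bytes=1649 lifebytes=0/0
"""

REMOTE_SA_OUTPUT = """\
Flags: A - AH, E - ESP, P - pfs
 0 E  spi=0x436DF5F src-address=180.140.100.2 dst-address=103.31.178.102
      auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
      auth-key="434ca089824ff93f2801b2e53fc4efb0e3a7d1f9"
      enc-key="9c1199ae6253133fc8279df3b757b31876068a10d6ac6fdc"
      addtime=jan/01/2015 17:25:29 expires-in=10m25s add-lifetime=24m/30m
      current-bytes=4543

 1 E  spi=0xAC08649 src-address=103.31.178.102 dst-address=180.140.100.2
      auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
      auth-key="d817f3af871df84a14d7c5f648474313c6a64928"
      enc-key="155124dc47519e8c226ffbcd53475fe31fff0a084f6daa0b"
      addtime=jan/01/2015 17:25:29 expires-in=10m25s add-lifetime=24m/30m
"""

# Output of "ip ipsec remote-peers print" on both routers, also from the page.
HQ_PEERS_OUTPUT = " 0 local-address=103.31.178.102 remote-address=180.140.100.2 state=established side=initiator established=17m59s"
REMOTE_PEERS_OUTPUT = """ 0 local-address=180.140.100.2 remote-address=103.31.178.102 state=established
   side=responder established=20m27"""

# A record starts with an index, one or more flag letters, then "spi=".
RECORD_START = re.compile(r"^\s*(\d+)\s+([A-Z](?:\s+[A-Z])*)\s+(?=spi=)")
# key=value tokens; values are either quoted strings or runs of non-space.
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
# Algorithms this example treats as legacy (name chosen for this example).
LEGACY_ALGORITHMS = {"des", "3des", "md5"}


def parse_installed_sa(text: str) -> List[Dict[str, str]]:
    """Turn the multi-line RouterOS SA listing into one dict per SA."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        start = RECORD_START.match(line)
        if start:
            records.append({"index": start.group(1), "flags": start.group(2).replace(" ", "")})
            line = line[start.end():]
        elif not records:
            continue  # prompt or other text before the first record
        for key, value in KV.findall(line):  # continuation lines extend the last record
            records[-1][key] = value.strip('"')
    return records


def compare_sas(hq_text: str, remote_text: str) -> Dict[str, object]:
    """Cross-check the SA tables of both routers, keyed by SPI."""
    hq = {r["spi"]: r for r in parse_installed_sa(hq_text)}
    remote = {r["spi"]: r for r in parse_installed_sa(remote_text)}
    checked = ("src-address", "dst-address", "auth-algorithm", "enc-algorithm", "state")
    report: Dict[str, object] = {
        "matched": [],       # SPIs on both ends with identical checked fields
        "mismatched": [],    # SPIs on both ends that differ in a checked field
        "only_one_side": sorted(set(hq) ^ set(remote)),
        "legacy_algorithms": set(),
        "symmetric": False,  # every matched flow has its reverse-direction counterpart
    }
    for spi in sorted(set(hq) & set(remote)):
        a, b = hq[spi], remote[spi]
        bucket = "mismatched" if any(a.get(f) != b.get(f) for f in checked) else "matched"
        report[bucket].append(spi)
        report["legacy_algorithms"].update(
            a[f] for f in ("auth-algorithm", "enc-algorithm") if a.get(f) in LEGACY_ALGORITHMS)
    flows = {(hq[s]["src-address"], hq[s]["dst-address"]) for s in report["matched"]}
    report["symmetric"] = bool(flows) and all((d, s) in flows for s, d in flows)
    return report


def peers_mirrored(hq_text: str, remote_text: str) -> bool:
    """True when both remote-peers entries are established and mirror each other."""
    hq, remote = dict(KV.findall(hq_text)), dict(KV.findall(remote_text))
    return (hq.get("state") == "established" == remote.get("state")
            and hq.get("local-address") == remote.get("remote-address")
            and hq.get("remote-address") == remote.get("local-address")
            and {hq.get("side"), remote.get("side")} == {"initiator", "responder"})


if __name__ == "__main__":
    print(compare_sas(HQ_SA_OUTPUT, REMOTE_SA_OUTPUT))
    print("remote-peers mirrored:", peers_mirrored(HQ_PEERS_OUTPUT, REMOTE_PEERS_OUTPUT))
```

On the page's output the script reports both SPIs as matched, no one-sided SAs, a symmetric pair, mirrored peers, and `3des` as a legacy algorithm; RouterOS also offers `aes-256-cbc`, `sha256` and `modp2048`, so the proposal and peer lines are where an operator would raise the cipher set once the tunnel is confirmed working.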

1 comment:

  1. Hello,
    Thanks a lot.
    A question:
    Did you not need a script to find the dynamic WAN IP address for the remote side?
    Bye.--