Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 30 subscribers
  • Views 35087 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC site to site tunnel between mirkotik & XG105 failing second phase "peer did not accept any proposal sent"

NicolásRomero Giménez

Hi All,

Hope you can direct me into solving this issue, I've tried hundreds of configurations on both ends with no luck... it won't go past Pase2 SA rekeying.

 

I'm trying to connect our branch office (Mikrotik hEX) to our main site (XG105) through IPSEC tunnel. Both devices have a public IP assigned directly to their WAN interface (which belong to the same provider thus under the very same subnet).

I fisrtly used a TP-LINK TL-R600 router at our branch, which I could flawlessly connect to our XG using the DefaultHeadOffice IPSEC profile. This indicates that the connection is possible, just that something is escaping from my knowledge with mikrotik/xg. Unfortunately that TL-R600 router does not allow me to route traffic through the VPN tunnel, thus I could only reach one of our subnets (directly connected one through the tunnel) and not any of the other subnets behind our L3 Switch at main site. 

I've tried using the DefaultHeadOffice profile with the mikrotik (configuring the mikrotik accordingly) but that would not even start negotiations. Then I created and applied an IPSEC profile, screencap attached.

I'm also attaching all configurations on both ends and error logs.

 

Many thanks!

 

 



This thread was automatically locked due to age.
Parents
  • 0

    I'm not familiar with Mikrotik, but I had a similar issue wen creating a VPN between a SonicWall and the XG. On the XG I had to switch PFS Group (DH Group) to None. Then removed it from the SonicWall side as well. Not sure what your requirements are at your organization, but we didn't require it and removing the PFS Group fixed the VPN issue for me.

  • 0 in reply to ChrisHowell

    Hi Chris,


    Thank you for your answer.

     

    I've already tried disabling DH Group for Phase 2 on the XG (won't allow me to disable it for phase 1) as well as disabling it on the mikrotik proposal configuration (it won't allow me to disable it on the mikrotik peer definition. 

     

    Still no luck, won't connect, same error as previously in the logs on both sides. ("Peer sent a dead packet for a phase 2 connection"- mikrotik "initiating phase 2 rekeying using phase 1 SA, peer did not accept any proposal sent") Anything else I could try? I'm about to contact support but I'm afraid that they would throw the ball on mikrotik and vice-versa.

     

    I've read through various communities (including this one) and I'm sure that this can be achieved. Yet I haven't found any detailed guides on how to do it or where the issue might be. 

     

    Hope someone can bring some light into this.


    Nico.

  • +1 in reply to NicolásRomero Giménez

    Issue solved. This is related to a mikrotik v6 bug/option  http://serverfault.com/questions/646466/mikrotik-ipsec-tunnels-not-working-after-routeros-upgrade

     

    finally made it work with the following details:

     

    XG:

    no rekeying

    unlimited key negotiation tries

    aggressive mode auth

    disabled data compression

    phase1 3des md5 dh1024

    keylife 86400

    rekey 120

    randomize 0

    dead peer disabled

    phase2 3des md5 same as phase1 keylife 3600

     

    Mikrotik:

     

    Policy: 

    Protocol 255 (All)

    action: encrypt

    level: require

    ipsec protocol: esp

    tunnel: checked

    proposal: default

    priority: 0

     

    IPSEC GROUP: NONE

     

    Ipsec Peer:

    auth: psk

    exchange mode: main

    passive: no

    policy template group: should be empty after erasing ipsec group

    initial contact: no

    NAT traversal: no

    id: auto

    generate policy: no

    lifetime: 1d

    dpd:120

    dpd max: 5

    proposal: obey

    hash: md5

    enc: 3des

    dh: modp1024

     

    PROPOSAL

    enabled: yes

    name: default

    auth: md5

    enc: 3des

    lifetime: 1h

    pfs: modp1024

     

     

     

  • 0 in reply to NicolásRomero Giménez

    We found solution for this issue, without using "insecure" authorization, like md5.

    Sophos XG SFOS 17.0.1 MR-1 successful connected via IPSec with Mikrotik RB 433 with RouterOS v6.39.3

     

    XG config:

     VPN -> IPSec Profiles -> ADD

      Name 'optional'

      DHGroup : 14, 16, 18

      rest like on picture:

     After save, switch to IPSec Connection:

    Connection Type: Site-to-Site

    Gateway Type: Initiate the connection

    Policy : select new added policy

    Authentication Type: Preshared Key and type two times defined key

    Local Gateway : select port with public IP to IPSec

    Local Subnet : select subnet, that You want to share with VPN Client

    Gateway Address : type public IP address of remote device

     Remote subnet : select subnet, for remote device

     

    MT config:

    IPsec Policy

     src. address local address subnet (remote subnet from XG)

     dst. address remote address subnet (local subnet from XG)

     action encrypt

     level require

     Ipsec Protocols esp

     Tunnel checkbox checked

     SA Src. public IP

     SA Dst. remote public IP

     Proposal default

     

    Peers:

     Address remote public IP

     Auth. method pre shared key

     Exchange IKE2

     Secret 'defined in XG phrase'

    Encryption:

      Hash sha256

      Encryption algorith aes-256

      DHGroup modp2048

     

    Proposal:

     name default (optional add new proposal and after config, use it in Policy)

     auth sha256

     encr aes-256-cbc

     PFS Group modp2048

     

  • 0 in reply to Guillermo William Suárez

    Thanks, it works with Mikrotik RoS ver 6.46.5

     

    BTW,  Any host in local LAN  can ping any host in remote LAN and vice versa, but Mikrotik does not answer to ping.

    No manual records in routing tables required. 

Reply Children
No Data