[Openswan Users] no phase 2, openswan 1:2.6.23+dfsg-1ubuntu1 + mikrotik 6.11
Vladimir Obukhov
stncldbsh at gmail.com
Thu Apr 10 04:58:22 EDT 2014
Hello,
I am trying to make a tunnel between
Linux Openswan U2.6.23/K2.6.32-50-generic-pae (netkey)
and RouterOS 6.11
they are connected as follows:
LAN 192.168.20.0/24===[ 88.888.8.88 OPENSWAN ] ...INTERNET... [ 77.777.77.7 ROUTEROS ]===192.168.17.0/24 LAN;
here's what I see on linux box
# ipsec auto --status
"md-ene-mikrotik":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 1340s; newest ISAKMP; lastdpd=70s(seq in:0 out:0);
idle; import:not set
on mikrotik I also see
> ip ipsec remote-peers print
0 local-address=77.777.77.7 remote-address=88.888.8.88 state=established
side=initiator established=38m5s
so the first phase goes right,
but I see no sa-installed on mikrotik
[admin at MikroTik] > ip ipsec installed-sa print
# ip xfrm state
gives nothing
below are the settings on both sides, let me know if more info is needed
by the way, there is one more tunnel between this mikrotik and another one,
which works fine.
Thanks!
here's my /etc/ipsec.conf
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn md-ene-mikrotik
    esp=3des-sha1
    ike=3des-md5-modp1024
    authby=secret
    keylife=28800s
    left=88.888.8.88
    leftsubnet=192.168.20.0/24
    leftsourceip=192.168.20.1
    right=77.777.77.7
    rightsubnet=192.168.17.0/24
    rightsourceip=192.168.17.1
    auto=add
    type=tunnel
    pfs=no
here's mikrotik conf
> ip ipsec peer print
1 address=88.888.8.88/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="cthdbc" generate-policy=no
exchange-mode=main send-initial-contact=yes proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5
> ip ipsec policy print
1 src-address=192.168.17.0/24 src-port=any
dst-address=192.168.20.0/24 dst-port=any protocol=all action=encrypt
level=require ipsec-protocols=esp
tunnel=yes sa-src-address=77.777.77.7 sa-dst-address=88.888.8.88
proposal=proposal1 priority=0
> ip ipsec proposal print
1 name="proposal1" auth-algorithms=sha1 enc-algorithms=3des lifetime=8h
pfs-group=modp1024
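A phase 2 mismatch is the usual reason for an established ISAKMP SA with no IPsec SA behind it, so the first thing to do with a post like this is line the two phase 2 proposals up side by side. The following checker is an added example, not code from the original post or from Openswan; it takes the values copied from the ipsec.conf and "ip ipsec proposal print" fragments above and reports every phase 2 parameter on which the two ends differ (the phase 1 group modp1024 is taken from the ike= line, since pfs=yes without pfsgroup= would reuse it).

```python
import re

# Values copied from the ipsec.conf fragment in the post (conn md-ene-mikrotik).
OPENSWAN_CONN = {"esp": "3des-sha1", "pfs": "no", "keylife": "28800s"}

# Copied from the RouterOS "ip ipsec proposal print" output in the post.
ROUTEROS_PROPOSAL = """1 name="proposal1" auth-algorithms=sha1 enc-algorithms=3des lifetime=8h
pfs-group=modp1024"""

UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_routeros(text):
    """Turn wrapped 'key=value key="quoted"' print output into a dict."""
    flat = " ".join(text.split())
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', flat)}


def to_seconds(value):
    """Normalize lifetimes such as '28800s', '8h' or '1d' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", value)
    if not m:
        raise ValueError(f"unrecognized lifetime {value!r}")
    return int(m.group(1)) * UNIT[m.group(2)]


def openswan_pfs_group(conn, ike_group="modp1024"):
    """pfs=no means Openswan proposes no PFS group; pfs=yes uses pfsgroup= or,
    failing that, the phase 1 DH group (modp1024 here, from ike=3des-md5-modp1024)."""
    if conn.get("pfs", "yes") == "no":
        return "none"
    return conn.get("pfsgroup", ike_group)


def phase2_mismatches(conn, routeros_text):
    """List every phase 2 parameter on which the two ends would disagree."""
    ros = parse_routeros(routeros_text)
    enc, auth = conn["esp"].split("-", 1)
    pairs = [
        ("encryption", enc, ros["enc-algorithms"]),
        ("integrity", auth, ros["auth-algorithms"]),
        ("pfs group", openswan_pfs_group(conn), ros["pfs-group"]),
        ("lifetime (s)", to_seconds(conn["keylife"]), to_seconds(ros["lifetime"])),
    ]
    return [f"{name}: openswan={a} routeros={b}" for name, a, b in pairs if a != b]


if __name__ == "__main__":
    for line in phase2_mismatches(OPENSWAN_CONN, ROUTEROS_PROPOSAL) or ["no phase 2 mismatches"]:
        print(line)
```

On the posted values the only difference reported is the PFS group (none on the Openswan side, modp1024 on RouterOS); whether Openswan as responder accepts a group it did not itself propose is something to confirm in pluto's log rather than to assume from this diff alone.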