Filter
Top Products
AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers 191
RouterOS v3 Configuration and User Guide
Example
To add a policy to encrypt all the traffic between two hosts (10.0.0.147 and 10.0.0.148), we need do the
following:
[admin@WiFi] ip ipsec policy> add sa-src-address=10.0.0.147 \
\... sa-dst-address=10.0.0.148 action=encrypt
[admin@WiFi] ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=10.0.0.147/32:any dst-address=10.0.0.148/32:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=no
sa-src-address=10.0.0.147 sa-dst-address=10.0.0.148 proposal=default
manual-sa=none priority=0
[admin@WiFi] ip ipsec policy>
to view the policy statistics, do the following:
[admin@WiFi] ip ipsec policy> print stats
Flags: X - disabled, D - dynamic, I - invalid
0 src-address=10.0.0.147/32:any dst-address=10.0.0.148/32:any
protocol=all ph2-state=no-phase2 in-accepted=0 in-dropped=0
out-accepted=0 out-dropped=0 encrypted=0 not-encrypted=0 decrypted=0
not-decrypted=0
[admin@WiFi] ip ipsec policy>
8.8.3 Peers
Submenu level: /ip ipsec peer
Description
Peer configuration settings are used to establish connections between IKE daemons (phase 1
configuration). This connection then will be used to negotiate keys and algorithms for SAs.
Property Description
address (IP address/netmask:port; default: 0.0.0.0/32:500) - address prefix. If remote peer's address
matches this prefix, then this peer configuration is used while authenticating and establishing phase 1. If
several peer's addresses matches several configuration entries, the most specific one (i.e. the one with
largest netmask) will be used
auth-method (pre-shared-key | rsa-signature; default: pre-shared-key) - authentication method
pre-shared-key - authenticate by a password (secret) string shared between the peers
rsa-signature - authenticate using a pair of RSA certificates
certificate (name) - name of a certificate on the local side (signing packets; the certificate must have
private key). Only needed if RSA signature authentication method is used
dh-group (multiple choice: ec2n155 | ec2n185 | modp768 | modp1024 | modp1536; default: modp1024) -
Diffie-Hellman group (cipher strength)
enc-algorithm (multiple choice: des | 3des | aes-128 | aes-192 | aes-256; default: 3des) - encryption
algorithm. Algorithms are named in strength increasing order
exchange-mode (multiple choice: main | aggressive | base; default: main) - different ISAKMP phase 1
exchange modes according to RFC 2408. Do not use other modes then main unless you know what you
are doing
generate-policy (yes | no; default: no) - allow this peer to establish SA for non-existing policies. Such
policies are created dynamically for the lifetime of SA. This way it is possible, for example, to create IPsec
secured L2TP tunnels, or any other setup where remote peer's IP address is not known at the
configuration time
hash-algorithm (multiple choice: md5 | sha1; default: md5) - hashing algorithm. SHA (Secure Hash
Algorithm) is stronger, but slower
lifebytes (integer; default: 0) - phase 1 lifetime: specifies how much bytes can be transferred before SA is
discarded
0 - SA expiration will not be due to byte count excess