Allied Telesis AT-WR4500 Network Router User Manual


 
192 AT-WR4500 Series - IEEE 802.11abgh Outdoor Wireless Routers
RouterOS v3 Configuration and User Guide
lifetime (time; default: 1d) - phase 1 lifetime: specifies how long the SA will be valid; SA will be discarded
after this time
nat-traversal (yes | no; default: no) - use the Linux NAT-T mechanism to solve IPsec incompatibility with
NAT routers in between IPsec peers. This can only be used with the ESP protocol (AH is not supported by
design, as it signs the complete packet, including the IP header, which is changed by NAT, rendering the AH
signature invalid). The method encapsulates IPsec ESP traffic in UDP streams in order to overcome the
issues that made ESP incompatible with NAT
proposal-check (multiple choice: claim | exact | obey | strict; default: strict) - phase 2 lifetime check
logic:
claim - take the shorter of the proposed and configured lifetimes and notify the initiator about it
exact - require the lifetimes to be the same
obey - accept whatever the initiator sends
strict - if the proposed lifetime is longer than the configured (default) one, reject the proposal; otherwise
accept the proposed lifetime
remote-certificate (name) - name of the certificate used to authenticate the remote side (validating
packets; no private key required). Only needed if the RSA signature authentication method is used
secret (text; default: "") - secret string (in case pre-shared key authentication is used). If it starts with
'0x', it is parsed as a hexadecimal value
send-initial-contact (yes | no; default: yes) - specifies whether to send initial IKE information or wait
for remote side
AES (Advanced Encryption Standard) is much faster than DES and 3DES, so this algorithm class is
recommended whenever possible. Speed is not a weakness here: neither AES-128 nor AES-256 can be
broken by brute force on any foreseeable hardware; AES-256 simply offers a larger security margin at a
modest throughput cost, so choose AES-256 where that margin matters and AES-128 where throughput is
the priority. Both peers MUST have the same encryption and authentication algorithms, DH group and
exchange mode. DES and MD5 are considered weak and should be chosen only when a legacy peer
supports nothing else.

Set the generate-policy flag to yes only for trusted peers, because the router does not verify the policy
such a peer asks it to establish. To protect yourself against unwanted events, add policies with action=none
for all networks you do not want encrypted at the top of the policy list. Since dynamic policies are added
at the bottom of the list, they cannot override your configuration. Alternatively, you can use policy priorities
to force some policies to be active at all times.
Example
To define new peer configuration for 10.0.0.147 peer with secret=gwejimezyfopmekun:
[admin@WiFi] ip ipsec peer> add address=10.0.0.147/32 \
\... secret=gwejimezyfopmekun
[admin@WiFi] ip ipsec peer> print
Flags: X - disabled
0 address=10.0.0.147/32:500 secret="gwejimezyfopmekun" generate-policy=no
exchange-mode=main send-initial-contact=yes proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0
[admin@WiFi] ip ipsec peer>
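The example above accepts the 3des/md5 defaults and leaves the policy list empty. The following is an added example, not taken from the manual, that applies the notes from this section: a peer with stronger phase 1 and phase 2 algorithms, NAT-T enabled (ESP only), strict lifetime checking, a hexadecimal secret, and action=none guard policies placed above the encrypt policy so that dynamically generated policies cannot capture traffic they should not. The router address 198.51.100.1, the peer address 203.0.113.10, the LAN prefixes and the hex secret are constructed; the use of dh-group=modp1536 assumes the firmware offers that group (the printed output above shows modp1024).

```routeros
# Added example (not from the manual). Assumes RouterOS v3 syntax as
# documented on this page. Addresses, prefixes and the secret are constructed.

# Phase 2 proposal referenced by the policies below: ESP with AES-256/SHA1.
# NAT-T requires ESP; AH signs the IP header, which NAT rewrites.
/ip ipsec proposal set default enc-algorithms=aes-256 auth-algorithms=sha1

# Phase 1 peer. AES-256/SHA1 instead of the 3des/md5 defaults, strict lifetime
# checking, NAT-T on, and generate-policy left at no because the router does
# not verify policies a peer asks for. The secret starts with 0x, so it is
# parsed as hexadecimal rather than as the literal string.
/ip ipsec peer add address=203.0.113.10/32 \
    secret=0x5f3a9c01e2d47b6688a1c3e5f7092b4d \
    exchange-mode=main nat-traversal=yes proposal-check=strict \
    hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1536 \
    lifetime=1d generate-policy=no

# Guard policies first: traffic that must never enter a tunnel gets
# action=none entries ahead of any encrypt policy. Dynamic policies from a
# peer with generate-policy=yes are appended at the bottom of the list, so
# these entries take precedence. Here local LAN-to-LAN traffic and traffic
# to the management subnet are kept in the clear. If the list already has
# entries, add the guards and then reorder them with "/ip ipsec policy move".
/ip ipsec policy add src-address=192.168.10.0/24 dst-address=192.168.10.0/24 action=none
/ip ipsec policy add src-address=192.168.10.0/24 dst-address=10.1.0.0/16 action=none

# Static tunnel policy for the peer above, placed after the guards.
/ip ipsec policy add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    action=encrypt ipsec-protocols=esp tunnel=yes \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.10 proposal=default

# Check the ordering (guards must print before the encrypt policy) and, once
# phase 1 is up, confirm the peer appears in the remote-peers list.
/ip ipsec policy print
/ip ipsec remote-peers print
```

Both sides must be configured with the same phase 1 algorithms, DH group and exchange mode, or phase 1 will not complete and the peer will never appear under /ip ipsec remote-peers.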
8.8.4 Remote Peer Statistics
Submenu level: /ip ipsec remote-peers
Description
This submenu provides various statistics about remote peers that currently have established phase 1
(ISAKMP) SAs with this router. Note that if a peer does not show up here, it does not mean that no IPsec
traffic is being exchanged with it. For example, manually configured SAs will not show up here.
Property Description
local-address (read-only: IP address) - local ISAKMP SA address