MikroTik RouterOS v2.9 Reference Manual page 321

AH - in transport mode
level ( acquire | require | use ; default: require ) - specifies what to do if some of the SAs for this
policy cannot be found:
• use - skip this transform, do not drop packet and do not acquire SA from IKE daemon
• acquire - skip this transform, but acquire SA for it from IKE daemon
• require - drop packet but acquire SA
manual-sa ( name ; default: none ) - name of manual-sa template that will be used to create SAs
for this policy
• none - no manual keys are set
not-decrypted ( integer ) - how many incoming packets the policy attempted to decrypt, but
discarded for any reason
not-encrypted ( integer ) - how many outgoing packets the policy attempted to encrypt, but
discarded for any reason
out-accepted ( integer ) - how many outgoing packets were passed through by the policy without
an attempt to encrypt
out-dropped ( integer ) - how many outgoing packets were dropped by the policy without an
attempt to encrypt
ph2-state ( read-only: expired | no-phase2 | established ) - indication of the progress of key
establishing
• expired - there are some leftovers from the previous phase 2. In general it is similar to no-phase2
• no-phase2 - no keys are established at the moment
• established - appropriate SAs are in place and everything should be working fine
proposal ( name ; default: default ) - name of proposal information that will be sent by IKE
daemon to establish SAs for this policy
protocol ( name | integer ; default: all ) - protocol name or number
sa-dst-address ( IP address ; default: 0.0.0.0 ) - SA destination IP address
sa-src-address ( IP address ; default: 0.0.0.0 ) - SA source IP address
src-address ( IP address | netmask | port ; default: 0.0.0.0/32:any ) - source IP address
tunnel ( yes | no ; default: no ) - specifies whether to use tunnel mode
Notes
All packets are IPIP encapsulated in tunnel mode, and their new IP header src-address and
dst-address are set to sa-src-address and sa-dst-address values of this policy. If you do not use
tunnel mode (id est you use transport mode), then only packets whose source and destination
addresses are the same as sa-src-address and sa-dst-address can be processed by this policy.
Transport mode can only work with packets that originate at and are destined for IPsec peers (hosts
that established security associations). To encrypt traffic between networks (or a network and a
host) you have to use tunnel mode.
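The following is an added configuration example, not taken from the manual, that shows the difference described above: a tunnel-mode policy protecting traffic between two networks, and a transport-mode policy that can only protect traffic between the peers themselves. The addresses and networks are constructed for illustration; `action`, `dst-address` and `ipsec-protocols` are policy parameters documented on the preceding manual page, and the `print stats` command is assumed to print the packet counters listed above.

```routeros
# Constructed topology (not from the manual):
#   router A: public address 192.0.2.1,     LAN 10.0.1.0/24
#   router B: public address 198.51.100.1,  LAN 10.0.2.0/24
# Commands below are entered on router A.

# IKE peer for router B; the pre-shared secret is a placeholder to be replaced.
/ip ipsec peer add address=198.51.100.1/32:500 secret="REPLACE-WITH-STRONG-PSK"

# Tunnel mode (tunnel=yes): traffic between the two LANs is IPIP-encapsulated
# and the outer IP header carries sa-src-address -> sa-dst-address.
# level=require drops matching packets until the SA exists, instead of
# letting them leave in cleartext.
/ip ipsec policy add src-address=10.0.1.0/24:any dst-address=10.0.2.0/24:any \
    protocol=all action=encrypt level=require ipsec-protocols=esp \
    tunnel=yes sa-src-address=192.0.2.1 sa-dst-address=198.51.100.1 \
    proposal=default

# Transport mode (tunnel=no): only packets whose own source and destination
# are exactly the SA endpoints can match, so this protects router-to-router
# traffic only, never the LANs behind them.
/ip ipsec policy add src-address=192.0.2.1/32:any dst-address=198.51.100.1/32:any \
    protocol=all action=encrypt level=require ipsec-protocols=esp \
    tunnel=no sa-src-address=192.0.2.1 sa-dst-address=198.51.100.1 \
    proposal=default

# Router B needs the mirror image of each policy: src/dst and
# sa-src-address/sa-dst-address swapped, everything else identical.

# Verification: ph2-state should read "established" once IKE has negotiated
# the SAs; a growing not-encrypted or out-dropped counter points at a policy
# whose SA never came up or whose peer settings do not match.
/ip ipsec policy print
/ip ipsec policy print stats
```

With `level=require`, a missing SA results in dropped packets rather than plaintext leaving the router, which is the setting to keep when a policy is meant to enforce encryption rather than merely offer it.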
It is good to have dont-fragment cleared because encrypted packets are always bigger than original
and thus they may need fragmentation.
If you are using IKE to establish SAs automatically, then policies on both routers must exactly
Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registred trademarks mentioned herein are properties of their respective owners.
Page 307 of 695
