I need static ARP because PCI-DSS..
and I tried make static in /ip arp but I get this: "Couldn't add New ARP - already have such arp (6)"
I have 6.5 and 6.7 os versions.
What could be the problem?

The problem is not on my side. The partner has wrong config.
I have bulit a test system and I simulated each side and my config is good.

So, I have two policy route rule for this ipsec. Question, can I have two policy rule for one ipsec peer? If don't then how can I solve this? I need to route to remote side two exact IP (not a net) eg. 10.1.42.27 and 10.1.48.193 therefore I made it. If I have two policy route then I will have two SA...

I don't know what would be the problem.
I made packet-sniffer and other ...now I think packet go to good interface but only one IP.
About the second IP I don't see where does it want to go. I see when it come from server but I don't see when it goes to out.

New problem is that if I change or add a new ipsec/vpn peer then all established vpn is disconnected until I flush all SA

Someone should rename this topic to a more meaningful name. Anyhow, same problem here with L2TP/IPSec and multiple clients behind one public IP. Is there really no solution or workaround? OpenVPN w/ mikrotik isn't a solution since UDP support is missing; PPTP on the other hand isn't secure. Why can...

Hi, I have a problem. We have a lot of ipsec vpn and leased line and we are using vlan and other things but we don't have ipsec vpn with srcnat yet (only dnat) Unfortunately we have a partner and it need 10.0.0.0/8 and therefore I have a static route for it. But, now I need a new ipsec vpn and remot...

Don't use i- pad/phone.. use Linux/Android..

so you can chose a simple client for openvpn: http://openvpn.net/index.php/open-source.html it is working well.
(and Linux knows openvpn basically)

I had about 60 VPN users and they are offten on the same remote LAN and need to connect to office, but they cant...

Ok, but this is not problem of the mikrotik!
This is a property of ipsec.
a solution: use openvpn

and how could you test it? from same public IP? because ipsec can not generate policy rule if you come same public IP. (I tested it) eg. if your users behind same firewall and it has a public IP and it is NATing your users then they will be shown with same public IP this is what I need to solve. I ...

Please check assigned IPs for userA and userB. Do you use pool for local and remote IP assignements? Solutions: 1. you assign from pool but you need set for local and remote too!! (you can not give fix IP for local and dynamic for remote! because /30 mask) 2. you give fix IP for local and remote too...

Ok, you are right! Need NAT-T for NATed user. But I don't understand your all config because I tested today with my 1100AH (ROS 5.14) and I needed this: mod: I tested with: win7, winXP and Android phone are working well. 1. (you need separate l2tp-server /user with user-name) /interface l2tp-server ...

"nat-traversal=yes "
Why?

and where is this?
add action=accept chain=input disabled=no protocol=ipsec-esp in-interface=eth01.WAN;
(ip protocol 50 for ESP)

Yes, but this is the problem: /ip ipsec installed-sa flush sa-type=all that I have written I can not flush all SA because I have a lot of ipsec VPN and all tunnel under using and if I flush all SA then all TCP opened session will be lost. Therefore I am waiting this feature. (that I can restart one ...

What is your ROS version??

I think you have one l2tp server (?) and one secret config (?) if you have a lot of user you need separetly secret and l2tp server for each user. (but this is a idea I haven't done l2tp only openvpn and ipsec tunnel) yes, there is posibility to turn on only one server and users are dynamic no, ever...

I written to support and they have sent answers.
They said I can not restart one ipsec tunnel now but they will put this function to a future OS version.

I am waiting it very!

I think you have one l2tp server (?) and one secret config (?) if you have a lot of user you need separetly secret and l2tp server for each user.
(but this is a idea I haven't done l2tp only openvpn and ipsec tunnel)

Hi, I am new here but not in IT professional. So, we have a lot of mt1100ah and we have a lot of ipsec vpn. Sometimes I have seen vpn is establised but I can not send packet through tunnel. I would like to restart this connection but this feature is not supported just each ipsec tunnel. I can not re...