IPSec Policy Invalid

Hi,

I have a Mikrotik (RouterOS v5.4) working with a Cisco router via an IPsec VPN (tunnel). As we need redundancy, we use two peers for the connection, but when I enable the peer policies, only one becomes active; the other becomes invalid. I really don't know what happened.
Another problem I've noted is that when I disable (manually) the active policy, the other remains invalid.
I would really appreciate help with this issue because, without this, I have no redundancy on my VPN.

Thanks a lot.

Best Regards,
Rômulo Lima

Please post your /ip ipsec policy configuration. When a policy uses the same src/dst-address as another, it will become invalid.

Hi Sergejs,

In fact, the source and destination addresses are the same on both policies, but if the two peers serve the same networks, how could I use different addresses?
My idea is to work with two peers, where one is active and the other is in standby.

Do you understand?

The policy configuration follows:

/ip ipsec policy
add action=encrypt comment="Embratel Peer - 189.x.x.117" disabled=no dst-address=192.168.0.0/24 dst-port=any ipsec-protocols=esp level=require priority=10 \
    proposal=proposal_killing protocol=all sa-dst-address=189.x.x.117 sa-src-address=201.x.x.114 src-address=192.168.4.0/24 src-port=any tunnel=yes
add action=encrypt comment="Embratel Peer - 189.X.x.141" disabled=no dst-address=192.168.0.0/24 dst-port=any ipsec-protocols=esp level=require priority=15 \
    proposal=proposal_killing protocol=all sa-dst-address=189.x.x.141 sa-src-address=201.x.x.114 src-address=192.168.4.0/24 src-port=any tunnel=yes


Thank you.

Yes, it was clear from your description in the original post. Currently there is no such option: the first policy has to be disabled before the second will start working without the "I" (invalid) flag.

Ok Sergejs,

Thank you for the explanation. I will try to build the redundancy with scripts anyway.

Best Regards,

Rômulo Lima

Currently this is the only way. We are working on option to change this behavior in the future.
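Since RouterOS will only bring the second policy out of the invalid state once the first one is disabled, the script-based workaround mentioned above amounts to keeping exactly one of the two policies enabled at any time and swapping them when the active peer stops answering. The following is an added example written for this thread, not code posted by Rômulo, Sergejs or MikroTik. It assumes the two policies from the configuration above, but uses the TEST-NET-3 placeholder addresses 203.0.113.117 and 203.0.113.141 in place of the real peer addresses (which are masked in the post), assumes the peers answer ICMP on their WAN address, and assumes the script is saved under /system script as "ipsec-failover" and run from a scheduler:

```routeros
# ipsec-failover (added example, not from the original thread)
# Keeps exactly one of two IPsec policies that share src/dst-address enabled.
# The disabled policy is re-enabled only after the other one is disabled,
# which is the order RouterOS v5 requires for it to leave the "I" (invalid) state.
#
# Install (after saving this under /system script as "ipsec-failover"):
#   /system scheduler add name=ipsec-failover interval=30s on-event=ipsec-failover

# Placeholder peer addresses (TEST-NET-3); replace with the real sa-dst-address
# values of the two policies (189.x.x.117 and 189.x.x.141 in the thread).
:local primaryPeer 203.0.113.117
:local backupPeer  203.0.113.141

# Locate both policies by their sa-dst-address instead of by comment text.
:local primary [/ip ipsec policy find sa-dst-address=$primaryPeer]
:local backup  [/ip ipsec policy find sa-dst-address=$backupPeer]

# Reachability probe: ping the primary peer's public address.
# /ping returns the number of replies; 0 of 3 is treated as "peer down".
# Assumption: the peer answers ICMP on its WAN address.
:local primaryUp ([/ping $primaryPeer count=3] > 0)

# Which policy is currently carrying traffic?
:local primaryEnabled (![/ip ipsec policy get $primary disabled])

:if (!$primaryUp && $primaryEnabled) do={
    # Failover: disable the primary FIRST, then enable the backup so the
    # backup policy does not stay invalid because of the overlapping selector.
    /ip ipsec policy disable $primary
    /ip ipsec policy enable $backup
    # Drop SAs negotiated with the dead peer so traffic is not black-holed
    # until they expire on their own.
    /ip ipsec installed-sa flush
    :log warning "ipsec-failover: peer $primaryPeer down, switched to $backupPeer"
}

:if ($primaryUp && !$primaryEnabled) do={
    # Failback: same ordering in reverse; tear down the backup before the
    # primary is enabled, otherwise the primary comes up invalid.
    /ip ipsec policy disable $backup
    /ip ipsec policy enable $primary
    /ip ipsec installed-sa flush
    :log warning "ipsec-failover: peer $primaryPeer reachable again, switched back"
}
```

Two caveats for anyone adapting this. A single probe of three pings will flap the tunnel on transient packet loss, so in production you would count consecutive failures (for example in a global variable) before switching, and probe something behind the tunnel rather than only the peer's WAN address, since a peer can be pingable while its IKE daemon is dead. Also, the 30s scheduler interval plus the IKE renegotiation time is the outage window you are accepting; shorten the interval only as far as the probe traffic is acceptable.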

Hi Rômulo Lima,

I’m also stuck with this problem.
Did you come up with a script-based solution in the meantime, and would you mind sharing it?

I’d highly appreciate it.

Thanks and best regards,
-pylon

I am also stuck with the exact same problem.
Can you please advise whether you managed to get it resolved, and if so, could you share your solution?
regards

Hi, is this problem solved?
I am also stuck with the same issue.
Unfortunately I cannot have redundancy because of this.

I have the same problem. What is the priority option for, if the policy is stuck as invalid?