midenok
newbie
Topic Author
Posts: 39
Joined: Fri Dec 27, 2013 5:34 pm

IPSec server can't find static policy on client connection

Fri Nov 21, 2014 11:36 am

/ip ipsec peer> print
0    address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500 auth-method=rsa-signature 
      certificate=limbo-ipsec remote-certificate=sip-ipsec generate-policy=no exchange-mode=main 
      send-initial-contact=no nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
      enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m 
      dpd-maximum-failures=5 
/ip ipsec policy> print
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1     src-address=0.0.0.0/0 src-port=any dst-address=192.168.35.0/24 dst-port=any protocol=all 
       action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=195.90.80.70 
       sa-dst-address=37.107.11.12 proposal=default priority=2
ipsec,debug no policy found: 0.0.0.0/0[0] 192.168.35.0/24[0] proto=any dir=in
Though, the generated policy works pretty well:
/ip ipsec peer> print
0    address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500 auth-method=rsa-signature 
      certificate=limbo-ipsec remote-certificate=sip-ipsec generate-policy=port-strict 
      exchange-mode=main send-initial-contact=no nat-traversal=yes proposal-check=obey 
      hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 
      dpd-interval=2m dpd-maximum-failures=5 
/ip ipsec policy> print
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1     src-address=0.0.0.0/0 src-port=any dst-address=192.168.35.0/24 dst-port=any protocol=all 
       action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=195.90.80.70 
       sa-dst-address=37.107.11.12 proposal=default priority=2 

 2  D  src-address=0.0.0.0/0 src-port=any dst-address=192.168.35.0/24 dst-port=any protocol=all 
       action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=195.90.80.70 
       sa-dst-address=37.107.11.12 priority=2 
Why can't it find policy 1 in the case of 'generate-policy=no', even though it generates exactly the same policy?
Last edited by midenok on Mon Dec 01, 2014 12:34 pm, edited 1 time in total.
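Added example (not code from the thread or from MikroTik): a Python check that parses the policy listing and the `no policy found` debug line above and lists which non-template policies cover the requested selector on address, port and protocol. It assumes plain selector equality, a simplification of RouterOS's real matching; when it reports a match, as it does for policy 1 here, the attributes the debug line does not show are where to compare next.

```python
import ipaddress
import re

# Constructed sample input: the static policy table and the debug line from the post above.
POLICY_PRINT = """\
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
 1     src-address=0.0.0.0/0 src-port=any dst-address=192.168.35.0/24 dst-port=any protocol=all
       action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=195.90.80.70
       sa-dst-address=37.107.11.12 proposal=default priority=2
"""
DEBUG_LINE = "ipsec,debug no policy found: 0.0.0.0/0[0] 192.168.35.0/24[0] proto=any dir=in"

def parse_policies(text):
    """Turn `/ip ipsec policy print` output into one dict per policy: id, flags and key=value fields."""
    policies = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+([A-Z*\s]*?)\s*(\S+=.*)$", line)
        if m:  # first line of an entry: number, optional flags (T, D, X, *), then fields
            policies.append({"id": int(m.group(1)), "flags": set(m.group(2).replace(" ", ""))})
            body = m.group(3)
        elif policies and line.strip():  # wrapped continuation line of the previous entry
            body = line.strip()
        else:
            continue
        policies[-1].update(kv.split("=", 1) for kv in body.split())
    return policies

def parse_request(line):
    """Extract the selector RouterOS could not match from a `no policy found` debug line."""
    m = re.search(r"no policy found: (\S+)\[(\d+)\] (\S+)\[(\d+)\] proto=(\S+) dir=(\S+)", line)
    src, sport, dst, dport, proto, direction = m.groups()
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto, "dir": direction}

def same_net(a, b):
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)

def selector_matches(policy, req):
    """Assumed rule: equal src/dst networks, compatible ports and protocol; template rows never match."""
    if "T" in policy["flags"]:
        return False
    proto = policy.get("protocol", "all")
    port_ok = lambda pol, got: pol == "any" or pol == got  # "[0]" in the debug line means any port
    return (same_net(policy["src-address"], req["src"]) and same_net(policy["dst-address"], req["dst"])
            and port_ok(policy.get("src-port", "any"), req["sport"])
            and port_ok(policy.get("dst-port", "any"), req["dport"])
            and (proto == "all" or req["proto"] == "any" or proto == req["proto"]))

def matching_policy_ids(text, line):  # ids of non-template policies whose selector covers the request
    req = parse_request(line)
    return [p["id"] for p in parse_policies(text) if selector_matches(p, req)]
```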
 
midenok
newbie
Topic Author
Posts: 39
Joined: Fri Dec 27, 2013 5:34 pm

Re: IPSec can't find static policy

Mon Dec 01, 2014 12:28 pm

bump

Though enabling the static policy turns off access from the home network (192.168.35.0/24). This means that the policy actually works; only it can't be matched by the connected IPSec client.

It is not a chicken-and-egg problem, because the dynamic policy works perfectly well when the static policy is ON.