mangust
Member Candidate
Topic Author
Posts: 224
Joined: Thu Jun 14, 2007 11:14 am

I Need advice about IPSEC tunnel

Fri Jul 19, 2013 11:39 am

Hello All.
I've installed an RB2011 with ROS 5.25 at the central office.
There are 4 VPN tunnels.
Sometimes the SAs have strange behavior: they do not disappear, and I can't explain why (see attachment).
As I understood, there should be only one pair for each tunnel,
SRC<->DST / DST<->SRC
but sometimes I have 3 of them for each tunnel :(

So, could someone give me brief answers to the following questions?

1. Why do SAs have this behavior? I tend to think that something is wrong with the config, but I have no clue what exactly.

2. If I have the same proposal settings for all tunnels, should I create 4 different proposals, or can I use only one?

3. Send Initial Contact
As I understood, by using "Send Initial Contact" I can set up which side will be the responder.
However, what if the "receiver" is rebooted? Does the responder initiate one more session?
Is it safe to tick "Send Initial Contact" on both sides?

4. Generate-policy
"Allow this peer to establish SA for non-existing policies. Such policies are created dynamically for the lifetime of SA. Automatic policies allows, for example, to create IPsec secured L2TP tunnels, or any other setup where remote peer's IP address is not known at the configuration time. "

This description gives me nothing. :(
As I understood, it is somehow related to the proposal. If the proposal of one side does not equal the one the opposite side has, then:

If I do not tick the box, then the connection will be established
If I tick the box and the proposal does not match the opposite side, then the connection will be
Am I right?
Is it safe to tick "generate-policy" on both sides?

Thank you in advance.
Alex
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: I Need advice about IPSEC tunnel

Fri Jul 19, 2013 11:50 am

When the SA lifetime comes to an end, IPsec generates new SAs and sets them as "mature". The old ones are set as "dying", which indicates that they will soon be deleted.
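As an added example (not from mrz's reply and not RouterOS code), the Python model below tracks one tunnel's SA pairs through rekeying the way the reply describes it: each tunnel has an inbound and an outbound SA, a new pair is negotiated shortly before the old pair's hard lifetime ends and becomes "mature", and the old pair is marked "dying" until its hard lifetime actually expires. The 3600 s lifetime, the 300 s rekey margin and the rule that a pair is deleted exactly at hard expiry are assumptions of this model, not values taken from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    """One security association of a single tunnel (constructed model)."""
    generation: int   # 0 for the first pair, 1 for the first rekey, ...
    direction: str    # "in" or "out"
    created: int      # seconds since the tunnel first came up
    expires: int      # end of the hard lifetime, in seconds


def sa_table(t, lifetime=3600, rekey_margin=300):
    """Return [(SA, state), ...] for one tunnel as seen at time t.

    Assumption of this model: a new pair is negotiated rekey_margin seconds
    before the current pair's hard lifetime ends, and a pair is deleted
    exactly when its hard lifetime ends.
    """
    if rekey_margin >= lifetime:
        raise ValueError("rekey margin must be shorter than the lifetime")
    interval = lifetime - rekey_margin      # time between two negotiations
    latest = t // interval                  # generation negotiated most recently
    table = []
    for gen in range(latest + 1):
        created = gen * interval
        expires = created + lifetime
        if created <= t < expires:          # still within its hard lifetime
            state = "mature" if gen == latest else "dying"
            for direction in ("in", "out"):
                table.append((SA(gen, direction, created, expires), state))
    return table


def count_states(t, **kw):
    """Number of mature and dying SAs of the tunnel at time t."""
    counts = {"mature": 0, "dying": 0}
    for _, state in sa_table(t, **kw):
        counts[state] += 1
    return counts


def seconds_until_dying_sas_are_deleted(t, **kw):
    """The 'but when?' question: seconds until the last dying SA expires (0 if none)."""
    remaining = [sa.expires - t for sa, state in sa_table(t, **kw) if state == "dying"]
    return max(remaining) if remaining else 0


if __name__ == "__main__":
    for t in (100, 3400, 3700):
        print(t, count_states(t), seconds_until_dying_sas_are_deleted(t))
```

Outside the rekey window the model shows 2 mature SAs per tunnel; inside it, 2 mature plus 2 dying, and the dying pair disappears once its hard lifetime runs out. Running it with a rekey margin that is large relative to the lifetime (for example `lifetime=600, rekey_margin=400`) shows several generations overlapping, so a single tunnel can legitimately show more than one dying pair; checking the lifetime and rekey settings is the first step before suspecting the rest of the configuration.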
 
mangust
Member Candidate
Topic Author
Posts: 224
Joined: Thu Jun 14, 2007 11:14 am

Re: I Need advice about IPSEC tunnel

Fri Jul 19, 2013 1:09 pm

> When the SA lifetime comes to an end, IPsec generates new SAs and sets them as "mature". The old ones are set as "dying", which indicates that they will soon be deleted.

Well yes, dying means they are going to die (but when?) :)

Why are there 2 dying and 2 mature for 1 VPN tunnel?
So, it's 8 SAs for one tunnel; is that OK?
Is it safe to tick "Send Initial Contact" on both sides?
Is it safe to tick "generate-policy" on both sides?
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: I Need advice about IPSEC tunnel

Fri Jul 19, 2013 1:16 pm

Are you sure it is for the same tunnel?

You can set send-initial-contact on both ends; it will work. But if you want one peer to be passive, then you should use the passive parameter instead of send-initial-contact.
Generate-policy on both sides will not work.
 
mangust
Member Candidate
Topic Author
Posts: 224
Joined: Thu Jun 14, 2007 11:14 am

Re: I Need advice about IPSEC tunnel

Fri Jul 19, 2013 1:29 pm

> Are you sure it is for the same tunnel?
> Generate-policy on both sides will not work.

Yes, I'm pretty sure that this is the same tunnel.
I have both generate-policy and initial contact ticked on both sides, and it works (somehow) :o !
I'm going to leave generate-policy only in the main office and will untick it on the branches.
Do you think this will be a good idea?
 
mangust
Member Candidate
Topic Author
Posts: 224
Joined: Thu Jun 14, 2007 11:14 am

Re: I Need advice about IPSEC tunnel

Fri Jul 19, 2013 4:30 pm

> Generate-policy on both sides will not work.

Dear MRZ,
Sorry for bothering again, but could you briefly explain how it works, and why it should not be ticked on both sides?
Also, what if the opposite side is Cisco or Checkpoint or TMG, or any other vendor?
Should we tick the generate-policy box on MT?

I was trying to find a similar parameter on Cisco but with no luck, so apparently it's a kind of proprietary MT setting.

Could you please clarify this setting in a bit more depth?
Thank you in advance!

P.S.
Anyone else?
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: I Need advice about IPSEC tunnel

Fri Jul 19, 2013 4:38 pm

It is not proprietary.

The remote peer sends a proposal with policy source and destination addresses; then, from this information:
* if static policies are configured, compare to see if there is a match
* if generate-policy is configured and none of the static policies match, then make dynamic ones from the received information.

So obviously, if there are no static policies and generate-policy is set on both ends, then a working tunnel is not possible.
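To make the two bullet points concrete, here is an added Python model of the responder-side decision described above. It is not MikroTik code; the `Peer`, `respond` and `establish` names and the exact-match comparison of policy selectors are simplifying assumptions. It reproduces three configurations from the thread: static policies on both ends, generate-policy on the hub only (mangust's plan), and generate-policy on both ends with no static policy, which leaves neither side with selectors to propose.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class Peer:
    """Constructed model of one IPsec peer's policy settings."""
    name: str
    generate_policy: bool
    # static policies as (src_net, dst_net) pairs, from this peer's point of view
    static_policies: list = field(default_factory=list)
    dynamic_policies: list = field(default_factory=list)


def policy(src, dst):
    return (ip_network(src), ip_network(dst))


def respond(responder, proposed_src, proposed_dst):
    """Responder logic: match a static policy, else generate one, else reject.

    The initiator's (src, dst) is mirrored on the responder, so the responder
    looks for (dst, src). Requiring an exact match is a simplification.
    """
    wanted = (proposed_dst, proposed_src)
    if wanted in responder.static_policies:
        return "static-match"
    if responder.generate_policy:
        responder.dynamic_policies.append(wanted)   # exists for the SA lifetime
        return "dynamic-created"
    return "no-matching-policy"


def establish(initiator, responder):
    """One negotiation attempt: the initiator proposes its first static policy."""
    if not initiator.static_policies:
        # A peer with only generate-policy has no selectors to propose.
        return "initiator-has-no-policy"
    src, dst = initiator.static_policies[0]
    return respond(responder, src, dst)


def tunnel_possible(a, b):
    """True if either peer can bring the tunnel up."""
    ok = {"static-match", "dynamic-created"}
    return establish(a, b) in ok or establish(b, a) in ok


def scenarios():
    """Outcomes of the three configurations discussed in the thread."""
    branch_net, hub_net = "10.1.0.0/24", "10.0.0.0/24"   # constructed sample nets

    # 1. static policies on both ends, no generate-policy
    hub = Peer("hub", False, [policy(hub_net, branch_net)])
    branch = Peer("branch", False, [policy(branch_net, hub_net)])
    both_static = establish(branch, hub)

    # 2. generate-policy only on the hub, static policy on the branch
    hub = Peer("hub", True)
    branch = Peer("branch", False, [policy(branch_net, hub_net)])
    hub_generates = establish(branch, hub)
    hub_dynamic = len(hub.dynamic_policies)

    # 3. generate-policy on both ends and no static policy anywhere
    hub = Peer("hub", True)
    branch = Peer("branch", True)
    both_generate = tunnel_possible(hub, branch)

    return both_static, hub_generates, hub_dynamic, both_generate


if __name__ == "__main__":
    print(scenarios())
```

Case 3 is the situation the reply rules out: each side waits for the other to propose selectors and nothing is ever negotiated. Case 2 shows why leaving generate-policy on the main office only does work, as long as every branch carries a static policy that it can propose.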
