@emils: That explains it all. I was not expecting an invalid status on an inactive policy. Screenoutput above the output mentions the I means invalid, however it means Inactive in this case.

@erkexzcx: The link you refer to use certificates, I plan on using PSK. Not as secure as certificates, but it is just a private link. I have two other policies with exactly the same configuration and they do not give an error. One is to another mikrotik router and the other is StrongSwan running on ...

I am trying to setup another GRE over IPSEC tunnel, but run into the issue that the policy I want to create immediately gets the status 'Invalid': [admin@router] /ip ipsec policy> print detail Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 0 T X* gro...

@CZfan: Rebooted the router (R1), but still all local addresses of router R1 show up on router R2 in the '/mpls ldp neighbor' menu (and v.v.)

@mducharme: advertise-filters have been set, but still all addresses show up in the neigbor status page. Not a big issue, but I was just wondering whether this is normal behaviour or not.

What you probably need is an mDNS reflector.

Open-WRT supports this, not sure if DD-WRT does also.

More on mDNS: https://en.wikipedia.org/wiki/Multicast_DNS

I am new to MPLS/VPLS, so bear with me regarding the following question: I have MPLS running between two sites (testing a VPLS tunnel) and noticed that when checking the ldp neighbor status on router R2 it shows all local addresses that are configured on router R1 (and v.v.): R2: [admin@R2] /mpls ld...

Managed to get it working: The vlan interface carrying the multicast traffic should be added to the list of interfaces too (under ' /routing pim interfaces '; Previously, I only added the bridge interface for the physical ports, assuming the bridge vlan filtering would take care of moving the traffi...

Issue: I cannot get multicast routing to work between 2 Mikrotik routers. I am using the example provided in the Mikrotik Wiki: Example Router A: Type: RB750Gr3 (hEX) Subnet I = 192.168.10.0/24 Tunnel IP: 10.0.0.5/30 Router B: Type: RB760iGS (hEX S) Subnet III = 192.168.11.0/24 Tunnel IP: 10.0.0.6/3...

Does your server certificate contain a SAN dns entry? From the wiki (/ip ipsec identity): my-id=auto - tries to use correct ID automatically: IP for pre-shared key, SAN (DN if not present) for certificate based connections When generating the server (and client) certificate, be sure to add an SAN dn...

Got it working. This is how: Create a self-signed CA certificate: /certificate add name="My CA" digest-algorithm=sha256 key-type=rsa country="NL" state="NH" locality="Amsterdam" organization="My Organization" unit="ICT" common-name="My...

Been a while since I got to play any further with connecting my iPhone to a Mikrotik router, but today I gave it another try. Unfortunately I do not have it working yet. The IPSEC tunnel seems to live (SA's are established), but the iPhone still disconnects with a 'User Authentication failed'. 1.1.1...

Problem solved! Turns out that lowering the crypto level for phase 1 (profile) and phase 2 (proposal) solves the issue. I made the following changes: Profile: [admin@router] /ip ipsec profile print Flags: * - default 4 name="vpn-s2s" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=...

I am trying to setup an GRE over IPsec tunnel between a Mikrotik router (RB750Gr3; Running RouterOS 6.46.4) and a Raspberry Pi running IPsec-Tools and Racoon (The Pi is still running Raspbian Stretch). While setting up a GRE tunnel is fairly easy (and so is IPsec when you get the hang of it), the co...

Setting 'my-id=auto' and 'remote-id=auto' did not work, it keeps erroring out with the previous mentioned error. Just for the sake of it I also recreated all certificates (including the CA) on the router itself, did not help either. For now I reverted back to OpenVPN (running on my server, not on th...

I am trying to setup a VPN between my iPhone and my Mikrotik router, but the process fails with the following error: ' error identity not found for server:server.example.com peer: FQDN: iphone . Here is the full ipsec log from the Mikrotik router: 17:35:12 ipsec -> ike2 request, exchange: SA_INIT:0 ...

To answer my own question: Turns out that setting the 'IKE phase 1 proposal' to a fixed setting in the Draytek did the trick: http://i.imgur.com/3XtiAwu.png There are several options, even a combination of proposals or 'auto', but setting it to a fixed value did the trick. Both tunnels stay up, the ...

I am experiencing some change behaviour with an IPsec Lan2Lan tunnel between a Draytek router (remote) and a Mikrotik RB750Gr3 (local), where the tunnel for the second subnet disconnects after approximately 45 seconds. The local router (Mikrotik) has two subnets (192.168.88.0/24 and 192.168.130.0/24...