thanks this was the missing info
Post full IPsec debug logs. If I recall correctly, you have to use my-id=key-id when connecting to cisco XAuth server.
only from the accept list ips
So, if you don't have allowed addresses in Winbox IP service, but you have an input accept filter rule with address list for 8291, you're vulnerable?
"20 hour plane ride away", my god
Please don't. Stay on bugfix or Long-term how it's called now.
I'm afraid of upgrading my 941 and 952 devices as they don't have the 60mb for the leak and most of them are remote (like 20 hour plane ride away)
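# Allow Winbox (TCP 8291) only from the LAN range
/ip firewall filter add chain=input action=accept src-address=YourLanRange dst-port=8291 protocol=tcp
# Drop everything else arriving on the WAN interface
/ip firewall filter add chain=input action=drop in-interface=YourWanInterface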
dual chain wireless vs triple chain for hAP ac
The hAP ac2 is missing a few features that the hAP ac had:
- PoE out on ether5
- SFP port
Storage size 16 MB!!!!
hAP ac² - CPU is IPQ-4018 716 MHz
PDF: https://uloz.to/!KboRhNGccV6O/en-datash ... -tower-pdf
Many have raised this bug but no answer yet, perhaps it will be fixed in the next bugfix.
In this release address list entry timeout option is broken! Entry is removed from address list randomly, but much faster than specified amount of time.