Hi all,
I’ve always had an IPSec tunnel between two Mikrotiks (using public IP) and everything has always worked well.
Today I had to change one of the two public IPs designated for the tunnel. I updated the configuration with the new IP in the peer, the NAT, the route, etc.
The peer is established correctly (Active Peers > State=established). The problem is that the Installed SAs still remain with the old IP, so Phase 2 is not successful.
I’ve already tried rebooting both MikroTiks and also using the Flush button, but the Installed SAs still remain with the old IP.
Have you also updated the sa-dst-address in /ip ipsec policy? If yes, post both configurations; see my automatic signature below regarding anonymisation.
If disabling and re-enabling one of the peers doesn’t help, post your configuration exports (check my automatic signature below for anonymisation hints). If you cannot change sa-dst-address manually, it must have been created dynamically and should thus follow the peer address.
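Added example (not posted by anyone in this thread) of how the two checks suggested above look on the RouterOS CLI: find a static policy still carrying the old endpoint in sa-dst-address, repoint it, flush the stale SAs and bounce the peer. OLD_IP, NEW_IP and PEER_NAME are placeholders.

```routeros
# Added example, not from this thread. OLD_IP / NEW_IP are placeholders for the
# previous and current tunnel endpoint, PEER_NAME for the name of the IPsec peer.

# 1. List static policies whose SA destination still points at the old endpoint
/ip ipsec policy print detail where sa-dst-address=OLD_IP

# 2. Repoint them at the new endpoint (only for static policies;
#    a dynamic policy is generated from the peer and follows its address)
/ip ipsec policy set [find sa-dst-address=OLD_IP] sa-dst-address=NEW_IP

# 3. Drop the stale phase-2 SAs so they are renegotiated with the corrected
#    selector, then disable/enable the peer to redo phase 1 as well
/ip ipsec installed-sa flush
/ip ipsec peer disable [find name=PEER_NAME]
/ip ipsec peer enable [find name=PEER_NAME]

# 4. Verify: the peer should be established and the SAs should now show NEW_IP
/ip ipsec active-peers print
/ip ipsec installed-sa print
```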
Looks like there is still a bug with dynamic policies and addresses. I am suffering from a similar issue where I have duplicate policies, one with the old dynamic address and one with the new dynamic address. I am already in contact with MikroTik support.