Hello
I have several branches connected via IP tunnel (IPsec) and all is well,
but during the night they turn off their equipment and my logs are filled with
phase1 negotiation failed due to time up 192.168.121.100[500]<=>192.168.121.26[500] 8810e0c9c53de3e9:0000000000000000
How can I disable logging for certain interfaces?!
Thank you
Sadly, there is no way to selectively suppress IPsec logs per peer (or interface logs per interface, …). If you can set the peers at your side to passive mode, you can reduce that to a single error as the branch disconnects.
One of the parameters of an /ip ipsec peer item is passive; if you set it to yes, the device will only act as a responder for that peer, i.e. it will not try to establish a connection to it actively (that is, act as an initiator). With passive set to no, which is the default, it does both.
If you use IPIP or similar tunnels and ask RouterOS to create the IPsec configuration dynamically by setting the ipsec-secret item, you’ll have to convert that dynamically created configuration to a manual one to be able to change the passive setting for the peer.
That’s the case I have anticipated above - you’ve told RouterOS to create the IPsec configuration providing the IPsec encryption for the IPIP tunnel for you automatically, by setting ipsec-secret parameter of the row of /interface/ipip to a non-empty string. In particular, RouterOS creates items in /ip/ipsec branches peer, policy, and identity, using the default item in profile and a policy template in group default, which in turn refers to the default item proposal.
So on the central site, for each IPIP tunnel, you have to create a copy of the corresponding peer, give it another name, and create a copy of the policy and identity and link them to that added peer. Once you do that, you can set the ipsec-secret parameter of the corresponding row of /interface/ipip to an empty string, which will remove the dynamically created items and keep only their “manually configured” copies in place, taking over their role. And then you can set the passive parameter of the peer item to yes, finally reaching the goal of the exercise.
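The procedure from the two answers above (copy the dynamic peer/identity/policy, clear ipsec-secret, then set passive=yes), written out as RouterOS v7 CLI commands for the central site. This is an added example, not code from the thread; the interface name ipip-branch1, the pre-shared key "branch1-psk", and the assumption that 192.168.121.100 is the central endpoint and 192.168.121.26 the branch endpoint are illustrative and must be replaced with the values shown by the print commands in step 1.

```routeros
# Central site only. Assumed values for illustration:
#   192.168.121.100 = local (central) IPIP endpoint
#   192.168.121.26  = remote (branch) IPIP endpoint
#   ipip-branch1    = existing IPIP interface configured with ipsec-secret
#   "branch1-psk"   = the ipsec-secret currently set on that interface

# 1. Look at what RouterOS created dynamically so the manual copies match it
#    (exchange-mode, profile, proposal, policy addresses and protocol).
/ip/ipsec/peer print detail where dynamic
/ip/ipsec/identity print detail where dynamic
/ip/ipsec/policy print detail where dynamic

# 2. Manual copy of the peer under a new name. Copy exchange-mode and
#    profile from the dynamic item if they differ from the defaults.
/ip/ipsec/peer add name=branch1-static address=192.168.121.26/32 \
    profile=default comment="manual copy of the dynamic IPIP peer"

# 3. Manual copy of the identity: same pre-shared key the tunnel used as
#    ipsec-secret, linked to the new peer.
/ip/ipsec/identity add peer=branch1-static auth-method=pre-shared-key \
    secret="branch1-psk" generate-policy=no

# 4. Manual copy of the policy: it protects the IPIP packets themselves
#    (protocol ipencap) between the two endpoints in transport mode.
/ip/ipsec/policy add peer=branch1-static src-address=192.168.121.100/32 \
    dst-address=192.168.121.26/32 protocol=ipencap action=encrypt \
    level=require ipsec-protocols=esp tunnel=no proposal=default

# 5. Only now clear ipsec-secret: the dynamic peer, identity and policy are
#    removed and the manual copies take over their role.
/interface/ipip set [find name=ipip-branch1] ipsec-secret=""

# 6. Make the central side a responder only, so it stops logging a failed
#    phase 1 every retry while the branch is powered off.
/ip/ipsec/peer set branch1-static passive=yes

# 7. Verify: no dynamic items left, peer shows passive, SA still comes up
#    when the branch initiates.
/ip/ipsec/peer print where name=branch1-static
/ip/ipsec/policy print where peer=branch1-static
/ip/ipsec/active-peers print
```

Keep the branch side unchanged (still using ipsec-secret, hence still an active initiator); with the central peer passive, the tunnel is re-established as soon as the branch powers on and initiates, and the central router no longer produces the "phase1 negotiation failed due to time up" line on every retry. Do step 5 only after steps 2 to 4 have succeeded, because clearing ipsec-secret removes the dynamic items immediately; if the router refuses to add a second peer with the same address while the dynamic one exists, add the copies with disabled=yes and enable them right after step 5 (this is an assumption about the version in use, not something stated in the thread).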