Hi,
I’m doing an IPSec configuration on MikroTik with a Fortigate 100D, but it is showing me the following error. The MikroTik device is configured with Internet access.

The log tells you that an IPsec policy for exactly the same combination of local and remote subnet already exists in your configuration at the moment when the phase2 processing is trying to add it.
So either you have configured the necessary policy manually and in parallel the peer is set with generate-policy set to something else than no, or you have another running IPsec connection in place which has the same policy associated.
If these hints do not help, follow the instructions in my automatic signature, plus add the output of /ip ipsec policy print and /ip ipsec installed-sa print while the peer representing the Fortigate is active.
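
The two causes named in the reply above can be checked offline against a configuration export. The following is an added example, not part of the original thread: it assumes a simplified export with one `add` line per entry and `generate-policy` set on the peer (as the reply describes), and the sample configuration and addresses are constructed.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample in the style of a RouterOS export; addresses are
# documentation ranges, and secrets/proposals are omitted for brevity.
SAMPLE_EXPORT = """\
/ip ipsec peer
add address=203.0.113.2/32 generate-policy=port-strict
add address=198.51.100.7/32 generate-policy=no
add address=198.51.100.9/32
/ip ipsec policy
add src-address=192.168.88.0/24 dst-address=10.10.0.0/24 sa-src-address=192.0.2.1 sa-dst-address=203.0.113.2 tunnel=yes
add src-address=192.168.88.0/24 dst-address=10.20.0.0/24 sa-src-address=192.0.2.1 sa-dst-address=198.51.100.7 tunnel=yes
add src-address=192.168.88.0/24 dst-address=10.20.0.0/24 sa-src-address=192.0.2.1 sa-dst-address=198.51.100.9 tunnel=yes
"""

def parse_export(text):
    """Return {menu: [{key: value}, ...]} for the 'add' lines under each menu."""
    menus, menu = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            menus[menu].append(dict(pairs))
    return menus

def find_conflicts(text):
    menus = parse_export(text)
    policies = [p for p in menus["/ip ipsec policy"] if p.get("template") != "yes"]
    findings = []
    # Cause 1: a manual policy toward a peer that also generates policies.
    for peer in menus["/ip ipsec peer"]:
        if peer.get("generate-policy", "no") == "no":
            continue
        net = ipaddress.ip_network(peer["address"], strict=False)
        for p in policies:
            if "sa-dst-address" in p and ipaddress.ip_address(p["sa-dst-address"]) in net:
                findings.append(("manual+generated", p["src-address"], p["dst-address"], peer["address"]))
    # Cause 2: the same local/remote subnet pair associated with more than one connection.
    by_selector = defaultdict(list)
    for p in policies:
        by_selector[(p["src-address"], p["dst-address"])].append(p.get("sa-dst-address", "?"))
    for (src, dst), peers in by_selector.items():
        if len(peers) > 1:
            findings.append(("duplicate-selector", src, dst, ",".join(peers)))
    return findings
```

Each finding names the subnet pair to look for in the output of /ip ipsec policy print on the router.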

Did you find a solution to this? I am getting the exact same error in the IPSEC log for one of my tunnel policies. It just started last week, with no changes to the router that should have caused this. The only fix is to reboot the router, and then it works. Flushed SAs and that did not help.

Could it be that the roles of initiator and responder are not explicitly specified for each peer (using send-initial-contact at Mikrotik side, no idea how to set that at Fortigate side), so both peers initiate the IPsec “session” almost at the same time and one of them succeeds a small while before the other one, so the other one reports a policy conflict? Normally this should not happen if there is no NAT involved in the scenario as the sa-dst-address and sa-src-address should be the same for both policies, but there may be a bug in the part comparing the sa-addresses which has not been discovered as this happens just rarely?
To investigate more of the log is the only chance to see what else is going on before this failure.