I have yet to figure out how to use the new ipsec policy templates, but during some testing I found this rather weird behavior on 6.19 and 6.20.
The idea was that I wanted to get a list of all ipsec policies, so I tried this:
:put [:len [/ip ipsec policy find]]
Sadly it also returned the templates which I was not interested in.
So I went to the logical step and tried this:
:put [:len [/ip ipsec policy find template=no]]
Only it didn’t return anything at all.
I then for fun tried this:
:put [:len [/ip ipsec policy find template=yes]]
This actually returned the template and nothing else as expected.
Here is a console dump:
[admin@router] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
1 src-address=xxx.xxx.xxx.0/24 src-port=any dst-address=xxx.xxx.xxx.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=xxx.xxx.xxx.xxx sa-dst-address=xxx.xxx.xxx.xxx proposal=default priority=0
2 src-address=xxx.xxx.xxx.0/24 src-port=any dst-address=xxx.xxx.xxx.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=xxx.xxx.xxx.xxx sa-dst-address=xxx.xxx.xxx.xxx proposal=default priority=0
[admin@router] > :put [:len [/ip ipsec policy find]]
3
[admin@router] > :put [:len [/ip ipsec policy find template=no]]
0
[admin@router] > :put [:len [/ip ipsec policy find template=yes]]
1
I am guessing it is happening because the non-template policies don’t even have a “template” field, and therefore are not “no”.
PS: Hope this is the correct place to post a bug report.