Identity selection when Mikrotik working as initiator in ipsec

I have two questions regarding identity /ip/ipsec/identity selection.

  1. can the same identity be shared among several peer configurations? I read somewhere that it can, but from what I see the peer=xxx field is mandatory in identity.

  2. How does Mikrotik select the identity when working as INITIATOR?
     My understanding is that if Mikrotik is working as initiator, then the flow is as follows:

     1. Mikrotik periodically scans the /ip/ipsec/peer table and detects that it has a peer with passive=no, so it will try to establish a connection. Let’s assume it is

        /ip/ipsec/peer add name=test passive=no etc....

     2. It will scan all the identity configurations that can be used - that is, all that have peer=test.

Now the question:

  • will it just find the first matching identity and try to use it?
  • or will it place all matching identities somehow together in the IKE_AUTH packet?
  • or will it send IKE_AUTH packets in parallel for each matching identity, possibly creating parallel connections?
  • or will it try all matching identity members one by one until it finds one that successfully connects?

It may be a misinterpretation. Multiple “peers” as in “remote devices” can indeed match (hence “use”) the same row in the identity table on the responder if all of them use the same ID-I and ID-R; a single row in the identity table cannot be linked to multiple rows in the peer table.


If you try to link a second identity row to a peer with passive=no, you get an error message “failure: initiator peer can have only one identity”. I guess that answers all the questions at once.
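A constructed RouterOS CLI walk-through of the constraint described in the reply above (added here, not part of the original thread); the peer address, FQDN identities and secret are placeholders:

```routeros
# Constructed example: an initiator peer (passive=no) and one identity row for it.
# 192.0.2.1, the fqdn values and PLACEHOLDER are assumed placeholder values.
/ip/ipsec/peer add name=test address=192.0.2.1/32 exchange-mode=ike2 passive=no
/ip/ipsec/identity add peer=test auth-method=pre-shared-key secret=PLACEHOLDER my-id=fqdn:branch.example remote-id=fqdn:hub.example

# Attempting to link a second identity row to the same initiator peer is rejected
# with the message quoted in the reply:
/ip/ipsec/identity add peer=test auth-method=pre-shared-key secret=PLACEHOLDER my-id=fqdn:branch2.example remote-id=fqdn:hub.example
# failure: initiator peer can have only one identity

# Responder side (passive=yes): one identity row serves every remote device that
# presents the same ID-I/ID-R pair and the matching secret. Matching on remote-id
# keeps this pre-shared key from being offered to peers that send a different ID.
/ip/ipsec/peer add name=hub-listener exchange-mode=ike2 passive=yes
/ip/ipsec/identity add peer=hub-listener auth-method=pre-shared-key secret=PLACEHOLDER my-id=fqdn:hub.example remote-id=fqdn:branch.example match-by=remote-id
```

If several initiators need different identities, give each its own peer row with passive=no and attach exactly one identity to each.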