I have an issue where when a second ike2 client connects, it boots the first one. I’m using mode-config to define static addresses for the clients and I’ve tried creating two policy groups, but I can’t seem to get it to work. This is what I have:
/ip ipsec mode-config
add address=10.10.10.1 address-prefix-length=32 name=user1vpn
add address=10.10.10.2 address-prefix-length=32 name=user2vpn
/ip ipsec policy group
add name=ike2-policies-user1vpn
add name=ike2-policies-user2vpn
/ip ipsec profile
add name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add name=ike2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=server generate-policy=port-strict match-by=certificate mode-config=user1vpn peer=ike2 policy-template-group=ike2-policies-user1vpn remote-certificate=user1cert
add auth-method=digital-signature certificate=server generate-policy=port-strict match-by=certificate mode-config=user2vpn peer=ike2 policy-template-group=ike2-policies-user2vpn remote-certificate=user2cert
/ip ipsec policy
add dst-address=10.10.10.1/32 group=ike2-policies-user1vpn proposal=ike2 src-address=0.0.0.0/0 template=yes
add dst-address=10.10.10.2/32 group=ike2-policies-user2vpn proposal=ike2 src-address=0.0.0.0/0 template=yes
Then I have two different hEX S units connecting with normal config. They both connect, but when user2 connects, user1 is booted with:
10:40:56 echo: ipsec SPI fcde84727b8f739 not registered for [1024]
I also tried a policy of:
add dst-address=10.10.10.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
And a common policy group, but got the same results.
I really need static IP addresses for other stuff I need to do over the tunnel.
Help is much appreciated!
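As an added illustration (not part of the forum post and not MikroTik code), here is a small consistency checker for the kind of `/ip ipsec` export pasted above. It parses the `/ip ipsec ...` section headers and `add key=value` lines, then cross-checks that every identity points at an existing mode-config entry and policy-template-group, that the template policy in that group actually covers the mode-config address, and that no two identities hand out the same address. The `check_text` function and the treatment of a missing `policy-template-group` as RouterOS's built-in `default` group are assumptions of this example; the sample export is the one from the post.

```python
"""Cross-reference checker for a RouterOS `/ip ipsec` export (added example)."""
import ipaddress
import re
from collections import defaultdict

# Sample export copied from the forum post (per-user mode-config and policy groups).
SAMPLE = """\
/ip ipsec mode-config
add address=10.10.10.1 address-prefix-length=32 name=user1vpn
add address=10.10.10.2 address-prefix-length=32 name=user2vpn
/ip ipsec policy group
add name=ike2-policies-user1vpn
add name=ike2-policies-user2vpn
/ip ipsec profile
add name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add name=ike2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=server generate-policy=port-strict match-by=certificate mode-config=user1vpn peer=ike2 policy-template-group=ike2-policies-user1vpn remote-certificate=user1cert
add auth-method=digital-signature certificate=server generate-policy=port-strict match-by=certificate mode-config=user2vpn peer=ike2 policy-template-group=ike2-policies-user2vpn remote-certificate=user2cert
/ip ipsec policy
add dst-address=10.10.10.1/32 group=ike2-policies-user1vpn proposal=ike2 src-address=0.0.0.0/0 template=yes
add dst-address=10.10.10.2/32 group=ike2-policies-user2vpn proposal=ike2 src-address=0.0.0.0/0 template=yes
"""

# key=value tokens; values may be double-quoted and contain spaces.
TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return {section header: [ {key: value}, ... ]} for every `add` line."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # e.g. "/ip ipsec identity"
            current = line
        elif line.startswith("add ") and current is not None:
            entry = {k: v.strip('"') for k, v in TOKEN.findall(line[4:])}
            sections[current].append(entry)
    return sections


def check_identities(cfg):
    """Return a list of findings; an empty list means the references line up."""
    findings = []
    modeconf = {m["name"]: m for m in cfg.get("/ip ipsec mode-config", [])}
    groups = {g["name"] for g in cfg.get("/ip ipsec policy group", [])}
    templates = defaultdict(list)
    for pol in cfg.get("/ip ipsec policy", []):
        if pol.get("template") == "yes":
            templates[pol.get("group", "default")].append(pol)

    seen_addr = {}
    for ident in cfg.get("/ip ipsec identity", []):
        label = f"identity remote-certificate={ident.get('remote-certificate')}"
        mc_name = ident.get("mode-config")
        # Assumption: RouterOS falls back to the built-in "default" group.
        grp = ident.get("policy-template-group", "default")
        if mc_name not in modeconf:
            findings.append(f"{label}: mode-config '{mc_name}' does not exist")
            continue
        if grp != "default" and grp not in groups:
            findings.append(f"{label}: policy group '{grp}' does not exist")
        addr = modeconf[mc_name]["address"]
        if addr in seen_addr:
            findings.append(f"{label}: address {addr} also used by {seen_addr[addr]}")
        seen_addr[addr] = label
        # The generated policy can only be matched by a template whose
        # dst-address contains the address handed out by mode-config.
        covered = any(
            ipaddress.ip_address(addr)
            in ipaddress.ip_network(t.get("dst-address", "0.0.0.0/0"), strict=False)
            for t in templates.get(grp, [])
        )
        if not covered:
            findings.append(f"{label}: no template in group '{grp}' covers {addr}")
    return findings


def check_text(text):
    """Parse an export and return its findings."""
    return check_identities(parse_export(text))


if __name__ == "__main__":
    for finding in check_text(SAMPLE) or ["no inconsistencies found"]:
        print(finding)
```

Running the checker on the post's export reports no cross-reference problems, which narrows the investigation: the per-user addresses, groups and templates reference each other correctly, so the disconnect is not caused by a dangling name or an address that falls outside its template.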