invalid ipsec policy when defined manually

Hi,

I have noticed an issue with the RB751U-2HnD and version 5.22 (I did not try the older 5.19 that was installed, since my wife had issues there with wifi and Windows 7 - it worked flawlessly with my Gentoo :wink: ).

So I configured a few VPN IPsec tunnels and noticed something weird. When I try to define a static policy it ends up being invalid, but if I create a peer with "create dynamic policy" enabled it creates the same rules and they work normally.

So these are the static ones:
[admin@MikroTik] /ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=10.0.0.0/8 src-port=any dst-address=172.16.250.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=my_static_ip sa-dst-address=remote_peer_ip proposal=default priority=2

1 I src-address=172.16.250.0/24 src-port=any dst-address=10.0.0.0/8 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=remote_peer_ip sa-dst-address=my_static_ip proposal=default priority=2

Dynamic ones:
[admin@MikroTik] /ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - inactive
0 D src-address=10.0.0.0/8 src-port=any dst-address=172.16.250.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=my_static_ip sa-dst-address=remote_peer_ip proposal=default priority=2

1 D src-address=10.0.0.0/8 src-port=any dst-address=172.16.250.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=my_static_ip sa-dst-address=remote_peer_ip proposal=default priority=2

2 D src-address=172.16.250.0/24 src-port=any dst-address=10.0.0.0/8 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=remote_peer_ip sa-dst-address=my_static_ip proposal=default priority=2

I would call it a bug in 5.22, but I want to confirm with the rest of you first.

BR,

Josip

You need only one static policy.

IPsec creates three dynamic policies only to show what is installed in the kernel.
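To make the point of this reply checkable, here is an added example (not part of the thread, and not MikroTik code) that parses the `/ip ipsec policy print` output pasted above and flags two things on static policies: the `I` (inactive) flag the poster saw, and a second static policy that is merely the mirror of another one (selectors and SA endpoints swapped), which is the redundant entry this reply says is not needed. The sample text is a constructed copy of the two static policies from the first post, with the placeholders my_static_ip / remote_peer_ip kept as the poster wrote them; the flag letters are taken from the header line RouterOS prints.

```python
# Added example (not from the thread): parse RouterOS `/ip ipsec policy print`
# output and flag static policies that are inactive or that merely mirror
# another static policy.  SAMPLE_STATIC is a constructed copy of the two
# static policies pasted in the thread, placeholders left as posted.
from dataclasses import dataclass

SAMPLE_STATIC = """\
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=10.0.0.0/8 src-port=any dst-address=172.16.250.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=my_static_ip sa-dst-address=remote_peer_ip proposal=default priority=2

1 I src-address=172.16.250.0/24 src-port=any dst-address=10.0.0.0/8 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=remote_peer_ip sa-dst-address=my_static_ip proposal=default priority=2
"""

# Flag letters documented by the "Flags:" header line of the print output.
FLAG_LETTERS = {"X", "D", "I"}


@dataclass
class Policy:
    index: int
    flags: set
    attrs: dict

    @property
    def dynamic(self):
        return "D" in self.flags

    @property
    def inactive(self):
        return "I" in self.flags


def parse_policies(text):
    """Turn print output into Policy objects; header and blank lines are skipped."""
    policies = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or not tokens[0].isdigit():
            continue
        index = int(tokens[0])
        flags = set()
        pos = 1
        # Flag letters sit between the index and the first key=value token.
        while pos < len(tokens) and tokens[pos] in FLAG_LETTERS:
            flags.add(tokens[pos])
            pos += 1
        attrs = dict(tok.split("=", 1) for tok in tokens[pos:])
        policies.append(Policy(index, flags, attrs))
    return policies


def is_mirror(a, b):
    """True when b is a's reverse direction: traffic selectors and SA endpoints swapped."""
    return (
        a.attrs.get("src-address") == b.attrs.get("dst-address")
        and a.attrs.get("dst-address") == b.attrs.get("src-address")
        and a.attrs.get("sa-src-address") == b.attrs.get("sa-dst-address")
        and a.attrs.get("sa-dst-address") == b.attrs.get("sa-src-address")
    )


def find_issues(policies):
    """Return (index, reason) pairs for static policies that look wrong.

    Dynamic (D) policies are skipped: they only show what the kernel installed.
    """
    issues = []
    static = [p for p in policies if not p.dynamic]
    for p in static:
        if p.inactive:
            issues.append((p.index, "inactive (I flag): policy is not installed"))
    for a in static:
        for b in static:
            if a.index < b.index and is_mirror(a, b):
                issues.append(
                    (b.index, f"mirrors static policy {a.index}; one static policy per tunnel is enough")
                )
    return issues


def diagnose(text):
    """Parse print output and report problems in one call."""
    return find_issues(parse_policies(text))


if __name__ == "__main__":
    for index, reason in diagnose(SAMPLE_STATIC):
        print(f"policy {index}: {reason}")
```

Run against the static output from the first post, `diagnose` reports policy 1 twice: once as inactive and once as the mirror of policy 0. Run against the dynamic listing it reports nothing, because every entry there carries the `D` flag and is skipped.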

Even though I created both policies, since one is invalid it should have worked without a problem with the valid one. Unfortunately that is not the case.

Any ideas? I can live with the dynamic ones, but would prefer them to be manually defined.

Doesn't help either. But as mentioned, it would not matter, since even though one policy is invalid the other valid one should have worked. So I have to conclude that this version is not working with static policies.

Another thing that seems to be broken is Send Initial Contact. If I understand the manual correctly, when this option is enabled the Routerboard should initiate the tunnel. Running tcpdump proves no initiating packets are sent to the other side of the tunnel and nothing gets initiated.