IPsec cannot set policy level to unique

aequitasnl · May 17, 2017, 11:36am

I’m trying to setup ipsec with multiple roadwarrior clients. To my knowledge the policy needs to be set to unique for multiple clients to be connected simultaneously. However when trying to set the policy level to unique (per https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_Ikev2_RSA_auth) it has no effect.
I tried using:

console
webif
default template
new template

Also I’m often noticing when editing ipsec peer entries the mode-config attribute get unset sometimes. I have not pinnen on why it happens or what other change might be related. Only experienced in webif so far, not tested in console.

I am running 6.39.1 (current). No error messages or log entries are available related to this issue.

Could this be a bug or am I missing some prerequisite to setting this level?

aequitasnl · May 17, 2017, 9:20pm

I did some testing with winbox, different router, different version.

Both 6.39.1 and 6.40rc5 exhibit the problem

In Winbox there is no problem I can set level to unique on both versions. I can also change other parameters like tunnel.

If the setting has been changed in Winbox the change does not show up in webfig. The generated policy from a connection however does show unique as setting for level. Same as with console.

To me it seems there is a bug in handling this parameter in console and webfig compared to winbox.