I have had many problems with ipsec and I am wondering if anyone else out there is having similar issues. First of all, my policies are invalid, so I disable and re-enable them and then it works fine. Then a couple of days later they seem to just go invalid again, so I repeat. But, today here’s what happened after I disabled and enabled a few policies:
[admin@lizard] ip ipsec policy> pr
TIMEOUT
[admin@lizard] ip ipsec policy> ..
[admin@lizard] ip ipsec> installed-sa
[admin@lizard] ip ipsec installed-sa> pr
TIMEOUT
[admin@lizard] ip ipsec installed-sa> ..
[admin@lizard] ip ipsec> remote-peers pr
TIMEOUT
Even after a reboot the same problem happens.
Also, as there is no documentation on how to install a manual sa can somebody post an example?
I will definitely send the output to support. As for the manual sa, this is because my ipsec peer agreements keep timing out and then as a result somehow the policies get changed to invalid. Then when packets hit the policy they get rejected. The only remedy I found was to disable and enable the policy. I think that the SAs are timing out or something. This seems to be a bug with the Mikrotik software, because this behavior is very inconsistent.
I figure with a manual SA I can set them to have no timeout and hopefully correct this problem.
It’s very easy. Do /ip ipsec installed-sa print and copy all the relevant information to the /ip ipsec manual-sa. You’ll have two SAs per one IPsec connection, one for incoming and one for outgoing traffic.