Hello All,
I’m facing the following issue. I’m using IPsec tunnels with RouterOS systems on both ends. One is the central system, and there are some CPEs with dynamic IPs on the other end. As the CPEs have dynamic IPs, I use dynamic policies. The CPEs initiate the connection and get authenticated via xauth. The client IP address (for the tunnel) is assigned via the xauth user.
On the central system it looks like this:
/ip ipsec user print
# NAME PASSWORD ADDRESS
1 gw-64-64 ************** 192.168.44.11
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 T group=dyntunnels src-address=192.168.44.1/32 dst-address=192.168.44.0/24 protocol=all proposal=default template=yes
3 D src-address=192.168.44.1/32 src-port=any dst-address=192.168.44.11/32 dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=yy.yyy.9.185 sa-dst-address=xx.xxx.30.28 priority=2
On the CPE:
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
2 D src-address=192.168.44.11/32 src-port=any dst-address=192.168.44.1/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=xx.xxx.30.28 sa-dst-address=yy.yyy.9.185 priority=0
And it works.
But sometimes, when the CPE has to re-initiate the tunnel, it fails with the following error:
ipsec,error adding address failed: already have such address (6)
It looks like the IP is not removed from the interface before the CPE re-initiates the tunnel.
Is this a bug?
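As an added example (not part of the post above and not MikroTik's code), here is a small Python script that parses the `/ip ipsec policy print` output from both ends and checks that the dynamic (`D`) policies form a consistent pair: the hub's `src-address`/`dst-address` and `sa-src-address`/`sa-dst-address` should be the CPE's with the roles swapped, and fields such as `protocol`, `action`, `ipsec-protocols` and `tunnel` should be identical. The two listings embedded in the script are copied from the post, with the entries that wrapped onto two lines rejoined; which fields must mirror and which must match is the example's own assumption about a healthy hub/CPE pair, not something the post states.

```python
# Added example (not from the post, not RouterOS code): parse the output of
# "/ip ipsec policy print" from the central system and from a CPE and check
# that the dynamic (D) policies form a consistent mirror pair: each side's
# selectors and SA endpoints are the other side's with src/dst swapped.

# Constructed from the policy listings quoted in the post above; the entries
# that wrapped onto two lines there have been rejoined into one line each.
HUB_POLICY_PRINT = """\
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
1 T group=dyntunnels src-address=192.168.44.1/32 dst-address=192.168.44.0/24 protocol=all proposal=default template=yes
3 D src-address=192.168.44.1/32 src-port=any dst-address=192.168.44.11/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=yy.yyy.9.185 sa-dst-address=xx.xxx.30.28 priority=2
"""

CPE_POLICY_PRINT = """\
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
2 D src-address=192.168.44.11/32 src-port=any dst-address=192.168.44.1/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=xx.xxx.30.28 sa-dst-address=yy.yyy.9.185 priority=0
"""

# Assumption of this example: fields that must appear swapped between the
# two ends of one tunnel, and fields that must be identical on both ends.
MIRRORED = {
    "src-address": "dst-address",
    "dst-address": "src-address",
    "sa-src-address": "sa-dst-address",
    "sa-dst-address": "sa-src-address",
}
IDENTICAL = ("protocol", "action", "ipsec-protocols", "tunnel")


def parse_policy_print(text):
    """Turn RouterOS 'print' output into a list of dicts.

    Each dict carries the entry number under 'id', the flag letters under
    'flags' and every key=value field verbatim. The 'Flags:' legend and
    blank lines are skipped.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        entry = {"id": int(tokens[0]), "flags": set()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
            else:
                entry["flags"].add(tok)  # T, D, X, I or *
        entries.append(entry)
    return entries


def dynamic_policies(entries):
    """Only the policies that were generated from a template (flag D)."""
    return [e for e in entries if "D" in e["flags"]]


def pair_policies(hub_entries, cpe_entries):
    """Match hub and CPE dynamic policies whose SA endpoints are reversed."""
    pairs = []
    for hub in dynamic_policies(hub_entries):
        for cpe in dynamic_policies(cpe_entries):
            if (hub.get("sa-src-address") == cpe.get("sa-dst-address")
                    and hub.get("sa-dst-address") == cpe.get("sa-src-address")):
                pairs.append((hub, cpe))
    return pairs


def check_mirror(hub, cpe):
    """Return mismatch descriptions; an empty list means the pair is consistent."""
    problems = []
    for key, twin in MIRRORED.items():
        if hub.get(key) != cpe.get(twin):
            problems.append(f"hub {key}={hub.get(key)} vs CPE {twin}={cpe.get(twin)}")
    for key in IDENTICAL:
        if hub.get(key) != cpe.get(key):
            problems.append(f"{key} differs: hub={hub.get(key)} CPE={cpe.get(key)}")
    return problems


def audit(hub_text, cpe_text):
    """Parse both listings and report every dynamic-policy pair with its problems."""
    hub_entries = parse_policy_print(hub_text)
    cpe_entries = parse_policy_print(cpe_text)
    return [(hub["id"], cpe["id"], check_mirror(hub, cpe))
            for hub, cpe in pair_policies(hub_entries, cpe_entries)]


if __name__ == "__main__":
    for hub_id, cpe_id, problems in audit(HUB_POLICY_PRINT, CPE_POLICY_PRINT):
        status = "OK" if not problems else "; ".join(problems)
        print(f"hub policy {hub_id} <-> CPE policy {cpe_id}: {status}")
```

Run against the two listings from the post, the script pairs hub policy 3 with CPE policy 2 and reports no mismatch, which confirms the selectors and SA endpoints agree while a working tunnel is up; pasting in a fresh `print` from both boxes after a failed re-initiation shows whether a stale or duplicate dynamic entry is left behind on either side.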