IPSec Not Working Under 3.0rc6

We have been testing the IPSec functionality under 3.0rc6, but we’re not having much luck. We tried different hardware (and VMs), but we cannot seem to get an IPSec tunnel to “remain” operational. At times (randomly), we can get a tunnel (or two) to function, but then, after bringing up another tunnel, all of them go down, and we’re then unable to bring any of them up again. Sometimes, after a couple of reboots, we might get a tunnel to work, but it’s very sporadic.

Based on the logs, it appears that the system is not even attempting to bring up the tunnels. The exact same setup works 100% fine in 2.9. Are we the only ones experiencing problems with IPSec Tunnels on rc6?

Thanks,

Shaun

Correction: I tried the same setup under the latest 2.9 version and I’m seeing similar results. I have three IPSec tunnels set up, and only 3 out of 4 function. The funny thing is that the ones that work are random. The next time I reboot, it’s not always the same three tunnels that work.

I’m attaching a supout.rif file.

Shaun


EDIT 2007-10-31 : supout.zip removed → Problem solved.

On both of my RouterOS boxes, I have two WAN interfaces, one LAN interface, and four VLAN interfaces. The IPSec tunnels are created between the VLAN interfaces. Please take a look at the attached diagram for a detailed explanation.

The tunnels are created as such:

10.0.0.1 ↔ 10.0.0.2 via 1.1.1.2 and 3.1.1.2
10.0.0.5 ↔ 10.0.0.6 via 1.1.1.2 and 4.1.1.2
10.0.0.9 ↔ 10.0.0.10 via 2.1.1.2 and 3.1.1.2
10.0.0.13 ↔ 10.0.0.14 via 2.1.1.2 and 4.1.1.2

I noticed that when everything works ok, in the Winbox GUI under the IPSec “Remote Peer” screen, the “Local Address” and “Remote Address” appear as expected. But when the tunnels won’t go up, the “Local Address” is wrong!! For example, the tunnel between 10.0.0.1 and 10.0.0.2 is supposed to be created between 1.1.1.2 and 3.1.1.2, but when things don’t work, the “Remote Peer” screen is showing 2.1.1.2 and 3.1.1.2!

I’ve been trying to get this working for quite a few days, without much luck. Anyone think this is a bug or a misconfiguration?

Thanks,

Shaun
P.S. For those who are wondering, my goal is to create a fully redundant VPN connection between all of my sites utilizing dual WAN and the OSPF protocol.
EDIT: Diagram removed 2007-10-30 → Problem solved

Problem solved. Due to the Dual WAN configuration, the IPSec tunnels were not working “out of the box” because we needed to tell the router how to properly route the packets.

We were able to solve the problem by specifying a Mangle Rule for each of our WAN interfaces, marking them with a specific “routing mark”. We then specified two Route Rules for the two Mangle rules, and specified two Static Routes (0.0.0.0/0 → 1.1.1.1 for Mark WAN1 and 0.0.0.0/0 → 2.1.1.2 for Mark WAN2). After resolving the routing issues, IPSec started working like a charm.

Regards
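The final post only outlines the fix (mangle marks per WAN, route rules, one default route per mark). The configuration below is an added example, not Shaun's posted configuration and not taken from MikroTik documentation, showing one way to express that policy routing in RouterOS CLI syntax. Addresses follow the post where it gives them; the interface names WAN1/WAN2, the WAN2 upstream gateway 2.1.1.1, and the /24 masks are assumptions. The security-relevant point is the one the "Remote Peer" screen exposed: with two default routes and no policy, the router picks the source address for IKE and ESP from whichever default route happens to be active, so the peer sees a Local Address it was not configured for and the SA never establishes.

```routeros
# Added example (not from the original post): policy routing so each IPsec peer
# is always reached from the WAN address it was configured against.
# Assumptions: WAN1 = 1.1.1.2 with upstream gateway 1.1.1.1,
#              WAN2 = 2.1.1.2 with upstream gateway 2.1.1.1 (assumed),
#              remote peers 3.1.1.2 and 4.1.1.2 as listed in the post.

# 1. Mark locally generated packets (IKE on UDP/500 and ESP are both sourced
#    by the router itself) by the WAN address they carry. Matching on src-address
#    in chain=output ties the mark to the tunnel endpoint rather than to whichever
#    default route is currently preferred. passthrough=no stops at the first match.
/ip firewall mangle
add chain=output src-address=1.1.1.2 action=mark-routing new-routing-mark=WAN1 passthrough=no
add chain=output src-address=2.1.1.2 action=mark-routing new-routing-mark=WAN2 passthrough=no

# 2. Route rules, as the post describes: marked packets are looked up in the
#    routing table of the same name.
/ip route rule
add routing-mark=WAN1 action=lookup table=WAN1
add routing-mark=WAN2 action=lookup table=WAN2

# 3. One default route per table, each via its own upstream gateway. The
#    unmarked main table keeps whatever default route the rest of the traffic needs.
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=WAN1
add dst-address=0.0.0.0/0 gateway=2.1.1.1 routing-mark=WAN2

# 4. Check: the Local Address column is the same field the post watched in
#    Winbox. It must show 1.1.1.2 for peers reached over WAN1 and 2.1.1.2 for
#    peers reached over WAN2; if it flips after a reboot, the marking is not
#    catching the IKE packets.
/ip ipsec remote-peers print
```

Two caveats worth knowing before copying this. First, on RouterOS a routing mark by itself already selects the routing table of the same name, so the explicit `/ip route rule` entries in step 2 are the post's belt-and-braces approach rather than a requirement; they do no harm and make the intent visible in `/ip route rule print`. Second, marking in `chain=output` covers the responder side as well, because IKE replies are generated locally with the source address the request arrived on; if the remote side initiates over WAN2, the reply is sourced from 2.1.1.2 and picks up the WAN2 mark without any prerouting rule.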