IPsec policies getting weirdly invalid after update. please help

Hello guys.
I have a weird behaviour on a CRS125-24G-1S
I was running 1 IPsec tunnel. All good.
Was having some issues establishing a second IPsec connection to another location (phase 2 issues), so decided to run an update just in case the issue was related.

when the unit came back up, all policies were marked as invalid. all of them
any IP i would put.
even test IPs like 1.1.1.0/24 or 10.1.10.0/24 or anything (My LAN is 192.168.1.0/24)
Immediately after clicking save, invalid.
I bent over backwards and couldn't figure out why (including starting to load old OS versions like 6.45.2, 6.45.6, 6.45.1…).
disabled the default policy.
changed names. changed ips.
nothing.

Did a factory default with one of the older versions.
re-configured the whole thing. still the issue.

I also have a hAP lite for testing. I put it on the same 6.46.3 OS. similar config
works no problem. multiple policies.
I loaded a bunch with wrong info just to test.
at least they don't go to invalid.

{now I'm going crazy}
I did another factory on CRS125-24G-1S
took it to 6.46.3

this time, did minimal config for ip.

Tried to put the IPsec back. Established.
ok,
let me load now the other IPsec.
Doesn't let me load a second one. Goes invalid.

Am I crazy, dumb, or what?

As I understand from the documentation:

Whether this policy is invalid - possible cause is duplicate policy with the same src-address and dst-address.

Not only do I not have such a thing, but I've tried with a bunch of weird IPs just to test. Putting anything in the field, I get the invalid,
both web console and terminal.

please, help. pleeease.
I've been doing all kinds of testing for 12 hours already.

thanks in advance

I have location
A: CRS125-24G-1S with a 192.168.1.0/24
B: a SonicWall, 192.168.99.0/24 and 71.105.X.X/32
(these 2 IPsec up)
C: a FortiGate, 192.168.88.0/24 and 64.X.X.X/32 (this is the second location I'm adding)

[Adm1n@MikroTik] /ip ipsec> export
# feb/08/2020 16:47:41 by RouterOS 6.46.3
# software id = 1WRH-S130
#
# model = CRS125-24G-1S
/ip ipsec peer
add address=71.105.X.X/32 name=nyc passive=yes
add address=64.X.X.X/32 name=btmcloud passive=yes
/ip ipsec policy group
add name=btmgroup
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=md5
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=md5 name=btmcloud
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-256-cbc
add auth-algorithms=md5 enc-algorithms=aes-256-cbc name=btmcloud pfs-group=none
/ip ipsec identity
add peer=embark-nyc secret="passs"
add peer=btm-cloud policy-template-group=btmgroup secret="passs"
/ip ipsec policy
add dst-address=192.168.99.0/24 peer=embark-nyc sa-dst-address=71.105.X.X sa-src-address=50.X.X>X src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.88.0/24 peer=btm-cloud proposal=btmcloud src-address=192.168.1.0/24 tunnel=yes


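An offline check for the cause named in the documentation quote above (two policies with the same src-address and dst-address), as an added example that is not part of the original post and is not MikroTik code. The sample export is constructed, and the second check (a `peer=` value with no matching peer `name=`) is an extra consistency check assumed here, not a cause the documentation quote names.

```python
import re
from collections import Counter

# Constructed sample in the shape of a RouterOS export (documentation address ranges).
SAMPLE_EXPORT = """\
/ip ipsec peer
add address=198.51.100.10/32 name=site-b passive=yes
add address=203.0.113.20/32 name=site-c passive=yes
/ip ipsec identity
add peer=site-b secret="x"
add peer=site-c secret="x"
/ip ipsec policy
add dst-address=192.168.99.0/24 peer=site-b src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.88.0/24 peer=site-c src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.99.0/24 peer=site-x src-address=192.168.1.0/24 tunnel=yes
"""

def parse_export(text):
    """Return {menu: [{key: value}, ...]} for every `add` line of an export.
    Lines continued with a trailing backslash are not joined (simplification)."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus[current].append({k: v.strip('"') for k, v in pairs})
    return menus

def check_policies(text):
    """List duplicate src/dst policy pairs and peer references with no definition."""
    menus = parse_export(text)
    peers = {p.get("name") for p in menus.get("/ip ipsec peer", [])}
    policies = menus.get("/ip ipsec policy", [])
    findings = []
    seen = Counter((p.get("src-address"), p.get("dst-address")) for p in policies)
    for (src, dst), count in seen.items():
        if count > 1:
            findings.append(f"duplicate policy {src} -> {dst} ({count} entries)")
    for menu in ("/ip ipsec identity", "/ip ipsec policy"):
        for entry in menus.get(menu, []):
            if "peer" in entry and entry["peer"] not in peers:
                findings.append(f"{menu}: peer={entry['peer']} is not a defined peer name")
    return findings

if __name__ == "__main__":
    print("\n".join(check_policies(SAMPLE_EXPORT)) or "no findings")
```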