IPSEC policy dst. Address is wrong for some policies

Hello,

I have the following situation: Trying to connect Site A (internal network 192.168.2.0/24) with Site B (multiple internal networks - 192.168.10.0/24, 192.168.11.0/24, 192.168.12.0/24) via IPSEC tunnel. Both sites have dynamic public IPs and I use Dynamic DNS to create the domains sitea.com and siteb.com which point to their respective public IPs.
I have created at each site an IPSEC peer with address set as the domain of the other site. I have also created the tunnel policies (3 in each site) for the internal source/destination networks. The problem is that when the dynamic IP of one site changes, some policies keep using the old IP and fail to establish, while others refresh to the correct sa-dst-address and establish. Note again that they are all using the same IPSEC peer, so this seems like a bug to me. Disabling and re-enabling the failed IPSEC policies does not refresh the destination IP.

This is what my IPSEC config on both sites looks like right now after changing the public dynamic IP of SiteB (with the tunnel towards 192.168.10.0/24 failing right now). Note that the sa-dst-address fields in the policies are updated automatically from the IPSEC peer and I cannot change them.

Site A:

/ip ipsec peer
add address=SiteB.com comment=SiteB name=peer1 send-initial-contact=no
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-128
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,aes-128-ctr
/ip ipsec identity
add peer=peer1 secret="password"
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.10.0/24 level=unique peer=peer1 sa-dst-address=[old Site B IP] sa-src-address=0.0.0.0 src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.11.0/24 level=unique peer=peer1 sa-dst-address=[latest Site B IP] sa-src-address=0.0.0.0 src-address=192.168.6.0/24 tunnel=yes
add dst-address=192.168.12.0/24 level=unique peer=peer1 sa-dst-address=[latest Site B IP] sa-src-address=0.0.0.0 src-address=192.168.2.0/24 tunnel=yes

Site B:

/ip ipsec peer
add address=SiteA.com comment=SiteA name=peer1 send-initial-contact=no
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-128
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,aes-128-ctr
/ip ipsec identity
add peer=peer1 secret="password"
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.2.0/24 level=unique peer=peer1 sa-dst-address=[latest SiteA IP] sa-src-address=0.0.0.0 src-address=192.168.10.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=peer1 sa-dst-address=[latest SiteA IP] sa-src-address=0.0.0.0 src-address=192.168.11.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=peer1 sa-dst-address=[latest SiteA IP] sa-src-address=0.0.0.0 src-address=192.168.12.0/24 tunnel=yes

Anyone else experiencing this issue? Any suggestions?
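
A check for the symptom described in this post, as an added example that is not part of the original post: it parses the `/ip ipsec policy` section of a RouterOS export and lists the policies whose sa-dst-address differs from the peer's current address. The function names, the 203.0.113.x sample addresses and the caller-supplied `current_ips` mapping (for instance, the result of resolving each peer's Dynamic DNS name) are assumptions.

```python
import ipaddress
import re
import shlex

# Constructed sample in the shape of the Site A export above; the 203.0.113.x
# addresses are documentation-range placeholders, not values from the post.
SAMPLE_EXPORT = """\
/ip ipsec peer
add address=SiteB.com comment=SiteB name=peer1 send-initial-contact=no
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.10.0/24 level=unique peer=peer1 sa-dst-address=203.0.113.10 sa-src-address=0.0.0.0 src-address=192.168.2.0/24 tunnel=yes
add dst-address=192.168.11.0/24 level=unique peer=peer1 sa-dst-address=203.0.113.77 sa-src-address=0.0.0.0 src-address=192.168.6.0/24 tunnel=yes
add dst-address=192.168.12.0/24 level=unique peer=peer1 sa-dst-address=203.0.113.77 sa-src-address=0.0.0.0 src-address=192.168.2.0/24 tunnel=yes
"""

def parse_policies(export_text):
    """Return one dict of key=value pairs per 'add' line under /ip ipsec policy."""
    # RouterOS exports wrap long lines with a trailing backslash; rejoin them first.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    policies, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section == "/ip ipsec policy" and line.startswith("add "):
            tokens = shlex.split(line)[1:]
            policies.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return policies

def stale_policies(export_text, current_ips):
    """Map peer name -> [(src, dst, sa_dst)] for policies not pointing at the peer's current IP."""
    stale = {}
    for pol in parse_policies(export_text):
        peer, sa_dst = pol.get("peer"), pol.get("sa-dst-address")
        if peer not in current_ips or sa_dst is None or pol.get("disabled") == "yes":
            continue
        if ipaddress.ip_address(sa_dst) != ipaddress.ip_address(current_ips[peer]):
            entry = (pol.get("src-address"), pol.get("dst-address"), sa_dst)
            stale.setdefault(peer, []).append(entry)
    return stale

if __name__ == "__main__":
    # Assumption: the caller has already resolved the peer's DDNS name to this address.
    for peer, entries in stale_policies(SAMPLE_EXPORT, {"peer1": "203.0.113.77"}).items():
        for src, dst, sa_dst in entries:
            print(f"{peer}: policy {src} -> {dst} still has sa-dst-address={sa_dst}")
```
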