IPSec policy generation uses public IP for policy dest

Hi there,

I set up road warrior IPSec VPNs, more or less as per http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf (haven’t set up xauth yet, but that shouldn’t affect it, should it?)

/ip pool
add name=RW-vpn ranges=192.168.250.2-192.168.250.254

/ip ipsec mode-cfg
add address-pool=RW-vpn name=RW-cfg split-include=\
    192.168.254.0/24,192.168.253.0/24

/ip ipsec policy group
add name=RoadWarrior

/ip ipsec peer
add generate-policy=port-strict mode-cfg=RW-cfg nat-traversal=yes passive=yes \
    policy-group=RoadWarrior secret=_______________ \
    send-initial-contact=no

/ip ipsec policy
add dst-address=192.168.250.0/24 group=RoadWarrior src-address=192.168.254.0/24 \
    template=yes
add dst-address=192.168.250.0/24 group=RoadWarrior src-address=192.168.253.0/24 \
    template=yes

When I connect, before I added in templates, it would add in a useless policy with the dst-address as the client’s public IP. Since I added the templates, it won't add any policy at all, since it doesn’t match.

I see this in the log:

May/31/2013 21:05:37 ipsec,debug,packet get a src address from ID payload 192.168.250.253[0] prefixlen=32 ul_proto=255
May/31/2013 21:05:37 ipsec,debug,packet get dst address from ID payload 192.168.253.0[0] prefixlen=24 ul_proto=255
May/31/2013 21:05:37 ipsec,debug,packet 0x7fb7f334 masked with /32: 192.168.250.253[0]
May/31/2013 21:05:37 ipsec,debug,packet 0xbdee0 masked with /32: 192.168.254.15[0]

...
(more of the above two lines)
...

May/31/2013 21:05:37 ipsec,debug,packet get a source address of SP index from phase1 address because peer is behind NAT and we have to generate policy.
May/31/2013 21:05:37 ipsec,debug no policy found, try to generate the policy : 125.236.218.184/32[4500] 192.168.253.0/24[0] proto=any dir=in port_override=0
May/31/2013 21:05:37 ipsec,debug no policy template matching!

If I create a policy manually afterwards, it starts passing traffic fine.

add dst-address=192.168.250.253/32 sa-dst-address=125.236.218.184 \
    sa-src-address=219.89.204.2 src-address=192.168.254.0/24 tunnel=yes

Anyone have any ideas?
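An added example (not from the post and not MikroTik's own code) that parses the "try to generate the policy" debug line quoted above and checks it against the two templates the way RouterOS documents template matching (the requested subnet must fall within the template's src-address and dst-address in both directions). It assumes that for dir=in the first subnet printed is the peer side and the second is the local side.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample: the "try to generate the policy" line from the debug log in the post.
LOG_LINE = ("May/31/2013 21:05:37 ipsec,debug no policy found, try to generate the policy : "
            "125.236.218.184/32[4500] 192.168.253.0/24[0] proto=any dir=in port_override=0")

# The two templates from the post, from the router's point of view (src = local, dst = remote).
TEMPLATES = [
    {"src": "192.168.254.0/24", "dst": "192.168.250.0/24", "group": "RoadWarrior"},
    {"src": "192.168.253.0/24", "dst": "192.168.250.0/24", "group": "RoadWarrior"},
]

_GEN_RE = re.compile(
    r"try to generate the policy : (?P<a>[\d.]+/\d+)\[\d+\] (?P<b>[\d.]+/\d+)\[\d+\]"
    r" proto=\S+ dir=(?P<dir>in|out)")


class Generated(NamedTuple):
    local: ipaddress.IPv4Network   # what the router would put in src-address
    remote: ipaddress.IPv4Network  # what the router would put in dst-address


def parse_generated(line):
    """Extract the requested policy from a debug line. Assumption: for dir=in the first
    subnet is the remote (peer) side and the second is local; dir=out is the reverse."""
    m = _GEN_RE.search(line)
    if not m:
        return None
    a, b = ipaddress.ip_network(m["a"]), ipaddress.ip_network(m["b"])
    return Generated(local=b, remote=a) if m["dir"] == "in" else Generated(local=a, remote=b)


def explain_templates(gen, templates):
    """Per template, report 'match' or why it fails. A template matches only when the
    local side is within its src-address AND the remote side is within its dst-address."""
    verdicts = []
    for i, t in enumerate(templates):
        src_ok = gen.local.subnet_of(ipaddress.ip_network(t["src"]))
        dst_ok = gen.remote.subnet_of(ipaddress.ip_network(t["dst"]))
        reasons = []
        if not src_ok:
            reasons.append(f"src {gen.local} not within {t['src']}")
        if not dst_ok:
            reasons.append(f"dst {gen.remote} not within {t['dst']}")
        verdicts.append((i, "match" if not reasons else "no match: " + "; ".join(reasons)))
    return verdicts


def any_match(gen, templates):
    return any(v == "match" for _, v in explain_templates(gen, templates))
```

Run against the log line it reports that the second template fails only on the dst side, because the generated policy carries the peer's NAT-side public address rather than an address from the 192.168.250.0/24 pool.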