ipsec policy match...

Hi,

my understanding of IPsec is that packets are matched against the Security Policy Database (SPD) to find a matching rule, and that rule is then used for encryption or other processing.

Router is at 192.168.2.1. Why does

/ip ipsec policy src-address=192.168.2.0/24 dst-address=172.17.0.0/16 …

NOT work, while

/ip ipsec policy src-address=0.0.0.0/0 dst-address=172.17.0.0/16 …

works? For verification purposes I have added a logging rule to the postrouting chain and this ‘verifies’ that my packet really is

src=192.168.2.99 to dst=172.17.1.6

Why the heck does this not match the SPD?

Thanks for any comments here. Bug?

Achim
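To check that the address selectors themselves cover the logged packet, here is an added Python model of the SPD lookup (first match on src/dst address, as the post describes). It is not RouterOS code and deliberately ignores protocol/port selectors and SA state; the SPDs and the packet are constructed from the values quoted above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Policy:
    """One SPD entry with only the address selectors the thread shows."""
    src: str                 # src-address selector (CIDR)
    dst: str                 # dst-address selector (CIDR)
    action: str = "encrypt"  # what the policy does with matching traffic

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def spd_lookup(spd: Sequence[Policy], src_ip: str, dst_ip: str) -> Optional[Policy]:
    """First-match lookup: return the first policy covering the packet, else None."""
    for pol in spd:
        if pol.matches(src_ip, dst_ip):
            return pol
    return None


def all_matching(spd: Sequence[Policy], src_ip: str, dst_ip: str) -> List[Policy]:
    """Every policy whose selectors cover the packet (handy when debugging overlaps)."""
    return [p for p in spd if p.matches(src_ip, dst_ip)]


# Constructed SPDs: the two single-policy variants from the question.
SPD_SUBNET = [Policy("192.168.2.0/24", "172.17.0.0/16")]
SPD_ANY = [Policy("0.0.0.0/0", "172.17.0.0/16")]

# Constructed packet, taken from the postrouting log rule quoted in the post.
PKT = ("192.168.2.99", "172.17.1.6")

if __name__ == "__main__":
    for name, spd in (("subnet", SPD_SUBNET), ("any", SPD_ANY)):
        hit = spd_lookup(spd, *PKT)
        print(f"{name:6s} -> {'matches ' + hit.src if hit else 'no policy'}")
```

Both SPDs select the packet, so a selector mismatch cannot explain the behaviour; the remaining suspects are policy state and SA negotiation on the router.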

Okay, I found it.

It worked, but only after REBOOTING the router. I was expecting that all the changes in IPsec should be handled without a reboot.

Is this a bug? Or is there any additional info here that I’m not aware of…?

Thanks,
Achim

That should have worked without the reboot. I’ve never had to reboot to get those working. Maybe the underlying IPSEC code got into a bad state with the Mikrotik front-end code.

Yes, I was also thinking that it should work without reboot. This was driving me crazy yesterday and I was crying loudly as it worked after the reboot…

Besides the flush command for the SAs, there is no other helpful command for clearing IPsec stuff, is there?

Achim