We deploy the Mikrotik hEX (GR3) to many customers. We have run into something and I believe it is a bug. I wanted to know if anyone has experienced this first hand?
When applying the ipsec policy, the template has sa-src-address set as all zeros, for example sa-src-address=0.0.0.0. But after the template is applied, we see that sa-src-address= is set as the IP of the loopback address that is assigned to src-address=. Below, you can see the src-address=5.2.0.166/32 setting. We are running 6.40.5. (IPs of actual systems have the last 2 octets modified.)
I’m not sure I get you properly, especially with the loopback address. Do you mean that you use an address other than 127.0.0.0/8 on a loopback (port-less bridge) interface because you use some dynamic routing protocols?
Policy templates have no sa-src-address and sa-dst-address value specified for a reason, because sa-src-address of the generated policy needs to be set to the local address used by the local peer which has generated it, and the sa-dst-address needs to be set to the address of the remote peer on whose request it was generated.
So unless I’ve misunderstood something, the behaviour you describe seems perfectly OK to me.
No routing protocols, just IPsec settings. I create the file for a site with the necessary fields (IPs, etc.) by pulling the fields in brackets from a database.
Below is what is generated when run. (We have close to 1000 sites that were created with this process. This issue looks to have started only in the newer 6.x.x code revisions.)
So what would normally look like this: sa-src-address=0.0.0.0 src-address=5.2.0.105/32 tunnel=yes
Ends up looking like this: sa-src-address=5.2.0.105 src-address=5.2.0.105/32 tunnel=yes
The file that I generate has everything correct; what happens after I apply the file is that the MT changes the IP assigned to the sa-src-address= field to the IP assigned to the src-address=5.2.0.105/32 field.
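An added example (not code from this thread or from MikroTik) for auditing a fleet of exported policies: it parses key=value policy lines like the ones quoted above and checks that a generated tunnel policy's sa-src-address equals the host in src-address, which is the behaviour the reply describes as expected; the sample lines and addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample lines in the key=value style of a RouterOS
# "/ip ipsec policy print" export; addresses are placeholders, not real systems.
SAMPLE_POLICIES = [
    # the template as written in the generated file (sa-src-address left at 0.0.0.0)
    "template=yes sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 src-address=5.2.0.105/32 tunnel=yes",
    # what the router shows after the template is applied (sa-src filled from src-address)
    "sa-src-address=5.2.0.105 sa-dst-address=5.2.0.166 src-address=5.2.0.105/32 dst-address=10.9.8.0/24 tunnel=yes",
    # an inconsistent policy that a fleet audit should flag
    "sa-src-address=5.2.0.200 sa-dst-address=5.2.0.166 src-address=5.2.0.105/32 dst-address=10.9.8.0/24 tunnel=yes",
]

# key=value tokens separated by whitespace
TOKEN = re.compile(r"(\S+?)=(\S*)")


def parse_policy(line):
    """Turn one key=value policy line into a dict of string values."""
    return {key: value for key, value in TOKEN.findall(line)}


def is_template(policy):
    return policy.get("template") == "yes"


def sa_src_matches_src(policy):
    """True when sa-src-address is exactly the /32 host given in src-address,
    i.e. the address the local peer used when it generated the policy."""
    src_net = ipaddress.ip_network(policy["src-address"], strict=False)
    sa_src = ipaddress.ip_address(policy["sa-src-address"])
    return src_net.prefixlen == 32 and sa_src == src_net.network_address


def audit(lines):
    """Classify each policy line as 'template', 'ok' or 'mismatch'."""
    results = []
    for line in lines:
        policy = parse_policy(line)
        if is_template(policy):
            results.append("template")
        elif sa_src_matches_src(policy):
            results.append("ok")
        else:
            results.append("mismatch")
    return results


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_POLICIES, audit(SAMPLE_POLICIES)):
        print(f"{verdict:9} {line}")
```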