IPSec Policy not found when Generate enabled

I have an RB2011, the new hardware revision, so I'm stuck using 6.x.

We set it up identically to an existing RB2011, but that one is the older hardware revision running 5.24.

The router's main purpose is to terminate IPSec LAN-to-LAN VPNs.

The only config issue I had moving to 6.2 was the generate-policy under the peer has to be changed to generate-policy=port-override instead of generate-policy=yes.

None of the remote routers will connect the IPSec tunnel. I turned on IPSec logging and found the error "No Policy Found", followed by the policy requested by the remote router.
The peer config is set to generate the policy, so I don't know why it is looking for one in the first place. If I manually create the policy based on what the router asked for, then the VPN connects fine.
I have even tried setting generate-policy=port-strict, with no change.

Is policy generation broken in 6.x, or are there other steps that must now be taken to make this work?

One thing that was introduced in 6.x is policy templates. I don't remember the documentation mentioning policy templates as being mandatory when you have generate-policy enabled, but I'd check whether defining a template solves your problem.

Search here for policy group and policy templates.

I added a template:
add group=default template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default

But I still have the same issue…
The router is requesting 172.16.1.0/27 to 0.0.0.0/0. I tried the above and even tried a template containing exactly this, and it still didn't find it…

Is there no way to make generate behave like 5.x?

Bump here.
Can't get this to work with the remote peer set to 0.0.0.0/0. The log says "no configuration found for 0.0.0.0".
And if I instead use the IP that the other router has at this moment, it works.
This is frustrating.

Hi, after an upgrade there is a default policy in "ip ipsec policy" which is disabled:

0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes

Enable it and try to connect with remote router. It worked for me :wink:

mIRO
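The fix described in this thread, consolidated into RouterOS 6.x CLI commands (an added example, not configuration posted by anyone in the thread). It assumes the peer's policy group is named `default`, and that the peer setting `policy-template-group` is available on your 6.x release; the remote subnet 172.16.1.0/27 is taken from the thread.

```routeros
# Show the policy templates; after an upgrade the default one is often disabled
# (flags: X = disabled, T = template), which produces "No Policy Found".
/ip ipsec policy print where template=yes

# Option 1: re-enable the disabled default template (the ::/0 one from the thread).
/ip ipsec policy enable [find template=yes group=default disabled=yes]

# Option 2: add an explicit IPv4 template for the same group. With generate-policy
# enabled, the policy the remote peer proposes (here 172.16.1.0/27 -> 0.0.0.0/0)
# must fall inside a template in the peer's policy group or the tunnel is refused.
/ip ipsec policy add group=default template=yes src-address=0.0.0.0/0 \
    dst-address=0.0.0.0/0 protocol=all proposal=default

# The responder peer: the assumed policy-template-group ties it to the group above.
# generate-policy=port-override replaces the 5.x generate-policy=yes.
/ip ipsec peer add address=0.0.0.0/0 passive=yes secret=CHANGE_ME \
    exchange-mode=main generate-policy=port-override policy-template-group=default

# Verify: once a remote router connects, a dynamic (D) policy should appear.
/ip ipsec policy print where dynamic=yes
```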