IPsec policy status Invalid

zerobase · December 16, 2020, 11:56am

I am trying to setup another GRE over IPSEC tunnel, but run into the issue that the policy I want to create immediately gets the status ‘Invalid’:

[admin@router] /ip ipsec policy> print detail
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 0 T X* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

 1   I  peer=gre1 tunnel=yes src-address=10.0.0.9/32 src-port=any dst-address=10.0.0.10/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp sa-src-address=:: sa-dst-address=::
        proposal=vpn-s2s ph2-count=0

I did configure the sa-src-address and sa-dst-address but probably due to the invalid status these are not accepted. Even adding the policy by only specifying the peer and the name of the policy (‘/ip ipsec policy add name=“gre1” peer=gre1’) will result in an invalid status.

The peer configuration:

[admin@router] /ip ipsec peer> print
 0   R ;;; GRE Tunnel
       name="gre1" address=2.2.2.2/32 local-address=1.1.1.1 passive=yes profile=vpn-s2s exchange-mode=main send-initial-contact=no

The profile:

[admin@router] /ip ipsec profile> print
Flags: * - default
 0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

 1   name="vpn-s2s" hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d proposal-check=obey nat-traversal=no dpd-interval=30s dpd-maximum-failures=3

Rebooting the router does not help, the issue remains.

Anyone have a clue what could be happening here?

erkexzcx · December 16, 2020, 2:02pm

This might help: http://forum.mikrotik.com/t/mikrotik-behind-nat-to-mikrotik-ipsec-ike2-with-certs-tunnel-eoip/144952/1

zerobase · December 17, 2020, 12:25pm

@erkexzcx: The link you refer to use certificates, I plan on using PSK. Not as secure as certificates, but it is just a private link.

I have two other policies with exactly the same configuration and they do not give an error. One is to another mikrotik router and the other is StrongSwan running on a raspberry Pi. Both are up and running.

I just created a dummy peer:

3   R name="Test" address=5.5.5.5/32 local-address=1.1.1.1 passive=yes profile=vpn-s2s exchange-mode=aggressive send-initial-contact=no

And then a new policy:

 3   I  peer=Test tunnel=no src-address=10.0.0.9/32 src-port=any dst-address=10.0.0.10/32 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp proposal=default ph2-count=0

It immediately turns to the status invalid. Trying to create a new policy through winbox will make it crash immediately as soon as I hit the ‘+’ button.

I have send Mikrotik Support a support.rif, maybe they can find out where things are going wrong.

emils · December 17, 2020, 1:00pm

The policy is invalid because the peer is not established. Once you establish a connection to this passive peer, the policy will be available.
Note that you have tunnel=no (transport) policy configured with different IP addresses than the peer is running on. The policy will also be automatically changed to reflect current phase 1 addresses. Perhaps you want to have tunnel mode?

If WinBox is crashing, make sure you are running an up to date version (3.27 currently).

zerobase · December 17, 2020, 3:21pm

@emils: That explains it all. I was not expecting an invalid status on an inactive policy. Screenoutput above the output mentions the I means invalid, however it means Inactive in this case.