IPSec Problem - it try to use wrong SA

lscrlstld · June 6, 2009, 1:42pm

I have configured with one peer two policies, for each policy it is installed on pair of SA. But the MK try to use the wrong SA to send data, it send data from one policy to SA from another policy.

I am using a RB450 with v3.19.

My configs
0 src-address=0.0.0.0/0:any dst-address=10.10.0.0/19:any protocol=all action=encrypt
level=require ipsec-protocols=esp tunnel=yes sa-src-address=189.XX.XX.XX
sa-dst-address=201.YY.YY.YY proposal=vpn_sp manual-sa=none priority=0

2 src-address=192.168.131.0/29:any dst-address=172.19.16.136/29:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=189.XX.XX.XX
sa-dst-address=201.YY.YY.YY proposal=vpn_sp manual-sa=none priority=0

sergejs · June 8, 2009, 8:21am

use level=unique for /ip ipsec policy,
unique - same as require, but establish a unique SA for this policy (i.e., this SA may not be shared with other policy)

lscrlstld · June 8, 2009, 11:29am

Is it a mandatory rule? ie, all time if I have more than one role to same peer I need use “unique” ?