Hi,
I have a strange issue when using IPSEC - once connection is established at least once, and then terminated (regardless of reason), attempt to look at “Installed SAs” just hangs all IPSEC related functions, UI becomes unusable, CLI is responsive but hangs on anything below
/ip/ipsec
Once this happens, one CPU core is consuming 100% - the only fix is to reboot the router (at least this helps and works - but only from the CLI).
Funny thing is that this happens only if there are no connections active - as long as it is active (= there are established SAs), everything is fine. Even if it was disconnected and then connected again - the problem is triggered only when you try to look at SAs when there are none after successful connection.
The problem is reproducible on firmware 7.6, 7.14.3 and 7.16.1, on three different routers (2x RB5009 and one RB750Gr3) - so it is unlikely hardware dependent.
My IPSEC config is quite simple - just a few changes from the default:
/ip ipsec peer
add address=192.168.7.10/32 name=Office
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=5s enc-algorithm=aes-256 lifetime=1h proposal-check=claim
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=1h pfs-group=modp2048
/ip ipsec identity
add peer=Office
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.10.0/24 peer=Office src-address=192.168.8.0/24 tunnel=yes
Other parts of configuration seems to have no effect - I tried to change few things, like not using bridge, disabling HW offloading etc. IPSEC parameters also seems not to change anything.
Before I report it, I just want to ask - did somebody experienced something like this?
Thank you!