IPSec Templates Not Setting Proposal Correctly.

See the export… No matter what, the dynamically generated policy has the proposal “default” despite the template specifying a proposal.

/ip ipsec mode-cfg
add address-pool=ipsec-pool name=ipsec-roadwarrior split-include=10.0.0.0/24,10.0.1.0/24,10.0.10.0/24,10.0.11.0/24
/ip ipsec policy group
add name=ipsec-roadwarrior
/ip ipsec proposal
add auth-algorithms=md5 name=ipsec-roadwarrior
/ip ipsec peer
add auth-method=pre-shared-key-xauth comment="IPSec Roadwarrior" generate-policy=port-override mode-cfg=ipsec-roadwarrior nat-traversal=yes passive=yes policy-group=ipsec-roadwarrior secret="SOMESECRET" send-initial-contact=no
/ip ipsec policy
add comment="IPSec Roadwarrior" dst-address=10.0.1.0/24 group=ipsec-roadwarrior proposal=ipsec-roadwarrior src-address=10.0.11.0/24 template=yes

If I connect and list out the dynamic policies … this is what I see:

2 D src-address=10.0.11.199/32 src-port=any dst-address=10.0.1.0/24 dst-port=any protocol=udp action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=RemoteIP
sa-dst-address=LocalIP proposal=default priority=2

3 T ;;; IPSec Roadwarrior
group=ipsec-roadwarrior src-address=10.0.11.0/24 dst-address=10.0.1.0/24 protocol=all proposal=ipsec-roadwarrior template=yes


My question is: why does the dynamically generated policy still list “default” as the proposal… shouldn’t it be “ipsec-roadwarrior”? Thanks

Well, it should be like you write, but it isn’t.

In fact, if you set an ipsec policy as a template (template=yes), RoS ignores every other setting except dst-address, group, src-address. But you can work around it: set the default proposal to match your roadwarrior setup, create a second proposal as a substitute for default, and use it everywhere else ;)

Their documentation on the wiki says proposal is used by the template though.

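A check for the mismatch discussed in this thread, as an added example that is not from any poster or from MikroTik: it parses `/ip ipsec policy print` output and flags dynamic policies whose proposal differs from the template covering their addresses. Pairing a dynamic policy with a template by address containment and the function names are assumptions of this example; the sample is constructed from the two entries quoted above.

```python
import ipaddress
import re

# Constructed sample: the two entries quoted in the thread, laid out as print output.
SAMPLE = """\
 2  D  src-address=10.0.11.199/32 src-port=any dst-address=10.0.1.0/24 dst-port=any protocol=udp action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=RemoteIP
       sa-dst-address=LocalIP proposal=default priority=2

 3  T  ;;; IPSec Roadwarrior
       group=ipsec-roadwarrior src-address=10.0.11.0/24 dst-address=10.0.1.0/24 protocol=all proposal=ipsec-roadwarrior template=yes
"""

HEAD = re.compile(r"\s*(\d+)\s+((?:[A-Z](?:\s+|$))*)(.*)")  # entry number, flag letters, rest
PAIR = re.compile(r"([\w-]+)=(\S+)")

def parse_policies(text):
    """Turn print output into dicts: {'id', 'flags', <key>: <value>, ...}."""
    policies = []
    for line in text.splitlines():
        head = HEAD.match(line) if line.strip()[:1].isdigit() else None
        if head:  # a leading number starts a new entry; other lines continue the last one
            policies.append({"id": int(head.group(1)), "flags": set(head.group(2).split())})
            line = head.group(3)
        if policies:
            policies[-1].update(PAIR.findall(line.split(";;;")[0]))  # ignore comment text
    return policies

def within(inner, outer):
    net = ipaddress.ip_network
    return net(inner, strict=False).subnet_of(net(outer, strict=False))

def proposal_mismatches(policies):
    """Return (dynamic id, its proposal, template id, template proposal) for each mismatch."""
    templates = [p for p in policies if "T" in p["flags"] or p.get("template") == "yes"]
    findings = []
    for dyn in (p for p in policies if "D" in p["flags"]):
        for tpl in templates:
            try:  # assumption: a template "covers" a policy when it contains both addresses
                covered = (within(dyn["src-address"], tpl["src-address"])
                           and within(dyn["dst-address"], tpl["dst-address"]))
            except (KeyError, ValueError, TypeError):
                continue  # entry without parsable addresses, or mixed IPv4/IPv6
            if covered and dyn.get("proposal") != tpl.get("proposal"):
                findings.append((dyn["id"], dyn.get("proposal"), tpl["id"], tpl.get("proposal")))
    return findings

if __name__ == "__main__":
    for dyn_id, dyn_prop, tpl_id, tpl_prop in proposal_mismatches(parse_policies(SAMPLE)):
        print(f"policy {dyn_id} uses proposal={dyn_prop}; template {tpl_id} specifies {tpl_prop}")
```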