Is anyone else having weirdness with 7.21 on CCR1009-7G-1C-1S+?
If I upgrade from 7.20.6 to 7.21rc (tried 4), then my working IPSec config stops passing traffic. I see counters go up, but nothing useful goes back down the VPN.

/ip ipsec mode-config
add address-pool=vpn_man address-prefix-length=32 name=mobile split-include=0.0.0.0/0,10.10.0.0/16
/ip ipsec policy group
add name=bmmt
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dh-group=modp2048,modp1536,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=mobile
/ip ipsec peer
add exchange-mode=ike2 name=responder passive=yes profile=mobile
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name=mobile pfs-group=none
/ip ipsec identity
add generate-policy=port-strict mode-config=mobile my-id=fqdn:<snip> peer=responder policy-template-group=bmmt remote-id=user-fqdn:<snip>
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 group=bmmt proposal=mobile src-address=0.0.0.0/0
add dst-address=10.10.9.0/24 group=bmmt proposal=mobile src-address=0.0.0.0/0 template=yes
add dst-address=10.10.9.0/24 group=bmmt proposal=mobile src-address=10.10.0.0/24 template=yes

When a user connects, it creates the 0.0.0.0 mapping, but no traffic goes back to them. In 7.20 this works absolutely fine. I’ve put the more specific match in there to try, but it's still the same issue.