ipsec xauth mode-config unreliable

Hello,

I have three MikroTik routers where only one has a public static IP address. Let's call the one with the static IP address A, the others B and C.

B and C both have two different internet connections (UMTS and satellite) with dynamic public IP addresses. Using policy-based routing I always have one IPsec connection over each of the two channels, so there are 4 connections.

These connections are used to carry GRE connections; OSPF is used.

To be able to create these GRE connections I use mode-config to hand the remote side a static inner IP address to which the respective GRE interface is bound.

router A
/ip ipsec peer add auth-method=pre-shared-key-xauth dh-group=modp4096 enc-algorithm=aes-256 generate-policy=port-strict hash-algorithm=sha512 lifetime=1h local-address=publicstaticofA mode-config=clients passive=yes secret=supersecret send-initial-contact=no
/ip ipsec user add address=172.16.0.2 name=connection1 password=123
/ip ipsec user add address=172.16.0.3 name=connection2 password=123
/ip ipsec user add address=172.16.0.4 name=connection3 password=123
/ip ipsec user add address=172.16.0.5 name=connection4 password=123

router B
/ip ipsec peer add address=publicstaticofA auth-method=pre-shared-key-xauth dh-group=modp4096 enc-algorithm=aes-256 generate-policy=port-strict hash-algorithm=sha512 lifetime=1h local-address=privateupstreamIP1 xauth-login="connection1" xauth-password="123" policy-template-group=default exchange-mode=main mode-config=request-only send-initial-contact=yes nat-traversal=yes proposal-check=obey lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
/ip ipsec peer add address=publicstaticofA auth-method=pre-shared-key-xauth dh-group=modp4096 enc-algorithm=aes-256 generate-policy=port-strict hash-algorithm=sha512 lifetime=1h local-address=privateupstreamIP2 xauth-login="connection2" xauth-password="123" policy-template-group=default exchange-mode=main mode-config=request-only send-initial-contact=yes nat-traversal=yes proposal-check=obey lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

router C
/ip ipsec peer add address=publicstaticofA auth-method=pre-shared-key-xauth dh-group=modp4096 enc-algorithm=aes-256 generate-policy=port-strict hash-algorithm=sha512 lifetime=1h local-address=privateupstreamIP3 xauth-login="connection3" xauth-password="123" policy-template-group=default exchange-mode=main mode-config=request-only send-initial-contact=yes nat-traversal=yes proposal-check=obey lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
/ip ipsec peer add address=publicstaticofA auth-method=pre-shared-key-xauth dh-group=modp4096 enc-algorithm=aes-256 generate-policy=port-strict hash-algorithm=sha512 lifetime=1h local-address=privateupstreamIP4 xauth-login="connection4" xauth-password="123" policy-template-group=default exchange-mode=main mode-config=request-only send-initial-contact=yes nat-traversal=yes proposal-check=obey lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

Then I create the GRE interfaces using the 172.16.0.x addresses.

So far it works, but sometimes routers B and C do not get the IP address delegated in mode-config: no dynamic policy is created, but phase 1 is up (this is the real problem, since the connection will be broken at least until phase 1 expires). It seems to me like router A sometimes simply ignores the mode-config request from the client.

My current workaround is a script that counts the number of established remote-peers and dynamic policies. If the numbers match, OK; if not, I run /ip ipsec remote-peers kill-connections.

Oddly, most of the time when this problem occurs I have two established phase 1 connections with the same uptime, but only one dynamic policy.
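A RouterOS script in the spirit of the workaround described above, added here as an example and not the poster's own script. It is meant to run on router B or C from /system scheduler (e.g. every minute), assumes RouterOS v6 syntax, and uses a hypothetical global variable ipsecMismatch so that a single mismatch during a rekey does not trigger a kill.

```routeros
# Added example, not the original poster's script. Run on B or C via
# /system scheduler. Assumes RouterOS v6 and that the global
# ipsecMismatch (hypothetical name) is used only by this script.
:global ipsecMismatch
:if ([:typeof $ipsecMismatch] = "nothing") do={ :set ipsecMismatch 0 }

# Established phase 1 SAs versus the dynamic policies that mode-config
# plus generate-policy should have produced (one per established peer).
:local peers [:len [/ip ipsec remote-peers find where state="established"]]
:local policies [:len [/ip ipsec policy find where dynamic=yes]]

:if ($peers = $policies) do={
    # Healthy: every established peer has its dynamic policy.
    :set ipsecMismatch 0
} else={
    :set ipsecMismatch ($ipsecMismatch + 1)
    :log warning ("ipsec: $peers established peers but $policies dynamic policies (strike $ipsecMismatch)")
    # Only act on the second consecutive mismatch, so a rekey in progress
    # is not mistaken for a stuck mode-config exchange.
    :if ($ipsecMismatch >= 2) do={
        :log error "ipsec: mode-config appears stuck, killing connections to force renegotiation"
        /ip ipsec remote-peers kill-connections
        :set ipsecMismatch 0
    }
}
```

Running this on the client routers rather than on A limits the kill-connections to that router's own tunnels, so the other remote sites stay up.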

+1
Same problem here.

Sometimes it drops the dynamic configuration without notice.
Only "kill-connections" will get the dynamic policy and mode-config IP on the remote online again.

Please fix this problem, as it is very annoying if there are plenty of remote sides, which will all be disconnected with "kill-connections".