Mikrotik Hex IPSEC Phase 2 negotiation issue

This issue exists in the 6.38.* and 6.39.* rc releases.

We have an issue when a /29 network with an even n*8 network address is used. It looks like the Hex box is trying to negotiate a bigger network slice. In the case of the attached logging:
172.26.28.128/29 vs 172.26.28.128/25

We are using strongswan 5.2.1 on the other side of the tunnel.

Logging:
RouterOS IPsec Debug Log:
16:01:57 ipsec initiator selector: 172.26.28.128/29
16:01:57 ipsec adding payload: TS_I
16:01:57 ipsec,debug => (size 0x18)
16:01:57 ipsec,debug 00000018 01000000 07000010 0000ffff ac1a1c80 ac1a1c87
16:01:57 ipsec responder selector: ...
16:01:57 ipsec adding payload: TS_R
16:01:57 ipsec,debug => (size 0x18)
[…]
16:01:57 ipsec peer selected tunnel mode
16:01:57 ipsec processing payload: TS_I
16:01:57 ipsec 172.26.28.128/25
16:01:57 ipsec processing payload: TS_R
16:01:57 ipsec ...
16:01:57 ipsec my vs peer’s selectors:
16:01:57 ipsec 172.26.28.128/29 vs 172.26.28.128/25
16:01:57 ipsec ... vs ...
16:01:57 ipsec selectors are not the same or narrowed
16:01:57 ipsec send notify: TS_UNACCEPTABLE
16:01:57 ipsec adding payload: NOTIFY
16:01:57 ipsec notify: TS_UNACCEPTABLE
[…]
16:01:57 ipsec,info killing ike2 SA: 172.26.35.170[4500]-...[4500] spi:cd03c30d9731cb17:eceac56cf9292fb7
16:01:57 ipsec adding payload: DELETE
16:01:57 ipsec,debug => (size 0x8)
16:01:57 ipsec,debug 00000008 01000000
16:01:57 ipsec already requested!

Strongswan 5.2.1 log:
ipsec[1318]: 05[CFG] proposing traffic selectors for us:
ipsec[1318]: 05[CFG] 0.0.0.0/0
ipsec[1318]: 05[CFG] proposing traffic selectors for other:
ipsec[1318]: 05[CFG] 172.26.28.128/29
ipsec[1318]: 05[CFG] 172.26.30.128/29
ipsec[1318]: 05[CFG] candidate "-hex17" with prio 1+5
ipsec[1318]: 05[CFG] found matching child config "-hex17" with prio 6
ipsec[1318]: 05[CFG] selecting proposal:
ipsec[1318]: 05[CFG] proposal matches
ipsec[1318]: 05[CFG] received proposals: ESP:AES_CBC_256/AES_CBC_192/AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
ipsec[1318]: 05[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
ipsec[1318]: 05[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
ipsec[1318]: 05[CFG] selecting traffic selectors for us:
ipsec[1318]: 05[CFG] config: 0.0.0.0/0, received: .../32 => match: .../32
ipsec[1318]: 05[CFG] selecting traffic selectors for other:
ipsec[1318]: 05[CFG] config: 172.26.28.128/29, received: 172.26.28.128/29 => match: 172.26.28.128/29
ipsec[1318]: 05[CFG] config: 172.26.30.128/29, received: 172.26.28.128/29 => no match
ipsec[1318]: 05[IKE] CHILD_SA ho-hex17{15460} established with SPIs cecf725a_i 0d040cc5_o and TS .../32 === 172.26.28.128/29
ipsec[1318]: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH SA TSi TSr N(AUTH_LFT) ]
charon[1370]: 12[ENC] parsed INFORMATIONAL request 2 [ N(TS_UNACCEPT) ]
ipsec[1318]: 05[NET] sending packet: from ...[4500] to 172.26.35.103[4500] (2352 bytes)
charon[1370]: 12[ENC] generating INFORMATIONAL response 2
charon[1370]: 12[NET] sending packet: from ...[4500] to 172.26.35.103[4500] (80 bytes)
charon[1370]: 09[NET] received packet: from 172.26.35.103[4500] to ...[4500] (224 bytes)
charon[1370]: 09[ENC] parsed INFORMATIONAL request 3 [ D ]
charon[1370]: 09[IKE] received DELETE for IKE_SA *-hex17[14542]
charon[1370]: 09[IKE] received DELETE for IKE_SA *-hex17[14542]

Private data (IP addresses / DNS names) have been anonymised.
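
As an added example (not part of the original post, and not MikroTik or strongSwan code), this Python sketch decodes the TS_I hex dump from the RouterOS debug log using the RFC 7296 traffic selector layout, converts the address range to a prefix, and applies a "same or narrowed" check to the two selectors in the log. The function names are hypothetical.

```python
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7  # RFC 7296, section 3.13.1

# Hex words copied from the TS_I debug line in the RouterOS log above.
TS_I_DUMP = "00000018 01000000 07000010 0000ffff ac1a1c80 ac1a1c87"


def parse_ts_payload(hex_dump):
    """Decode an IKEv2 TS payload (generic header included) into selectors."""
    data = bytes.fromhex(hex_dump.replace(" ", ""))
    _next, _flags, length = struct.unpack_from("!BBH", data, 0)
    if length != len(data):
        raise ValueError("payload length field does not match dump size")
    count = data[4]  # number of selectors, followed by 3 reserved bytes
    offset, selectors = 8, []
    for _ in range(count):
        ts_type, proto, sel_len, port_lo, port_hi = struct.unpack_from(
            "!BBHHH", data, offset)
        if ts_type != TS_IPV4_ADDR_RANGE or sel_len != 16:
            raise ValueError("only TS_IPV4_ADDR_RANGE is handled here")
        start = ipaddress.IPv4Address(data[offset + 8:offset + 12])
        end = ipaddress.IPv4Address(data[offset + 12:offset + 16])
        selectors.append({"proto": proto, "ports": (port_lo, port_hi),
                          "start": start, "end": end})
        offset += sel_len
    return selectors


def range_to_cidrs(start, end):
    """Express an address range as the minimal list of CIDR prefixes."""
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def is_same_or_narrowed(proposed, returned):
    """True if the returned selector lies inside the proposed one."""
    return ipaddress.ip_network(returned).subnet_of(
        ipaddress.ip_network(proposed))


if __name__ == "__main__":
    ts = parse_ts_payload(TS_I_DUMP)[0]
    print(ts["start"], "-", ts["end"], range_to_cidrs(ts["start"], ts["end"]))
    # Selectors from the "my vs peer's selectors" log line.
    print(is_same_or_narrowed("172.26.28.128/29", "172.26.28.128/25"))
```
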

Send supout to support

The supout.rif file has been sent.

worldcitizen

It's not a Hex issue, it's a 6.38 and above issue.
I wrote about this issue 4 months ago, but Mikrotik ignored this and released a bugged 6.39
http://forum.mikrotik.com/t/6-38-6-39-kill-ipsec/105079/1