no IKEv1 peer config for x.x.x.x

RouterOS General
1

I just upgraded a central router that is running a lot of IPsec tunnels from RouterOS v6.36 to v6.40.5, but now I am getting a lot of IPsec log messages that don’t quite make any sense to me. The tunnels appear to be working without issue, so it is mostly an annoyance.

The log messages are:

Jan/03/2018 11:??:??    ipsec    ipsec    no IKEv1 peer config for a.a.a.a
Jan/03/2018 11:??:??    ipsec    ipsec    no IKEv1 peer config for a.a.a.a
Jan/03/2018 11:??:??    ipsec    ipsec    no IKEv1 peer config for a.a.a.a
Jan/03/2018 11:??:??    ipsec    ipsec    no IKEv1 peer config for a.a.a.a
Jan/03/2018 11:??:??    ipsec    ipsec    no IKEv1 peer config for a.a.a.a

I have googled and searched the forum with no luck.

Anyone know what this log message means?

The IPsec config is as follows:

/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=aes-128-cbc lifetime=8h name=md5-aes128-8h pfs-group=none
/ip ipsec peer
add address=a.a.a.a/32 dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-128 hash-algorithm=md5 \
    lifetime=8h local-address=b.b.b.b nat-traversal=no passive=yes secret=password send-initial-contact=no
/ip ipsec policy
set 0 disabled=yes
add dst-address=c.c.c.c/24 proposal=md5-aes128-8h sa-dst-address=a.a.a.a sa-src-address=b.b.b.b src-address=d.d.d.d/24 tunnel=yes
add dst-address=c.c.c.c/24 proposal=md5-aes128-8h sa-dst-address=a.a.a.a sa-src-address=b.b.b.b src-address=e.e.e.e/24 tunnel=yes

Clients are also MikroTik routers, running RouterOS v6.39.2 and they are configured with:

/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=aes-128-cbc lifetime=8h name=\
    md5-aes128-8h pfs-group=none
/ip ipsec peer
add address=b.b.b.b/32 dpd-interval=20s dpd-maximum-failures=1 \
    enc-algorithm=aes-128 hash-algorithm=md5 lifetime=8h \
    nat-traversal=no secret=password
/ip ipsec policy
set 0 disabled=yes
add dst-address=d.d.d.d/24 proposal=md5-aes128-8h sa-dst-address=b.b.b.b sa-src-address=a.a.a.a/24 src-address=c.c.c.c/24 tunnel=yes
add dst-address=e.e.e.e/20 proposal=md5-aes128-8h sa-dst-address=b.b.b.b sa-src-address=a.a.a.a/24 src-address=c.c.c.c/24 tunnel=yes
2

I found the issue.
This is because the router is receiving IPsec requests from routers that isn’t expected.

The central router doesn’t have an IPsec peer for the connecting client router.
The sere number of the log messages made me not even think about checking for old client routers with orphan IPsec peers.