Regarding aggressive mode IPsec not working for peer (0.0.0.0/0) on ROS above 6.43.13

Hi everyone. If anyone has come across the issue described below, I need your guidance. Thank you in advance.

I am facing an issue with IPsec in aggressive mode on RouterOS versions above 6.43.13, hence I was not using any newer version of RouterOS. But recently I purchased some new hardware, RB1100ahx4, which comes with factory default version 6.45.4, and I can't downgrade it.

I have tested both the latest stable (6.47.8) and long-term (6.46.8) versions, but IPsec is not getting established.

Network scenario -
IPsec server - RB1100ahx4 router with Internet leased line, static IP
IPsec client - OpenWrt router with 4G SIM, dynamic IP
I have this setup running on more than 3 RB1100ahx4 units, with above 1000 IPsec clients, and it is working properly up to ROS 6.43.13.

On RouterOS version 6.43.13 and below -
Aggressive mode IPsec is successfully established between the OpenWrt router with 4G SIM (dynamic public IP) and the RB1100ahx4 (static public IP).
My RB1100ahx4 router is behind NAT (firewall), hence I am using my-id type address, and it's working properly without issue.


On RouterOS version above 6.43.13 -

  1. Aggressive IPsec works only if the peer IP is fixed and the passive option is unchecked.
  2. Aggressive IPsec doesn't work if the peer IP is 0.0.0.0/0. Also, we can't uncheck passive mode; it gets checked automatically. Peer IP 0.0.0.0/0 works for version 6.43.13 and below.

I have also tested the my-id type settings auto and address for the peer IP, as suggested by support, but it did not work.

A support ticket is already open [SUP-34332], but I am not getting any proper resolution yet.

Attachments -

  1. ipsec_config_aggr_mikrotik6.43.13.txt (422 Bytes)
  2. ipsec_config_aggr_mikrotik6.47.8.txt (360 Bytes)
  3. ipsec_config_aggr_openwrt.txt (1.69 KB)
  4. mikrotik6.47.8_ipsec_aggr_peer_ip_fixed_successfull.rsc (2.48 KB)
  5. mikrotik6.47.8_ipsec_aggr_peer_ip_0.0.0.0_failed.rsc (2.47 KB)

If you enable “ipsec” debug logging on both MikroTik and OpenWrt, what does the log say?

Thank you for the support.

I have tested this in RouterOS 6.47.7 and 6.48.2. It's working now.

Now I am able to configure aggressive mode IPsec where one end has a dynamic IP address.

For the global IP on the WAN interface - IPsec is connecting with my old configuration untouched.

For the NATed IP on the WAN interface - I have configured right ID in phase 1 of the OpenWrt router and it's working fine.