After working with my RB951-2n for the last two days getting the Site to Site VPN set up on it and experimenting with getting some kind of VoIP prioritization set up, I upgraded it from 6.7 to 6.9.
Now, every time I reboot it, the policy for my VPN says ‘Invalid’ until I open it and click apply - then it magically says ‘not invalid’ and the tunnel comes up.
I thought maybe it was something odd lingering, so I removed it and went to re-create it, and it would not let me create it with 0.0.0.0 in the ‘SA Src. Address’ field. I didn’t have any problem doing that in 6.7. I then tried putting in the public IP the connection is coming from, which did not work. I put in the private NAT IP assigned to the WAN interface and the tunnel came up (it’s currently behind a Linksys for NAT-T testing). After that was saved and the tunnel was established, it allowed me to change the ‘SA Src. Address’ back to 0.0.0.0 and the tunnel comes up fine. But when I reboot, it still goes back to ‘Invalid’. I ‘downgraded’ back to 6.7 and the VPN tunnel comes up at boot without issue.
That’s disappointing; I was going to try it in a couple of days, but I have had my second hard crash on my 2011. I have to pull power; I need to use a console cable next time to see what’s going on. Really disappointed with this 6.x stuff.
That may be true… BUT… in my case, it’s a pretty simple setup. The only ‘mistake’ as far as the VPN config goes would be the 0.0.0.0 for the SA Source. Putting an address in there is all well and good when you are dealing with a Site to Site VPN that’s static on both ends. But when the end the device is on is dynamic, you can’t specify an address.
Maybe having 0.0.0.0 in there is ‘wrong’, but you need SOME way to allow the device to function as a dynamic endpoint.
The client. At the server end I have a Cisco ASA 5510 with a /27 block of static IPs set up with a Dynamic L2L VPN in addition to the static ones. The plan for the Mikrotiks is to have them at the users’ home offices to allow the Avaya IP Phones to contact the phone system without using the built-in VPN functionality, as it’s a bit flaky, causing dropped calls. The Mikrotik has been running great as a VPN endpoint. It even works behind a Linksys NAT firewall (but won’t work through my uVerse connection’s NAT for some reason).
With this setup, the client end doesn’t need to be static as the connection is being initiated from there by the phone. There’s no need for the main office end to ‘reach back’ through the VPN to the Home Office.
Yes, ‘sa-src-address=’ in ‘/ip ipsec policy’. 6.9 would not allow that to be 0.0.0.0 and when that endpoint is dynamic, you cannot specify an IP as when it changes, it will no longer work.
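For readers who have not seen the parameter in context, here is what a policy of the kind described above looks like in RouterOS 6.x CLI syntax. This is an added illustration, not a config posted by anyone in this thread; the addresses (192.168.88.0/24 for the home office LAN, 10.0.0.0/24 for the head office LAN, 203.0.113.1 for the ASA’s public address) and the pre-shared key are placeholders I chose for the example.

```routeros
# Added example: dynamic-endpoint IPsec initiator on RouterOS 6.x.
# All addresses and the secret below are placeholders, not from the thread.

# Phase 1: the peer is the static head-office firewall (assumed 203.0.113.1).
# nat-traversal=yes is needed when this router sits behind another NAT device.
/ip ipsec peer add address=203.0.113.1/32 exchange-mode=main \
    secret="replace-with-a-strong-psk" nat-traversal=yes \
    send-initial-contact=yes

# Phase 2 proposal shared with the other end.
/ip ipsec proposal set default enc-algorithms=aes-128-cbc \
    auth-algorithms=sha1

# Phase 2 policy. src/dst-address are the protected LANs; sa-src-address is
# this router's tunnel endpoint. 0.0.0.0 is the value the thread is about:
# it lets the router use whatever WAN address it currently has instead of a
# fixed one, which is the only workable choice when the WAN IP is dynamic.
/ip ipsec policy add src-address=192.168.88.0/24 src-port=any \
    dst-address=10.0.0.0/24 dst-port=any protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=0.0.0.0 sa-dst-address=203.0.113.1 proposal=default

# Caveat: srcnat runs before the policy lookup, so a masquerade rule on the
# WAN would rewrite the source address and the policy would never match.
# Put an accept rule for the VPN traffic ahead of the masquerade rule.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
    dst-address=10.0.0.0/24 action=accept place-before=0
```

With the policy in place, `/ip ipsec policy print` should show it without the `I` (invalid) flag and `/ip ipsec installed-sa print` should list an SA pair once traffic from the phone triggers the tunnel; a policy that is flagged invalid at boot, as reported above, will show the flag in that first command even though the configuration itself was accepted.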
The pfSense firewall I’ve been using has a dropdown for ‘My Identifier’, which I believe is what ‘SA Src. Address’ is referring to, with several options when creating an SA: ‘My IP Address’, which will use whatever the external IP address is; ‘IP Address’, which when selected gives you a field to populate with an IP; along with several others, including DN, User DN and a few more.
Another thing that would be VERY useful is if the ROS IPsec setup could specify a hostname (vpn.mydomain.com) as the SA Destination address, rather than an IP. It’s not often that the target address needs to be changed, but it’s not unheard of.