Ipsec import issue

Posted: Fri Jan 10, 2020 12:32 pm
by marypoppins
Dear All,


I have a strange error. I have a routerboard 1100AHx2 running RouterOS 6.43.4 with the same routerboot version. There is some IPsec configuration on it. I upgraded it to the most recent 6.46.1 version, exported the config, reset the router and imported the config, and it stops at the ipsec policy add line:
/ip ipsec policy add dst-address=<ip_add> proposal=prop_conf sa-dst-address=<ip_add> sa-src-address=<ip_add> src-address=<ip_add> tunnel=yes
failure: Peer not set!

When I try to add it manually with "peer=peer_conf" appended at the end, it works like a charm:
ip ipsec policy add dst-address=<ip_add> proposal=prop_conf sa-dst-address=<ip_add> sa-src-address=<ip_add> src-address=<ip_add> tunnel=yes peer=peer_conf

However, there is a peer in the config, and it is successfully imported some lines before. To me it seems like the export forgets to add the peer configuration to the "/ip ipsec policy add" line.
I tried it with versions 6.46 and 6.45.7 as well, with the same result: failure: peer not set...
Is it possible that I did something wrong? It is strange that the problem appears nowhere else...

The exact steps:
1) routerboard os 6.43.4
2) copy packages and routeros v6.46.1 to the board via serial
3) reboot
4) router version 6.46.1
5) /export file=export_file terse
6) /system reset-config
7) /import file-name=export_file verbose=yes

then "failure: peer not set" happens...

thank you

Re: Ipsec import issue

Posted: Fri Jan 10, 2020 1:59 pm
by emils
This behavior is expected because the router cannot know which peer the policy should be assigned to after upgrading your router. Please specify the peer for your policy and export the configuration after that; it should contain the peer parameter then.
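A pre-import check for the situation described in this thread, added here as an example and not code from the thread or from MikroTik: it scans a terse export for "/ip ipsec policy add" lines that lack peer=, and appends peer= only where the policy's sa-dst-address matches exactly one "/ip ipsec peer add" address. The sample export and its addresses are constructed placeholders; policies whose peer cannot be inferred (for example because the peer is configured by hostname) are reported for manual editing.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a terse RouterOS export (placeholder names and addresses).
SAMPLE_EXPORT = """\
/ip ipsec peer add address=203.0.113.5/32 name=peer_conf profile=prof_conf
/ip ipsec proposal add enc-algorithms=aes-256-cbc name=prop_conf
/ip ipsec policy add dst-address=10.1.0.0/24 proposal=prop_conf sa-dst-address=203.0.113.5 sa-src-address=198.51.100.2 src-address=10.0.0.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.2.0.0/24 proposal=prop_conf sa-dst-address=203.0.113.9 sa-src-address=198.51.100.2 src-address=10.0.0.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.3.0.0/24 peer=peer_conf proposal=prop_conf src-address=10.0.0.0/24 tunnel=yes
"""

# key=value tokens of an export command; quoted values may contain spaces.
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Return the key=value pairs of one export command line."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def peers_by_address(export: str) -> Dict[str, str]:
    """Map peer address (prefix length dropped) to peer name."""
    peers: Dict[str, str] = {}
    for line in export.splitlines():
        if line.startswith("/ip ipsec peer add"):
            kv = parse_kv(line)
            if "address" in kv and "name" in kv:
                peers[kv["address"].split("/")[0]] = kv["name"]
    return peers


def fix_policies(export: str) -> Tuple[str, List[str]]:
    """Append peer= to policy lines that lack it when sa-dst-address
    matches a configured peer address. Returns the patched export and
    the policy lines that still need a peer chosen by hand."""
    peers = peers_by_address(export)
    out: List[str] = []
    unresolved: List[str] = []
    for line in export.splitlines():
        if line.startswith("/ip ipsec policy add"):
            kv = parse_kv(line)
            # Template policies are matched by group, not peer, so skip them.
            if "peer" not in kv and kv.get("template") != "yes":
                name = peers.get(kv.get("sa-dst-address", ""))
                if name:
                    line = f"{line} peer={name}"
                else:
                    unresolved.append(line)
        out.append(line)
    return "\n".join(out) + "\n", unresolved
```

Run the patched text through /import only after reviewing the unresolved lines; a wrong peer assignment fails quietly as an inactive policy rather than as an import error.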

Re: Ipsec import issue

Posted: Fri Jan 10, 2020 2:10 pm
by marypoppins
Ohh I see! Thank you very much for your answer!

Have a nice day!

Re: Ipsec import issue

Posted: Sun Feb 09, 2020 11:55 pm
by OndrejHolas
This is a known problem. There were substantial changes in the IPsec configuration structure in 6.43 (introduced peer profiles) and in 6.44 (identity). I've also observed the same errors when pasting a working IPsec configuration to a new box. For some reason, ROS now requires setting the peer at the policy level, although in older versions (up to 6.42, maybe even later) this was not required and the policy obviously worked then. An upgrade to later versions does not know which peer to use, and the peer remains unconfigured on the policy elements, but the policy still works.

In my case, the configuration was initially set up on 6.42.6, then upgraded to every new version up to the current 6.46.3. In such an upgraded configuration, the policy has a missing peer and goes active in the same way as in the original version where it was configured (here I use transport mode, the peer address is the same as the remote IP address, so dynamically selecting the peer configuration to use is trivial):

> /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #     PEER              TUNNEL SRC-ADDRESS    DST-ADDRESS    PROTOCOL ACTION  LEVEL   PH2-COUNT
 0 T *                          ::/0           ::/0           all
 1  A  ;;; peer not set
                         no     192.168.4.6/32 192.168.4.5/32 all      encrypt require         2

The export of IPsec policies is also without peers and is thus invalid to import in 6.46. The same workaround (add an explicit peer to the policy elements) worked for me as well.

Ondrej

Re: Ipsec import issue

Posted: Mon Feb 10, 2020 12:22 am
by Sob
> For some reason, ROS now requires setting the peer at the policy level, although in older versions (up to 6.42, maybe even later) this was not required and the policy obviously worked then.

You didn't have to set the peer, but you had to set the SA src/dst address for the policy. So you had to repeat the same remote and local addresses from the peer settings, which was more work than selecting a peer. And if the peer used a hostname instead of an IP address, you couldn't use it for the policy, because it accepted only an IP address. In short, the new way is better.

Re: Ipsec import issue

Posted: Mon Feb 10, 2020 1:00 am
by OndrejHolas
> You didn't have to set the peer, but you had to set the SA src/dst address for the policy.

Indeed. But for transport mode, the SA src/dst configuration was removed in 6.38.4:

*) ipsec - hide SA address for transport policies

The reason for this change was that SA src/dst addresses were not used at all in transport mode. Dynamic peer selection did its job, and this works in 6.46 as well (when upgraded).

> In short, the new way is better.

Agreed.

Ondrej