Hi everyone, if anyone has come across the issue described below, I need your guidance. Thank you in advance.
I am facing an issue with IPsec in aggressive mode on RouterOS versions above 6.43.13, hence I was not using any newer version of RouterOS. But recently I purchased some new hardware, RB1100ahx4, which comes with factory default version 6.45.4, and I can't downgrade it.
I have tested both the latest stable (6.47.8) and long-term (6.46.8) versions, but IPsec is not getting established.
Network scenario -
IPsec server - RB1100ahx4 router with Internet leased line, static IP
IPsec client - OpenWrt router with 4G SIM, dynamic IP
I have this setup running on more than 3 RB1100ahx4 units with more than 1000 IPsec clients, and it works properly up to ROS 6.43.13.
On RouterOS version 6.43.13 and below -
Aggressive mode IPsec is successfully established between the OpenWrt router with 4G SIM (dynamic public IP) and the RB1100ahx4 (static public IP).
My RB1100ahx4 router is behind NAT (firewall), hence I am using my-id type address, and it works properly without issue.
On RouterOS versions above 6.43.13 -
1. Aggressive IPsec works only if the peer IP is fixed and the passive option is unchecked.
2. Aggressive IPsec doesn't work if the peer IP is 0.0.0.0/0. Also, we can't uncheck the passive mode; it gets checked automatically. Peer IP 0.0.0.0/0 works for version 6.43.13 and below.
I have also tested the settings my-id type auto and address for the peer IP as suggested by support, but it did not work.
A support ticket is already open [SUP-34332], but I am not getting any proper resolution yet.
Attachments -
1. ipsec_config_aggr_mikrotik6.43.13.txt
2. ipsec_config_aggr_mikrotik6.47.8.txt
3. ipsec_config_aggr_openwrt.txt
4. mikrotik6.47.8_ipsec_aggr_peer_ip_fixed_successfull.rsc
5. mikrotik6.47.8_ipsec_aggr_peer_ip_0.0.0.0_failed.rsc