 
dnordenberg
Member Candidate
Topic Author
Posts: 126
Joined: Wed Feb 24, 2016 8:00 pm

IPsec, policies after the first one get no phase2 from start but works after enable is clicked

Thu Jun 03, 2021 3:30 pm

Hi!
After a network disconnect or a disable/enable of the associated peer entry I get a problem with the policies after the first one. The first goes "established" but the rest are "no phase 2". I only get an SA for the first policy. I have to click on each policy (winbox) and click the enable button. Then it switches to "established" and another SA is added. It is as if the SAs are required too fast after the first one so the other ones fail, but I don't know if it can happen too fast... I guess the only thing clicking the enable button does is try to require the SA again?

Before enable button is clicked:
ipsec 5.PNG
ipsec 6.PNG
After enable button is clicked:
ipsec 7.PNG
ipsec 8.PNG
I'm also not sure I understand exactly what the policy setting "level" does. The default is "require" but that does not work for me: if I enable more than one policy, connectivity is broken for the first one. So I figured out that "unique" solves this; more than one policy can then be enabled without breaking the connection, but I still have this "no phase 2" when all policies try to start simultaneously :(

Created a script that fixes it for me when scheduled, but it's a bit of an ugly solution :(

:local row [/ip ipsec policy find where (ph2-state=no-phase2 && dst-address="XXX.XXX.39.134/31")]
:if ($row != "") do={
/ip ipsec policy enable $row
}
 
dnordenberg
Member Candidate
Topic Author
Posts: 126
Joined: Wed Feb 24, 2016 8:00 pm

Re: IPsec, policies after the first one get no phase2 from start but works after enable is clicked

Tue Jun 08, 2021 1:47 pm

No ideas? :(
