glucz
Member Candidate
Topic Author
Posts: 123
Joined: Wed Jun 06, 2007 10:25 pm

IPSEC help (level)

Tue Oct 09, 2012 1:47 am

I have a problem with IPsec. The generated policies are assigned a "required" level. This is problematic because if a client connects to me with IPsec, a policy is generated to require all further traffic to be encrypted... but after the SAs time out and the client decides to connect without IPsec, she will not be able to do so. In fact, no further unencrypted connections from that IP will be possible ever, unless I manually flush the (already non-existing) SAs, which will clear the generated (dynamic) policies. There is no way to clear dynamic policies...

A solution to this would be to be able to set the level in peers for the generated policy. So even if I still could not delete the policy, at least it would be "use" level, so that non-IPsec communication would be possible.

I think making the level part of the peer template would make IPsec usable for dynamic-IP VPN use. Right now it works only if customers never mix IPsec and non-IPsec connections, but when they do, they will not be able to go back to non-IPsec... You may think that this is not important, but different client applications handle L2TP differently. Apple requires IPsec, while it is optional for Windows and non-existent for DD-WRT or other SOHO Wi-Fi routers and other small tabletop devices. So people do mix IPsec with non-IPsec even if they don't know about it, and just end up running into problems.

GL
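
As an added example (not from the original post, and not MikroTik's own configuration): a static transport-mode L2TP policy written twice, once with the strict level the post complains about and once with level=use, followed by the two commands the thread refers to. The addresses 203.0.113.1 (router) and 198.51.100.7 (client) are assumptions; the syntax is RouterOS v6 `/ip ipsec`, where the strict level is spelled `level=require` (the post calls it "required").

```routeros
# Added example, not from the thread. Addresses and the client are
# assumptions; syntax follows RouterOS v6 "/ip ipsec" commands.

# Static transport-mode policy for L2TP with level=require: once it is in
# place, plaintext UDP/1701 to or from 198.51.100.7 is dropped until an SA
# is negotiated, which is the behaviour the post describes for the
# dynamically generated policies.
/ip ipsec policy
add src-address=203.0.113.1/32 src-port=1701 dst-address=198.51.100.7/32 dst-port=any \
    protocol=udp action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.7 proposal=default

# The same policy with level=use: traffic is encrypted while an SA exists,
# plaintext is passed (not dropped, and no IKE acquire is triggered) when
# there is none, so a client that comes back without IPsec is still accepted.
add src-address=203.0.113.1/32 src-port=1701 dst-address=198.51.100.7/32 dst-port=any \
    protocol=udp action=encrypt level=use ipsec-protocols=esp tunnel=no \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.7 proposal=default

# Generated policies appear with the D (dynamic) flag and cannot be removed
# with "remove".
/ip ipsec policy print

# The only way the post found to clear them: flush the installed SAs.
/ip ipsec installed-sa flush
```

A static policy is only a workaround for peers whose addresses are known in advance; the dynamic-IP case the post describes still ends up with generated policies carrying the default level.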
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: IPSEC help (level)

Tue Oct 09, 2012 2:40 am

Yeah, if you use a dynamically generated policy, there is no way to set the level. Nice catch; I can see when that would be a problem, and setting the policy level in the peer could help.

However, it goes the other way around too. If you configured the level on a per-peer basis, you couldn't have a single peer config for multiple policies which require different levels if you are using static policies.
 
glucz
Member Candidate
Topic Author
Posts: 123
Joined: Wed Jun 06, 2007 10:25 pm

Re: IPSEC help (level)

Tue Oct 09, 2012 8:12 am

The true solution would be to allow us to delete dynamic IPsec policies (if the corresponding SAs are missing, for example).

Does anyone know if this is a kernel limitation or a MikroTik-enforced limitation that they would be able to change?

GL
