Community discussions

MikroTik App
 
drank
just joined
Topic Author
Posts: 19
Joined: Sun Mar 02, 2014 1:50 pm
Location: Sofia, Bulgaria

[6.10] Dynamic IPsec policies not deleted after disconnect

Sun Mar 09, 2014 3:51 pm

Hi,

I don't know if this is a bug or the way it is supposed to work (I'm still new to MikroTik) but after L2TP/IPsec client disconnects, the dynamic IPsec policy is not deleted by the router. It remains present in the Policies list and cannot be deleted even manually. The only way to clean the list is to reboot the router. Is this normal?

Thank you.

Best regards
My setup: RB951G-2HnD, RouterOS v6.10
 
efaden
Forum Guru
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: [6.10] Dynamic IPsec policies not deleted after disconne

Sun Mar 09, 2014 5:23 pm

Hi,

I don't know if this is a bug or the way it is supposed to work (I'm still new to MikroTik) but after L2TP/IPsec client disconnects, the dynamic IPsec policy is not deleted by the router. It remains present in the Policies list and cannot be deleted even manually. The only way to clean the list is to reboot the router. Is this normal?

Thank you.

Best regards
I'm actually seeing this behavior also.... seems to be new to 6.10. You can go flush the connections and it clears them out.
 
drank
just joined
Topic Author
Posts: 19
Joined: Sun Mar 02, 2014 1:50 pm
Location: Sofia, Bulgaria

Re: [6.10] Dynamic IPsec policies not deleted after disconne

Sun Mar 09, 2014 10:30 pm

Yes, flushing the connections works but only when the connections are still active. When the client disconnects, the connections are gone but the policies are still there.
My setup: RB951G-2HnD, RouterOS v6.10
 
efaden
Forum Guru
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: [6.10] Dynamic IPsec policies not deleted after disconne

Sun Mar 09, 2014 10:32 pm

Flush the SAS. That got rid of them for me.

Sent from my SCH-I545 using Tapatalk
 
drank
just joined
Topic Author
Posts: 19
Joined: Sun Mar 02, 2014 1:50 pm
Location: Sofia, Bulgaria

Re: [6.10] Dynamic IPsec policies not deleted after disconne

Sun Mar 09, 2014 11:57 pm

Hmm, if flushing the SAs gets rid of the policies then is it possible that the issue has something to do with the "Lifetime" setting in Peer (Phase 1)? Mine is set to 1 day.
My setup: RB951G-2HnD, RouterOS v6.10
 
User avatar
rmmccann
Member Candidate
Member Candidate
Posts: 182
Joined: Tue Sep 25, 2012 11:15 pm
Location: USA

Re: [6.10] Dynamic IPsec policies not deleted after disconne

Tue Aug 19, 2014 8:19 am

I realize this is an old thread but I ran across it today on a 6.7 router. Does anyone know if the fact that these dynamic policies are not being removed automatically is a bug or a feature? Having to manually flush SAs to clear them out (or reboot the router) isn't really a great option.

Assuming it's a bug - has it been fixed yet?
A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. --Douglas Adams
 
Anirey
just joined
Posts: 24
Joined: Mon Sep 22, 2014 8:37 am

Re: [6.10] Dynamic IPsec policies not deleted after disconne

Mon Sep 22, 2014 8:42 am

Hi.
I have the same trouble. I use OS v6.19. Are there a solving?
 
sumione
just joined
Posts: 1
Joined: Sun Feb 08, 2015 11:21 am

Re: [6.10] Dynamic IPsec policies not deleted after disconnect

Sun Feb 08, 2015 11:44 am

Hi.
I have the same trouble. Are there a solving? I use OS 6.25

Thank you.

Best regards
 
jo2jo
Forum Veteran
Forum Veteran
Posts: 972
Joined: Fri May 26, 2006 1:25 am

Re: [6.10] Dynamic IPsec policies not deleted after disconnect

Sun Aug 23, 2015 10:42 am

Same issue here, the dynamic policy is created (as it should) from setting the l2tp server to use-ipsec and assigning a pre-shared key. however once the client disconnects from the l2tp/ipsec tunnel, the dynamic plolicy should be removed (and if the user re-connects from the same source IP, then it should again be recreated).

the issue is that the dynamic policy is not removed, and then there is no way to manually remove it (it gives error, can not remove dynamically created policy). If another l2tp (non ipsec) device needs to connect on udp 1701 udp, then they cannot until the prior rule is removed (which there is no way to do so).

should be a somewhat simple bug fix for mikrotik.

thanks

EDIT: CORRECTION, you can "flush" any dynamically created policies by going to "installed SAs" and clicking flush then choose ALL. I still think some kinda of idel timer should be set on dynamically created ipsec policys
:beep :beep :beep

Who is online

Users browsing this forum: freemannnn, mkx, sindy and 74 guests