First of all, I am sorry for the delayed response. You requested the IPsec logs and the supout.rif file; however, since the problem was diagnosed on an active secure system handling financial data, I could not supply those due to our strict network policy. My only solution was to recreate the problem with other devices, and this is what I did. I set up a small lab network with two laptops, one behind a MikroTik CRS125-24G-1S and the second behind an ASA5505 firewall. I set up the firewall in exactly the same way as our corporate one (with different networks and passwords, of course), and I set up an IPsec tunnel between the CRS and the ASA.
The topology is the following:
LAPTOP1 <----> CRS125                                ASA5505 <----> LAPTOP2
10.0.2.2/24    10.0.2.1/24                           10.0.5.1/24    10.0.5.2/24
               10.0.1.16/24 <----> CISCO SWITCH <----> 10.0.1.254/24
At first, I put “10.0.1.16” as the SA Src. Address in the IPsec policy. The tunnel came up and one laptop could ping the other fine.
I got all the related logs and also created a supoutOK.rif.
Then I changed the SA Src. Address to “0.0.0.0” and rebooted the CRS.
Again, the tunnel came up, but the two laptops could no longer communicate due to the symptom mentioned in my original e-mail. The “remote peers” table was populated with two peer entries, one with the actual outside address (10.0.1.16) and the other with 0.0.0.0. This behavior started with version 6.30, whereas on version 6.29.1 and before, 0.0.0.0 was/is working fine.
I got a screenshot of the Remote peers, created a supoutBAD.rif and also got all the IPSec logs.
Everything is attached to my support e-mail; the ticket number is 2015072466000023.
Thank you for your time. I hope this is resolved soon, because I need to be able to establish IPsec site-to-site VPNs from dynamic addresses.