emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 11:11 am


Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemented in version 7.
 
eworm
Forum Guru
Posts: 1071
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 11:47 am

No rc versions this time?
 
pe1chl
Forum Guru
Posts: 10231
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 12:07 pm

But not only that, distinct interfaces would make everything more clear and admin friendly. More interoperable too. And the whole thing doesn't even sound too complicated.
Well, I remember the days when all Linux systems did that, but it was changed because others (BSD, Cisco) were not using separate interfaces but only those policies.
I always considered it a bad move. Dedicated interfaces for IPsec traffic were so much clearer.
Apparently later (and currently) the option to use interfaces was re-introduced, but today I am not using plain Linux systems as routers anymore so I lost track of that.

Whenever possible, I use a tunnel over IPsec transport. I use GRE because it has some other use cases, but you can use IPIP too.
In fact, IPIP over IPsec transport is almost the same as an IPsec tunnel at the protocol layer. I.e. there is no extra overhead.
But of course this can only be done when you manage both ends, as they cannot be interconnected.
 
bnw
just joined
Posts: 22
Joined: Thu Jun 13, 2019 5:56 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 6:02 pm

One thing I would like to see in 6.45 is some hardware SNMP improvement for the CCR1072.
As stated in ticket #2019032822004818, many hardware OIDs are missing for this device, compared to what Winbox shows :
- Board temperature
- Board temperature 2
- Fan speed 3
- Fan speed 4
- PSU1 status (should be OID .15 (*))
- PSU2 status (should be OID .16 (*))
(*) as seen on other models such as the CRS317-1G-16S+.

We are then clearly at risk with our CCR1072-1G-8S+, not being able to monitor all their hardware components, which is a rather tricky situation for core devices.

I found other topics complaining about this : viewtopic.php?f=1&t=143899 / viewtopic.php?f=2&t=117322

Many thanks for your support Mikrotik dev' team !
 
LynxChaus
newbie
Posts: 29
Joined: Tue Jul 08, 2014 2:24 pm

Re: v6.45beta [testing] is released!

Thu Jun 13, 2019 8:26 pm


*) tr069-client - added LTE CQI and IMSI parameter support;
Why only in tr069? Export in SNMP too, with all other info.
 
LeftyTs
Frequent Visitor
Posts: 88
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 12:32 am

One thing I would like to see in 6.45 is some hardware SNMP improvement for the CCR1072.
As stated in ticket #2019032822004818, many hardware OIDs are missing for this device, compared to what Winbox shows :
- Board temperature
- Board temperature 2
- Fan speed 3
- Fan speed 4
- PSU1 status (should be OID .15 (*))
- PSU2 status (should be OID .16 (*))
(*) as seen on other models such as the CRS317-1G-16S+.

We are then clearly at risk with our CCR1072-1G-8S+, not being able to monitor all their hardware components, which is a rather tricky situation for core devices.

I found other topics complaining about this : viewtopic.php?f=1&t=143899 / viewtopic.php?f=2&t=117322

Many thanks for your support Mikrotik dev' team !
+1
 
Jotne
Forum Guru
Posts: 3300
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 12:46 am

If you can see this system info in the cli, you can easily send it out to a monitor system using script and Syslog.

I have stopped using SNMP, since for every new unit I set up, I have to tell the system that there is a new Router/Switch, or have a program that scans a net. Scanning a net does not work if the routers are spread around in many nets.

Using Syslog is easy. Just add a script to the router when you are setting it up. It will then call home with all info you need.

Look at my Mikrotik for Splunk in my signature.
 
bnw
just joined
Posts: 22
Joined: Thu Jun 13, 2019 5:56 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 1:31 am

If you can see this system info in the cli, you can easily send it out to a monitor system using script and Syslog.
We use SNMP for all our (network) devices from our enterprise monitoring & reporting solution, I think as many other companies.
We simply can't rely on workarounds.
We then expect Mikrotik to complete the SNMP tree for the CCR1072 hardware components, to have something reliable.
Thank you anyway !
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 8:37 am

Version 6.45beta62 has been released.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 6.45beta62 (2019-Jun-13 10:13):

MAJOR CHANGES IN v6.45:
----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
!) user - removed insecure password storage;
----------------------

Changes in this release:

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control;
!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
*) bridge - correctly handle bridge host table;
*) capsman - fixed CAP system upgrading process for MMIPS;
*) certificate - added "key-type" field;
*) certificate - added support for ECDSA certificates (prime256v1, secp384r1, secp521r1);
*) crs3xx - fixed "tx-drop" counter;
*) defconf - fixed channel width selection for RU locked devices;
*) dhcpv4-server - added "client-mac-limit" parameter;
*) dhcpv6-client - added option to disable rapid-commit;
*) dhcpv6-server - added additional RADIUS parameters for Prefix delegation, "rate-limit" and "life-time";
*) dhcpv6-server - added "address-list" support for bindings;
*) dhcpv6-server - added "insert-queue-before" and "parent-queue" parameters;
*) dhcpv6-server - added RADIUS accounting support with queue based statistics;
*) dhcpv6-server - added "route-distance" parameter;
*) e-mail - properly release e-mail sending session if the server's domain name can not be resolved;
*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity;
*) ipsec - added "ph2-total" counter to "active-peers" menu;
*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
*) ipsec - added traffic statistics to "active-peers" menu;
*) ipsec - disallow setting "src-address" and "dst-address" for transport mode policies;
*) ipsec - renamed "remote-peers" to "active-peers";
*) ltap - renamed SIM slots "up" and "down" to "2" and "3";
*) lte - added passthrough interface subnet selection;
*) lte - fixed LTE interface running state on RBSXTLTE3-7 (introduced in v6.45beta);
*) m33g - added support for additional Serial Console port on GPIO headers;
*) routerboard - renamed 'sim' menu to 'modem';
*) snmp - fixed "send-trap" not working when "trap-generators" does not contain "temp-exception";
*) snmp - improved reliability on SNMP service packet validation;
*) winbox - added "System/SwOS" menu for all dual-boot devices;
*) winbox - do not allow setting "dns-lookup-interval" to "0";

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as expected or after crash.
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 10:58 am

*) ipsec - added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
Will it also work for "rsa-signature-hybrid"?
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 11:43 am

Does anyone know where to find this setting? I have been looking for it for years now.

*) winbox - do not allow setting "dns-lookup-interval" to "0";

Many support mails about addresslists and DNS timings but this was never mentioned to me. I have now a limiter only for DNS so that when there is no upstream DNS it will not flood my local DNS server with countless resolve requests.

Update:
Found it on a Polish site and it is a setting not applying to what I was looking for.

So the limiter and drop line stays active.
 
anuser
Long time Member
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 2:05 pm

Version 6.45beta62 has been released.
*) bridge - correctly handle bridge host table;
What kind of issue was there actually?
 
osc86
Member Candidate
Posts: 197
Joined: Wed Aug 09, 2017 1:15 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 2:42 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
 
pe1chl
Forum Guru
Posts: 10231
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 5:38 pm

Please implement "advertise-local-dns" option in IPv6 ND that makes router advertise the local address (same as gateway) as DNS server, instead of the IPv6 DNS servers configured in /ip dns.
(to make IPv6 systems use the local DNS resolver instead of going directly to the ISP DNS servers)

This is necessary to make locally configured DNS static names visible to IPv6 capable clients.
 
raffav
Member
Posts: 345
Joined: Wed Oct 24, 2012 4:40 am

Re: v6.45beta [testing] is released!

Fri Jun 14, 2019 5:46 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part needs to be rebuilt, for better debugging
 
Cha0s
Forum Guru
Posts: 1142
Joined: Tue Oct 11, 2005 4:53 pm

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 2:18 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1
 
Florian
Member Candidate
Posts: 117
Joined: Sun Mar 13, 2016 9:45 am
Location: France

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 7:29 pm

Please implement "advertise-local-dns" option in IPv6 ND that makes router advertise the local address (same as gateway) as DNS server, instead of the IPv6 DNS servers configured in /ip dns.
(to make IPv6 systems use the local DNS resolver instead of going directly to the ISP DNS servers)

This is necessary to make locally configured DNS static names visible to IPv6 capable clients.
You can do this :

viewtopic.php?t=132657

That's what I do, it's working.
 
pe1chl
Forum Guru
Posts: 10231
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sat Jun 15, 2019 10:11 pm

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
 
LeftyTs
Frequent Visitor
Posts: 88
Joined: Thu Nov 03, 2016 2:39 am
Location: Athens, Greece

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 3:23 am

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part needs to be rebuilt, for better debugging
For better debugging and analysis you should consider sending to a remote log server. Makes life much easier.
 
pawelkopec88
just joined
Posts: 10
Joined: Wed Mar 14, 2018 11:06 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 10:34 am

Hi,

HW Offloading doesn't work on HAP AC on RouterBOARD 962UiGS-5HacT2HnT ROS 6.45beta62. On stable 6.44.3 HW Offloading is working. I have sent an email to your support with rif files
 
eworm
Forum Guru
Posts: 1071
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 11:25 am

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider to switch...
Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and does not get this specific setting.
 
TimurA
Member Candidate
Posts: 199
Joined: Sat Dec 15, 2018 6:13 am
Location: Tashkent

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:06 pm

Good job 6.45beta62! wifi 5ghz, 2 days running without crashing on RB4011.
 
pe1chl
Forum Guru
Posts: 10231
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:50 pm

I don't think I understand what is going on there. I use ND, not DHCPv6, for setting those parameters.
That's the point. With ND you can not specify the DNS server, with DHCPv6 you can. Consider to switch...
Works just fine, I've set it up this way as well. Only Android does not support DHCPv6 and does not get this specific setting.
~85% of our users have Android, then maybe 10% Apple and 5% Windows.

I think it should not be that difficult to add an option to have ND advertise the local address (same as it advertises for gateway) as DNS server instead of the IPv6 addresses configured in /ip dns.
And when at that, also have some option in the DHCPv6 server to do the same thing. Other changes in DHCPv6 are in the changelist so apparently someone is working on it.
In the DHCPv4 server there is a field to specify own DNS servers and even a special checkmark to suppress the automatic advertisement of DNS servers... why not in IPv6?
 
pe1chl
Forum Guru
Posts: 10231
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Sun Jun 16, 2019 12:54 pm

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.
+1K
I think the log part needs to be rebuilt, for better debugging
For better debugging and analysis you should consider sending to a remote log server. Makes life much easier.
Well, I agree that when you are running a lot of tunnels and you try to debug one of them, enabling packet-level debugging makes a terrible mess and/or load, even with remote log server.
It could be useful to have some option to enable ipsec debug logging for a single peer, preferably not by filtering but by only logging for that specific peer.
 
rdelacruz
newbie
Posts: 39
Joined: Thu Jul 14, 2016 8:12 pm

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 2:21 am

rdelacruz - Please note that accounting will work only for those users which have a queue. Data for accounting is taken from queue statistics
Yes, I'm aware of it. Are you referring to this queue?

Image

If yes, can you please confirm that this added feature will work if we use RADIUS for accounting and lease? Thanks
Have you successfully tested this one?
 
EdPa
MikroTik Support
Posts: 288
Joined: Fri Sep 15, 2017 10:05 am
Location: Riga

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 11:36 am

Version 6.45beta62 has been released.
*) bridge - correctly handle bridge host table;
What kind of issue was there actually?
On some occasions, hosts did not time out correctly. Now bridge will make sure hosts are removed.
 
toxmost
just joined
Posts: 3
Joined: Tue Jun 18, 2019 7:25 pm

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 7:34 pm

Hello!
I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
IP address is received via DHCP. ALL WORKS GREAT! ---> firmware 6.44.3

If I update firmware to 6.45beta62, SFP module has status "link ok", but DHCP address is not received, DHCP client is all the time in status "searching", packets (in module window) are TXed, but not RXed.

Can you fix it?

Thank you.
 
Boomish
just joined
Posts: 5
Joined: Wed Jun 05, 2019 12:07 am

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 8:40 pm

Can we get the ability to define an IP instead of using the detected IP for ip cloud ddns updates?
I'd like the ability to force the update before I deploy the unit to the field on its static IP.


It would also be handy if we could force delete a published DDNS Record.
 
mkx
Forum Guru
Posts: 11619
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 9:12 pm

Can we get the ability to define an IP instead of using the detected IP for ip cloud ddns updates?
I'd like the ability to force the update before I deploy the unit to the field on its static IP.


It would also be handy if we could force delete a published DDNS Record.
Ability to define IP address would bring in all sorts of problems, probability of mis-configuration is just too big.
And, BTW, what benefit would one get by having DDNS configured before unit was up&running instead of a minute or two later?

It's been explained that DDNS record gets removed when DDNS is disabled on the unit (but it needs internet connectivity at that time).
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 11:25 pm

Hello!
I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
IP address is received via DHCP. ALL WORKS GREAT! ---> firmware 6.44.3

If I update firmware to 6.45beta62, SFP module has status "link ok", but DHCP address is not received, DHCP client is all the time in status "searching", packets (in module window) are TXed, but not RXed.

Can you fix it?

Thank you.
Did you try with auto-negotiation disabled?
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Tue Jun 18, 2019 11:29 pm


Great, much appreciated! Can't wait for it...
Will we see this before version 6.45 final release?
Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemented in version 7.
There is now a wiki-page how to set. I can't place the word 'local' in the last sentence because all is local.

https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
 
Boomish
just joined
Posts: 5
Joined: Wed Jun 05, 2019 12:07 am

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 12:10 am

Can we get the ability to define an IP instead of using the detected IP for ip cloud ddns updates?
I'd like the ability to force the update before I deploy the unit to the field on its static IP.


It would also be handy if we could force delete a published DDNS Record.
Ability to define IP address would bring in all sorts of problems, probability of mis-configuration is just too big.
And, BTW, what benefit would one get by having DDNS configured before unit was up&running instead of a minute or two later?

It's been explained that DDNS record gets removed when DDNS is disabled on the unit (but it needs internet connectivity at that time).

It is rather inconvenient to have to disable the individual peers on the hub when they all have the same IP address.

When building all of the spokes prior to sending them out they update their ddns and as a result they all have the same ip address because they are built on the same system.

Even after I disabled the DDNS Update the record wasn't deleted; in fact it persisted for multiple days.

Furthermore it would be nice to be able to publish a specific IP when your router is behind another natting device such as a PPPOE AT&T Router that only gives you your static IPs via a 1-1 NAT
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 10:56 am

*) ipsec - added dynamic comment field for "active-peers" menu inherited from identity;

Where can I set that identity?

I also noticed that the counters are all the same and these are L2tp/IPSEC connections:
wrong-counters.JPG
The local addresses, in PPP screen, are in the 172.20.12.xxx range (multiple connections). Suggestion: attach the counters from the Remote Address because the same 172.20.12.xxx can be in the PPP list.

I see in the other screen of IPsec in Identities twice in the list column "My ID"
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 11:37 am

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible to set such comment for the dynamic Identity created by L2TP server's "use-ipsec" parameter.

Statistics counters for IKEv1 with no unique ID's will be fixed shortly.

Not sure what you meant with the third paragraph. Can you clarify?

There is nothing we can do about the multiple My-ID fields under Identity menu at this moment because of multiple data types stored in this parameter.

Regarding the IPsec logging requests. We have our thoughts about this and agree it should be improved, however the current logging mechanism in RouterOS is currently limiting what we can do. We will try to come up with a solution in future.

andriys, will see if we can enable RADIUS accounting for rsa-signature-hybrid authentication as well.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 12:55 pm

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible to set such comment for the dynamic Identity created by L2TP server's "use-ipsec" parameter.
For dynamic created ones there is naming available in the PPP menu as name. Limit displaying it to a certain amount of characters. Now I have to identify peers by other means because "peer1205 etc." is not much to go on in relation to the used names in PPP.

Statistics counters for IKEv1 with no unique ID's will be fixed shortly.
Thanks
Not sure what you meant with the third paragraph. Can you clarify?
That was belonging to the picture and as long there is a unique identification in the background I am happy.

There is nothing we can do about the multiple My-ID fields under Identity menu at this moment because of multiple data types stored in this parameter.
It looked already familiar to me being multiple My-ID present and I have never any content in there. I am only using it as client so this may be for server.
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 1:07 pm

The thing is, PPP and IPsec are completely unrelated things and currently there is no way to associate the L2TP and the IPsec sessions with each other.
 
zryny4
just joined
Posts: 9
Joined: Sun Apr 17, 2016 12:29 pm

Re: v6.45beta [testing] is released!

Wed Jun 19, 2019 5:36 pm

Is RouterOS affected by CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479?
 
toxmost
just joined
Posts: 3
Joined: Tue Jun 18, 2019 7:25 pm

Re: v6.45beta [testing] is released!

Thu Jun 20, 2019 12:01 pm

Hello!
I have RB4011iGS+5HacQ2HnD with dlink DPN-100 (TW2362H-CDEL-CLX) GPON SFP module (WAN).
IP address is received via DHCP. ALL WORKS GREAT! ---> firmware 6.44.3

If I update firmware to 6.45beta62, SFP module has status "link ok", but DHCP address is not received, DHCP client is all the time in status "searching", packets (in module window) are TXed, but not RXed.

Can you fix it?

Thank you.
Did you try with auto-negotiation disabled?
I tried it. No effect.
 
nostromog
Member Candidate
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Fri Jun 21, 2019 5:08 pm

I have two devices upgraded to 6.45beta62, but today I'm seeing this error (several times) while trying to upgrade another one:
 15:04:27 system,error broken package routeros-mipsbe-6.45beta62.npk 
Has the download file become corrupt? Is it some problem in this device?
 
chechito
Forum Guru
Posts: 3007
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 4:03 am

First time I see tx-queue1-packet being used in a CRS326 switch. It was always the tx-queue0-packet all the time. The switch seems to work faster now in some tests I have done.
will be nice to see multiple queues on each port to make QoS
 
mkx
Forum Guru
Posts: 11619
Joined: Thu Mar 03, 2016 10:23 pm

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 10:34 am

I have two devices upgraded to 6.45beta62, but today I'm seeing this error (several times) while trying to upgrade another one:
 15:04:27 system,error broken package routeros-mipsbe-6.45beta62.npk 
Has the download file become corrupt? Is it some problem in this device?

It is likely that the flash of device became corrupt (check output of /system resource print if it mentions bad blocks higher than 0%). But it can also happen that the downloaded npk got corrupted somewhere.

You can try to manually download the package from download.mikrotik.com - choose extra packages which is a ZIP file. Then extract all the packages (npk files) you need - get the list of installed and enabled packages from router itself. Upload those npk files to router and reboot the router afterwards.
If it doesn't upgrade during reboot, check the log for any information.
 
nostromog
Member Candidate
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 2:03 pm

You can try to manually download the package from download.mikrotik.com - choose extra packages which is a ZIP file. Then extract all the packages (npk files) you need - get the list of installed and enabled packages from router itself. Upload those npk files to router and reboot the router afterwards.
If it doesn't upgrade during reboot, check the log for any information.
I did it this way and it worked, so I guess either the CDN or the copy in the download site itself got corrupted...

Still a pretty useless thing, given that packages with patches for the linux SACK of death thing are forthcoming... :)
 
Paternot
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 8:05 pm

I know the router tests integrity before installation, but Mikrotik could put the md5sums on the site too. It would be one easy way to find out if our download was corrupted.

EDIT

Nevermind, silly me. Just found the link to them. Not very practical, but it is there.
 
611
newbie
Posts: 37
Joined: Wed Oct 17, 2018 10:12 am

Re: v6.45beta [testing] is released!

Sat Jun 22, 2019 9:10 pm

Does anyone know where to find this setting? I have been looking for it for years now.
*) winbox - do not allow setting "dns-lookup-interval" to "0";
Update:
Found it on a Polish site and it is a setting not applying to what I was looking for.
It was a very "funny" bug actually - a device added to Dude via Winbox with default settings caused instant 100% CPU load with 50% going to Dude server and another 50% to DNS resolver as Dude was polling it with zero interval.
Creating a device with such settings is impossible with Dude client.
 
LynxChaus
newbie
Posts: 29
Joined: Tue Jul 08, 2014 2:24 pm

Re: v6.45beta [testing] is released!

Mon Jun 24, 2019 4:34 pm

Has the download file become corrupt? Is it some problem in this device?
Upload is corrupt - CDN (upgrade.mikrotik.com) serves broken files:
# ls -1las routeros-mipsbe-6.45beta62.npk-*
12056166 Jun 14 08:28 routeros-mipsbe-6.45beta62.npk-download.mikrotik.com
11583488 Jun 14 08:31 routeros-mipsbe-6.45beta62.npk-upgrade.mikrotik.com

# md5sum routeros-mipsbe-6.45beta62.npk-*
d7b9284935f8123cbf4df0c735c995c3  routeros-mipsbe-6.45beta62.npk-download.mikrotik.com
637a0bbb58bb0a3012ae9289dc9e7cbc  routeros-mipsbe-6.45beta62.npk-upgrade.mikrotik.com
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: v6.45beta [testing] is released!

Mon Jun 24, 2019 8:26 pm

Are there any plans to add a simple EAP server authentication where there is no RADIUS server? i.e. Something like xauth for IKEv1 where you can define local users on the router itself? We have a few situations where there is no local RADIUS and certificates are more complicated for end users where they would like to use IKEv2.
 
pe1chl
Forum Guru
Posts: 10231
Joined: Mon Jun 08, 2015 12:09 pm

Re: v6.45beta [testing] is released!

Mon Jun 24, 2019 10:22 pm

MikroTik has a RADIUS server called "usermanager" that can run on some router models.
Unfortunately it is quite limited. The natural way to solve this is to make it capable of handling these requests.
 
Tobei
newbie
Posts: 25
Joined: Sun Sep 11, 2016 3:25 pm

Re: v6.45beta [testing] is released!

Wed Jun 26, 2019 3:45 pm

Hi,

HW Offloading doesn't work on HAP AC on RouterBOARD 962UiGS-5HacT2HnT ROS 6.45beta62. On stable 6.44.3 HW Offloading is working. I have sent an email to your support with rif files

the user 611 and I observe the same, see also viewtopic.php?f=1&t=149552

Best regards
Tobias
 
ztx
just joined
Posts: 17
Joined: Sun Nov 05, 2017 4:46 am

Re: v6.45beta [testing] is released!

Sat Jun 29, 2019 5:13 pm

Version 6.45beta62 has been released.


!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator;
I can connect to a vpn server in windows using ikev2 with username and password only, can this work on routeros?
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Sat Jun 29, 2019 5:22 pm

Have a look at this page for NordVPN, if your provider has no specific certificate then you need the root cert from/for that provider

https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
 
ztx
just joined
Posts: 17
Joined: Sun Nov 05, 2017 4:46 am

Re: v6.45beta [testing] is released!

Sat Jun 29, 2019 9:00 pm

Have a look at this page for NordVPN, if your provider has no specific certificate then you need the root cert from/for that provider

https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
In windows, it needs username and password only.
I found a setup guide for strongswan:
1. launch the app and then tap on Add VPN profile.
2. Now you’ll need to enter a VPN server address.
3. Now choose the VPN type. Select Ikev2 EAP (username/password).
4. Next, enter PureVPN provided credentials in Username and Password fields.
5. Next, check the CA certificate.
6. Profile Name: PureVPN Ikev2 (you may type anything).
Now tap on show advanced settings and type in server identity: pointtoserver.com
Finally, hit save and then connect to the newly created Ikev2 profile.
How can I set this up on RouterOS?
thanks!
 
ztx
just joined
Posts: 17
Joined: Sun Nov 05, 2017 4:46 am

Re: v6.45beta [testing] is released!

Sun Jun 30, 2019 9:36 am

msatter All EAP methods require at least the root CA certificate for IKEv2. On Windows, it is possible, that the CA certificate is already in the Trusted Windows Certificate store so you do not have to import anything. Either ask your provider for the CA certificate or try finding out which certificate is used on Windows and export it to RouterOS.

Also there is no wildcard support for remote-id fqdn field. I would suggest leaving the remote-id to auto.

mezzovide no, conntrack has nothing to do with it, however we have already fixes for your described issues in previous betas. Did you try the latest beta and can verify the issue is still present?
emils How can I find which certificate is used? thanks!
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: v6.45beta [testing] is released!

Sun Jun 30, 2019 10:58 am

I am not Emils however I can answer your question.

You need the comodo-root.crt and import it in system-certificate. State that you ignore the check on it in the ipsec screen.

viewtopic.php?f=21&t=146087&p=731038&hi ... er#p731253
 
mattgorecki
just joined
Posts: 2
Joined: Sat Jun 01, 2019 12:17 am
Location: Helena, Montana

Re: v6.45beta [testing] is released!

Sun Jun 30, 2019 10:28 pm

The current download of 6.45beta62 for MIPSBE is giving me a checksum error.

On my mac:
MD5 (routeros-mipsbe-6.45beta62.npk) = 637a0bbb58bb0a3012ae9289dc9e7cbc
The website says it should be:
MD5 routeros-mipsbe-6.45beta62.npk: d7b9284935f8123cbf4df0c735c995c3
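
The size and MD5 comparison done by hand in the posts above can be scripted before a package is uploaded to a router. The following POSIX shell is an added example, not part of any post or of MikroTik's tooling; the function names and the md5sum-style manifest format are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check downloaded .npk files against a
# checksum manifest before uploading them to a router.
# Assumption: the manifest is in md5sum(1) format, "<hex digest>  <filename>".

# Print the MD5 hex digest of a file (md5sum on Linux, md5 -q on macOS/BSD).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_manifest MANIFEST DIR
# Returns 0 only if every file named in MANIFEST exists in DIR and matches.
verify_manifest() {
    vm_rc=0
    while read -r vm_want vm_name; do
        [ -n "$vm_want" ] || continue       # skip blank lines
        vm_name=${vm_name#\*}               # drop md5sum's binary-mode marker
        vm_path="$2/$vm_name"
        if [ ! -f "$vm_path" ]; then
            echo "MISSING  $vm_name"
            vm_rc=1
            continue
        fi
        vm_got=$(file_md5 "$vm_path")
        if [ "$vm_got" = "$vm_want" ]; then
            echo "OK       $vm_name"
        else
            vm_size=$(wc -c < "$vm_path" | tr -d ' ')
            echo "MISMATCH $vm_name: want $vm_want, got $vm_got ($vm_size bytes)"
            vm_rc=1
        fi
    done < "$1"
    return "$vm_rc"
}

# same_copy FILE_A FILE_B
# Compares two downloads of one package (for example from two mirrors).
# Returns 0 if identical, 1 if they differ. Size is checked first because a
# shorter file usually means a truncated transfer.
same_copy() {
    sc_a=$(wc -c < "$1" | tr -d ' ')
    sc_b=$(wc -c < "$2" | tr -d ' ')
    if [ "$sc_a" -ne "$sc_b" ]; then
        echo "size differs: $sc_a vs $sc_b bytes"
        return 1
    fi
    if [ "$(file_md5 "$1")" != "$(file_md5 "$2")" ]; then
        echo "same size, different digest"
        return 1
    fi
    echo "identical"
}

# Demo on constructed files: a complete package and a truncated second copy.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/good" "$d/bad"
    printf '%s\n' 'constructed sample package' \
        'second line of constructed data' \
        'third line of constructed data' > "$d/good/sample.npk"
    head -c 40 "$d/good/sample.npk" > "$d/bad/sample.npk"
    (cd "$d/good" && echo "$(file_md5 sample.npk)  sample.npk") > "$d/manifest"
    verify_manifest "$d/manifest" "$d/good"
    verify_manifest "$d/manifest" "$d/bad" || echo "-> do not upload this copy"
    same_copy "$d/good/sample.npk" "$d/bad/sample.npk" || true
    rm -rf "$d"
}
demo
```

A matching MD5 shows the transfer was not corrupted or truncated; it does not show who produced the file.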
 
emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: v6.45beta [testing] is released!

Mon Jul 01, 2019 10:15 am

New version 6.45.1 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=149786
