/ip ipsec mode-config
add address-pool=ipsec-roadwarrior address-prefix-length=32 name=roadwarrior split-include=192.168.0.0/16 system-dns=no
/ip ipsec policy group
add name=roadwarrior
/ip ipsec profile
add dh-group=ecp256,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=roadwarrior prf-algorithm=sha256 \
proposal-check=claim
/ip ipsec peer
add exchange-mode=ike2 name=roadwarrior passive=yes profile=roadwarrior send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=1h name=roadwarrior pfs-group=none
/ip ipsec identity
add generate-policy=port-strict mode-config=roadwarrior my-id=fqdn:... peer=roadwarrior policy-template-group=roadwarrior remote-id=ignore secret=...
/ip ipsec policy
set 0 disabled=yes
add comment=roadwarrior dst-address=10.13.37.0/24 group=roadwarrior proposal=roadwarrior src-address=0.0.0.0/0 template=yes
/ip ipsec settings
set accounting=no
/system logging
add topics=ipsec
When my laptop is connected to the internet via Google Fiber, IPsec consistently breaks due to DPD failure. What is supremely strange is that I can ssh into the router via this very same IPsec connection and see the failures in real time. I just run `/log print follow` and see that after 2 minutes (as configured) a DPD is sent, followed by 4 (as configured) retransmits, at which point IPsec stops working as the router kills the association.
When I connect from any other network (say, a cafe's XFINITY), it works just fine.
If I retry the test using the global IPv4 address of the router, then everything works fine.
How come all ESPs are coming through (I follow logging in realtime) but ISAKMP for DPD aren't, and why could it happen only behind Google Fiber?