The Mikrotik documentation often assumes the reader is familiar with the standards regarding the protocol (...)
send-initial-contact literally means "send the INITIAL_CONTACT IKE notification", which suggests the recipient to drop any already existing connections authenticated using the same set of credentials that are used for the IKE session within which this notification has arrived. In other words, it has no effect on the initiator/responder role. And yes, it took me months to find that out.
I think I am actually familiar with IPSEC, but what is actually missing for me is exactly how that protocol is implemented on Mikrotik. I am really struggling to understand:
Can you be more clear?
...which suggests the recipient to drop any already existing connections...
How does this parameter work if it is used by the initiator? And how does it work if used by the responder?
Do I understand correctly, that:
- if Mikrotik is used as a responder then send-initial-contact is simply ignored, and will not be used (meaning that Mikrotik always drops existing SAs for a new IKE from the same peer). So there is no parameter informing Mikrotik to allow multiple connections from the same identity?
- if Mikrotik is used as an initiator then it will include the INITIAL_CONTACT notify payload in the first IKE_AUTH request?
I found this in Huawei documentation:
The INITIAL_CONTACT notify payload asserts that an IKE SA (that is currently negotiated 'control' connection) is the only active IKE SA between a pair of IKE peers. By default, the device will delete the old IKE SA without the INITIAL_CONTACT notify payload after the new IKE SA is created. When the remote end requires the INITIAL_CONTACT notify payload to delete the old IKE SA, configure this parameter.
When the local device restarts or expects to use the current IKE SA for establishing an IPSec tunnel only, run this command to enable the device to send the INITIAL_CONTACT notify payload in the first IKE_AUTH request so that the remote device deletes the old IKE SA.
Does this work the same for Mikrotik?
Btw it would be enough to include just the sentence "include INITIAL_CONTACT notify payload in the first IKE_AUTH request" in the wiki for this to be precise and clear.
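As an added illustration for this thread (it is not code from MikroTik, Huawei, or any poster here), the following Python models the RFC 7296 behaviour being discussed: it encodes and parses the IKEv2 Notify payload (Notify Message Type 16384 = INITIAL_CONTACT, no SPI), and a toy responder table that, when an IKE_AUTH request carries the notification, drops only the other IKE SAs authenticated with the same identity and leaves every other peer's SAs alone. The SPIs, peer identities and the SA table are constructed sample data and an assumption for illustration, not how RouterOS stores its SAs; MOBIKE_SUPPORTED (16396, RFC 4555) is used only as a second notification to show a payload chain.

```python
import struct

# IKEv2 constants from RFC 7296 / RFC 4555 (values are from the RFCs, not from the thread)
NOTIFY_PAYLOAD_TYPE = 41      # "Next Payload" value meaning a Notify payload follows
NO_NEXT_PAYLOAD = 0           # end of the payload chain
INITIAL_CONTACT = 16384       # Notify Message Type 0x4000
MOBIKE_SUPPORTED = 16396      # another status notification, used here only as filler


def build_notify(msg_type, next_payload=NO_NEXT_PAYLOAD, data=b""):
    """Encode one IKEv2 Notify payload that carries no SPI.

    Layout (RFC 7296 s.3.10): Next Payload(1) | C+Reserved(1) | Payload Length(2)
    | Protocol ID(1) | SPI Size(1) | Notify Message Type(2) | Notification Data.
    INITIAL_CONTACT has no SPI, so Protocol ID and SPI Size are both 0.
    """
    length = 8 + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, 0, 0, msg_type) + data


def parse_notify_types(buf):
    """Walk a chain of SPI-less Notify payloads and return their Message Types.

    Stops at the end of the chain or when a non-Notify payload follows (other
    payload types are out of scope for this toy). Raises on truncated data, the
    check a real parser must make before acting on any notification.
    """
    types = []
    offset = 0
    while offset < len(buf):
        if offset + 8 > len(buf):
            raise ValueError("truncated Notify header")
        next_p, _crit, length, _proto, spi_size, msg_type = struct.unpack_from(
            "!BBHBBH", buf, offset)
        if length < 8 + spi_size or offset + length > len(buf):
            raise ValueError("Notify length field does not fit the buffer")
        types.append(msg_type)
        offset += length
        if next_p != NOTIFY_PAYLOAD_TYPE:
            break
    return types


class ResponderSaTable:
    """Toy responder (assumption for illustration): live IKE SAs keyed by SPI,
    each tagged with the peer identity (IDi) it authenticated."""

    def __init__(self):
        self.sas = {}  # spi -> peer identity

    def on_ike_auth(self, new_spi, peer_id, notify_chain=b""):
        """Install the new IKE SA. If the request carried INITIAL_CONTACT, drop
        every other SA authenticated with the same identity; SAs of other
        identities are never touched. Returns the SPIs that were dropped."""
        dropped = []
        if INITIAL_CONTACT in parse_notify_types(notify_chain):
            dropped = sorted(spi for spi, pid in self.sas.items()
                             if pid == peer_id and spi != new_spi)
            for spi in dropped:
                del self.sas[spi]
        self.sas[new_spi] = peer_id
        return dropped


def demo():
    """Constructed scenario: two SAs from one identity, then a reconnect that
    carries INITIAL_CONTACT, then an unrelated identity with the same notification."""
    r = ResponderSaTable()
    reconnect = (build_notify(MOBIKE_SUPPORTED, NOTIFY_PAYLOAD_TYPE)
                 + build_notify(INITIAL_CONTACT))
    results = [
        r.on_ike_auth(0x1001, "branch-a"),                     # nothing to drop
        r.on_ike_auth(0x1002, "branch-a"),                     # no notification: both SAs coexist
        r.on_ike_auth(0x1003, "branch-a", reconnect),          # INITIAL_CONTACT: older two dropped
        r.on_ike_auth(0x2001, "branch-b", build_notify(INITIAL_CONTACT)),  # other identity untouched
    ]
    return results, dict(r.sas)


if __name__ == "__main__":
    dropped, table = demo()
    for step, spis in enumerate(dropped, 1):
        print(f"IKE_AUTH {step}: dropped {[hex(s) for s in spis]}")
    print("remaining SAs:", {hex(k): v for k, v in table.items()})
```

The second IKE_AUTH in the scenario is the case the question is about: without the notification the toy responder keeps both SAs for branch-a, and only the third request, which carries INITIAL_CONTACT, clears them. Whether a given implementation also drops duplicates on its own (as the quoted Huawei text says it does by default) is a local policy choice on top of this, not something the payload itself requires.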