Damago1

Identity selection when Mikrotik working as initiator in ipsec

Sun Sep 15, 2024 9:51 pm

I have two questions regarding identity (/ip/ipsec/identity) selection.

1. Can the same identity be shared among several peer configurations? I read somewhere that it can, but from what I see the peer=xxx field is mandatory in identity.

2. How does Mikrotik select the identity when working as INITIATOR?
My understanding is that if Mikrotik is working as initiator, then the flow is as follows:
1. Mikrotik periodically scans the /ip/ipsec/peer table and detects that it has a peer with passive=no, so it will try to establish connection. Let's assume it is
/ip/ipsec/peer add name=test passive=no etc....
2. It will scan all the identity configurations that can be used - that is all that have peer=test.

Now the question:
- will it just find the first matching identity and will try to use it?
- or will it place all matching identities somehow together in the IKE_AUTH packet?
- or will it send IKE_AUTH packets in parallel for each matching identity, possibly creating parallel connections?
- or will it try all matching identity members one by one until it finds one that successfully connects?
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11017
Joined: Mon Dec 04, 2017 9:19 pm

Re: Identity selection when Mikrotik working as initiator in ipsec

Sun Sep 15, 2024 10:33 pm

1. Can the same identity be shared among several peer configurations? I read somewhere that it can, but from what I see the peer=xxx field is mandatory in identity.
It may be a misinterpretation. Multiple "peers" as in "remote devices" can indeed match (hence "use") the same row in the identity table on the responder if all of them use the same ID-I and ID-R; a single row in the identity table cannot be linked to multiple rows in the peer table.

2. How does Mikrotik select the identity when working as INITIATOR?
If you try to link a second identity row to a peer with passive=no, you get an error message "failure: initiator peer can have only one identity". I guess that answers all the questions at once.
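A RouterOS configuration illustrating both points in the reply above, added here as an example and not taken from either post; the peer names, addresses, FQDN IDs and pre-shared secrets are assumptions.

```routeros
# Responder side: one peer row with passive=yes and one identity row.
# Several remote devices that present the same ID-I/ID-R pair all match
# (and therefore use) this single identity row on the responder.
/ip/ipsec/peer
add name=hub-responder exchange-mode=ike2 passive=yes
/ip/ipsec/identity
add peer=hub-responder auth-method=pre-shared-key secret="ASSUMED-PSK" \
    my-id=fqdn:hub.example.test remote-id=fqdn:spoke.example.test \
    match-by=remote-id generate-policy=port-strict

# Initiator side: a peer with passive=no can be linked to exactly one identity.
/ip/ipsec/peer
add name=test address=203.0.113.10/32 exchange-mode=ike2 passive=no
/ip/ipsec/identity
add peer=test auth-method=pre-shared-key secret="ASSUMED-PSK" \
    my-id=fqdn:spoke.example.test remote-id=fqdn:hub.example.test

# Attempting a second identity row for the same initiator peer is rejected
# with the error quoted in the reply above:
#   add peer=test auth-method=pre-shared-key secret="OTHER-PSK" \
#       my-id=fqdn:spoke2.example.test remote-id=fqdn:hub.example.test
#   -> failure: initiator peer can have only one identity
```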
