If I have an IPsec peer address written in FQDN format (instead of an IP) AND have a static DNS FWD entry for that FQDN (pointing to a DNS server REACHABLE WITHOUT the IPsec tunnel), then after a RESTART the router will not establish the IPsec tunnel until almost any manual change is made in the IPsec configuration.
The simplest way to force the tunnel up after startup is just to disable/enable the peer, or even change the peer's comment.
WITHOUT the static DNS FWD entry the tunnel comes up successfully after reboot.
DoH is not used.
Enabling IPsec debug logging showed TOTALLY NO events about any attempt to establish the IPsec tunnel.
After startup only 4 generic events about listening for IPsec traffic on ports 500 and 4500 are logged.
After startup
Code:
:put [:resolve ipsecpeer.some.domain]
Any comments regarding this bug are appreciated.
Code:
/ip ipsec peer
add address=ipsecpeer.some.domain exchange-mode=ike2 name=aName profile=aProfile send-initial-contact=no
/ip dns static
add forward-to=80.0.0.1 regexp=".*\\.some\\.domain\$" ttl=10m type=FWD
Code:
/system scheduler
add name=tunnelUP on-event="/ip ipsec peer {\r\
\n disable [find where name=\"aName\"]\r\
\n enable [find where name=\"aName\"]\r\
\n}\r\
\n" policy=read,write,policy,test start-time=startup
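A more defensive version of the startup workaround, added here as an example and not taken from the original post: instead of bouncing the peer blindly at startup, it first waits until the FQDN actually resolves through the FWD entry, then restarts the peer once and checks whether an active peer appeared. The peer name and FQDN are the post's placeholders; the retry count, delays and the `remote-address` check against /ip ipsec active-peers are my assumptions and should be verified on your RouterOS version. Put the body in the scheduler's on-event (or in a /system script called from it) with start-time=startup.

```routeros
# Added example script (not from the original post); assumes RouterOS v6/v7
# scripting with :resolve, /ip ipsec peer and /ip ipsec active-peers.
:local peerName "aName"
:local peerFqdn "ipsecpeer.some.domain"
:local resolved ""
:local tries 0

# :resolve throws an error while the FWD DNS server is not reachable yet,
# so poll it (up to 30 x 10s) instead of assuming DNS is ready at startup.
:while ($resolved = "" && $tries < 30) do={
    :do { :set resolved [:resolve $peerFqdn] } on-error={ :delay 10s }
    :set tries ($tries + 1)
}

:if ($resolved = "") do={
    :log warning "tunnelUP: $peerFqdn did not resolve after $tries attempts, peer not restarted"
} else={
    :log info "tunnelUP: $peerFqdn resolved to $resolved, restarting peer $peerName"
    /ip ipsec peer disable [find where name=$peerName]
    :delay 2s
    /ip ipsec peer enable [find where name=$peerName]

    # Give IKEv2 some time, then verify that an SA was actually negotiated.
    :delay 30s
    :if ([:len [/ip ipsec active-peers find where remote-address=$resolved]] = 0) do={
        :log warning "tunnelUP: no active IPsec peer for $resolved after restart"
    } else={
        :log info "tunnelUP: IPsec peer $resolved is up"
    }
}
```

The log lines make it visible in /log whether the tunnel failed because the name never resolved or because the peer restart itself did not lead to an SA, which separates this DNS-ordering bug from an ordinary IKE failure.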