dfdf
newbie
Topic Author
Posts: 36
Joined: Wed Dec 08, 2021 3:51 pm

ipsec + peer FQDN + Static DNS FWD entry

Wed Apr 12, 2023 12:56 pm

I observed the following regression in ROS 7.8 (after upgrading from 7.7):
If I have an IPsec peer address written in FQDN format (instead of an IP) AND have a static DNS FWD entry for that FQDN (pointing to a DNS server REACHABLE WITHOUT the IPsec tunnel), then after a RESTART the router will not establish the IPsec tunnel until almost any manual change is made to the IPsec configuration.
The simplest way to force the tunnel up after startup is to disable/enable the peer, or even just change the peer's comment.

WITHOUT the static DNS FWD entry the tunnel comes up successfully after a reboot.

DoH is not used.

Enabling IPsec debug logging showed TOTALLY NO events about any attempt to establish the IPsec tunnel.
After startup only 4 generic events about listening for IPsec traffic on ports 500 and 4500 are logged.
After startup
:put [:resolve ipsecpeer.some.domain]
(see the config below) works fine.

Any comments regarding this bug are appreciated.

/ip ipsec peer
add address=ipsecpeer.some.domain exchange-mode=ike2 name=aName profile=aProfile send-initial-contact=no

/ip dns static
add forward-to=80.0.0.1 regexp=".*\\.some\\.domain\$" ttl=10m type=FWD

The current workaround is:
/system scheduler
add name=tunnelUP on-event="/ip ipsec peer {\r\
    \n disable [find where name=\"aName\"]\r\
    \n enable [find where name=\"aName\"]\r\
    \n}\r\
    \n" policy=read,write,policy,test start-time=startup
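As an added example (not part of the original post and not tested against the reporter's setup), here is a variant of the startup workaround that waits until the peer FQDN actually resolves before bouncing the peer, with a bounded retry and log lines so the blind disable/enable does not fire before the DNS forwarder is reachable. The peer name `aName`, the hostname `ipsecpeer.some.domain`, the script name `ipsecPeerKick`, the scheduler name `ipsecPeerKickAtBoot` and the retry limits are assumptions chosen for this example.

```routeros
# Added example, not the original poster's config: wait for the peer FQDN to
# resolve, then disable/enable the peer once. Names below are assumptions.
/system script
add name=ipsecPeerKick policy=read,write,policy,test source={
    :local peerName "aName"
    :local peerHost "ipsecpeer.some.domain"
    :local maxTries 30
    :local try 0
    :local resolved false

    # :resolve throws an error while the name cannot be resolved; retry
    # every 10 s up to maxTries so the script cannot loop forever.
    :while (!$resolved && $try < $maxTries) do={
        :do {
            :local addr [:resolve $peerHost]
            :log info ("ipsecPeerKick: " . $peerHost . " resolved to " . $addr)
            :set resolved true
        } on-error={
            :set try ($try + 1)
            :delay 10s
        }
    }

    :if ($resolved) do={
        # Same bounce as the manual workaround; the short delay lets the
        # old IKE state be torn down before the peer is re-enabled.
        /ip ipsec peer disable [find where name=$peerName]
        :delay 2s
        /ip ipsec peer enable [find where name=$peerName]
        :log info ("ipsecPeerKick: peer " . $peerName . " re-enabled")
    } else={
        :log warning ("ipsecPeerKick: " . $peerHost . " did not resolve after " . $maxTries . " tries; peer left untouched")
    }
}

/system scheduler
add name=ipsecPeerKickAtBoot start-time=startup on-event="/system script run ipsecPeerKick" policy=read,write,policy,test
```

Run `/system script run ipsecPeerKick` once by hand and check `/log print` to confirm the resolve and re-enable lines appear before relying on the scheduler; the log lines also give you a record of how many retries were needed after each boot.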
