Dear All,


I have a strange error. I have a routerboard 1100AHx2, routerOS 6.43.4 with the same routerboot version. There are some ipsec configuration on it. I upgraded it to the most recent 6.46.1 version. Export the config, reset the router and import the config and when it stops at the ipsec policy add line:
/ip ipsec policy add dst-address=<ip_add> proposal=prop_conf sa-dst-address=<ip_add> sa-src-address=<ip_add> src-address=<ip_add> tunnel=yes
failure: Peer not set!

When I try to add it manually with adding the "peer=peer_conf" at the and it works like the charm:
ip ipsec policy add dst-address=<ip_add> proposal=prop_conf sa-dst-address=<ip_add> sa-src-address=<ip_add> src-address=<ip_add> tunnel=yes peer=peer_conf

However there are peer in the config, and it is successfully imported some lines before. As for me it seems like the export forgets to add the peer configuration to the "/ip ipsec policy add" line.
I tried it with 6.46 and 6.45.7 versions as well with the same end: failure peer not set...
Is it possible that I did something wrong, because it is strange that the problem nowhere appears...

The exact steps:
1) routerboard os 6.43.4
2) copy packages and routeros v6.46.1 to the board via serial
3) reboot
4) router version 6.46.1
5) /export file=export_file terse
6) /system reset-config
7) /import file-name=export_file verbose=yes

then "failure peer not set" happen...

thank you

This behavior is expected because the router can not know which peer the policy should be assigned after upgrading your router. Please specify the peer for your policy and export configuration after that - it should consist of the peer parameter then.

Ohh I see! Thank you very much for your answer!

Have a nice day!

This is known problem. There were substantial changes in IPSec configuration structure in 6.43 (introduced peer profiles) and in 6.44 (identity). I've also observed the same errors when pasting working IPSec configuration to the new box. For somewhat reason now ROS requires to set the peer at the policy level, although in older versions (up to 6.42, maybe even later) this was not required and the policy obviously worked then. Upgrade to later versions does not know, which peer to use and the peer remains unconfigured on the policy elements, but the policy still works.

In my case, the configuration was initially set on 6.42.6, then upgraded to every new version up to current 6.46.3. In such upgraded configuration, the policy has missing peer and goes active the same way as in original version where it was configured (here I use transport mode, peer address is the same as remote IP address, so dynamically selecting peer configuration to use is trivial):


Export of IPSec policies is also without peers and thus invalid to import in 6.46. The same workaround (add explicit peer to policy elements) worked for me as well.

Ondrej

For somewhat reason now ROS requires to set the peer at the policy level, although in older versions (up to 6.42, maybe even later) this was not required and the policy obviously worked then.

You didn't have to set peer, but you had to set SA src/dst address for policy. So you had to repeat same remote and local address from peer settings, which was more work than selecting peer. And if peer used hostname instead of IP address, you couldn't use it for policy, because it accepted only IP address. In short, new way is better.

You didn't have to set peer, but you had to set SA src/dst address for policy.

Indeed. But for transport mode, the SA src/dst configuration was removed in 6.38.4:

*) ipsec - hide SA address for transport policies

The reason for this change was that SA src/dst addresses were not used at all in transport mode. Dynamic peer selection did its job and this works in 6.46 as well (when upgraded).

In short, new way is better.

Agreed.

Ondrej

I ran into that problem after long time of just running the system and upgrading it regularly (currently it's running 6.48). Now I have to add a new branch.
I can't add a new policy due to the described behaviour. I tried the mentioned solution but failed. PLEASE help with the correct command.

My existing config is:

ipsec policy print

Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * ::/0 ::/0 all
1 DA l2tp-in-server no 195.xxx.xx.xxx/32 213.xxx.xxx.xx/32 udp encrypt unique 1
2 DA l2tp-in-server no 195.xxx.xx.xxx/32 89.xx.xx.xxx/32 udp encrypt unique 6
3 DA l2tp-in-server no 195.xxx.xx.xxx/32 24.xxx.xxx.xxx/32 udp encrypt unique 1
4 DA l2tp-in-server no 195.xxx.xx.xxx/32 24.xxx.xx.xx/32 udp encrypt unique 1

I tried to add a new policy:
ipsec policy add dst-address=176.xx.xx.xx/32 proposal=default src-address=195.xxx.xx.xxx/32 tunnel=no peer=l2tp-in-server

The command didn't return an error but upon reissuing ipsec policy print nothing changed.

Any help is reatly appreciated!