I am in the process of setting up a new CHR to provide some IPsec tunnels to legacy users of our network (it currently is on a free CHR for which I plan to install a license once things work).
During configuring this I ran into a very peculiar problem: sometimes an IPsec policy, after creation with just basic parameters of source and destination network, tunnel mode, and peer name, is deemed “invalid” by RouterOS. I found that making whatever tweak to the source or destination network will make it valid, changing it back will usually make it invalid again. But being very persistent sometimes helps and suddenly the policy line, with exactly the same settings, is valid.
I am very much confused… what is going on here? What is invalid about the policy, why is one of them invalid while all the other similar looking ones aren’t, and why can the situation change?
I initially did my work on the stable release, but upgraded to testing without difference. I also exported the config and reset configuration again importing it, no difference.
Also submitted as SUP-155534
During configuring this I ran into a very peculiar problem: sometimes an IPsec policy, after creation with just basic parameters of source and destination network, tunnel mode, and peer name, is deemed “invalid” by RouterOS. I found that making whatever tweak to the source or destination network will make it valid, changing it back will usually make it invalid again. But being very persistent sometimes helps and suddenly the policy line, with exactly the same settings, is valid.
I am very much confused… what is going on here? What is invalid about the policy, why is one of them invalid while all the other similar looking ones aren’t, and why can the situation change?
I initially did my work on the stable release, but upgraded to testing without difference. I also exported the config and reset configuration again importing it, no difference.
Also submitted as SUP-155534
Statistics: Posted by pe1chl — Sun Jun 09, 2024 5:04 pm
