I discovered something strange when playing around with ipsec on ROS.
I have one ROS device on 1.2.3.236/25 that I have been playing around with.
I have a transport ipsec tunnel configured towards 1.2.3.234/25. The gateway
on that network is 1.2.3.129. When that tunnel is up and running everything
is working fine, but I started to notice a strange behavior when the .234
was down. When I tried to get the tunnel up (by doing a ping from 1.2.3.236
towards 1.2.3.234) I got a timeout, which is normal when the .234 is down.
However, if after this I try to ping the gateway, which was working before, I get timeouts
as well.
What I did was the following:
(Using 3.6 on a RB600)
/system reset-configuration
/user set admin password=SUPERSECRET
/ip firewall service-port
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
set 5 disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox disabled=yes
/ip address
add interface=ether1 address=1.2.3.236/25
add interface=ether2 address=10.0.2.1/24
/ip route
add dst-address=0.0.0.0/0 gateway=1.2.3.129
/system identity set name=newname
/ip ipsec peer
add address=1.2.3.234/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
lifetime=8h nat-traversal=no proposal-check=obey secret="secret" send-initial-contact=yes
/ip ipsec proposal
add auth-algorithms=md5 disabled=no lifetime=1h name=phase2proposal pfs-group=modp1024 \
enc-algorithms=3des
/ip ipsec policy
add action=encrypt disabled=no dst-address=1.2.3.234/32:any ipsec-protocols=esp \
level=require manual-sa=none priority=0 proposal=phase2proposal protocol=all \
sa-dst-address=1.2.3.234 sa-src-address=1.2.3.236 src-address=1.2.3.236/32:any \
tunnel=no
/ping 1.2.3.129
Works fine.
/ping 1.2.3.234
Timeouts, not strange since the .234 is down.
/ping 1.2.3.129
Timeouts, strange.
/ip ipsec policy set 0 disabled=yes
/ping 1.2.3.129
Works fine.
/ping 1.2.3.234
Timeouts, not strange since the .234 is down.
/ping 1.2.3.129
Works fine.
/ip ipsec policy set 0 disabled=no
/ip ipsec policy set 0 level=use
/ping 1.2.3.129
Works fine.
/ping 1.2.3.234
Timeouts, not strange since the .234 is down.
/ping 1.2.3.129
Works fine.
So the problem seems to be that when the ipsec policy is set to level=require and the box can't
require an SA, it stops the outgoing traffic although it doesn't match the ipsec policy, which seems
wrong. But is there any way to solve this?
Looking forward to some input!
Can anyone verify this or has anyone had a similar problem?
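For anyone who wants to verify the behaviour above on their own box, here is a small reproduction harness. It is an added example and not part of the original post or of RouterOS: it replays the same ping sequence (gateway, dead peer, gateway) once with the policy at level=require and once at level=use, parses the ping summary, and reports whether the gateway became unreachable only after the failed peer ping. The router is driven through an executor callable so it can be backed by SSH in real use; the built-in FakeRouter only replays the symptom described in the post so the script runs offline. The addresses and policy number are the ones from the post; the ping summary formats (sent=N received=M, or "N packets transmitted, M packets received") are assumptions about the console output and may need adjusting for your RouterOS version.

```python
"""Reproduce the 'level=require blocks unrelated traffic' test from the post.

Added example, not code from the post or from RouterOS. The router is
driven through an executor callable (command -> console output) so the
same sequence can run over SSH or against the FakeRouter replay below.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

GATEWAY = "1.2.3.129"   # default gateway from the post
PEER = "1.2.3.234"      # transport-mode peer that is down
POLICY_ID = "0"         # policy number from the post

# Assumed ping summary formats (newer and older RouterOS console output).
SENT_RECV_RE = re.compile(r"sent=(\d+)\s+received=(\d+)")
TRANSMITTED_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received")


@dataclass
class StepResult:
    command: str
    reachable: Optional[bool]   # None for commands that are not pings


def parse_ping(output: str) -> bool:
    """Return True when at least one echo reply came back."""
    m = SENT_RECV_RE.search(output) or TRANSMITTED_RE.search(output)
    if not m:
        raise ValueError("unrecognised ping output: %r" % output)
    return int(m.group(2)) > 0


def run_sequence(executor: Callable[[str], str], level: str) -> List[StepResult]:
    """Set the policy level, then ping gateway, dead peer, gateway."""
    commands = [
        f"/ip ipsec policy set {POLICY_ID} disabled=no level={level}",
        f"/ping {GATEWAY} count=3",
        f"/ping {PEER} count=3",
        f"/ping {GATEWAY} count=3",
    ]
    results = []
    for cmd in commands:
        out = executor(cmd)
        reachable = parse_ping(out) if cmd.startswith("/ping") else None
        results.append(StepResult(cmd, reachable))
    return results


def collateral_loss(results: List[StepResult]) -> bool:
    """True when the gateway answered before the failed peer ping but not after."""
    pings = [r.reachable for r in results if r.reachable is not None]
    before, peer, after = pings
    return bool(before and not peer and not after)


def diagnose(executor: Callable[[str], str]) -> Dict[str, bool]:
    """Run the sequence for both policy levels; True means unrelated traffic was lost."""
    return {level: collateral_loss(run_sequence(executor, level))
            for level in ("require", "use")}


class FakeRouter:
    """Offline stand-in that replays the symptom from the post (constructed):
    with level=require, a failed attempt to reach the peer leaves the box unable
    to reach the gateway; with level=use only the peer itself times out."""

    def __init__(self) -> None:
        self.level = "use"
        self.blocked = False

    def __call__(self, cmd: str) -> str:
        m = re.search(r"level=(\w+)", cmd)
        if m:
            self.level = m.group(1)
            self.blocked = False      # changing the policy resets the state
            return ""
        m = re.match(r"/ping (\S+)", cmd)
        if m:
            if m.group(1) == PEER:
                if self.level == "require":
                    self.blocked = True
                return "sent=3 received=0 packet-loss=100%"
            received = 0 if self.blocked else 3
            return f"sent=3 received={received} packet-loss={100 - received * 33}%"
        return ""


if __name__ == "__main__":
    # Replace FakeRouter() with a real executor (e.g. a paramiko exec_command
    # wrapper) to test an actual box.
    for level, lost in diagnose(FakeRouter()).items():
        print(f"level={level}: unrelated traffic lost after failed peer ping = {lost}")
```

With a real executor the script gives a yes/no answer per policy level, which is the comparison the post makes by hand; a True for level=require and False for level=use matches what the post describes.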