After working with my RB951-2n for the last two days getting the Site to Site VPN set up on it and experimenting with getting some kind of VoIP prioritization set up, I upgraded it from 6.7 to 6.9.

Now, every time I reboot it, the policy for my VPN says 'Invalid' until I open it and click apply - then it magically says 'not invalid' and the tunnel comes up.

I thought maybe it was something odd lingering so I removed it and went to re-create it, and it would not let me create it with 0.0.0.0 in the 'SA Src/ Address' field. Didn't have any problem doing that in 6.7. I then tried putting the public IP The connection is coming from, which did not work. I put the private NAT IP assigned to the WAN interface and the tunnel came up (It's currently behind a Linksys for Nat-T testing). After that was saved and the tunnel was established, it allowed me to change the 'SA Src. Address' back to 0.0.0.0 and the tunnel comes up fine. But when I reboot, it still goes back to 'Invalid'. I 'downgraded' back to 6.7 and the VPN tunnel comes up at boot without issue.

After working with my RB951-2n for the last two days getting the Site to Site VPN set up on it and experimenting with getting some kind of VoIP prioritization set up, I upgraded it from 6.7 to 6.9.

Now, every time I reboot it, the policy for my VPN says 'Invalid' until I open it and click apply - then it magically says 'not invalid' and the tunnel comes up.

I thought maybe it was something odd lingering so I removed it and went to re-create it, and it would not let me create it with 0.0.0.0 in the 'SA Src/ Address' field. Didn't have any problem doing that in 6.7. I then tried putting the public IP The connection is coming from, which did not work. I put the private NAT IP assigned to the WAN interface and the tunnel came up (It's currently behind a Linksys for Nat-T testing). After that was saved and the tunnel was established, it allowed me to change the 'SA Src. Address' back to 0.0.0.0 and the tunnel comes up fine. But when I reboot, it still goes back to 'Invalid'. I 'downgraded' back to 6.7 and the VPN tunnel comes up at boot without issue.

6.9 is very broken. If you use any vpn/ppp, it is best to stay on 6.7 until they fix it.

x2

there is already a beta out with fixes.

6.9 broke my vpn stuff all over the board

x2

there is already a beta out with fixes.

6.9 broke my vpn stuff all over the board

I tried 6.10 yesterday. Unfortunately, it did not fix it. Downgrading to 6.7 fixed it.

Are you using eoip?
http://forum.mikrotik.com/viewtopic.php ... 14#p407972

Are you using eoip?
http://forum.mikrotik.com/viewtopic.php ... 14#p407972

No, i am using pptp and sstp.

sstp works with other 6.9 devices ... but 6.7 devices cannot connect.

6.9 cannot connect to linux pptp servers as a client. 6.7 connects fine to linux pptp servers

x2

there is already a beta out with fixes.

6.9 broke my vpn stuff all over the board

I tried 6.10 yesterday. Unfortunately, it did not fix it. Downgrading to 6.7 fixed it.

thats disappointing, was gonna try it in a couple days, but i have had my second Hard crash on my 2011. i have to pull power, i need to use a console cable next time to see whats going on. really disappointed with this 6.x stuff.

my 5.26 stuff is flawless

I just set up a site-to-site VPN with a RB433AH ROS v6.5 as the pptp server and a RB433 ROS v6.9 as the pptp client and it works fine. ??

edit: Just to make sure all is well, I upgraded the RB433AH to ROS v6.9 (daring indeed!) and it works just as well with that version.

It's a bit scary that 6.9 was released in such a broken state...

It's a bit scary that 6.9 was released in such a broken state...

I have tried this supposed "fail" and I can't find where it is broken. My site-to-site vpn works with v6.9.

I agree with karina in this post.
http://forum.mikrotik.com/viewtopic.php ... 14#p407972

It's a bit scary that 6.9 was released in such a broken state...

I have tried this supposed "fail" and I can't find where it is broken. My site-to-site vpn works with v6.9.

I agree with karina in this post.
http://forum.mikrotik.com/viewtopic.php ... 14#p407972

That may be true.... BUT... in my case, it's a pretty simple setup - the only 'mistake' as far as the VPN config is would be the 0.0.0.0 for the SA Source. putting an address in there is all well and good when you are dealing with a Site to Site VPN that's static on both ends. But when the end the device is on is dynamic, you can't specify an address.

Maybe having 0.0.0.0 in there is 'wrong', but you need SOME way to allow the device to function as a dynamic endpoint.

I think I see your challenge. Which end device is dynamic? The server or client?

I think I see your challenge. Which end device is dynamic? The server or client?

The client. At the server end I have a Cisco ASA 5510 with a /27 block of static IPs set up with a Dynamic L2L VPN in addition to the static ones. The plan for the Mikrotiks is to have them at the users Home Offices to allow the Avaya IP Phones to contact the phone system without using the built-in VPN functionality as it's a bit flaky, causing dropped calls. The Mikrotik has been running great as a VPN endpoint. It even works behind a Linksys NAT firewall (But won't work through my uVerse connections NAT for some reason).

With this setup, the client end doesn't need to be static as the connection is being initiated from there by the phone. There's no need for the main office end to 'reach back' through the VPN to the Home Office.

I just set my client as dynamic. It got a new ip and connected to the server again and is working fine.

Where are you trying to enter this 0.0.0.0? I see no src-address setting here.

edit: but I think ipsec has a src-address setting. Is that what you mean?

I just set my client as dynamic. It got a new ip and connected to the server again and is working fine.

Where are you trying to enter this 0.0.0.0? I see no src-address setting here.

edit: but I think ipsec has a src-address setting. Is that what you mean?

Yes, 'sa-src-address=' in '/ip ipsec policy'. 6.9 would not allow that to be 0.0.0.0 and when that endpoint is dynamic, you cannot specify an IP as when it changes, it will no longer work.

The pfSense firewall I've been using has a dropdown for 'My Identifier',which I believe is what 'SA Src Address' is referring to, with several options when creating a SA: 'My IP Address, which will use whatever the external IP address is, 'IP Address', which when selects, gives you a field to populate with an IP, along with several others, including DN, User DN and a few others.

Another thing that would be VERY useful is if the ROS IPSec setup could specify a hostname (vpn.mydomain.com) as a SA Destination address, rather than IP. It's not often that the target address needs to be changed, but it's not unheard of.