amode
newbie
Topic Author
Posts: 31
Joined: Fri Feb 23, 2007 1:28 pm

ipsec policy match...

Thu Apr 05, 2007 12:09 am

Hi,

my understanding of ipsec is that packets are matched against the Security Policy Database (SPD) to find a matching rule, and that this rule is then used for doing encryption or other stuff.

Router is at 192.168.2.1. Why does

/ip ipsec policy src-address=192.168.2.0/24 dst-address=172.17.0.0/16 ....

NOT work, while

/ip ipsec policy src-address=0.0.0.0/0 dst-address=172.17.0.0/16 ...

works? For verification purposes I have added a logging rule to the postrouting chain and this 'verifies' that my packet really is

src=192.168.2.99 to dst=172.17.1.6

Why, the heck, does this not match the SPD?

Thanks for any comments here. Bug?

Achim
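To make the matching question above concrete, here is a small model of an ordered SPD lookup on address selectors only. It is an added illustration written for this thread, not RouterOS code, and it ignores protocol, port and direction selectors as well as whether an SA can actually be negotiated; the policy objects and the "clear" result for an unmatched packet are this model's own convention. It shows that the packet src=192.168.2.99 dst=172.17.1.6 is covered by both the narrow 192.168.2.0/24 policy and the 0.0.0.0/0 policy, and, as the caveat a practitioner cares about, that traffic with no matching policy leaves unprotected unless a trailing discard policy catches it.

```python
"""Minimal model of an IPsec Security Policy Database (SPD) lookup.

Policies are ordered; the first one whose selectors cover the packet wins.
Added example for this thread; not RouterOS code. Address selectors only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    src: str      # src-address selector, CIDR notation
    dst: str      # dst-address selector, CIDR notation
    action: str   # "encrypt", "none" or "discard" (this model's vocabulary)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        """True when both packet addresses fall inside the selectors."""
        return (ip_address(src_ip) in ip_network(self.src, strict=False)
                and ip_address(dst_ip) in ip_network(self.dst, strict=False))


def spd_lookup(spd: List[Policy], src_ip: str, dst_ip: str) -> Optional[Policy]:
    """Return the first policy whose selectors cover the packet, else None."""
    for pol in spd:
        if pol.matches(src_ip, dst_ip):
            return pol
    return None


def outbound_action(spd: List[Policy], src_ip: str, dst_ip: str) -> str:
    """Fate of an outbound packet: 'encrypt', 'none', 'discard',
    or 'clear' when no policy matches at all (it leaves unprotected)."""
    pol = spd_lookup(spd, src_ip, dst_ip)
    return "clear" if pol is None else pol.action


# The two policies from the post (selectors only; peer and proposal omitted)
NARROW = Policy("192.168.2.0/24", "172.17.0.0/16", "encrypt")
WIDE = Policy("0.0.0.0/0", "172.17.0.0/16", "encrypt")
# A trailing catch-all so anything to 172.17.0.0/16 that the encrypt
# policy does not cover is dropped instead of sent in the clear.
CATCH_ALL_DISCARD = Policy("0.0.0.0/0", "172.17.0.0/16", "discard")


if __name__ == "__main__":
    pkt = ("192.168.2.99", "172.17.1.6")   # the packet seen in the postrouting log
    print("narrow matches:", NARROW.matches(*pkt))
    print("wide matches:  ", WIDE.matches(*pkt))
    print("from 10.0.0.5, narrow only:", outbound_action([NARROW], "10.0.0.5", "172.17.1.6"))
    print("from 10.0.0.5, with discard:",
          outbound_action([NARROW, CATCH_ALL_DISCARD], "10.0.0.5", "172.17.1.6"))
```

The last two lines of output are the point: with only the narrow policy installed, a packet from a source outside 192.168.2.0/24 gets "clear", so if the SPD is not in the state you expect (as the rest of this thread describes), traffic can leave unencrypted without any error; a trailing discard policy turns that silent failure into a visible drop.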
 
amode
newbie
Topic Author
Posts: 31
Joined: Fri Feb 23, 2007 1:28 pm

Thu Apr 05, 2007 7:38 pm

Okay, I found it.

It worked, but only after REBOOTING the router. I was expecting that all the changes in ipsec should be handled without a reboot.

Is this a bug? Or any additional info here which I'm not aware of...?

Thanks,
Achim
 
JJCinAZ
Member
Posts: 475
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Thu Apr 05, 2007 8:11 pm

That should have worked without the reboot. I've never had to reboot to get those working. Maybe the underlying IPSEC code got into a bad state with the Mikrotik front-end code.
 
amode
newbie
Topic Author
Posts: 31
Joined: Fri Feb 23, 2007 1:28 pm

Thu Apr 05, 2007 9:09 pm

Yes, I was also thinking that it _should_ work without reboot. This was driving me crazy yesterday and I was crying loudly as it worked after the reboot...

Besides the flush command for the SAs, there is no other helpful command for clearing ipsec stuff, is there?

Achim
