Uwe
just joined
Topic Author
Posts: 6
Joined: Wed Jan 13, 2016 3:42 pm

BUG: (another one) ipsec policy netmask

Mon Jun 19, 2017 12:11 pm

Another bug, causing some of our scripts to fail:

Generally an IP address with netmask can be entered via CLI like this, for example setting the IP address:
/ip address
add address=192.168.88.1/24 interface=bridge
or
add address=192.168.88.1/255.255.255.0 interface=bridge
Starting with 6.39.1 this doesn't work with ipsec policy anymore:
/ip ipsec policy
add dst-address=4.4.4.0/24 level=unique proposal=default sa-dst-address=1.2.3.4 sa-src-address=0.0.0.0 src-address=192.168.88.0/255.255.255.0 tunnel=yes
invalid value for argument src-address:
    value of prefix6 must have IPv6 address before '/'
    value of prefix4 must have number address after '/'
Entering netmask in the form /24 instead of 255.255.255.0 still works.
Seems that only ipsec policy is affected by this bug.

Please correct.
Uwe
 
mrz
MikroTik Support
Posts: 7188
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: BUG: (another one) ipsec policy netmask

Mon Jun 19, 2017 12:15 pm

SrcAddress ::= Prefix6 | Prefix4
Prefix4 ::= A.B.C.D/M (IP prefix)
Prefix6 ::= IPv6/0..128 (IPv6 prefix)

Policy does not support windows-like netmasks.
 
Uwe
just joined
Topic Author
Posts: 6
Joined: Wed Jan 13, 2016 3:42 pm

Re: BUG: (another one) ipsec policy netmask

Mon Jun 19, 2017 12:43 pm

Hi mrz,

Thank you for your reply, but this worked until 6.38.5.

Is your answer (definition of prefix) specified somewhere in the documentation?

Uwe
 
petrushka
Frequent Visitor
Posts: 54
Joined: Mon May 10, 2010 12:25 pm

Re: BUG: (another one) ipsec policy netmask

Sun Oct 18, 2020 11:43 am

Hi guys, having the same issue with adding this line, it won't accept dst address:

/ip ipsec policy add src-address=10.0.35.0/24:any dst-address=10.0.10.0/24:any sa-src-address=10.0.56.30 sa-dst-address=10.0.56.29 tunnel=yes action=encrypt proposal=default

invalid value for argument dst-address:
value of prefix6 must have IPv6 address before '/'
value of prefix4 must have number address after '/'

/ip ipsec policy add src-address=10.0.35.0/24:any dst-address=24/10.0.10.0:any sa-src-address=10.0.56.30 sa-dst-address=10.0.56.29 tunnel=yes action=encrypt proposal=default

invalid value for argument dst-address:
value of prefix6 must have IPv6 address before '/'
value of prefix4 must have ip address before '/'

Anything wrong there???

ROS 6.47.4

Thanks
 
sindy
Forum Guru
Posts: 11206
Joined: Mon Dec 04, 2017 9:19 pm

Re: BUG: (another one) ipsec policy netmask

Sun Oct 18, 2020 12:31 pm

Why do you need the ":any"?
 
petrushka
Frequent Visitor
Posts: 54
Joined: Mon May 10, 2010 12:25 pm

Re: BUG: (another one) ipsec policy netmask

Wed Oct 21, 2020 12:19 am

Oh, don't know, just tried to play with some wiki sample.

Thank you
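
Added example, not part of the thread and not MikroTik code: a Python helper for scripts that generate policy commands, rewriting src-address/dst-address values into the Prefix4/Prefix6 form quoted by mrz (dotted netmask converted to a prefix length) and rejecting values such as the ":any" suffix. The function names are hypothetical, and it assumes the policy accepts any address and prefix length that match that grammar.

```python
import ipaddress
import re

def to_policy_prefix(value: str) -> str:
    """Return value as A.B.C.D/M or IPv6/0..128, or raise ValueError."""
    addr, sep, mask = value.strip().partition("/")
    if not sep:
        raise ValueError(f"{value!r}: no '/' found")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        raise ValueError(f"{value!r}: no IP address before '/'") from None
    if mask.isascii() and mask.isdigit():
        plen = int(mask)
    elif ip.version == 4:
        # Dotted netmask: convert, accepting only contiguous masks.
        try:
            bits = int(ipaddress.IPv4Address(mask))
        except ValueError:
            raise ValueError(f"{value!r}: no number or netmask after '/'") from None
        plen = bin(bits).count("1")
        if bits != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
            raise ValueError(f"{value!r}: netmask is not contiguous")
    else:
        raise ValueError(f"{value!r}: IPv6 needs a numeric prefix length")
    if plen > ip.max_prefixlen:
        raise ValueError(f"{value!r}: prefix length out of range")
    return f"{ip}/{plen}"

# Match src-address= / dst-address= but not sa-src-address= / sa-dst-address=.
_ARG = re.compile(r"(?<![\w-])(src-address|dst-address)=(\S+)")

def normalize_policy_line(line: str) -> str:
    """Rewrite the policy address arguments of one script line."""
    return _ARG.sub(lambda m: f"{m.group(1)}={to_policy_prefix(m.group(2))}", line)

if __name__ == "__main__":
    # Sample line constructed from the command in the first post.
    print(normalize_policy_line(
        "add dst-address=4.4.4.0/24 sa-src-address=0.0.0.0 "
        "src-address=192.168.88.0/255.255.255.0 tunnel=yes"))
```

Values that cannot be expressed as a prefix raise ValueError, so a generating script fails before the command reaches the router.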
