proposal-check=exact
Posted: Wed Feb 28, 2007 5:34 pm
Hi,
we have some strangeness while establishing an ipsec tunnel using peer poposal-check=exact:
In the log, it says "phase 2 established" immediately followed by "phase 2 expired". The SAs are actually installed (and ipsec works), but checking the stats says "no phase 2".
I checked the proposal options multiple times: They are exactely the same as required by "poposal-check=exact" (machines are in different timezones and using NTP sync'ed time).
If I switch to proposal-check=obey it works as expected.
Can I get more debug information about _what_ is causing this immediate "established" followed by "expired".
Thanks for any comments here.
Achim
BTW RouterOS 2.9.39
we have some strangeness while establishing an ipsec tunnel using peer poposal-check=exact:
In the log, it says "phase 2 established" immediately followed by "phase 2 expired". The SAs are actually installed (and ipsec works), but checking the stats says "no phase 2".
I checked the proposal options multiple times: They are exactely the same as required by "poposal-check=exact" (machines are in different timezones and using NTP sync'ed time).
If I switch to proposal-check=obey it works as expected.
Can I get more debug information about _what_ is causing this immediate "established" followed by "expired".
Thanks for any comments here.
Achim
BTW RouterOS 2.9.39