IPSEC priority explain
Posted: Wed Jul 09, 2008 12:09 pm
by comaco
Hi all.
First, I want to express my opinion that MT is a wonderful RouterOS, but version 3.X has a lot of problems with IPSEC VPN.
From my experience, it was working better in previous versions.
And my question is about the explanation of the field PRIORITY when you configure an IPSEC policy. What does it mean?
REGARDS
Re: IPSEC priority explain
Posted: Wed Jul 09, 2008 3:39 pm
by sergejs
comaco, thank you for the comments.
priority (integer; default: 0) - policy ordering classificator (signed integer). Larger number means higher priority
What kind of problems do you have with IPSec in v3?
Re: IPSEC priority explain
Posted: Thu Jul 10, 2008 10:31 am
by comaco
Hi and thanks.
I have just found it in the manual. My apologies.
But I have problems with it, because I don't understand how it works. If I have some proposals with different priority, what can I do with it?
On the other hand, I have some problems with VPN, like having to reboot the MT to apply changes or to bring up a VPN, problems with two or more peers, and in summary, with the previous version I could make some VPNs with various Cisco peers and now I have to work hard to make a VPN with a Cisco or with a MT (stranger still).
I will detail my problems in a future post.
Re: IPSEC priority explain
Posted: Thu Jul 10, 2008 11:02 am
by sergejs
Comaco, as I see from the documentation, priority is used for policies: the policy with the higher priority will be used if there are several policies with different proposals, for example.
It would be great if you could contact support and describe all your problems in detail [support@mikrotik.com].
Re: IPSEC priority explain
Posted: Thu Jul 10, 2008 11:54 am
by pingus
I have the same problem: when changing some IPsec settings they do not negotiate a new connection, and also sometimes in normal business they do not negotiate a new connection. The only solution is to restart the routers. See also [Ticket#2008061266000311]
Re: IPSEC priority explain
Posted: Sat Jul 12, 2008 2:27 pm
by sfaizan
IPsec is working fine between MKT and Openswan by following the example given on the MKT website, but I have one issue: multiple LAN subnets on the Openswan side didn't work. Only the one whose packet goes first establishes the tunnel and works, and the other didn't work. Here's what I have done:
MKT side
-------
one WAN side on the internet.
one peer connecting to the Openswan WAN side with 3des and md5
LAN side pool 172.20.100.0/24 (src address)
2 identical policies with just a difference in the destination address of the Openswan LAN,
e.g. one policy with dst address = 192.168.0.0/24 and the other policy with dst address = 192.168.1.0/24, keeping the rest of the things the same.
Openswan side
-------------
2 connections in ipsec.conf keeping everything the same except leftsubnet: one connection with leftsubnet 192.168.0.0/24, another connection with leftsubnet 192.168.1.0/24, keeping everything the same and IPsec security through one shared key, because it's connecting to the same global IP of MKT.
Now here is how it's working...
When I ping from the MKT LAN, that is 172.20.100.0/24, to any IP of the Openswan LAN, that is 192.168.1.0/24 or 192.168.0.0/24, it connects automatically and starts pinging the other side successfully.
The problem is, if at the start I ping any IP of 192.168.0.0/24 from the MKT LAN 172.20.100.0/24, it connects using the tunnel and encryption and starts pinging the 192.168.0.0/24 pool IPs, but not the 192.168.1.0/24 pool IPs...
On the other hand, if at the start I ping any IP of 192.168.1.0/24 from the MKT LAN 172.20.100.0/24, it connects and starts pinging, but not the other Openswan subnet, i.e. 192.168.0.0/24.
It means whichever packet goes first before connecting the tunnel is routed, but it ignores the other policy... one at a time. And if I try to ping the other subnet it gives an ISAKMP key error on the MKT console. But if the WAN IPs are the same and the secret is the same, both subnets should be routed using the same key; there are no keys in the policy and conn config of either Openswan or MKT.
What must be the problem, and can anyone tell me how to set up multiple subnets using an IPsec tunnel and one peer? Do I need to establish another peer, which I am doubtful about, and how?
Regards
Fiz
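An added example, not from the thread or from MikroTik/Openswan code: a small Python model of how a policy database picks the policy for a flow, using the priority semantics sergejs quoted (larger number wins) together with the two per-subnet policies from the Openswan post, plus a constructed catch-all policy with a different proposal. The tie-break on equal priority (first listed wins) is an assumption of this model, not documented RouterOS behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One IPsec policy: traffic selectors plus the proposal it would use."""
    name: str
    src: str           # source selector, CIDR
    dst: str           # destination selector, CIDR
    proposal: str      # phase-2 proposal label (constructed names)
    priority: int = 0  # manual: larger number means higher priority


def matching_policies(policies, src_ip, dst_ip):
    """All policies whose selectors cover this src/dst pair, in config order."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    return [p for p in policies
            if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst)]


def select_policy(policies, src_ip, dst_ip):
    """Policy chosen for the flow: highest priority among the matches.
    On a tie this model keeps configuration order (assumption: first listed wins).
    Returns None when no policy matches, i.e. the packet is routed in the clear."""
    matches = matching_policies(policies, src_ip, dst_ip)
    return max(matches, key=lambda p: p.priority) if matches else None


# Constructed sample SPD modelled on the thread: the two per-subnet policies
# from the Openswan post, plus a broad catch-all that carries a different
# proposal, so that priority decides which one a 192.168.0.x flow gets.
SPD = [
    Policy("to-lan0",  "172.20.100.0/24", "192.168.0.0/24", "3des-md5", priority=10),
    Policy("to-lan1",  "172.20.100.0/24", "192.168.1.0/24", "3des-md5", priority=10),
    Policy("catchall", "172.20.100.0/24", "192.168.0.0/16", "aes-sha1", priority=0),
]

if __name__ == "__main__":
    for dst in ("192.168.0.5", "192.168.1.5", "192.168.7.5", "10.9.9.9"):
        chosen = select_policy(SPD, "172.20.100.10", dst)
        print(dst, "->", chosen.name if chosen else "no policy (plain routing)")
```

Note that the two per-subnet flows select two distinct policies; in IPsec each selected policy is keyed by its own phase-2 SA, so two subnets behind one peer mean two separate phase-2 negotiations, not one shared one.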