I have an RB2011 the new hardware revision so im stuck using 6.x.
We set it up identically to an existing RB2011 but its the older hardware revision running 5.24.
The routers main purpose is to terminate IPSec LAN to LAN VPN's
The only config issue I had moving to 6.2 was the generate-policy under the peer has to be changed to generate-policy=port-override instead of generate-policy=yes.
None of the remote routers will connect the IPSec tunnel, I turned on IPSec logging and found the error: No Policy Found, it then shows the policy requested by the router.
The peer config is set to generate the policy so I dont know why its looking for one in the first place, if I manually create the policy based on what the router asked for then the VPN connects fine.
I have even tried setting generate-policy=port-strict with no change.
Is the policy generation broke in 6.x? or is there some other steps that must now be taken to make this work?
Re: IPSec Policy not found when Generate enabled
One thing that was introduced in 6.x is policy templates. I don't remember documentation mentioning policy templates as being mandatory in case you have generate-policy enabled, but I'd checked if defining a template solves your problem.
Search here for policy group and policy templates.
Search here for policy group and policy templates.
Re: IPSec Policy not found when Generate enabled
I added a template:
add group=default template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default
But I still have the same issue...
The router is requesting 172.16.1.0/27 to 0.0.0.0/0, tried the above and even tried the template having exactly this and it still dident find it...
Is there no way to make generate behave like 5.x?
add group=default template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default
But I still have the same issue...
The router is requesting 172.16.1.0/27 to 0.0.0.0/0, tried the above and even tried the template having exactly this and it still dident find it...
Is there no way to make generate behave like 5.x?
Re: IPSec Policy not found when Generate enabled
Bump here.
Can't get this to work with remote peer set to 0.0.0.0/0. Log says "no configuration found for 0.0.0.0".
And if I instread use the IP that the other router has at this moment - works.
This is frustrating.
Can't get this to work with remote peer set to 0.0.0.0/0. Log says "no configuration found for 0.0.0.0".
And if I instread use the IP that the other router has at this moment - works.
This is frustrating.
Re: IPSec Policy not found when Generate enabled
Hi, after an upgrade in "ip ipsec policy" there is a default policy which is disabled:
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes
Enable it and try to connect with remote router. It worked for me
mIRO
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes
Enable it and try to connect with remote router. It worked for me
mIRO