All, We have an IPSec hub and spoke design. I have a 750GL (spoke) that is connected via IPsec back to a Juniper (Hub). I initiate the connection from the 750 and it creates a tunnel (2 SA's) and then I can ping to a device sitting behind the Juniper. If I try and ping back from the device behind the Juniper to a loopback address applied to the 750, it creates another set of SA's (now I have 4 SA's). This should not happen. The spokes should be the initiator and ONLY the initiator because all spoke locations (750's) are either static, dhcp or pppoe. My question is since the SA is already created by the spoke as the initiator (I have 2 SA's per connection to be exact) should the traffic from behind the Juniper already utilize the tunnel that was created by the spoke? Why does another tunnel (2 SA's) get created? If I clear the connection on the Juniper and start a ping from the device sitting behind it to the spoke, it creates a tunnel and then I start a ping from the spoke to the device behind the Juniper, it utilizes the existing tunnel and passes traffic. A second set of SA's does not get created.
# oct/23/2012 21:27:52 by RouterOS 5.21
# software id = 182Q-xxxx
#
/interface bridge
add name=loopback1
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip ipsec proposal
add name=juniper pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.100.10-192.168.100.254
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp disabled=no interface=ether2-master-local name=default
/ip address
add address=192.168.100.1/24 comment="default configuration" interface=ether2-master-local
add address=50.104.x.x/30 interface=ether1-gateway
add address=5.1.1.10/32 interface=loopback1 network=5.1.1.10
/ip dhcp-server network
add address=192.168.100.0/24 comment="default configuration" dns-server=208.67.220.220,208.67.222.222 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input dst-address=5.1.1.10 dst-port=161 protocol=udp src-address=10.94.64.16/29
add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=68.167.x.x/24
add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=68.106.x.x/26
add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=68.106.x.x
add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=10.94.x.x/29
add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=216.231.x.x/24
add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=216.231.x.x/24
add chain=input dst-port=22,80,443,8291 protocol=tcp src-address=76.168.x.x
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall nat
add chain=srcnat dst-address=10.94.64.16/29 src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway src-address=192.168.100.0/24
/ip firewall service-port
set sip disabled=yes
/ip ipsec peer
add address=216.231.198.14/32 dpd-interval=1m dpd-maximum-failures=2 exchange-mode=aggressive hash-algorithm=sha1 lifetime=10h \
    my-id-user-fqdn=cs750...@xxxxx.com
/ip ipsec policy
add dst-address=10.94.64.16/29 proposal=juniper sa-dst-address=216.231.x.x sa-src-address=0.0.0.0 src-address=5.1.1.10/32 \
    tunnel=yes
add dst-address=10.94.64.16/29 proposal=juniper sa-dst-address=216.231.x.x sa-src-address=0.0.0.0 src-address=192.168.100.0/24 \
    tunnel=yes
/ip neighbor discovery
set ether1-gateway disabled=yes
/ip route
add distance=1 gateway=50.104.x.x
/system identity
set name=CS750-10
/system logging
add topics=snmp
/system ntp client
set enabled=yes mode=unicast primary-ntp=50.116.38.157 secondary-ntp=208.38.65.35
/system scheduler
add interval=10s name=schedule1 on-event=ping-vpn policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    start-date=may/15/2012 start-time=22:08:12
/system script
add name=ping-vpn policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=\
    ":put [/ping interface=loopback1 10.94.64.19 count=5]"
add name=email-reboots policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=\
    ":while ( [:pick [/system clock get date] 7 11]<\"2003\" ) do={ :delay 10s }\r\
    \n/log info \"time updated; uptime: \$[/system resource get uptime]\"\r\
    \n:local es \"\$[/system identity get name] rebooted on \$[/system clock get date] \$[/system clock get time]\"\r\
    \n:delay 90s\r\
    \n:local eb \"Log contents (with 90 seconds delay):\\r\\n\"\r\
    \n:foreach le in=[/log print as-value] do={\r\
    \n :set eb \"\$eb\$[:pick [:tostr [:pick \$le 1]] 5 100] \$[:pick [:tostr [:pick \$le 2]] 7 100]: \$[:pick [:tostr [:pick \$le 3]] 8 1000]\\r\\n\"\r\
    \n}"
/tool mac-server
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
[admin@CS750-10] >

Jerry Roy
Sr. Systems Engineer MTCNA/MTCRE/MTCTCE
Managed Network Services, An iPass Company

_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://www.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
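As an added illustration (not part of the post above, and not RouterOS or Juniper code), the following Python model shows the general IPsec rule behind the question: a phase-2 SA pair is only reused for outbound traffic when the sending side's own policy selectors match the selectors the pair was negotiated with; otherwise the stack raises an "acquire" and IKE negotiates a fresh pair, which is one way a hub ends up with 4 SAs. The spoke addresses come from the export; the hub's policy selector passed to `hub_scenario` is an assumption, since the Juniper side is not in the post, and the model ignores reqid/peer keying and SPI details that real stacks also use.

```python
# Added example, not from the original post: a simplified model of how an
# IPsec stack reuses or re-negotiates a phase-2 SA pair for outbound traffic.
# Each pair is bound to the traffic selectors it was negotiated with; an
# outbound packet that matches a policy but no live pair with that policy's
# selectors raises an "acquire", modelled here as creating a new pair (which
# in reality means another IKE phase-2 exchange and 2 more SAs).
from ipaddress import ip_address, ip_network


class SaDatabase:
    """SA pairs for one peer, each stored as (src_selector, dst_selector)."""

    def __init__(self):
        self.pairs = []

    def install_from_peer(self, peer_src, peer_dst):
        """Record a pair the remote side initiated, seen from this side."""
        self.pairs.append((ip_network(peer_dst), ip_network(peer_src)))

    def outbound(self, policy_src, policy_dst, pkt_src, pkt_dst):
        """Resolve an SA for a packet that hit the given outbound policy.

        Returns ("reuse", pair) if a pair with exactly this policy's
        selectors exists, otherwise ("acquire", pair) after creating one."""
        src, dst = ip_network(policy_src), ip_network(policy_dst)
        if ip_address(pkt_src) not in src or ip_address(pkt_dst) not in dst:
            raise ValueError("packet does not match the policy selectors")
        for pair in self.pairs:
            if pair == (src, dst):
                return "reuse", pair
        self.pairs.append((src, dst))          # stands in for a new IKE phase-2
        return "acquire", (src, dst)

    def sa_count(self):
        return 2 * len(self.pairs)             # one SA per direction per pair


def hub_scenario(hub_policy_dst):
    """Spoke negotiates 5.1.1.10/32 -> 10.94.64.16/29 first (its ping-vpn
    script pings 10.94.64.19 from loopback1), then 10.94.64.19 pings the
    loopback. hub_policy_dst is the ASSUMED spoke-side selector in the hub's
    policy. Returns (action, total SA count on the hub)."""
    hub = SaDatabase()
    hub.install_from_peer("5.1.1.10/32", "10.94.64.16/29")
    action, _ = hub.outbound("10.94.64.16/29", hub_policy_dst,
                             "10.94.64.19", "5.1.1.10")
    return action, hub.sa_count()
```

With a hub selector identical to the spoke's (`5.1.1.10/32`) the existing pair is reused and the hub stays at 2 SAs; with a wider or different selector (for example `5.1.1.0/24`) the lookup misses and the count goes to 4, which is the symptom described in the post.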