MikroTik Changelog Tracker

Component: ipsec

296 changelog entries across 97 version(s)

Activity over time (changelog entries per month)

7.21 Stable 2026-Jan-12 (3 weeks ago)
  • fixed CHACHA20 typo in log messages;
  • support Post-Quantum Pre-shared Key (PPK) with QKD integration (CLI only);
7.20 Stable 2025-Sep-29 (4 months ago)
  • fixed degraded IPsec performance for IPQ-6010 (introduced in v7.17);
  • move raw RSA keys to /ip/ipsec/key/rsa;
7.19.2 Stable 2025-Jun-20 (7 months ago)
  • fixed responder on key exchange compute failure (introduced in v7.19);
7.19 Stable 2025-May-22 (8 months ago)
  • fixed system failure on MMIPS devices when using IPsec services;
  • lower standalone cipher, hash priority when using ctr aead;
7.18 Stable 2025-Feb-24 (11 months ago)
  • added hardware acceleration support for hEX refresh;
  • fixed chacha20 poly1305 proposal;
  • fixed installed SAs update process when SAs are removed;
7.17.1 Stable 2025-Jan-30 (1 year ago)
  • fixed chacha20 poly1305 proposal;
  • fixed installed SAs update process when SAs are removed;
7.17 Stable 2025-Jan-16 (1 year ago)
  • ike2 improved process for policies;
7.16 Stable 2024-Sep-20 (1 year ago)
  • changed default dpd-interval from 2 minutes to 8 seconds and dpd-maximum-failures from 5 to 4;
  • improved installed SA statistics update;
7.12 Stable 2023-Nov-09 (2 years ago)
  • fixed Diffie-Hellman public value encoding size;
  • fixed IPSec policy when using modp3072;
  • fixed minor typo in logs;
  • reduce disk writes when started without active configuration;
7.11.1 Stable 2023-Aug-30 (2 years ago)
  • fixed IPSec policy when using modp3072;
7.11 Stable 2023-Aug-15 (2 years ago)
  • fixed public key export (introduced in v7.10);
  • fixed signature authentication using secp521r1 certificate (introduced in v7.10);
  • improved IKE2 rekey process;
  • properly check ph2 approval validity when using IKE1 exchange mode;
7.10 Stable 2023-Jun-15 (2 years ago)
  • added hardware acceleration support for IPQ-5010 (hAP ax lite);
  • refactor public key authentication;
  • removed "ec2n185" and "ec2n155" values from proposal configurations;
7.9 Stable 2023-May-02 (2 years ago)
  • added error log message when peer ID does not match certificate;
  • fixed packet processing by hardware encryption engine on RB850Gx2 device;
  • refactor X.509 implementation;
7.8 Stable 2023-Feb-24 (2 years ago)
  • added support for "Framed-Route" RADIUS attribute;
  • do not match incoming IKE requests by unresolved DNS name peers;
  • fixed peer matcher for incoming connection with unresolved DNS;
7.7 Stable 2023-Jan-12 (3 years ago)
  • added "current-address" parameter for peers with DNS address;
  • added hardware acceleration support for IPQ-6010;
  • added support for AVX optimized SHA acceleration;
  • improved "H" (hw-aead) flag presence for accelerated SA's;
  • improved IKE payload processing;
  • improved configuration of IPsec proposal auth-algorithms;
  • removed Blowfish and Camellia encryption algorithms for IKE;
7.6 Stable 2022-Oct-17 (3 years ago)
  • added "invalid-packets" counter for Installed SA's menu;
  • fixed packet processing by hardware encryption engine on MMIPS devices;
7.3 Stable 2022-Jun-06 (3 years ago)
  • fixed IPsec IRQ initialization on startup on TILE;
  • fixed printing of active peer statistics;
7.2 Stable 2022-Mar-31 (3 years ago)
  • added hardware acceleration support for CCR2116;
  • fixed "identities" menu emptying after RouterOS upgrade/reboot;
6.49 Stable 2021-Oct-06 (4 years ago)
  • fixed memory leak when processing DHCP packets;
  • improved SA update by SPI;
  • improved system stability on CHR;
  • improved system stability on MMIPS devices;
6.48.5 Long-term 2021-Sep-21 (4 years ago)
  • improved SA update by SPI;
6.47.10 Long-term 2021-May-31 (4 years ago)
  • fixed SA address parameter exporting;
6.48.3 Stable 2021-May-25 (4 years ago)
  • fixed SA address parameter exporting;
6.48.1 Stable 2021-Feb-03 (5 years ago)
  • improved stability when processing IPv6 packets larger than interface MTU;
6.48 Stable 2020-Dec-22 (5 years ago)
  • added SHA384 hash algorithm support for phase 1;
  • do not kill connection when peer's "name" or "comment" is changed;
  • fixed client certificate usage when certificate is renewed with SCEP;
  • fixed multiple warning message display for peers;
  • inactivate peer's policy on disconnect;
  • refresh peer's DNS only when phase 1 is down;
6.47.1 Stable 2020-Jul-08 (5 years ago)
  • do not update peer endpoints for generated policy entries (introduced in v6.47);
6.47 Stable 2020-Jun-02 (5 years ago)
  • added "split-dns" parameter support for mode configuration;
  • added "use-responder-dns" parameter support;
  • allow specifying two peers for a single policy for failover;
  • control CRL validation with global "use-crl" setting;
  • do full certificate validation for identities with explicit certificate;
  • fixed minor spelling mistake in logs;
  • improved IPsec service stability when receiving bogus packets;
  • place dynamically created IPsec policies by L2TP client at the beginning of the table;
6.45.9 Long-term 2020-Apr-30 (5 years ago)
  • improved system stability when handling fragmented packets;
6.46.5 Stable 2020-Apr-07 (5 years ago)
  • improved system stability when handling fragmented packets;
6.45.8 Long-term 2020-Jan-23 (6 years ago)
  • improved system stability when processing decrypted packet on unregistered interface;
6.46.1 Stable 2019-Dec-13 (6 years ago)
  • improved system stability when processing decrypted packet on unregistered interface;
6.46 Stable 2019-Dec-02 (6 years ago)
  • added "error" topic for identity check failure logging messages;
  • fixed DNS resolving when domain has only AAAA entries;
  • fixed policy "sa-src-address" detection from "local-address" (introduced in v6.45);
6.44.6 Long-term 2019-Oct-24 (6 years ago)
  • allow inline "passphrase" parameter when importing keys;
  • fixed minor spelling mistakes in logs;
6.45.5 Stable 2019-Aug-26 (6 years ago)
  • allow inline "passphrase" parameter when importing keys;
  • fixed "eap-radius" authentication method (introduced in v6.45);
  • fixed minor spelling mistakes in logs;
6.45.2 Stable 2019-Jul-17 (6 years ago)
  • added "connection-mark" parameter for mode-config initiator;
  • allow peer argument only for "encrypt" policies (introduced in v6.45);
  • fixed peer configuration migration from versions older than v6.43 (introduced in v6.45);
  • improved stability for peer initialization (introduced in v6.45);
  • show warning for policies with "unknown" peer;
6.45.1 Stable 2019-Jun-27 (6 years ago)
  • added dynamic comment field for "active-peers" menu inherited from identity;
  • added "ph2-total" counter to "active-peers" menu;
  • added support for RADIUS accounting for "eap-radius" and "pre-shared-key-xauth" authentication methods;
  • added traffic statistics to "active-peers" menu;
  • disallow setting "src-address" and "dst-address" for transport mode policies;
  • do not allow adding identity to a dynamic peer;
  • fixed policies becoming invalid after changing priority;
  • general improvements in policy handling;
  • properly drop already established tunnel when address change detected;
  • renamed "remote-peers" to "active-peers";
  • renamed "rsa-signature" authentication method to "digital-signature";
  • replaced policy SA address parameters with peer setting;
  • use tunnel name for dynamic IPsec peer name;
6.44.3 Stable 2019-Apr-23 (6 years ago)
  • fixed freshly created identity not taken in action (introduced in v6.44);
  • fixed possible configuration corruption after import (introduced in v6.44);
6.44.1 Stable 2019-Mar-13 (6 years ago)
  • allow identities with empty XAuth login and password if RADIUS is enabled (introduced in v6.44);
  • fixed dynamic L2TP peer and identity configuration missing after reboot (introduced in v6.44);
  • use "remote-id=ignore" for dynamic L2TP configuration (introduced in v6.44);
6.43.13 Long-term 2019-Mar-13 (6 years ago)
  • fixed all policies not getting installed after startup (introduced in v6.43.8);
  • fixed stability issues after changing peer configuration (introduced in v6.43);
6.44 Stable 2019-Feb-25 (6 years ago)
  • added account log message when user is successfully authenticated;
  • added basic pre-shared-key strength checks;
  • added new "remote-id" peer matcher;
  • allow to specify single address instead of IP pool under "mode-config";
  • fixed active connection killing when changing peer configuration;
  • fixed all policies not getting installed after startup (introduced in v6.43.8);
  • fixed stability issues after changing peer configuration (introduced in v6.43);
  • hide empty prefixes on "peer" menu;
  • improved invalid policy handling when a valid policy is uninstalled;
  • made dynamic "src-nat" rule more specific;
  • made peers autosort themselves based on reachability status;
  • moved "profile" menu outside "peer" menu;
  • properly detect AES-NI extension as hardware AEAD;
  • removed limitation that allowed only single "auth-method" with the same "exchange-mode" as responder;
  • require write policy for key generation;
6.42.12 Long-term 2019-Feb-12 (6 years ago)
  • accept only valid path for "export-pub-key" parameter in "key" menu;
6.43.11 Stable 2019-Feb-04 (6 years ago)
  • accept only valid path for "export-pub-key" parameter in "key" menu;
6.43.7 Stable 2018-Nov-30 (7 years ago)
  • fixed hw-aead (H) flag presence under Installed SAs on startup;
  • improved stability when uninstalling multiple SAs at once;
  • properly handle peer profiles on downgrade;
  • properly update warnings under peer menu;
6.42.10 Long-term 2018-Nov-14 (7 years ago)
  • fixed hw-aead (H) flag presence under Installed SAs on startup;
  • improved stability when uninstalling multiple SAs at once;
  • properly update warnings under peer menu;
6.43.4 Stable 2018-Oct-17 (7 years ago)
  • allow multiple peers to the same address with different local-address (introduced in v6.43);
6.42.9 Long-term 2018-Sep-27 (7 years ago)
  • improved invalid policy handling when a valid policy is uninstalled;
  • improved stability when using IPsec with disabled route cache;
6.43 Stable 2018-Sep-06 (7 years ago)
  • added "responder" parameter for "mode-config" to allow multiple initiator configurations;
  • added "src-address-list" parameter for "mode-config" that generates dynamic "src-nat" rule;
  • added warning messages for incorrect peer configuration;
  • do not allow removal of "proposal" and "mode-config" entries that are in use;
  • fixed AES-192-CTR fallback to software AEAD on ARM devices with wireless and RB3011UiAS-RM;
  • fixed AES-CTR and AES-GCM key size proposing as initiator;
  • fixed "static-dns" value storing;
  • improved invalid policy handling when a valid policy is uninstalled;
  • improved reliability on generated policy addition when IKEv1 or IKEv2 used;
  • improved stability when using IPsec with disabled route cache;
  • install all DNS server addresses provided by "mode-config" server;
  • separate phase1 proposal configuration from peer menu;
  • use monotonic timer for SA lifetime check;
6.40.9 Long-term 2018-Aug-20 (7 years ago)
  • fixed policies becoming invalid if added after a disabled policy;
6.42.7 Stable 2018-Aug-17 (7 years ago)
  • fixed "sa-src-address" deduction from "src-address" in tunnel mode;
  • improved invalid policy handling when a valid policy is uninstalled;
6.42.4 Stable 2018-Jun-15 (7 years ago)
  • improved reliability on IPsec hardware encryption for RB1100Dx4;
6.42.2 Stable 2018-May-17 (7 years ago)
  • fixed policies becoming invalid if added after a disabled policy;
  • improved reliability on IPsec hardware encryption for ARM devices except RB1100Dx4;
6.42 Stable 2018-Apr-13 (7 years ago)
  • fixed AES-CTR and AES-GCM support on RB1200;
  • improved single tunnel hardware acceleration performance on MMIPS devices;
  • properly detect interface for "mode-config" client IP address assignment;
6.40.6 Long-term 2018-Feb-20 (7 years ago)
  • fixed incorrect esp proposal key size usage;
  • properly update IPsec secret for IPIP/EoIP/GRE dynamic peer;
6.41.1 Stable 2018-Jan-30 (8 years ago)
  • properly update IPsec secret for IPIP/EoIP/GRE dynamic peer;
6.41 Stable 2017-Dec-22 (8 years ago)
  • added DH groups 19, 20 and 21 support for phase1 and phase2;
  • allow to specify "remote-peer" address as DNS name;
  • fixed incorrect esp proposal key size usage;
  • fixed policy enable/disable;
  • improved hardware accelerated IPSec performance on 750Gr3;
  • improved reliability on certificate usage;
  • renamed "firewall" argument to "notrack-chain" in peer configuration;
  • skip invalid policies for phase2;
6.40.5 Stable 2017-Oct-31 (8 years ago)
  • fixed lost value for "remote-certificate" parameter after disable/enable;
6.39.3 Long-term 2017-Oct-12 (8 years ago)
  • do not deduct "dst-address" from "sa-dst-address" for "/0" policies;
6.40.4 Stable 2017-Oct-02 (8 years ago)
  • kill PH1 on "mode-config" address failure;
6.38.7 Long-term 2017-Jun-20 (8 years ago)
  • do not deduct policy src/dst address for tunnel policies;
  • fixed generated policy priority;
  • fixed peer "my-id" address reset;
6.39.2 Stable 2017-Jun-01 (8 years ago)
  • fixed generated policy priority;
  • fixed peer "my-id" address reset;
  • renamed "remote-dynamic-address" to "dynamic-address";
6.39 Stable 2017-Apr-27 (8 years ago)
  • added "last-seen" parameter to active connection list;
  • allow mixing aead algorithms in proposal;
  • better responder flag calculator for console;
  • disallow AH+ESP combined policies;
  • do not lose "use-ipsec=yes" parameter after downgrade;
  • enable aes-ni on i386 and x64 for cbc, ctr and gcm modes;
  • fixed "/ip ipsec policy group export verbose";
  • fixed "mode-cfg" verbose export;
  • fixed SA authentication flag;
  • renamed "hw-authenc" flag to "hw-aead";
  • show hardware accelerated authenticated SAs;
  • updated tilera classifier for UDP encapsulated ESP;
6.38.4 Stable 2017-Mar-08 (8 years ago)
  • deducted policy SA src/dst address from src/dst address;
  • do not require "sa-dst-address" if "action=none" or "action=discard";
  • fixed SA address check in policy lookup;
  • hide SA address for transport policies;
  • keep policy in kernel even with bad proposal;
  • kill ph2 on policy removal;
  • updated/fixed Radius attributes;
6.38.1 Stable 2017-Jan-13 (9 years ago)
  • added ability to kill particular remote-peer;
  • fixed flush speed and SAs on startup;
  • fixed peer port export;
  • port is used only for initiators;
6.37.4 Long-term 2017-Jan-13 (9 years ago)
  • fixed kernel failure on tile with sha256 when hardware encryption is not being used;
6.38 Stable 2016-Dec-30 (9 years ago)
  • added ability to specify static IP address at "send-dns" option;
  • added ph2 accounting for each policy "/ip ipsec policy ph2-count";
  • allow to specify explicit split dns address;
  • changed logging topic from error to debug when empty pfkey messages are received;
  • do not auto-negotiate more SAs than needed;
  • ensure generated policy refers to valid proposal;
  • fixed camellia crypto algorithm module loading;
  • fixed IPv6 remote prefix;
  • fixed kernel failure on tile with sha256 when hardware encryption is not being used;
  • fixed peer configuration my-id IPv4 address endianness;
  • fixed ph2 auto-negotiation by checking policies in correct order;
  • load ipv6 related modules only when ipv6 package is enabled;
  • make generated policies always as unique;
  • non passive peers will also establish SAs from policy without waiting for the first packet;
  • optimized logging under ipsec topic;
  • show active flag when policy has active SA;
  • show SA "enc-key-size";
  • split "mode-config" and "send-dns" arguments;
6.37.2 Stable 2016-Nov-08 (9 years ago)
  • changed logging topic from error to debug for ph2 transform mismatch messages;
6.37 Stable 2016-Sep-23 (9 years ago)
  • fixed crash with enabled fragmentation;
  • fixed dynamic policy not deleted on disconnect for nat-t peers;
  • fixed fragmentation use negotiation;
  • fixed kernel crash when sha512 was used;
6.36.3 Stable 2016-Sep-05 (9 years ago)
  • don't log authtype mismatch as critical;
  • fixed xauth parameter printing in terminal;
6.36 Stable 2016-Jul-20 (9 years ago)
  • add dead ph2 detection exception for windows msgid noncompliance with rfc;
  • added dead ph2 reply detection;
  • don't register temporary ph2 on dead list;
  • fix initiator modecfg dynamic dns;
  • fixed AH with SHA2;
  • fixed checks before accessing ph1 nat options;
  • fixed mode-config export;
  • fixed route cache overflow when using ipsec with route cache disabled;
  • fixed windows msgid check on x86 devices;
  • show remote peer address in error messages when possible;
  • store udp encapsulation type in proposal;
6.35.4 Stable 2016-Jun-09 (9 years ago)
  • fixed mode-config export;
  • fixed route cache overflow when using ipsec with route cache disabled;
6.34.5 Long-term 2016-May-27 (9 years ago)
  • better flush on proposal change;
  • fixed crash on policy update;
6.35 Stable 2016-Apr-14 (9 years ago)
  • always re-key ph1 because it was possible that ph1 without DPD would expire;
  • better flush on proposal change;
  • fixed crash on policy update;
  • fixed fast ph2 SA addition;
  • fixed larval SA refresh for display;
  • fixed multiple consecutive dynamic policy flush;
6.34.4 Stable 2016-Mar-24 (9 years ago)
  • take into account ip protocol in kernel policy matcher;
6.34.2 Stable 2016-Feb-18 (9 years ago)
  • fix console peer aes enc algorithm display;
6.32.4 Long-term 2016-Feb-09 (9 years ago)
  • fixed kernel failure after underlying tunnel has been disabled/enabled;
6.34 Stable 2016-Jan-29 (10 years ago)
  • improved TCP performance on CCRs;
  • allow my-id address specification in main mode;
  • prioritize proposals;
  • support multiple DH groups for phase 1;
  • fix phase2 hmac-sha-256-128 truncation len from 96 to 128;
  • make sure that dynamic policy always has dynamic flag;
  • fixed active SAs flushing;
6.33 Stable 2015-Nov-06 (10 years ago)
  • force flow cache validation once in 1h;
  • fix set on multiple policies which could result in adding non existent dynamic policies to the list;
  • fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator;
  • use local-address for phase 1 matching and initiation;
  • fix replay window, was accidentally disabled since version 6.30;
6.32.2 Stable 2015-Sep-17 (10 years ago)
  • fixed kernel failure when packets were not ordered on first call;
  • fix sockaddr buf size on id generation for ipv6 address;
6.32 Stable 2015-Aug-31 (10 years ago)
  • added compatibility option skip-peer-id-check;
  • fix potential memory leak;
  • use local-address for phase 1 matching and initiation;
  • fix transport mode ph2 ID ports when policy selects specific ip protocol on initiator;
6.30.2 Long-term 2015-Jul-22 (10 years ago)
  • fixed crash when gcm encryption was used;
6.30.1 Long-term 2015-Jul-14 (10 years ago)
  • disallow changing dynamic peer;
6.30 Stable 2015-Jul-08 (10 years ago)
  • fail ph2 negotiation when initiator proposed key length
  • increase replay window to 128;
6.29 Stable 2015-May-27 (10 years ago)
  • allow to specify custom IP address for my_id parameter;
6.27 Stable 2015-Feb-11 (10 years ago)
  • fixed crash that happened in specific situation;
6.21 Stable 2014-Oct-30 (11 years ago)
  • fix downgrade problem to v5;
  • disallow template-policy-group=none in peer config and set it to 'default';
6.20 Stable 2014-Oct-01 (11 years ago)
  • support fqdn as my id;
  • allow binding modeconf address to username;
6.19 Stable 2014-Aug-26 (11 years ago)
  • when peer config is changed kill only relevant SAs;
6.18 Stable 2014-Aug-01 (11 years ago)
  • fix addition of default policy template;
6.16 Stable 2014-Jul-17 (11 years ago)
  • fix AH proposal and problem when sometimes policy was not generated;
  • allow multiple encryption algorithms per peer;
6.12 Stable 2014-Apr-14 (11 years ago)
  • support IPv4 over IPv6 and vice versa;
6.11 Stable 2014-Mar-20 (11 years ago)
  • fix aes-cbc hardware acceleration on CCR with key sizes 192 and 256;
6.7 Stable 2013-Nov-29 (12 years ago)
  • added aes-gcm icv16 encryption mode;
  • added aes-ctr encryption mode;
  • added sha256 and sha512 support;
  • proposal defaults changed to aes-128 and sha1 for both phase1 and phase2;
  • fix policy bypass on IPv6 gre, ipip, eoip tunnels when policy
6.5 Stable 2013-Oct-16 (12 years ago)
  • fix peer matching with non byte aligned masks;
6.2 Stable 2013-Aug-02 (12 years ago)
  • fixed peer address matching;
  • fix phase1 autonegotiation on little endian platforms;
6.1 Stable 2013-Jun-12 (12 years ago)
  • for peers with full IP address specified system will
6.0 Stable 2013-May-17 (12 years ago)
  • added /peer passive option which will prevent starting ISAKMP negotiation
  • added pre-shared-key-xauth and rsa-signature-hybrid
5.8 Stable 2011-Nov-01 (14 years ago)
  • support authorization with raw RSA keys;
5.7 Stable 2011-Sep-14 (14 years ago)
  • new exchange mode (main-l2tp) for l2tp tunnel users to allow
  • fixed problem of RB1200 rebooting when large amount of UDP traffic is