IPsec-SA expired before finishing rekey

Hi All,

I’m setting up an IPsec connection from my Windows laptop to a Mikrotik router (ROS version 6.40.1) based on IKEv2 with RSA signature authentication (a RoadWarrior setup with the Mikrotik acting as a server with a fixed IP, and the laptop being ‘on the go’ with random IP addresses). The connection works for 30 minutes and then drops. When that happens, I see an “IPsec-SA expired before finishing rekey” message in the Mikrotik log.

How do I set it up so that the rekey procedure works and the link doesn’t drop?
I guess I am missing some obvious parameter, but I cannot figure out what it is…
Can someone please advise what to look for?

Had the same issue. It has been solved by setting pfs-group for RW to none under the IPsec Proposal menu.

Thanks! This seems to have fixed it!

I would suggest creating a ticket with support as well so MKT can check if this is something they can fix.
Simply using PFS for P2 should not break re-keying.
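As an added illustration (not from the thread or from MikroTik's documentation), these are the RouterOS commands for inspecting and changing the Phase 2 proposal the two replies above refer to. The proposal name l2tp-default is taken from the configuration posted later in the thread; the PFS-enabled starting state is an assumption about what the original poster had configured before applying the workaround.

```routeros
# Show the proposal that the default policy template references
# (name taken from the thread's configuration output)
/ip ipsec proposal print detail where name="l2tp-default"

# Assumed starting state: Phase 2 PFS enabled with a DH group,
# which the first reply reports as breaking the child-SA rekey
/ip ipsec proposal set [find name="l2tp-default"] pfs-group=modp2048

# Workaround from the thread: no fresh Diffie-Hellman exchange on rekey
/ip ipsec proposal set [find name="l2tp-default"] pfs-group=none

# Watch the next rekey from the router side
/log print follow-only where topics~"ipsec"
```

With pfs-group=none the keys for each new child SA are derived from the IKE SA's keying material rather than from a fresh Diffie-Hellman exchange, so forward secrecy for the ESP traffic is bounded by the IKE SA lifetime (1h in the posted peer configuration) instead of by each child-SA lifetime. That is the trade-off behind the second reply's point that PFS alone should not break rekeying and that the behaviour is worth a support ticket; the "processing payload: KE (not found)" line in the log excerpt below is relevant there, since the KE payload is what carries the Diffie-Hellman value during a CREATE_CHILD_SA rekey.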

I have the same issue with iOS and macOS (current build):

10:04:00 ipsec processing payload: KE (not found) 
10:04:00 ipsec IPsec-SA established: IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177 
10:04:00 ipsec IPsec-SA established: IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775 
10:04:02 ipsec ike2 request, exchange: INFORMATIONAL:97e IP_OF_A_Different_working_Connection[4500] 
10:04:02 ipsec payload seen: ENC 
10:04:02 ipsec processing payload: ENC 
10:04:02 ipsec respond: info 
10:04:03 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xca8e3d2 
10:04:03 ipsec adding payload: DELETE 
10:04:03 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0x73be941 
10:04:03 ipsec adding payload: DELETE 
10:04:03 ipsec ike2 reply, exchange: INFORMATIONAL:7 IP_OF_CLIENT[4500] 
10:04:03 ipsec my msg id not matching, ignoring 
10:04:04 ipsec ike2 request, exchange: INFORMATIONAL:97f IP_OF_A_Different_working_Connection[4500] 
10:04:04 ipsec payload seen: ENC 
10:04:04 ipsec processing payload: ENC 
10:04:04 ipsec respond: info 
10:04:06 ipsec ike2 request, exchange: INFORMATIONAL:980 IP_OF_A_Different_working_Connection[4500] 
10:04:06 ipsec payload seen: ENC 
10:04:06 ipsec processing payload: ENC 
10:04:06 ipsec respond: info 
10:04:08 ipsec ike2 request, exchange: INFORMATIONAL:981 IP_OF_A_Different_working_Connection[4500] 
10:04:08 ipsec payload seen: ENC 
10:04:08 ipsec processing payload: ENC 
10:04:08 ipsec respond: info 
10:04:08 ipsec retransmit 
10:04:08 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177 
10:04:08 ipsec ike2 expire 0xb93a775 
10:04:08 ipsec queued 
10:04:08 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775 
10:04:10 ipsec ike2 request, exchange: INFORMATIONAL:982 IP_OF_A_Different_working_Connection[4500] 
10:04:10 ipsec payload seen: ENC 
10:04:10 ipsec processing payload: ENC 
10:04:10 ipsec respond: info 
10:04:11 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177 
10:04:11 ipsec,error IPsec-SA expired before finishing rekey: IP_OF_CLIENT[4500]<->IP_OF_VPN_Router[4500] spi=0xb93a775 
10:04:11 ipsec,info killing ike2 SA: IP_OF_VPN_Router[4500]-IP_OF_CLIENT[4500] spi:e4956eaededf97f6:870f419dd796c477 
10:04:11 ipsec IPsec-SA killing: IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177 
10:04:11 ipsec IPsec-SA killing: IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775 
10:04:11 ipsec removing generated policy 
10:04:11 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775 
10:04:11 ipsec adding payload: DELETE 
10:04:11 ipsec KA remove: IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] 
10:04:11 ipsec,info releasing address 10.10.100.82 
10:04:11 ipsec ike2 reply, exchange: INFORMATIONAL:9 IP_OF_CLIENT[4500] 
10:04:11 ipsec SPI f697dfdeae6e95e4 not registred for IP_OF_CLIENT[4500] 
10:04:12 ipsec ike2 request, exchange: INFORMATIONAL:983 IP_OF_A_Different_working_Connection[4500]

/ip ipsec peer print

 5   R ;;; ikev2 clients
       address=0.0.0.0/0 passive=yes auth-method=rsa-signature certificate=TPGGateway254-ovpn generate-policy=port-strict policy-template-group=default exchange-mode=ike2 
       mode-config=ikev2-default send-initial-contact=no my-id=fqdn:sstp.ontpg.com hash-algorithm=sha256 enc-algorithm=aes-256,aes-128 dh-group=modp2048,modp1024 lifetime=1h 
       dpd-interval=2m

/ip ipsec policy print

 T * ;;; default
       group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=l2tp-default template=yes

/ip ipsec mode-config print

Flags: * - default 
 0 * name="request-only" 

 1   name="ikev2-default" system-dns=no static-dns=172.17.1.43,172.17.1.44 address-pool=l2tp-pool-default address-prefix-length=24

/ip ipsec proposal print

4    name="l2tp-default" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s pfs-group=none
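The log excerpt above interleaves events from two tunnels and repeats the same SPIs several times, which makes it hard to see by eye that the freshly established SA pair lived only a few seconds before expiring. As an added example (not part of the thread, not MikroTik code), the following Python script parses RouterOS ipsec log lines of the format quoted above, tracks each child SA by SPI from "established" through "expired" and "killing", and flags both the explicit "expired before finishing rekey" error and any SA that expired far sooner than a configured lifetime would allow. The embedded sample log is constructed from lines in the excerpt, using the thread's placeholder hostnames and its SPIs; the regexes assume the message formats shown there and nothing more.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the RouterOS ipsec log lines quoted in the
# thread (same placeholder hosts and SPIs); it is not the poster's full log.
SAMPLE_LOG = """\
10:04:00 ipsec IPsec-SA established: IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177
10:04:00 ipsec IPsec-SA established: IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775
10:04:03 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xca8e3d2
10:04:03 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0x73be941
10:04:08 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177
10:04:08 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775
10:04:11 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177
10:04:11 ipsec,error IPsec-SA expired before finishing rekey: IP_OF_CLIENT[4500]<->IP_OF_VPN_Router[4500] spi=0xb93a775
10:04:11 ipsec,info killing ike2 SA: IP_OF_VPN_Router[4500]-IP_OF_CLIENT[4500] spi:e4956eaededf97f6:870f419dd796c477
10:04:11 ipsec IPsec-SA killing: IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177
10:04:11 ipsec IPsec-SA killing: IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775
"""

# "HH:MM:SS ipsec[,level] message" as printed by RouterOS /log
LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}) ipsec(?:,(?P<level>\w+))? (?P<msg>.*?)\s*$")
# Child-SA lifecycle events; "expired" lines carry an extra "ESP/Tunnel " prefix
SA_EVENT_RE = re.compile(
    r"^IPsec-SA (?P<event>established|expired|killing): (?:ESP/Tunnel )?"
    r"(?P<src>\S+)->(?P<dst>\S+) spi=(?P<spi>0x[0-9a-fA-F]+)$"
)
REKEY_FAIL_RE = re.compile(
    r"^IPsec-SA expired before finishing rekey: \S+<->\S+ spi=(?P<spi>0x[0-9a-fA-F]+)$"
)


def parse_time(hhmmss):
    """RouterOS log lines in the excerpt carry time of day only, no date."""
    return datetime.strptime(hhmmss, "%H:%M:%S")


def analyze(log_text, short_lived=timedelta(seconds=60)):
    """Correlate IPsec-SA events per SPI and flag rekey trouble.

    Returns a dict with:
      sas                        per-SPI first timestamp of each event, plus lifetime
      rekey_failures             (time, spi) from the explicit ipsec,error line
      short_lived                (spi, seconds) for SAs that expired sooner than
                                 `short_lived` after being established
      expired_without_establish  SPIs whose establishment is not in the excerpt
    """
    sas = {}
    failures = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        t, msg = parse_time(m["time"]), m["msg"]
        ev = SA_EVENT_RE.match(msg)
        if ev:
            entry = sas.setdefault(ev["spi"], {"src": ev["src"], "dst": ev["dst"]})
            entry.setdefault(ev["event"], t)  # keep the first occurrence of each event
            continue
        rf = REKEY_FAIL_RE.match(msg)
        if rf and m["level"] == "error":
            failures.append((t, rf["spi"]))

    report = {"sas": sas, "rekey_failures": failures,
              "short_lived": [], "expired_without_establish": []}
    for spi, e in sas.items():
        if "established" in e and "expired" in e:
            life = e["expired"] - e["established"]
            if life < timedelta(0):
                life += timedelta(days=1)  # no date in the log: assume one midnight wrap
            e["lifetime"] = life
            if life < short_lived:
                report["short_lived"].append((spi, int(life.total_seconds())))
        elif "expired" in e:
            report["expired_without_establish"].append(spi)
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    for t, spi in r["rekey_failures"]:
        print(f"{t:%H:%M:%S} rekey failed for child SA {spi}")
    for spi, secs in r["short_lived"]:
        e = r["sas"][spi]
        print(f"{spi}: {e['src']} -> {e['dst']} expired only {secs}s after being established")
    for spi in r["expired_without_establish"]:
        print(f"{spi}: expired; its establishment is before this excerpt")
```

Run against the sample, the script reports the error for 0xb93a775 and shows that the pair 0xa37f177/0xb93a775 established at 10:04:00 expired at 10:04:08, eight seconds later, against a peer lifetime of 1h in the posted configuration; that gap, rather than the final error line, is the detail worth putting in a support ticket. Feed it `/log print where topics~"ipsec"` output from a router to check other tunnels the same way.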