terrancesiu
just joined
Topic Author
Posts: 4
Joined: Sat Aug 20, 2016 4:53 pm

IKEv2: IOS (10.2) and MacOSX (10.12.1) disconnect after 480 Sec

Wed Dec 21, 2016 3:49 am

I am trying to set up an IKEv2 VPN for all platforms (Windows, Mac, iOS). Everything works fine so far. The only issue I have is that iOS (10.2) and Mac OS X (10.12) (native clients) disconnect after 480 sec (8 min). Does anyone have similar issues or an idea why this happens?

Regards,

version:
RouterOS 6.38rc51

log:
09:36:19 ipsec KA: 175.10.54.123[4500]->111.47.210.5[59322] 
09:36:19 ipsec,debug 1 times of 1 bytes message will be sent to 111.47.210.5[59322] 
09:36:19 ipsec,debug,packet ff 
09:26:39 ipsec,debug 1 times of 1 bytes message will be sent to 111.47.210.5[45185] 
09:36:20 ipsec,debug ===== received 412 bytes from 111.47.210.5[62075] to 175.10.54.123[4500] 
09:36:20 ipsec ike2 request exchange: CREATE_CHILD_SA id: 2 
09:36:20 ipsec peer confirmed 
09:36:20 ipsec peer ports changed: 59322 -> 62075 
09:36:20 ipsec KA remove: 175.10.54.123[4500]->111.47.210.5[59322] 
09:36:20 ipsec,debug KA tree dump: 175.10.54.123[4500]->111.47.210.5[59322] (in_use=1) 
09:36:20 ipsec,debug KA tree dump: 175.10.54.123[4500]->111.47.210.5[59322] (in_use=1) 
09:36:20 ipsec,debug KA removing this one... 
09:36:20 ipsec KA list add: 175.10.54.123[4500]->111.47.210.5[62075] 
09:36:20 ipsec payload seen: ENC 
09:36:20 ipsec processing payload: ENC 
09:36:20 ipsec,debug => iv (size 0x10) 
09:36:20 ipsec,debug 1675daef 5d7f71c4 0a347bde 08fb2f9d 
09:36:20 ipsec decrypted 
09:36:20 ipsec,debug,packet => decrypted packet (size 0x154) 
09:36:20 ipsec payload seen: SA 
09:36:20 ipsec payload seen: NONCE 
09:36:20 ipsec payload seen: KE 
09:36:20 ipsec request while waiting for dpd 
09:36:20 ipsec create child: respond 
09:36:20 ipsec processing payload: NONCE 
09:36:20 ipsec processing payloads: NOTIFY 
09:36:20 ipsec none payloads found! 
09:36:20 ipsec,error payload missing: TS_I 
09:36:20 ipsec reply notify: INVALID_SYNTAX 
09:36:20 ipsec adding payload: NOTIFY 
09:36:20 ipsec   notify: INVALID_SYNTAX 
09:36:20 ipsec,debug,packet => outgoing plain packet (size 0x24) 
09:36:20 ipsec,debug,packet e307c821 d33280a6 1ab93422 80f87c43 29202420 00000002 00000024 00000008 
09:36:20 ipsec,debug,packet 00000007 
09:36:20 ipsec adding payload: ENC 
09:36:20 ipsec,debug => (size 0xd0) 
09:36:20 ipsec,debug ===== sending 236 bytes from 175.10.54.123[4500] to 111.47.210.5[62075] 
09:36:20 ipsec,debug 1 times of 240 bytes message will be sent to 111.47.210.5[62075] 
09:36:20 ipsec,info killing ike2 SA: 175.10.54.123[4500]-111.47.210.5[62075] spi:1ab9342280f87c43:e307c821d33280a6 
09:36:20 ipsec IPsec-SA killing: 111.47.210.5[62075]<->175.10.54.123[4500] spi=0xdabfb52 
09:36:20 ipsec IPsec-SA killing: 175.10.54.123[4500]<->111.47.210.5[62075] spi=0x186b856 
09:36:20 ipsec removing generated policy 
09:36:20 ipsec adding payload: DELETE 
09:36:20 ipsec,debug => (size 0x8) 
09:36:20 ipsec,debug 00000008 01000000 
09:36:20 ipsec,debug,packet => outgoing plain packet (size 0x24) 
09:36:20 ipsec,debug,packet e307c821 d33280a6 1ab93422 80f87c43 2a202500 00000001 00000024 00000008 
09:36:20 ipsec,debug,packet 01000000 
09:36:20 ipsec adding payload: ENC 
09:36:20 ipsec,debug => (size 0xd0) 
09:36:20 ipsec,debug ===== sending 236 bytes from 175.10.54.123[4500] to 111.47.210.5[62075] 
09:36:20 ipsec,debug 1 times of 240 bytes message will be sent to 111.47.210.5[62075] 
09:36:20 ipsec KA remove: 175.10.54.123[4500]->111.47.210.5[62075] 
09:36:20 ipsec,debug KA tree dump: 175.10.54.123[4500]->111.47.210.5[62075] (in_use=1) 
09:36:20 ipsec,debug KA tree dump: 175.10.54.123[4500]->111.47.210.5[62075] (in_use=1) 
09:36:20 ipsec,debug KA removing this one... 
09:36:20 ipsec,info releasing address 172.31.1.248 
09:36:20 ipsec,debug ===== received 76 bytes from 111.47.210.5[62075] to 175.10.54.123[4500] 
09:36:20 ipsec,debug,packet e307c821 d33280a6 1ab93422 80f87c43 2e202528 00000001 0000004c 00000030 
09:36:20 ipsec,debug,packet 7f01135f 93450de0 755d0f43 401f787c 76ea257f 688f417b 5258993f e8e87d67 
09:36:20 ipsec,debug,packet 647f90d3 c9ef0a65 dead3fb1 
09:36:20 ipsec ike2 answer exchange: INFORMATIONAL id: 1 
09:36:20 ipsec spi not registred 
09:36:20 ipsec,debug ===== received 76 bytes from 111.47.210.5[62075] to 175.10.54.123[4500] 
09:36:20 ipsec,debug,packet e307c821 d33280a6 1ab93422 80f87c43 2e202508 00000003 0000004c 2a000030 
09:36:20 ipsec,debug,packet 76562f3e dd9c45e6 edd608de ff3012ea f2d68bec 3913b4d4 677b090d 038c8aa7 
09:36:20 ipsec,debug,packet 6625b1f0 817c0063 e8bdbb80 
09:36:20 ipsec ike2 request exchange: INFORMATIONAL id: 3 
09:36:20 ipsec spi not registred 
config:
[admin@MikroTik] /ip pool> export 
# dec/21/2016 09:32:17 by RouterOS 6.38rc51
/ip pool
add name=dhcp ranges=172.31.0.1-172.31.0.239
add name=pool1 ranges=172.31.1.1-172.31.1.253
[admin@MikroTik] /ip pool> /ip ipsec 
[admin@MikroTik] /ip ipsec> export 
# dec/21/2016 09:32:17 by RouterOS 6.38rc51
/ip ipsec mode-config
add address-pool=pool1 address-prefix-length=32 name=cfg1 split-include=172.31.0.0/24
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc
/ip ipsec peer
add auth-method=rsa-signature certificate=fullchain.pem_0 enc-algorithm=aes-256,aes-128 exchange-mode=ike2 generate-policy=\
    port-strict mode-config=cfg1 passive=yes
/ip ipsec policy
set 0 dst-address=172.31.1.0/24 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 src-address=172.31.1.0/24 template=yes
[admin@MikroTik] /ip ipsec> /ip address export 
# dec/21/2016 09:33:56 by RouterOS 6.38rc51
/ip address
add address=172.31.0.254/24 interface=bridge1 network=172.31.0.0
add address=172.31.1.254/24 interface=bridge1 network=172.31.1.0     
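
A triage sketch for the log above, added here as an example (it is not part of the original post and not MikroTik code): it groups the `payload seen:` lines under each CREATE_CHILD_SA request, labels the request by its payload set as RFC 7296 section 1.3 lays it out (SA, NONCE and KE without traffic selectors is a rekey of the IKE SA itself; TS payloads mean a Child SA), and records how the responder reacted. The sample lines are a constructed excerpt that follows the message wording of the posted log; the `TS_R` label, the documentation addresses and the function names are assumptions.

```python
import re

# Constructed excerpt; message wording follows the RouterOS log in the post above.
SAMPLE_LOG = """\
09:36:20 ipsec ike2 request exchange: CREATE_CHILD_SA id: 2
09:36:20 ipsec payload seen: ENC
09:36:20 ipsec payload seen: SA
09:36:20 ipsec payload seen: NONCE
09:36:20 ipsec payload seen: KE
09:36:20 ipsec,error payload missing: TS_I
09:36:20 ipsec reply notify: INVALID_SYNTAX
09:36:20 ipsec,info killing ike2 SA: 198.51.100.1[4500]-203.0.113.5[62075]
09:36:20 ipsec ike2 request exchange: INFORMATIONAL id: 3
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")
REQUEST = re.compile(r"ike2 request exchange: (\S+) id: (\d+)")
FIELDS = {"payload seen: ": "payloads", "payload missing: ": "missing",
          "reply notify: ": "notify"}

def classify(payloads):
    """Label a CREATE_CHILD_SA request by its payload set (RFC 7296, section 1.3)."""
    seen = set(payloads)
    if not {"SA", "NONCE"} <= seen:
        return "malformed"
    if seen & {"TS_I", "TS_R"}:      # TS_R label is an assumption; the log shows TS_I
        return "child-sa"            # creating or rekeying a Child SA
    return "ike-sa-rekey" if "KE" in seen else "malformed"

def triage(log_text):
    """Return one record per CREATE_CHILD_SA request, with the responder's reaction."""
    records, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        time, _topics, msg = m.groups()
        req = REQUEST.search(msg)
        if req:                      # any new request closes the previous record
            cur = None
            if req.group(1) == "CREATE_CHILD_SA":
                cur = {"time": time, "msg_id": int(req.group(2)), "payloads": [],
                       "missing": [], "notify": [], "sa_killed": False}
                records.append(cur)
        elif cur is not None:
            for prefix, key in FIELDS.items():
                if msg.startswith(prefix):
                    cur[key].append(msg[len(prefix):].strip())
            cur["sa_killed"] |= msg.startswith("killing ike2 SA")
    for rec in records:
        rec["kind"] = classify(rec["payloads"])
    return records
```

A record with kind `ike-sa-rekey`, `TS_I` in `missing` and `sa_killed` set marks a request that carried the IKE SA rekey payload set, was rejected for lacking a traffic selector, and ended with the SA torn down, which is the sequence in the posted log.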
 
trunet
newbie
Posts: 28
Joined: Thu Jun 06, 2013 3:55 am

Re: IKEv2: IOS (10.2) and MacOSX (10.12.1) disconnect after 480 Sec

Thu Dec 29, 2016 3:46 pm

See reply on http://forum.mikrotik.com/viewtopic.php ... 00#p575002

It's a bug; they will fix it in one of the next RC releases.
 
terrancesiu
just joined
Topic Author
Posts: 4
Joined: Sat Aug 20, 2016 4:53 pm

Re: IKEv2: IOS (10.2) and MacOSX (10.12.1) disconnect after 480 Sec

Tue Jan 10, 2017 3:55 am

Has been resolved: iOS / macOS all use aes-256 and sha256, DH group choice 14. Fully configurable in 6.38 current.
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=fullchain.pem_0 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=\
    port-strict hash-algorithm=sha256 mode-config=cfg1 passive=yes
/ip ipsec policy
set 0 dst-address=172.30.0.0/15 src-address=0.0.0.0/0
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec mode-config
add address-pool=pool1 address-prefix-length=32 name=cfg1 split-include=172.30.0.0/15 system-dns=no
/ip address
add address=172.31.1.254/24 interface=ether3 network=172.31.1.0
/ip pool
add name=pool1 ranges=172.31.1.1-172.31.1.253
/ip firewall nat
add action=accept chain=srcnat dst-address=172.31.1.0/24 src-address=172.31.0.0/24
add action=accept chain=srcnat dst-address=172.31.0.0/24 src-address=172.31.1.0/24
add action=src-nat chain=srcnat out-interface=pppoe-out1 src-address=172.31.0.0/24 to-addresses=pppoe-out1 address
add action=src-nat chain=srcnat out-interface=pppoe-out2 src-address=172.31.0.0/24 to-addresses=pppoe-out1 address
