vrubert
just joined
Topic Author
Posts: 2
Joined: Fri May 08, 2015 8:42 pm

IPSec tunnel between RouterOS and Amazon AWS VPC

Fri May 08, 2015 9:27 pm

Hi, we've been trying to establish an IPsec tunnel between our institution (with MikroTik hardware) and Amazon AWS's IPsec implementation with no success. The problem is a little weird, so I will try to describe it.

Amazon AWS provides us generic configuration documentation so we can configure the router on our side. The IPsec tunnel gets established correctly; it works for some minutes but then suddenly gets disconnected (the installed SAs disappear). It reconnects after a new negotiation, but this behaviour makes the tunnel unusable (4 minutes perfect, 20 seconds stuck).

We're using this configuration on our side (removed the private part of the configuration, IPs and secret key):

/ip ipsec peer add address=xx.xx.xx.xx/32 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-128 lifetime=8m local-address=xx.xx.xx.xx nat-traversal=no secret=xxxxxx

/ip ipsec policy add dst-address=xx.xx.xx.xx/16 sa-dst-address=xx.xx.xx.xx sa-src-address=xx.xx.xx.xx src-address=xx.xx.xx.xx/32 tunnel=yes

Everything gets negotiated perfectly, but after these few minutes the installed keys disappear.

Does anyone have any experience connecting MikroTik HW with an AWS VPN who can give us any suggestion about the problem?
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: IPSec tunnel between RouterOS and Amazon AWS VPC

Tue May 12, 2015 11:48 pm

Enable logging on IPsec and look at the logs generated when it disconnects; also try a packet capture to know what's exactly happening.

Doesn't AWS generate any logs about it?
vrubert
just joined
Topic Author
Posts: 2
Joined: Fri May 08, 2015 8:42 pm

Re: IPSec tunnel between RouterOS and Amazon AWS VPC

Wed May 13, 2015 11:48 am

We activated all kinds of IPsec logging, and there was no evidence of error. The only thing we can see is that the installed SAs, which have enough lifetime remaining, suddenly disappear and the negotiation starts again.

We don't have access to the AWS tunnel log; this is a self-administered service with no configuration/log exposed to the client, and the official AWS technical support gave us a few pieces of advice for our end (with no result), but they can't provide us more information because this is a global configuration and they don't have authorization to log in and test our tunnel. :(

Now we are going to establish the tunnel with the AWS officially supported hardware, but it's a real shame that MikroTik/RouterOS is not supported.
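An added example, not posted by either participant, that makes chechito's "look at the logs" advice concrete for the symptom vrubert describes: it pairs IPsec-SA install and purge events per SPI, flags SAs torn down well before the configured lifetime (8m in the peer config above), and measures the outage gap until the next SA comes up. The log lines are constructed and the simplified "time topic message" format is an assumption, not a real RouterOS capture.

```python
import re
from datetime import datetime

# Constructed sample log (assumption: simplified "HH:MM:SS topic message" lines modelled on
# racoon-style IPsec messages, not a real RouterOS capture). The first SA pair is purged after
# ~4 minutes despite an 8m lifetime, a new pair comes up 20 s later and lives its full 480 s.
SAMPLE_LOG = """\
10:00:01 ipsec,info IPsec-SA established: ESP/Tunnel 198.51.100.1->203.0.113.1 spi=0x1001
10:00:01 ipsec,info IPsec-SA established: ESP/Tunnel 203.0.113.1->198.51.100.1 spi=0x1002
10:04:05 ipsec,info purging IPsec-SA spi=0x1001
10:04:05 ipsec,info purging IPsec-SA spi=0x1002
10:04:25 ipsec,info IPsec-SA established: ESP/Tunnel 198.51.100.1->203.0.113.1 spi=0x1003
10:04:25 ipsec,info IPsec-SA established: ESP/Tunnel 203.0.113.1->198.51.100.1 spi=0x1004
10:12:25 ipsec,info purging IPsec-SA spi=0x1003
10:12:25 ipsec,info purging IPsec-SA spi=0x1004
"""

LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d) \S+ (IPsec-SA established|purging IPsec-SA).*spi=(0x[0-9a-f]+)")

def sa_timeline(log_text, lifetime_s, slack_s=15):
    """Pair install/purge events per SPI.

    Returns ([(spi, up_seconds, premature), ...], [gap_seconds, ...]): premature means the SA
    was torn down more than slack_s before the configured lifetime (slack covers normal
    pre-expiry rekeying); each gap is the time from a purge to the next install.
    """
    installed, results, gaps, last_purge = {}, [], [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%H:%M:%S")
        event, spi = m.group(2), m.group(3)
        if event == "IPsec-SA established":
            installed[spi] = when
            if last_purge is not None:          # tunnel was down until this install
                gaps.append((when - last_purge).total_seconds())
                last_purge = None
        elif spi in installed:
            up = (when - installed.pop(spi)).total_seconds()
            results.append((spi, up, up < lifetime_s - slack_s))
            last_purge = when
    return results, gaps

if __name__ == "__main__":
    sas, outages = sa_timeline(SAMPLE_LOG, lifetime_s=8 * 60)   # lifetime=8m from the peer config
    for spi, up, premature in sas:
        print(f"{spi}: up {up:.0f}s{'  <-- torn down early' if premature else ''}")
    print("outage gaps (s):", outages)
```

Run against a real export of the ipsec log topic, an SA flagged as premature with no matching error line points at the remote side deleting the SA, which is what a packet capture of the ISAKMP exchange around that timestamp should then confirm.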
