Hello,
I have working ipsec VPN between RB1000 (RouterOS 3.27) and some cisco (don't know type and configuration - I don't configured this side). Everything is working just fine, but sometimes (after some packet loss I think) connection falls and it is impossible from now on to create correct SA. Log says this:
08:54:09 ipsec 11.11.11.11 give up to get IPsec-SA due to time up to wait.
08:54:09 ipsec IPsec-SA expired: ESP/Tunnel 11.11.11.11[0]->22.22.22.22[0] spi=131319079(0x7d3c527)
08:54:12 ipsec initiate new phase 2 negotiation: 22.22.22.22[500]<=>11.11.11.11[500]
08:54:42 ipsec 11.11.11.11 give up to get IPsec-SA due to time up to wait.
08:54:42 ipsec IPsec-SA expired: ESP/Tunnel 11.11.11.11[0]->22.22.22.22[0] spi=143755602(0x8918952)
08:54:43 ipsec initiate new phase 2 negotiation: 22.22.22.22[500]<=>11.11.11.11[500]
08:55:13 ipsec 11.11.11.11 give up to get IPsec-SA due to time up to wait.
etc... (11.11.11.11 is cisco, 22.22.22.22 is RB)
I need to flush SA, disable proposal, peer and policy and enable them again. After these steps, SA is created without no problem.
I don't know what could cause this problem and even how to determine source of it. Could it be bug, misconfiguration, problem on cisco side or something else...
Current configuration includes: NAT, filter, ipsec, arp-proxy for pptp and pptp.
/ip ipsec proposal
set default auth-algorithms=md5 disabled=no enc-algorithms=aes-256 lifetime=20m name=default pfs-group=none
/ip ipsec peer
add address=11.11.11.11/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=aes-256 exchange-mode=\
main generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=hiddenkey send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.10.0/24:any ipsec-protocols=esp level=require priority=1 proposal=default protocol=all sa-dst-address=11.11.11.11 \
sa-src-address=22.22.22.22 src-address=172.17.0.0/24:any tunnel=yes
Thank you very much for any ideas.
-
-
andrewluck
Forum Veteran
- Posts: 700
- Joined:
- Location: Norfolk, UK
Re: ipsec disconnect sometimes
Try enabling Dead Peer Detection.
Andrew
Andrew
Re: ipsec disconnect sometimes
OK. I will try it.
Thank you Andrew.
Thank you Andrew.
Re: ipsec disconnect sometimes
Dear Sirs.,
I am new using Mikrotik and also having the same problem as you explain here. I have to reboot the router everytime this happen. I have configured DPD but the problem persists. Did you resolved in some way ?
Thanks in advancve.
I am new using Mikrotik and also having the same problem as you explain here. I have to reboot the router everytime this happen. I have configured DPD but the problem persists. Did you resolved in some way ?
Thanks in advancve.