About ipsec site to site vpn,need help

koinak · November 4, 2013, 6:43am

Hi,all.i use MikroTik RouterOS(v2.9.26) router made a sitetosite vpn to CISCO Router.Testing the IPsec tunnel is work.But when run after 24hr,the vpn will auto break off and need reboot the MikroTik router the vpn can re-connection.How to fix this issue?Thx.

TheOtherNeo · November 4, 2013, 8:18am

I’m having the same issue at the moment between a V5.3 and V6.3 firmware RouterBoard. The link is established, it sends data to the remote unit, but it isn’t receiving anything back. I have also rebooted both units but still it persists.

As a note, the V6 unit is on an ISP assigned dynamic PPPoE address and the V5 unit on a static IP.

leonset · November 4, 2013, 12:20pm

Why are you using such an old version? (v2.9.26)

koinak · November 4, 2013, 3:52pm

Is very strange,these is the router log when the IPsec tunnel is working after 12hours,some one can fix this issue?Thx a lot~
19:05:20 ipsec,ike,info received ISAKMP packet from 209.xxx.xxx.xxx:500, phase
2, Quick
19:05:20 ipsec,ike,info received ISAKMP packet from 209.xxx.xxx.xxx:500, phase
2, Quick
19:05:20 ipsec,ike,info received ISAKMP packet from 209.xxx.xxx.xxx:500, phase
2, Quick
19:06:04 ipsec,ike,info phase 1 expired (remote unknown)
19:06:04 ipsec,ike,info phase 1 expired (local 202.xxx.xxx.xxx:500) (remote
209.xxx.xxx.xxx:500)
19:06:05 ipsec,ike,info phase 1 deleted (local 202.xxx.xxx.xxx:500) (remote
209.xxx.xxx.xxx:500)
19:06:07 ipsec,ike,info received ISAKMP packet from 209.xxx.xxx.xxx:500, phase
2, Informational
19:06:07 ipsec,ike,info unexpected Informational exchange (remote unknown)
.
.
.

koinak · November 4, 2013, 3:57pm

Because the 2.9 is very stable and working fine,so i don’t upgrade to new version.You means upgrade to new version can fix this issue?

koinak · November 5, 2013, 2:37am

Yeah,is very strange,the iIPsec tunnel show is established ,buy the log show a error:

ip ipsec policy> print stats
Flags: X - disabled, D - dynamic, I - invalid
0 src-address=192.168.184.0/24:any dst-address=192.168.220.0/24:any
protocol=all ph2-state=established in-accepted=0 in-dropped=0
out-accepted=0 out-dropped=1 encrypted=6 not-encrypted=0 decrypted=6
not-decrypted=0

1 src-address=192.168.184.0/24:any dst-address=192.168.112.0/24:any
protocol=all ph2-state=established in-accepted=0 in-dropped=0
out-accepted=0 out-dropped=0 encrypted=4 not-encrypted=0 decrypted=4
not-decrypted=0

2 src-address=192.168.184.0/24:any dst-address=192.168.104.0/24:any
protocol=all ph2-state=established in-accepted=0 in-dropped=0
out-accepted=0 out-dropped=0 encrypted=6 not-encrypted=0 decrypted=4
not-decrypted=0

router log:
10:33:20 ipsec,ike,info received ISAKMP packet from 209.xxx.xxx.xxx:500, phase
2, Quick
10:33:20 ipsec,ike,info responding phase 2 (src 202.xxx.xxx.xxx) (dst
209.XXX.XXX.XXX)
10:33:20 ipsec,ike,info no policy found (remote unknown)
10:33:20 ipsec,ike,info no proposal found (remote unknown)
10:33:20 ipsec,ike,info failed to pre-process packet (remote unknow