Cisco lan-to-lan IPSEC tunnel

Hi!

I am having some issues with my VPN-tunnel and I have been searching the forum without finding anything usable.

The tunnel works perfectly but 2-3, sometimes maybe 4-5 times a day, the tunnel is disconnected and it’s not re-established until I have run “/ip ipsec installed-sa flush sa-type=all”.

I’ve tried everything (as far as I know), both configurations are identical, they use the same NTP-servers for time, upgraded to version 5.7 etc etc.

Does anybody have an idea of what might cause this?

I do know that Mikrotik follows the RFC for IPSEC whilst Cisco doesn’t and that this might be the issue. But is there any work-around?

I’m currently testing scheduling “/ip ipsec installed-sa flush sa-type=all” for every hour but it doesn’t feel like the “correct” solution. Feels like a bad workaround.

Appreciate any help!

Marcus

Yesterday I checked the box “Generate Policy” and after that it was almost up for 24 hours!

Unfortunately the vpn died at 17:18 today and got back online at 17:30 when my scheduled flush ran.
Nothing in the logs as far as I can see, attached.

Hello!
does anybody have any idea of the issue?
We have the same problem, (RB1200, ROS 5.7) , ipsec RB1200 ↔ Cisco PIX 525

IPSEC periodically stops working without any reason.
Sometimes it comes up after initiating the connection from the Mikrotik;
if that doesn’t help, we use /ip ipsec installed-sa flush sa-type=all

Hi,

To be concise - there is no good solution for this. Cisco does not follow the RFC for IPSEC and Mikrotik does. Therefore the Mikrotik will want to create a new SA every time that the VPN lifetime is reached.
The Cisco doesn’t care about that and keeps using the old one - hence new tunnel cannot be established.

The only solution I have found is to schedule “/ip ipsec installed-sa flush sa-type=all” once every hour on the Mikrotik. One packet is lost every hour so I wouldn’t say that this is a good solution - it’s just a workaround.

Until Cisco decides to follow the RFC or Mikrotik creates a “Cisco-support” - the VPN won’t work well no matter what settings you change.

makkan, thank you for your answer!
Following your idea, if IPsec is configured between two Mikrotik routers, it should work fine.

Besides, which exact RFC did you mean?
http://en.wikipedia.org/wiki/IPsec

Hi,

Yes - IPSec between two Mikrotiks should work without any issues but I’ve never tried it.

I’m not 100% sure about which RFC - but that’s what I have been told by some highly decorated Mikrotik technicians :wink:

It is strange that Cisco doesn’t follow the RFC, which they themselves created.

Maybe there is another explanation?

If “cisco - mikrotik” IPsec is a real problem, why is there no official information about it?
Cisco is extremely popular equipment.

We provide a solution that transfers all traffic through an IPSEC tunnel. We use RouterBoard with Linksys RV042 and RV082. The same problem occurs on every installation. So I always configure a schedule to flush ipsec. There is no way to fix it using lifetime or dead-peer-detection. I believe MT-to-MT works without disconnection. But RouterOS doesn’t support an IPSec tunnel with dst-address=0.0.0.0/0. If you create a tunnel with destination network 0.0.0.0/0, you cannot access the ROS itself. MT Support said that ROS encrypts all packets, even those destined to itself and sourced from a directly connected IP subnet.

Yes - that’s indeed very strange!
I have been working with Cisco to Cisco VPNs without any problems for a long time and with Cisco to MT VPN for the past 6 months and I’ve tried everything I can come up with but there simply is no solution, or I just don’t know how to do it.

The Mikrotik developers say that there are no problems with Cisco to MT VPNs but that you might need to use DPD (Dead peer detection) on both ends. However, I never had any luck with that and a lot of other people haven’t had any luck either.

My suggestion to the MT developers would be to make an official statement that Mikrotik is not compatible with VPN to Cisco devices.

Hi,

I have seen the same problem. The only thing I found: Mikrotik doesn’t send any ipsec traffic to the peer after some time - even if a valid SA is present on the Mikrotik side.

This situation happens more frequently on idle tunnels, and very busy tunnels run almost without any problems. So you need to pass some data often (DPD doesn’t help, this is an IKE mechanism).

Dan

Thanks for sharing Dan!

I actually saw the same thing just some hours ago. The tunnel was running fine for 20min with a constant ping via the tunnel, but as soon as I terminated the ping it went down.

Seems like a workable solution is to keep a constant icmp ping going.

Hi MT guys, please pay attention to this post. If we are right, please make an official announcement that IPSec doesn’t support a Cisco-with-MT solution and also doesn’t support MT-with-MT using destination=0.0.0.0/0.

I have the same problem. :frowning:

HI,

Since I had a similar problem I’ve made a script as a workaround.
It is working OK. Sometimes it doesn’t help, and in those cases (maybe once per month or two) I have to change the encryption from MD5 to SHA1 on the proposal.
Then flush all and voilà, it’s working :slight_smile:

So if anybody else needs a script here it is:

Ipsec-Tunnel-Down
# e-mail recipient(s) notified when the tunnel is flushed
:local mailAddresses ("joe@keks.edu");
# host on the far side of the tunnel that should answer pings
:local IPWatchServer 172.30.120.10;
:local sysName [/system identity get name];
# ping from the LAN-side address so the probes match the IPsec policy;
# fewer than 5 of 10 replies is treated as a dead tunnel
:if ([/ping src-address=172.30.110.1 $IPWatchServer count=10]<5) do={
  /ip ipsec installed-sa flush sa-type=all
  /tool e-mail send from="$sysName@keks.edu" server="172.30.110.10" body="VoIP IPSec Tunnel on $sysName is down" subject="IPSEC down" to=$mailAddresses
  :log info "IPSEC down: Flushing Installed SA!"
} else={
  :log info "IPSEC Tunnel OK"
}

I run this script once every minute…
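As an added example (not the poster’s script, and not from MikroTik), this combines the observation made earlier in the thread that idle tunnels die with the flush-on-failure approach above: the probe is sourced from the LAN-side address so it matches the IPsec policy and doubles as a keepalive, and the SAs are flushed only after two consecutive failed checks, so a moment of packet loss does not cost the tunnel. The addresses, the script name and the scheduler name are placeholders.

```routeros
# --- script source: paste into /system script as "ipsec-watch" ---
# placeholder addresses: peer-side LAN host and our LAN-side address
:local peerLan 172.30.120.10
:local srcLan 172.30.110.1

# global counter survives between runs; starts undefined on first run
:global ipsecFails
:if ([:typeof $ipsecFails] = "nothing") do={ :set ipsecFails 0 }

# 5 probes through the tunnel (also keeps it busy); <3 replies = failed check
:if ([/ping $peerLan src-address=$srcLan count=5] < 3) do={
    :set ipsecFails ($ipsecFails + 1)
    :log warning ("IPsec check failed (" . $ipsecFails . " in a row)")
} else={
    :set ipsecFails 0
}

# flush only after two consecutive failures, then reset the counter
:if ($ipsecFails >= 2) do={
    :log error "IPsec peer unreachable twice, flushing installed SAs"
    /ip ipsec installed-sa flush sa-type=all
    :set ipsecFails 0
}

# --- scheduler entry: run once at the terminal to start the checks ---
/system scheduler add name=ipsec-watch interval=1m on-event=ipsec-watch
```

With a one-minute interval the tunnel is flushed at most about two minutes after the peer stops answering, and a busy tunnel that answers every probe is never touched.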

Have you tried setting “level=use” instead of “level=require” or “level=unique” in an ipsec policy?

Yep - that made no difference for me.

Chiming in with the same problem.

Same issue here with RouterOS 5.2 connecting to a VPN 3000 series concentrator. We also have noticed that you are unable to enter a CIDR notation IP subnet in the src-address field when creating a policy. You must enter from the terminal.

Hi again,

Our only solution is that we must setup a Mikrotik VPN concentrator along with our network. There simply is no other solution.

Mikrotik - please make an official statement that your routers are not compatible with Cisco VPNs.

Marcus

Well, we just updated our RB1200 that was having this issue to 5.14 (from 5.2) and we noted a couple of interesting things:

#1 - The problem appears to have gone away.
#2 - No dynamic IPsec policies are generated when you create a policy specifying a src-address subnet (e.g. 10.150.24.245/29). We only see the one policy we’ve created.

The rest of our Tiks have been working properly for many months. These all have a couple of things in common. Firstly, they all have a single src-address. Secondly, they are all on 5.0 or older.