Hello,
I’ve had a flapping IPSEC tunnel for a while now. I cannot find out what the problem is. I can’t see in the logs on either side that the VPN has stopped/started. The other side seems to become unreachable for a good 5-10 minutes and then comes back up again on its own.
I am not 100% sure it is a VPN problem though. I can only notice it because I am SNMP polling devices over the IPSEC tunnel. All devices on the other side of the tunnel go down simultaneously. At the same time, though, I am also polling both routers over SNMP, but not over any IPSEC tunnel.
Here’s the config:
set vpn ipsec esp-group ESP-1 compression 'disable'
set vpn ipsec esp-group ESP-1 lifetime '86400'
set vpn ipsec esp-group ESP-1 mode 'tunnel'
set vpn ipsec esp-group ESP-1 pfs 'dh-group2'
set vpn ipsec esp-group ESP-1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1 proposal 1 hash 'sha1'
set vpn ipsec ike-group IKE-1 ikev2-reauth 'no'
set vpn ipsec ike-group IKE-1 key-exchange 'ikev1'
set vpn ipsec ike-group IKE-1 lifetime '86400'
set vpn ipsec ike-group IKE-1 proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1 proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 88.88.88.88 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 88.88.88.88 authentication pre-shared-secret 'topsecret'
set vpn ipsec site-to-site peer 88.88.88.88 connection-type 'initiate'
set vpn ipsec site-to-site peer 88.88.88.88 default-esp-group 'ESP-1'
set vpn ipsec site-to-site peer 88.88.88.88 ike-group 'IKE-1'
set vpn ipsec site-to-site peer 88.88.88.88 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 88.88.88.88 local-address '88.77.88.77'
set vpn ipsec site-to-site peer 88.88.88.88 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 88.88.88.88 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 88.88.88.88 tunnel 1 local prefix '12.23.34.0/28'
set vpn ipsec site-to-site peer 88.88.88.88 tunnel 1 remote prefix '172.16.214.0/24'
/ip ipsec proposal print detail
name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=1d pfs-group=modp1024
/ip ipsec peer print detail
address=88.77.88.77/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="topsecret" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=claim hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
/ip ipsec policy print detail
src-address=172.16.214.0/24 src-port=any dst-address=12.23.34.0/28 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=88.88.88.88 sa-dst-address=88.77.88.77
proposal=default priority=0
The only difference I can see is in IKE encryption. VyOS can only set aes256, while MikroTik can set aes256 cbc, gcm or ctr. VyOS seems to default to aes256 with CBC anyway. Not sure that is the issue though; the tunnel comes up when started manually.
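Added illustration, not part of the original post and not a diagnosis of the flap described in it: as posted, the tunnel runs IKEv1 with 1024-bit DH (VyOS dh-group 2, RouterOS modp1024) and SHA-1, and the RouterOS peer has dpd-interval=disable-dpd, so neither side will log a dead peer. The fragment below shows the same two ends with dead-peer detection enabled and the proposals moved to SHA-256 and 2048-bit DH (VyOS group 14, RouterOS modp2048). The group names, peer addresses and prefixes are the ones from the post; the 30-second interval, 120-second timeout, the restart action and the five-failure limit are assumed values chosen for illustration, not values the post recommends. Both ends must be changed together, since a mismatched proposal stops the SAs from negotiating at all.

```text
# VyOS side (CLI family used in the post; DPD timer values are assumptions)
set vpn ipsec ike-group IKE-1 dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-1 dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-1 dead-peer-detection timeout '120'
set vpn ipsec ike-group IKE-1 proposal 1 dh-group '14'
set vpn ipsec ike-group IKE-1 proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-1 proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP-1 pfs 'dh-group14'
set vpn ipsec esp-group ESP-1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-1 proposal 1 hash 'sha256'

# RouterOS side, same field names as the peer/proposal output in the post
# (dpd-interval and dpd-maximum-failures values are assumptions)
/ip ipsec peer set [find address=88.77.88.77/32] dpd-interval=30s dpd-maximum-failures=5 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal set [find name=default] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
```

With DPD active on both ends, a peer that stops answering is declared dead, logged, and its SAs torn down and renegotiated, so a genuine tunnel outage leaves a timestamped trace in the IPsec logs on both routers that can be lined up against the SNMP poll failures. Any change to the IKE proposal will drop the current SAs, so apply it in a maintenance window.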