Setup:
- MikroTik (RouterOS 7.22) ↔ FortiGate 200F (FortiOS 7.2.13)
- IKEv2, certificate-based authentication
- AES-256-GCM, ECP521 (DH group 21), SHA-512
- Phase 2 lifetime: 24 hours
IPsec configuration MikroTik:
/ip ipsec profile print detail
Flags: * - DEFAULT
1 name="Remote_Firewall" hash-algorithm=sha512 prf-algorithm=sha512 enc-algorithm=aes-256 dh-group=ecp521 lifetime=1d proposal-check=strict nat-traversal=yes ppk=no dpd-interval=10s dpd-maximum-failures=5
/ip ipsec proposal print detail
Flags: X - DISABLED; * - DEFAULT
1 name="Remote_Firewall" auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=1d pfs-group=ecp521
IPsec configuration FortiGate:
Phase 1:
edit "X_tun"
set type ddns
set interface "x3"
set ike-version 2
set authmethod signature
set net-device disable
set proposal aes256-sha512
set dhgrp 21
set remotegw-ddns "REMOVED_AUTHOR"
set certificate "ipsec_cert"
set peer "ipsec"
next
Phase 2:
edit "X_tun2"
set phase1name "X_tun"
set proposal aes256gcm
set dhgrp 21
set auto-negotiate enable
set keylifeseconds 86400
set src-subnet X.X.0.0 255.255.0.0
set dst-subnet X.X.0.0 255.255.0.0
--> The ICMP outage lasts approximately 2 minutes.
Has anyone seen RouterOS drop input-chain ICMP transiently during IKEv2 Phase 2 rekey, specifically with ECP521/DH21?
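One thing worth ruling out before blaming the rekey itself is a Phase 1/Phase 2 parameter mismatch between the two sides, because the two vendors spell the same settings differently (aes-256-gcm vs aes256gcm, ecp521 vs dhgrp 21, 1d vs 86400). The script below is an added example, not from the post or from either vendor: it parses the RouterOS "print detail" lines and the FortiOS "set" lines quoted above (embedded here as constructed sample text) into a vendor-neutral form and reports any proposal, DH/PFS group, lifetime or IKE-version mismatch. The RouterOS-to-IANA group table and the proposal name normalisation cover the forms seen in the post plus a few common ones; they are assumptions, not a complete mapping of either vendor's option set.

```python
"""Cross-check MikroTik IPsec profile/proposal against FortiGate phase1/phase2.
Added example (not vendor code). Sample config text is constructed from the post."""
import re

# Constructed from the post's RouterOS "print detail" output.
MIKROTIK_PROFILE = ('name="Remote_Firewall" hash-algorithm=sha512 prf-algorithm=sha512 '
                    'enc-algorithm=aes-256 dh-group=ecp521 lifetime=1d proposal-check=strict '
                    'nat-traversal=yes ppk=no dpd-interval=10s dpd-maximum-failures=5')
MIKROTIK_PROPOSAL = ('name="Remote_Firewall" auth-algorithms="" enc-algorithms=aes-256-gcm '
                     'lifetime=1d pfs-group=ecp521')
# Constructed from the post's FortiGate phase1/phase2 blocks (only the compared keys).
FORTI_PHASE1 = "    set ike-version 2\n    set proposal aes256-sha512\n    set dhgrp 21\n"
FORTI_PHASE2 = "    set proposal aes256gcm\n    set dhgrp 21\n    set keylifeseconds 86400\n"

# Assumed mapping of RouterOS group names to IANA IKEv2 DH group numbers.
ROS_DH_GROUPS = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "modp3072": 15,
                 "modp4096": 16, "ecp256": 19, "ecp384": 20, "ecp521": 21}
ROS_TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_routeros(line):
    """key=value pairs from a RouterOS 'print detail' line (quoted values unquoted)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S*)', line)}


def parse_fortios(block):
    """'set <key> <value>' lines from a FortiOS config block."""
    return {k: v.strip('"') for k, v in
            re.findall(r'^\s*set\s+(\S+)\s+(.+?)\s*$', block, re.M)}


def routeros_seconds(value):
    """RouterOS interval such as 1d, 8h, 1d12h -> seconds (HH:MM:SS tails are ignored)."""
    return sum(int(n) * ROS_TIME_UNITS[u] for n, u in re.findall(r'(\d+)([smhd])', value))


def normalize_enc(name):
    """'aes-256-gcm' / 'aes256gcm' / 'aes-256' -> 'aes256gcm' / 'aes256'."""
    return name.replace("-", "").lower()


def ros_pairs(enc_list, auth_list):
    """RouterOS enc/auth lists -> set of (enc, auth); AEAD (GCM) ciphers carry auth=None."""
    encs = [normalize_enc(e) for e in enc_list.split(",") if e]
    auths = [a for a in auth_list.split(",") if a] or [None]
    return {(e, None) if e.endswith("gcm") else (e, a) for e in encs for a in auths}


def forti_pairs(proposal):
    """FortiOS proposal tokens 'aes256-sha512 aes256gcm' -> set of (enc, auth)."""
    pairs = set()
    for token in proposal.split():
        enc, sep, auth = token.rpartition("-")
        pairs.add((normalize_enc(enc), auth) if sep else (normalize_enc(token), None))
    return pairs


def ros_groups(value):
    """RouterOS dh-group/pfs-group list -> set of IANA group numbers ('none' -> empty)."""
    return {ROS_DH_GROUPS[g] for g in value.split(",") if g and g != "none"}


def check_phase1(ros_profile, forti_p1):
    """Return a list of human-readable mismatches between the IKE SA settings."""
    p, f, problems = parse_routeros(ros_profile), parse_fortios(forti_p1), []
    if f.get("ike-version") != "2":
        problems.append("FortiOS ike-version is not 2 (RouterOS profile is IKEv2-capable)")
    ros, fg = ros_pairs(p["enc-algorithm"], p["hash-algorithm"]), forti_pairs(f["proposal"])
    if not ros & fg:
        problems.append(f"phase1 proposal: RouterOS {sorted(ros)} vs FortiOS {sorted(fg)}")
    ros_dh, fg_dh = ros_groups(p["dh-group"]), {int(g) for g in f["dhgrp"].split()}
    if not ros_dh & fg_dh:
        problems.append(f"phase1 DH group: RouterOS {ros_dh} vs FortiOS {fg_dh}")
    return problems


def check_phase2(ros_proposal, forti_p2):
    """Return a list of mismatches between the Child SA (Phase 2) settings."""
    p, f, problems = parse_routeros(ros_proposal), parse_fortios(forti_p2), []
    ros = ros_pairs(p["enc-algorithms"], p.get("auth-algorithms", ""))
    fg = forti_pairs(f["proposal"])
    if not ros & fg:
        problems.append(f"phase2 proposal: RouterOS {sorted(ros)} vs FortiOS {sorted(fg)}")
    ros_pfs = ros_groups(p.get("pfs-group", "none"))
    fg_pfs = {int(g) for g in f.get("dhgrp", "").split()} if f.get("pfs", "enable") == "enable" else set()
    if ros_pfs != fg_pfs:
        problems.append(f"phase2 PFS group: RouterOS {ros_pfs} vs FortiOS {fg_pfs}")
    ros_life, fg_life = routeros_seconds(p["lifetime"]), f.get("keylifeseconds")
    if fg_life is None or ros_life != int(fg_life):
        problems.append(f"phase2 lifetime: RouterOS {ros_life}s vs FortiOS {fg_life}s")
    return problems


if __name__ == "__main__":
    for name, found in (("phase1", check_phase1(MIKROTIK_PROFILE, FORTI_PHASE1)),
                        ("phase2", check_phase2(MIKROTIK_PROPOSAL, FORTI_PHASE2))):
        print(name, "OK" if not found else "\n  ".join(["mismatches:"] + found))
```

Run against the two config excerpts from the post it reports no mismatches on either phase, which narrows the question to rekey handling rather than negotiation. Feeding it a profile where only one side's lifetime was changed (for example lifetime=8h on the MikroTik proposal) produces a single phase2 lifetime finding, the kind of asymmetry that makes one peer rekey earlier than the other expects.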