I’m using RouterOS 6.48.6 CHR as an L2TP/IPsec VPN server and an Apple iOS device (iOS 15.1) as the VPN client.
The client disconnects after around 1 hour (most of the time, but not always), and I see a strange phenomenon:
After the VPN connects, 2 new SAs are listed in “ip ipsec installed-sa”; the lifetime is 00:48:00/01:00:00, so they will expire in 1 hour. Then, 48 minutes later, 2 new SAs are created and a log entry is thrown out saying “ISAKMP-SA dying”.
At this moment 4 SAs exist at the same time: 2 of them will expire in 12 minutes and the other 2 in 60 minutes, all new traffic runs through the new SAs, and everything looks fine.
But 12 minutes later, when the 2 old SAs expire, a log entry comes out saying “ISAKMP-SA deleted”, and then all 4 SAs are removed and the VPN connection is interrupted.
How can I prevent those 2 new SAs from being deleted when they have not yet expired?
After digging a little more, I found that when the log “ISAKMP-SA dying” appears, the peer state in “/ip ipsec active-peers” is “expired”, and when 1 hour is reached, the peer is deleted.
So, why is the peer kept in “expired” even though new SAs are installed?
I believe I experience a similar problem on 6.49.2
After 48 minutes I see in RouterOS’s logs the “ISAKMP-SA dying” message for the connected peer (same SPI). Within a second I see in Wireshark that my iOS device tries to re-key Phase 1 (?). Although I see in the logs the “ISAKMP-SA established”, no new SAs are actually added to my /ip ipsec installed-sa.
Then RouterOS requests re-authorization, but iOS ignores the request and proceeds with Phase 2 re-keying. iOS makes a total of 10 attempts over 30 seconds, to which RouterOS does not respond. Then I see two DPD exchanges. Finally, 1 minute later (~53 min since start), iOS sends the Delete and VPN connection is interrupted.
Hello,
Currently, I have several x86/CHR VPSes running L2TP/IKEv2 on both the latest 6 and the latest 7 stable :-S.
RSA/PSK and EAP. I don’t have this problem. Clients mostly use iOS and Windows devices.
There are some hints I can share with you; they may help you discover the issue.
Common Name, Subject Alt Name, peer identities, proposal lifetime/PFS group, profile lifetime/NAT traversal, preferred algorithm & encryption mismatch, firewall/NAT (low possibility).
A config export & logging can also help.
Is it L2TP/IPsec, IPsec (Cisco IPsec, IKEv1) or IKEv2?
I use Cisco IPsec with PSK and xAuth, so certificate-related issues are simply out of the question.
I have no control over DPD / lifetimes on iOS (devices are not MDM), but I can see that the communicated timeout (in Wireshark) is 3600s, which I matched on RouterOS for both Phase 1 (via profile) and Phase 2 (via proposal).
NAT-T (RFC 3947) is enabled and successfully communicated between RouterOS and iOS; at least no errors appear in RouterOS’s logs or in Wireshark.
The firewall is configured to accept UDP 500, 4500 and protocols 50, 51 in the input chain, although the counters for protocols 50 and 51 stay at 0 throughout the session.
Identity is configured to dynamically add a firewall raw record to notrack and, subsequently, accept via the “accept established,related,notrack” firewall rule in the forward chain
There are no errors in RouterOS’s logs (ipsec, !packet), Wireshark doesn’t show any suspicious back’n’forth either.
It’s just like this: on the soft limit (48 min) RouterOS purges the current SAs, iOS sends its Phase 1 proposal, RouterOS ignores it (i.e. it does not reply with the selected transform set) but logs “ISAKMP-SA established” (without adding SAs to installed-sa). Instead RouterOS requests authentication, as if Phase 1 had completed. iOS ignores it and keeps repeating its Phase 1 proposal 9 more times to no avail. In the meantime DPDs are exchanged according to the configured intervals (10 min default on iOS, 2 min default on RouterOS). Then iOS sends Delete, apparently giving up on completing Phase 1.
Who is wrong here? I’m not versed in IPsec, but I think it’s RouterOS, since it completely ignores iOS attempts to establish Phase 1.
It’s IKE PSK.
My port 50 rule only gets hits when the client is an MT.
The L2TP port is 1701 UDP, although I think you certainly have that too and just forgot to mention it, as you already connected to the VPN.
The iOS default Phase 2 lifetime is 30 min.
My server config:
Proposal lifetime 30min
Profile lifetime 1d
DPD interval 120s
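As an added illustration (not configuration posted by anyone in this thread), here is a RouterOS v6 L2TP/IPsec server setup that expresses the three values above (proposal 30m, profile 1d, DPD 120s) together with the input-chain rules and the ipsec logging topic mentioned elsewhere in the thread. The PSK, the `set [ find default=yes ]` targeting of the default profile/proposal, and the choice to allow UDP 1701 only inside IPsec are my assumptions, not settings from the posters.

```routeros
# Added example, not from any poster in this thread: RouterOS v6 L2TP/IPsec server
# with the lifetimes stated above. All secrets and addresses are constructed placeholders.

# Phase 1 (IKE) settings live in the profile: lifetime, DPD interval and NAT-T.
/ip ipsec profile
set [ find default=yes ] lifetime=1d dpd-interval=2m dpd-maximum-failures=5 nat-traversal=yes

# Phase 2 (IPsec SA) settings live in the proposal. The 30m value is what appears
# as the lifetime column in /ip ipsec installed-sa; the soft limit (~80%) is where
# rekeying starts and "ISAKMP-SA dying" is logged.
/ip ipsec proposal
set [ find default=yes ] lifetime=30m pfs-group=none

# L2TP server with IPsec required; ipsec-secret is a placeholder PSK (assumed).
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="REPLACE-WITH-STRONG-PSK" default-profile=default-encryption

# Input chain: IKE (500), NAT-T (4500), ESP for clients not behind NAT, and L2TP
# (1701) only when it arrives inside an IPsec policy (assumed hardening choice).
# Clients behind NAT carry ESP inside UDP 4500, which is why a bare ESP/AH rule
# can show 0 hits for them.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP (non-NAT clients)"
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP only inside IPsec"

# Keep ipsec events (without per-packet noise) in the memory log so the
# dying -> established -> deleted sequence can be reviewed after a drop.
/system logging
add topics=ipsec,!packet action=memory

# Commands to observe the rekey discussed in the thread:
# /ip ipsec installed-sa print
# /ip ipsec active-peers print
# /log print where topics~"ipsec"
```

After a client connects, compare the lifetime shown by `/ip ipsec installed-sa print` with the proposal value and watch `/ip ipsec active-peers print` around the soft limit; a peer that stays in state `expired` while new SAs are being installed is the symptom the original poster describes.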
Did not mention 1701 since I do not use L2TP (no PPP interface is created): “pure” IKEv1 IPsec. On iOS VPN is configured via IPsec, not L2TP/IPsec.
The iOS default Phase 2 lifetime is 30 min.
Are your devices MDM / provisioned via Apple Configurator? Mine aren’t, and the lifetime I see (both in proposals via Wireshark and in RouterOS’s ipsec logs) is 3600s during both phases.
With respect to the note about DPD and Phase 1 re-keying: I have tried disabling it, but I have not seen any difference in Wireshark. Perhaps this setting only applies when RouterOS is a client?
With respect to the IKE traffic note: I believe iOS does not use the IPsec tunnel when it sends its Phase 1 proposal after 48 minutes, but IIRC it includes SPIs. I don’t know whether RouterOS interprets this traffic as local.
With respect to the time sensitivity note: it doesn’t seem to be a problem; the arrival time of the packets is very precise per my observations.
I see. Well, my config is L2TP/IPsec, as the topic says :d
Are your devices MDM / provisioned via Apple Configurator?
No, they are not, and the lifetime is 30 min for me; Cisco is 8H P1/P2.
If you are using bare IKE then there is no client, it’s a peer, and it should apply I guess :d