IPsec Disconnects

spotts78 · November 11, 2014, 11:49pm

I’ve got a RB2011UiAS running 6.19 code with L2TP/IPsec VPN access. Clients(OS X) can connect fine, but active VPN sessions disconnect after 45-60 minutes. The only error I’m seeing before the connections die is. “ipsec,error failed to begin ipsec sa negotiation”

/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 T * group=group1 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes 

/ip ipsec peer print  
Flags: X - disabled, D - dynamic 
 0    address=0.0.0.0/0 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="password"
      generate-policy=port-override exchange-mode=main-l2tp send-initial-contact=no nat-traversal=yes hash-algorithm=sha1
      enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 

/ip ipsec proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=1d pfs-group=modp1024

spotts78 · November 12, 2014, 1:42pm

I turned up logging and was able to capture this when my session abruptly ended after 48+/- minutes:

08:36:09 ipsec IPsec-SA expired: ESP/Transport 1.1.1.1[0]->2.2.2.2[0] spi=15416181(0xeb3b75) 
08:36:09 ipsec IPsec-SA expired: ESP/Transport 2.2.2.2[0]->1.1.1.1[0] spi=95088246(0x5aaee76) 
08:36:14 ipsec respond new phase 1 negotiation: 2.2.2.2[4500]<=>1.1.1.1[4500] 
08:36:14 ipsec begin Identity Protection mode. 
08:36:20 ipsec purged IPsec-SA spi=241275041. 
08:36:20 ipsec purged IPsec-SA spi=2634697. 
08:36:20 ipsec purged IPsec-SA spi=95088246. 
08:36:20 ipsec purged IPsec-SA spi=15416181. 
08:36:20 ipsec purged ISAKMP-SA spi=100183371c6c25fd:5674fea6fab0184c. 
08:36:41 ipsec,error failed to begin ipsec sa negotiation. 
08:36:46 l2tp,ppp,info <l2tp-username>: terminating... - peer is not responding 
08:36:46 l2tp,ppp,info <l2tp-username>: terminating... - peer is not responding 
08:36:46 l2tp,ppp,info,account username logged out, 2916 43229 53439 423 246 
08:36:46 l2tp,ppp,info,account username logged out, 2916 43229 53439 423 246 
08:36:46 l2tp,ppp,info <l2tp-username>: disconnected 
08:36:46 l2tp,ppp,info <l2tp-username>: disconnected

spotts78 · November 13, 2014, 1:09pm

I’ve done some more testing with this and the issue seems to be isolated to OS X and ROS code newer than 6.10

There’s been an issue with OS X since 2011 that Apple has not addressed.
https://discussions.apple.com/thread/3275811?start=0&tstart=0
http://simon.heimlicher.com/articles/2011/03/17/cisco-vpn-10.6.0-3
I’ve tried the racoon workaround described in the articles with no success.

Windows 7 will stay connected solid with 5.x and 6.x ROS code, no problems. OS X works great up until ROS 6.11 then I’ve started experiencing the 48 minute timeout/disconnect.

What changed with IPsec between ROS 6.10 and 6.11?

lambert · November 14, 2014, 2:46am

I have the same problem. I’m just posting a me too here so you know you’re not alone.

http://forum.mikrotik.com/t/ipsec-l2tp-connection-dropping-every-48-minutes/80283/1