I am experiencing some strange behaviour with an IPsec Lan2Lan tunnel between a Draytek router (remote) and a Mikrotik RB750Gr3 (local), where the tunnel for the second subnet disconnects after approximately 45 seconds.
The local router (Mikrotik) has two subnets (192.168.88.0/24 and 192.168.130.0/24) that should be reachable from the remote site (192.168.1.0/24) running the Draytek router and vice versa. Draytek even has a webpage that describes how to configure both sides.
When configuring IPsec on the Draytek it allows you to specify additional networks that should be reachable through the tunnel (Click ‘More’ in the ‘TCP/IP Network Settings’). It also has an option to ‘Create Phase2 SA for each subnet.(IPsec)’. I have this option enabled, so every subnet gets its own tunnel.
The problem is that both tunnels come up, but after about 45 seconds the second tunnel dies. The log on the RB750 shows this when that happens:
19:53:52 ipsec,debug 85.144.11.145 delete payload for protocol ESP
19:53:52 ipsec purged IPsec-SA proto_id=ESP spi=0x8bd188a
19:53:52 ipsec purged IPsec-SA proto_id=ESP spi=0x77f7788
19:53:52 ipsec,debug an undead schedule has been deleted.
19:53:52 ipsec,debug purged SAs.
When specifying the tunnels as being ‘Always On’ on the Draytek, the second tunnel will reconnect, but it takes a few seconds (and thus interrupts traffic through the tunnel):
[admin@MikroTik] /system logging> /ping src-address=192.168.130.1 192.168.1.1
SEQ HOST SIZE TTL TIME STATUS
0 192.168.1.1 56 255 24ms
1 192.168.1.1 56 255 23ms
2 192.168.1.1 56 255 23ms
3 192.168.1.1 56 255 23ms
4 192.168.1.1 56 255 23ms
5 192.168.1.1 56 255 23ms
6 22 (Invalid argument)
7 192.168.1.1 timeout
8 192.168.1.1 56 255 23ms
9 192.168.1.1 56 255 23ms
10 192.168.1.1 56 255 23ms
sent=11 received=9 packet-loss=18% min-rtt=23ms avg-rtt=23ms max-rtt=24ms
Replacing the Draytek with an RB750Gr3 is not an option as the Draytek comes with the FTTH connection at the remote site.
Does anyone have a clue what could be going wrong here?
Mikrotik IPsec configuration:
Software version of the RB750Gr3 is 6.39.1
IPsec peer config:
1 ;;; IPsec tunnel
address=WAN_IP_REMOTE/32 auth-method=pre-shared-key secret="verysecret" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no
proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d dpd-interval=30s
dpd-maximum-failures=3
IPsec policy:
1 A ;;; IPsec tunnel
src-address=192.168.88.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all action=encrypt
level=unique ipsec-protocols=esp tunnel=yes sa-src-address=LOCAL_WAN_IP sa-dst-address=REMOTE_WAN_IP
proposal=draytek priority=0 ph2-count=1
2 A ;;; IPsec tunnel
src-address=192.168.130.0/24 src-port=any dst-address=192.168.1.0/24 dst-port=any protocol=all
action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=LOCAL_WAN_IP
sa-dst-address=REMOTE_WAN_IP proposal=draytek priority=0 ph2-count=1
Proposal:
1 ;;; IPsec proposal Draytek
name="draytek" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=none
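As an added example (not part of the original post or of RouterOS itself), the following script groups the RouterOS ipsec log lines quoted above into SA teardown events, so that a purge preceded by a "delete payload" from the remote address (a peer-initiated teardown) can be told apart from a purge with no such notification (for example a local lifetime expiry). The sample log is the excerpt from the post; the grouping by timestamp and the event field names are this example's own assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample: the RouterOS log excerpt quoted in the post above.
SAMPLE_LOG = """\
19:53:52 ipsec,debug 85.144.11.145 delete payload for protocol ESP
19:53:52 ipsec purged IPsec-SA proto_id=ESP spi=0x8bd188a
19:53:52 ipsec purged IPsec-SA proto_id=ESP spi=0x77f7788
19:53:52 ipsec,debug an undead schedule has been deleted.
19:53:52 ipsec,debug purged SAs.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<topics>ipsec(?:,\w+)*) (?P<msg>.*)$")
DELETE_RE = re.compile(r"^(?P<peer>[\d.]+) delete payload for protocol (?P<proto>\w+)$")
PURGED_RE = re.compile(r"^purged IPsec-SA proto_id=(?P<proto>\w+) spi=(?P<spi>0x[0-9a-fA-F]+)$")


def parse_purge_events(log_text):
    """Group 'delete payload' and 'purged IPsec-SA' lines into teardown events keyed by timestamp.

    Returns a list of dicts {"time", "peer", "protocol", "spis"}. "peer" is None when no
    delete payload from a remote address was logged in the same second as the purge
    (assumption: same-second grouping is good enough for this log format).
    """
    events = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an ipsec log line
        ts, msg = m.group("ts"), m.group("msg")
        ev = events.setdefault(ts, {"time": ts, "peer": None, "protocol": None, "spis": []})
        d = DELETE_RE.match(msg)
        if d:
            ev["peer"], ev["protocol"] = d.group("peer"), d.group("proto")
            continue
        p = PURGED_RE.match(msg)
        if p:
            ev["protocol"] = ev["protocol"] or p.group("proto")
            ev["spis"].append(p.group("spi"))
    # Keep only timestamps where at least one SA was actually purged.
    return [ev for ev in events.values() if ev["spis"]]


def peer_initiated_teardowns(log_text):
    """Only the events where a remote address sent the delete notification before the purge."""
    return [ev for ev in parse_purge_events(log_text) if ev["peer"] is not None]


if __name__ == "__main__":
    for ev in parse_purge_events(SAMPLE_LOG):
        who = ev["peer"] or "local (no delete payload seen)"
        print(f"{ev['time']} {ev['protocol']} SAs {', '.join(ev['spis'])} purged, delete from {who}")
```

Feed it the output of `/log print` filtered on the ipsec topics; if every purge of the second policy's SAs is preceded by a delete payload from the Draytek's address, the teardown is being initiated by the remote side rather than by a local lifetime or DPD event.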
