I have a strange case which I thought I had managed to resolve, but I was wrong: once again a working IPsec tunnel stopped working properly without any log information, nothing at all.
The problem is that clients behind MikroTik (VPN users) and other hosts in the same subnet as the MikroTik are losing connectivity with servers on the other side of the tunnel (Google Cloud Platform). On the CHR there is no evidence that anything is wrong. I had issues with DPD on MikroTik, which is why I disabled it on the MikroTik side; after that I don't see any problems in the logs on either side. But once in a while during the week there is a breakdown and suddenly, for no reason, ping stops working; the tunnel is up, but all hosts lose their connectivity.
From a server in network 10.128.0.0/10 to a server in network 10.0.0.0/9.
From the MikroTik CHR in network 10.0.0.0/9 to 10.128.0.0/10:
ping 10.156.0.10 src-address=10.5.0.120
SEQ HOST SIZE TTL TIME STATUS
0 10.156.0.10 timeout
1 10.156.0.10 timeout
The solution for that is to disable the relevant entries in /ip ipsec policy for those networks and enable them again to re-establish a proper connection (picture below).
BGP peers are, however, still in established state:
IP route says:
I don't know what is happening or why it is happening.
RouterOS was 6.43.4; I upgraded it today to 6.43.14.
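The workaround described above (bounce the IPsec policy when hosts stop answering across the tunnel) can be automated and, more importantly, logged, so the silent failure at least leaves a trace. This is an added RouterOS v6 script, not the poster's configuration; it assumes the GCP policies are tagged with the comment "gcp" and reuses the probe addresses from the thread.

```routeros
# Added example (not from the thread). Probes a GCP host through the tunnel with the
# same source address the poster used; if no reply comes back, logs the event together
# with the number of installed SAs and re-applies the policy disable/enable workaround.
# Assumption: the policies for the GCP networks carry comment="gcp".
:local probeHost "10.156.0.10"
:local srcAddr "10.5.0.120"
:local policyTag "gcp"

# /ping returns the number of replies received
:local replies [/ping $probeHost src-address=$srcAddr count=5 interval=1s]

:if ($replies = 0) do={
    # Capture SA state at failure time: the thread shows the tunnel looks "up" even when traffic is blackholed
    :local saCount [:len [/ip ipsec installed-sa find]]
    /log warning ("gcp-tunnel-check: no reply from " . $probeHost . " via " . $srcAddr . ", installed SAs=" . $saCount . ", bouncing policy " . $policyTag)
    /ip ipsec policy disable [find comment=$policyTag]
    :delay 3s
    /ip ipsec policy enable [find comment=$policyTag]
} else={
    /log info ("gcp-tunnel-check: " . $replies . "/5 replies from " . $probeHost)
}
```

Store it with /system script add name=gcp-tunnel-check and run it from /system scheduler every minute or so; the warning entries then give a timeline of outages to correlate with the rekey events on the GCP side.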
Which server? Google Cloud provides IaaS; this is a VPN service and it works normally. But it freezes sometimes and pings stop working entirely. Now I have the same problem again. I don't know what is happening.
I found in the logs from the GCP VPN service that there is an N(TEMP_FAIL) when it establishes the connection again after rekeying. I see someone has the same problem with MikroTik connected to strongSwan on Linux: https://wiki.strongswan.org/issues/2646
Emil from MikroTik support is investigating this issue with me, but also said that the test release has this fix:
*) ike2 - fixed phase 1 rekeying (introduced in v6.45);
So it looks like MikroTik has issues with rekeying.
Oh, it's in the stable version now. Hm, so I need to wait for long-term to receive that update. But I'm not sure that will resolve the problem.
No, the problem isn't resolved; the same issue still occurs.
After almost a year of digging and looking for information, GCP Support helped. MikroTik Support analyzed the information from GCP Support and also gave me information which didn't satisfy me, but there is nothing I can do about it right now. More information here: http://forum.mikrotik.com/t/vpn-with-gcp/140112/8