Hi out there…
I have been facing an issue with my IPsec gateway since this weekend. Users reported slow transfer rates. The users are connected as clients via an EdgeRouter X, and other clients use a Linux box with strongSwan.
The service had been running without any headache for around 800 days…
Here is my config:
/ip ipsec export hide-sensitive
# feb/17/2020 10:08:20 by RouterOS 6.45.7
# software id = UUP5-VXEJ
#
# model = RouterBOARD 750G r3
# serial number = XXXXXXXXXXX
# NOTE(review): hide-sensitive strips pre-shared keys and passwords from this
# export; it does not cover the "installed-sa print" output further down in
# this post, which prints live SA keys.
/ip ipsec mode-config
# Settings pushed to road-warrior clients at connect time: address pool,
# split-tunnel network (172.16.16.0/24) and DNS server.
add address-pool=rw-pool name=vpn-ikev2 split-include=172.16.16.0/24 static-dns=172.16.16.20 system-dns=no
# test1 hands out /32 addresses from the same pool. IPSECKunden has no
# address-pool at all, only the split-include network.
add address-pool=rw-pool address-prefix-length=32 name=test1 split-include=172.16.16.0/24
add name=IPSECKunden split-include=172.16.16.0/24
/ip ipsec policy group
# One template group per identity; bound below under /ip ipsec identity.
add name=rw-policies
add name=test1
add name=IPSECKunden
/ip ipsec profile
# The default profile is renamed "disbled" (presumably "disabled") and is not
# referenced by any peer in this export. It is the only profile still offering
# 3des; removing 3des from it would close that option for good.
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des name=disbled proposal-check=strict
add enc-algorithm=aes-256,aes-128 name=profile_1 proposal-check=strict
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=profileRadiologist proposal-check=strict
# nat-traversal=no: this profile is only used by the site-to-site peer with a
# fixed public address (ipsecKunden below); the road-warrior peers keep NAT-T.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ipsecKunden nat-traversal=no proposal-check=strict
/ip ipsec peer
# Site-to-site peer with a fixed remote address; not passive, so this router
# may initiate. Each peer is bound to its own local address.
add address=XXX.XXX.XXX.1/32 exchange-mode=ike2 local-address=92.XX.XX.45 name=ipsecKunden profile=ipsecKunden
# Responder-only (passive=yes) IKEv2 peers for the road-warrior clients.
add exchange-mode=ike2 local-address=92.XX.XX.59 name=peer1 passive=yes profile=profile_1 send-initial-contact=no
add exchange-mode=ike2 local-address=92.XX.XX.44 name=peer3 passive=yes profile=profileRadiologist
/ip ipsec proposal
# NOTE(review): every proposal, the default included, has pfs-group=none, so
# child SAs are derived without a fresh DH exchange and all inherit the
# strength of the IKE SA key. Enabling PFS (modp2048 would match the
# profiles) is a hardening point; it is unrelated to the throughput problem.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=rw-proposal pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=Radiologe pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=IPSECKunden pfs-group=none
/ip ipsec identity
# peer1: EAP via RADIUS for road warriors, policies generated from the
# rw-policies templates with generate-policy=port-override.
add auth-method=eap-radius certificate=mednetgate generate-policy=port-override mode-config=vpn-ikev2 peer=peer1 policy-template-group=rw-policies
# peer3: certificate authentication. remote-id=ignore skips matching the
# remote ID; generate-policy=port-strict requires the client's proposal to
# match a test1 template (presumably including ports — TODO confirm).
add auth-method=digital-signature certificate=mednetgate generate-policy=port-strict mode-config=test1 peer=peer3 policy-template-group=test1 remote-id=ignore
# Wrong mode-config
# (author's note above) The site-to-site identity carries mode-config=IPSECKunden,
# which has no address-pool. No auth-method is printed, so the default
# (pre-shared key, with the secret hidden by hide-sensitive) presumably
# applies — TODO confirm.
add generate-policy=port-strict mode-config=IPSECKunden peer=ipsecKunden policy-template-group=IPSECKunden remote-id=ignore
/ip ipsec policy
# The German comment on the default policy reads: "must be disabled since it
# is the default config".
set 0 comment="muss disabled sein da default config"
# Template policies, one set per group. src-address=0.0.0.0/0 accepts any
# client address; the requested destination network and the proposal must
# match a template of the identity's group. The "no policy found/generated"
# log line is what RouterOS reports when a client's request matches none of
# the group's templates — when the issue recurs, compare the failing clients'
# traffic selectors against these networks (hedged: the log line is quoted
# without its surrounding context).
add dst-address=10.11.11.0/24 group=rw-policies proposal=rw-proposal src-address=0.0.0.0/0 template=yes
add dst-address=10.11.11.0/24 group=IPSECKunden proposal=rw-proposal src-address=0.0.0.0/0 template=yes
add dst-address=10.11.11.0/24 group=test1 proposal=rw-proposal src-address=0.0.0.0/0 template=yes
add dst-address=172.16.16.0/24 group=rw-policies proposal=rw-proposal src-address=0.0.0.0/0 template=yes
add comment="IPSEC Kunden " dst-address=172.16.16.0/24 group=IPSECKunden proposal=IPSECKunden src-address=0.0.0.0/0 template=yes
# test1 uses proposal Radiologe for 172.16.16.0/24 and 192.168.3.0/24 but
# rw-proposal for 10.11.11.0/24 above; the two proposals are identical in
# content, so this is only a naming inconsistency.
add dst-address=172.16.16.0/24 group=test1 proposal=Radiologe src-address=0.0.0.0/0 template=yes
add dst-address=192.168.3.0/24 group=test1 proposal=Radiologe src-address=0.0.0.0/0 template=yes
add comment="Proposal IPSEC Kunden" dst-address=192.168.4.0/24 group=IPSECKunden proposal=IPSECKunden src-address=0.0.0.0/0 template=yes
/ip ipsec policy export hide-sensitive
# feb/17/2020 10:11:33 by RouterOS 6.45.7
# software id = UUP5-VXEJ
#
# model = RouterBOARD 750G r3
# serial number = XXXXXXXXXXX
# Second export, limited to the policy tree. The groups and templates are the
# same as in the full export above (taken three minutes later), so nothing
# changed in between; it adds no information beyond the first export.
/ip ipsec policy group
add name=rw-policies
add name=test1
add name=IPSECKunden
/ip ipsec policy
# German comment on the default policy: "must be disabled since it is the
# default config".
set 0 comment="muss disabled sein da default config"
add dst-address=10.11.11.0/24 group=rw-policies proposal=rw-proposal src-address=0.0.0.0/0 template=yes
add dst-address=10.11.11.0/24 group=IPSECKunden proposal=rw-proposal src-address=0.0.0.0/0 template=yes
add dst-address=10.11.11.0/24 group=test1 proposal=rw-proposal src-address=0.0.0.0/0 template=yes
add dst-address=172.16.16.0/24 group=rw-policies proposal=rw-proposal src-address=0.0.0.0/0 template=yes
add comment="IPSEC Kunden " dst-address=172.16.16.0/24 group=IPSECKunden proposal=IPSECKunden src-address=0.0.0.0/0 template=yes
add dst-address=172.16.16.0/24 group=test1 proposal=Radiologe src-address=0.0.0.0/0 template=yes
add dst-address=192.168.3.0/24 group=test1 proposal=Radiologe src-address=0.0.0.0/0 template=yes
add comment="Proposal IPSEC Kunden" dst-address=192.168.4.0/24 group=IPSECKunden proposal=IPSECKunden src-address=0.0.0.0/0 template=yes
/ip ipsec installed-sa
/ip ipsec installed-sa print
# NOTE(review): unlike "export hide-sensitive", this command prints the live
# ESP session keys (auth-key / enc-key) of every SA. They rotate with the
# child-SA lifetime shown (add-lifetime 30m, expires-in ~26m), so these
# particular keys are long expired, but anyone holding a capture of the
# traffic from that window could have decrypted it; redact the key fields
# before posting such output.
# All SAs carry the H flag (hw-aead), i.e. they are hardware accelerated, and
# the E flag (ESP). Each pair of entries is one tunnel: inbound and outbound.
Flags: H - hw-aead, A - AH, E - ESP
# 0/1: the site-to-site tunnel (XXX.XXX.XXX.1 <-> 92.XX.XX.45), no UDP
# encapsulation, consistent with nat-traversal=no on profile ipsecKunden.
0 HE spi=0x6B4462E src-address=XXX.XXX.XXX.1 dst-address=92.XX.XX.45 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="423463cb205de1121f266fe58c931e42578e2f3295b68c229f59d263b926a8a0"
enc-key="522eca07dce06ccb29e9c55e5132b76736f9d530d0084e40fa86360d54b3dc8f" addtime=feb/17/2020 10:08:11 expires-in=25m54s add-lifetime=24m12s/30m15s current-bytes=8587 current-packets=99 replay=128
1 HE spi=0xB3A2D4B2 src-address=92.XX.XX.45 dst-address=XXX.XXX.XXX.1 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="c4069b8ef97ef87e7fe25a604116cc0400079c0c731d6c3b18e41b03cb2a84b3"
enc-key="19bcf17f3543bd3cfa011cb1df5d3f108bbb8233942b0f9e4c4bc296b1868a70" addtime=feb/17/2020 10:08:11 expires-in=25m54s add-lifetime=24m12s/30m15s current-bytes=9796 current-packets=95 replay=128
# 2-9 and 12: road-warrior tunnels to peer1 (92.XX.XX.59), NAT-T on UDP 4500.
# Each carries only ~8-10 KB / ~95 packets after ~4 minutes, which is little
# traffic for clients complaining about transfer rates (hedged: counters
# reset with every rekey, and all SAs were created right after the reboot).
2 HE spi=0x3B41346 src-address=XXX.XXX.XXX.200:64916 dst-address=92.XX.XX.59:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="ef61bc3fcb6a25e6b8a58432cda3a870167a695d1b0444e50e9deb9b5938e89a"
enc-key="f813ffcd2b048124d3935376ade524eb57b844865bbef2f42f7536cbbd066809" addtime=feb/17/2020 10:08:26 expires-in=26m15s add-lifetime=24m16s/30m21s current-bytes=8597 current-packets=99 replay=128
3 HE spi=0xC3989E7E src-address=92.XX.XX.59:4500 dst-address=XXX.XXX.XXX.200:64916 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="66afcd7daaa62c60645f93ee30b9b57dbadc1b705f096f20ff28f0d20fd536e1"
enc-key="bc51e740e5e37e10f5912070fcbee47dd0af2e929369400f3e37daf5a809b12e" addtime=feb/17/2020 10:08:26 expires-in=26m15s add-lifetime=24m16s/30m21s current-bytes=9800 current-packets=95 replay=128
4 HE spi=0x6F53DC5 src-address=XXX.XXX.XXX.126:64916 dst-address=92.XX.XX.59:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="55c2cfb978aebb6a27fc43cad3a5c051bb334c47084945beeaa936a395101bf3"
enc-key="df51d653e9fb06817f594657d1b97b546153e7eaee8dfbb46018631ac310167e" addtime=feb/17/2020 10:08:29 expires-in=26m26s add-lifetime=24m23s/30m29s current-bytes=8195 current-packets=94 replay=128
5 HE spi=0xCCC859F3 src-address=92.XX.XX.59:4500 dst-address=XXX.XXX.XXX.126:64916 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="04b5b663464181d4361d3320a1a703e56202bf633d14bb98270a7228e76ec15a"
enc-key="65b1c2eb7b7e8d95ee6552529488250c914b048b7e58dd2e2baf79a937763511" addtime=feb/17/2020 10:08:29 expires-in=26m26s add-lifetime=24m23s/30m29s current-bytes=9302 current-packets=90 replay=128
6 HE spi=0x5141976 src-address=XXX.XXX.XXX.38:53932 dst-address=92.XX.XX.59:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="766b98ecfb9992c495a0583774ff08587d6c9f72d550042f78b9de83f0c9d937"
enc-key="8136be60d3b2e49fc82794abc5a945a72f4cfa462230232c431b5458d4032a70" addtime=feb/17/2020 10:08:30 expires-in=26m10s add-lifetime=24m9s/30m12s current-bytes=8253 current-packets=95 replay=128
7 HE spi=0xC93C582B src-address=92.XX.XX.59:4500 dst-address=XXX.XXX.XXX.38:53932 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="e1f30268aab15141787b389534171aebe5cb66e87460ece4fb5ef22d6ebb8ca0"
enc-key="ac359ac4b551e4880cc6d350e5a3beff8dd210894b5121b1c3162465dddbfeec" addtime=feb/17/2020 10:08:30 expires-in=26m10s add-lifetime=24m9s/30m12s current-bytes=9172 current-packets=91 replay=128
8 HE spi=0x1C3D0AA src-address=XXX.XXX.XXX.100:36102 dst-address=92.XX.XX.59:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="35355b912ceae413a330cc793c4e1dcbcf1823b1165a4bdc8bf5a27e6aae4659"
enc-key="696c1ddcf69c7f4d85095efdf6cbe38b7092447406672c5c3945f627a1f05abd" addtime=feb/17/2020 10:08:31 expires-in=26m15s add-lifetime=24m12s/30m16s current-bytes=8190 current-packets=94 replay=128
9 HE spi=0xC5110F0E src-address=92.XX.XX.59:4500 dst-address=XXX.XXX.XXX.100:36102 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="5e5ef99ca06eb47df112a9569045067641bf5d89fe2108a44a8a3519bf53bb72"
enc-key="986fe36c3970ca6ef33360b020d7647e9c0cbf776d59606cdd91599849e429f0" addtime=feb/17/2020 10:08:31 expires-in=26m15s add-lifetime=24m12s/30m16s current-bytes=9298 current-packets=90 replay=128
# 10/11: the tunnel on peer3's local address (92.XX.XX.44 <-> 92.XX.XX.80).
# Unlike every other pair these entries print no addtime, expires-in or
# current-bytes/packets; worth checking whether that peer actually passes
# traffic or is stuck (hedged: the print may simply have omitted the fields).
10 HE spi=0xDDCDBA4 src-address=92.XX.XX.80 dst-address=92.XX.XX.44 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="abcede22b9d9334abb8cc793d48ee5b99245a16b2aa7aa4895fdf8efb2a1e202"
enc-key="4f7c52229c671f82bf943b30b034e50c028145f34e7bd772c391a796fefdd7b6" add-lifetime=24m23s/30m29s replay=128
11 HE spi=0xAE4FC67 src-address=92.XX.XX.44 dst-address=92.XX.XX.80 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="9dde33ac170a044c7394479446ced8a390540637e7151a82e734a98d722c8c3f"
enc-key="6047dfd06d5f228f60b92caad0ef4d7f24e528dc33e1862959d3106eafcda0d0" add-lifetime=24m23s/30m29s replay=128
# 12: inbound SA only; its outbound counterpart is not in the listing, so the
# pair was presumably still being set up when the print ran — TODO confirm.
12 HE spi=0x8F5FBC2 src-address=XXX.XXX.XXX.61:64916 dst-address=92.XX.XX.59:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256 auth-key="4cd1fd3cdaaa98cdb52442c19834f84c4da0160065263eaae62d9e7b57a92c0e"
enc-key="a89cef23ce136711d45d90bb9b2f2f44121942b35e06b897e0153c44b79a5693" addtime=feb/17/2020 10:08:38 expires-in=26m27s add-lifetime=24m16s/30m21s current-bytes=8190 current-packets=94 replay=128
I was not able to find any error… At the weekend users complained that the VPN doesn't work. I was able to connect via WinBox. I saw a CPU load of 28 % and was not able to see any IPsec peers online.
I sent a reboot - after the reboot the IPsec peers came online again.
Now it happens from time to time that all peers disappear and come back online again.
The only real thing I found in the log file is " no policy found/generated". I never saw this before - I am sure I haven't changed any configuration.
If someone out there can help me, please do …
Thank you!