ipsec installed-sa

darifaj · December 3, 2010, 2:36pm

Hello,

I’ve noticed that the ‘addtime’ parameter extracted from the command ip->ipsec->installed-sa print is one hour behind. The routeros version is 4.13 and system clock is is synchronized via NTP.

[admin@MikroTik] /ip ipsec> installed-sa print

5 E spi=xxxx src-address=x.x.x.x dst-address=x.x.x.x auth-algorithm=sha1 enc-algorithm=3des replay=4 state=mature
auth-key=“xxxxx” enc-key=“xxxx” addtime=dec/03/2010 14:29:49
add-lifetime=48m/1h usetime=dec/03/2010 14:29:52 use-lifetime=0s/0s current-bytes=2483 lifebytes=0/0

Any idea on this behaviour ?

fewi · December 3, 2010, 2:50pm

Raise a bug with support@mikrotik.com.

huntah · December 3, 2010, 2:54pm

HI, Are you in central Europe? CET TIMEZone?

I have noticed the same but I have accounted it as ok as it is GMT time and It doesn’t interfier with IPSEC stability..

darifaj · December 3, 2010, 3:31pm

Yes I’m in CET time zone, I will report this to MT, there are just too many inconsistencies noticed until now while using MT for 1 week.

I’ve also noted that when I make a change of a peer configuration in ip->ipsec->peers all the active established connection with all peers are restarted. Have you noticed this ?

huntah · December 3, 2010, 6:36pm

Yes all tunnels fall and you have to flush-sa.

I also had problem with Cisco and SHA1 ended up using md5 for proposal and peer.
The problem was that when using SHA1 the ISAKMP-SA expired and did not reestablih…