ipsec + ipip unstable

Hi all, routeros obsessed friends!
My setup is: rb4011 + hap ac^2.
ipsec configs on both sides:
https://pastiebin.com/5ed36162e0d1c

Something is going wrong and the rb4011 (initiator) always has two pairs of installed SAs for each connection:
https://imgur.com/a/GvuYMRQ
The hAP ac^2 has only one pair for this connection.

Set the proper peer value for all /ip ipsec policy rows and try again. I suspect that the 4011 is trying to set up an SA for the policy which has no peer specified with the currently active peer (which rejects it).

What does “unstable” mean? The second pair of SAs disappears and re-appears, or does the IPIP tunnel really drop packets occasionally?

And you don’t need to use external sites - you can attach a picture as an attachment to the post, and you can post code between [code] and [/code] tags directly in the body of the post.

Sorry that it took so long to answer, I haven’t had a chance.

  1. I did set up proper peer settings for one of the policies, where it wasn’t set. It seems that some of the previous versions of ROS (where I actually did all the configuration for IPsec) had a different set of fields in this particular setting.
  2. What I mean by an unstable IPsec connection is that every once in a while I just stop receiving traffic from the other side, even before the IPIP tunnel collapses. I’m trying to figure out why it’s happening and my best guess was that something is going on when the sites exchange IKEv2 keys. Now I’m using a really bad workaround: /tool netwatch every 5 seconds, if down:
# Ping three hosts behind the tunnel and add up the replies received
:local PingResult
:local PingSumm
:set PingSumm 0
:set PingResult [ping <SECOND HOST ON THE OTHER SIDE> count=3 interval=100ms]
:put $PingResult
:set PingSumm ($PingSumm + $PingResult)
:put $PingSumm
:set PingResult [ping <THIRD HOST ON THE OTHER SIDE> count=3 interval=100ms]
:put $PingResult
:set PingSumm ($PingSumm + $PingResult)
:put $PingSumm
:set PingResult [ping <FOURTH HOST ON THE OTHER SIDE> count=3 interval=100ms]
:put $PingResult
:set PingSumm ($PingSumm + $PingResult)
:put $PingSumm
# No reply from any host: treat the whole remote network as lost and
# bounce the policies for peer2 to force a fresh SA negotiation
:if ($PingSumm = 0) do={
    /ip ipsec policy disable [find peer=peer2]
    :delay 1ms
    /ip ipsec policy enable [find peer=peer2]
}

So it basically ensures that it wasn’t just an ordinary packet drop for some unrelated reason; it checks whether you lost the whole other network and resets the IPsec connection. The IPIP tunnel is not collapsing, but any sensitive connections like WinBox drop instantly, of course.
Now I have a packet sniffer running and another netwatch script to disable it when I lose the connection between the sites, and I have started a remote log with the debug topic to see if I’ll get something useful from it.


If you have ANY advice, please write it here, I’m really struggling to get it working alright.

My advice is to do the following at both ends:

  • /system logging add topics=ipsec,!packet
  • disable the identity items
  • run /log print follow-only file=ipsec-log-siteX where topics~"ipsec"
  • enable the identities
  • wait until the issue happens
  • stop the /log print …
  • download the files and start reading them

As some other IPsec sessions are in use, the log will be quite verbose.

So after all it seems that I got it to work more stably. The problem is somewhere in the SA exchange mechanism, I think, so I’ve just increased the SA lifetime to 12 hours instead of 30 minutes. Also, to complete my workaround, I’ve applied a netwatch script (comment="ipsec_check" ← !!!, every second, interval 50ms), on down:
# Netwatch "down" script: if the remote tunnel endpoint answers none of
# three pings, drop the active IKE peer so it renegotiates from scratch
:if ([ping <IPIP-tunnel_remote_site_ip> count=3 interval=50ms] = 0) do={
    /ip ipsec active-peers remove [find where remote-address=""]
    :delay 30s
}
# Bounce the netwatch entry itself so its state is re-evaluated
/tool netwatch disable [find where comment="ipsec_check"]
:delay 1s
/tool netwatch enable [find where comment="ipsec_check"]

This one restarts the IPsec connection, removing the SAs very quickly.
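An added example, not from this thread, that folds the two workaround scripts above into one netwatch down-script: it pings a list of remote hosts in a loop, resets the peer only when none of them answers, and writes a log line so each reset can be matched against the ipsec topic log captured with the procedure suggested earlier. The host list and the peer's remote address are placeholders.

```routeros
# Added example (not the thread's own code). Placeholders: the host
# list and the remote peer address 203.0.113.1.
:local hosts {"10.0.2.1"; "10.0.2.2"; "10.0.2.3"}
:local replies 0

# Count ICMP replies from every host behind the tunnel; one host being
# down on its own must not trigger a reset of the IPsec peer.
:foreach h in=$hosts do={
    :set replies ($replies + [/ping $h count=3 interval=100ms])
}

:if ($replies = 0) do={
    # Log first, so the timestamp lines up with the ipsec topic log
    :log warning "ipsec_check: no replies from any remote host, resetting peer"
    # Drop the active IKE peer so it renegotiates and installs fresh SAs
    /ip ipsec active-peers remove [find where remote-address="203.0.113.1"]
    :delay 30s
} else={
    :log info ("ipsec_check: " . $replies . " replies, tunnel considered up")
}
```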