IPSec Keepalive

Is there a keepalive function for IPSec policies?

I have a tunnel set up; after the lifetime expires, if there is no traffic the tunnel drops until a connection is attempted to an IP on the other peer.

I need to make the tunnel persistent even when no traffic is present.

Any input appreciated.

You could set up a ping, or use IPIP or something.


I tested ping keepalive and it works.

However, if I reboot the MikroTik on one side of the tunnel (site A) to simulate a failure, this is the behavior:

While site A is down, site B removes the active SA per dead peer detection. When site A comes back online, and once the keepalive ping triggers on site B, the tunnel comes back up on site B, but site A never comes up.

If the tunnel is established and site B is rebooted, site A removes the SA per dead peer detection; once site B comes back online and the keepalive ping triggers, the tunnel comes up on both sides.

I have tried all combinations of 'send-initial-contact' (disabled on one side and not the other, and vice versa, and enabled/disabled on both at the same time) and the behavior doesn't change.

SITE A
address=y.y.y.y/32 passive=no port=500 auth-method=pre-shared-key secret="secret" generate-policy=no exchange-mode=main send-initial-contact=no nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=30s dpd-maximum-failures=1

src-address=src_ip src-port=any dst-address=dst_ip dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=x.x.x.x sa-dst-address=y.y.y.y proposal=default priority=0

SITE B
address=x.x.x.x/32 passive=no port=500 auth-method=pre-shared-key secret="secret" generate-policy=no exchange-mode=main send-initial-contact=no nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=8h lifebytes=0 dpd-interval=30s dpd-maximum-failures=1

src-address=src_ip src-port=any dst-address=dst_ip dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=y.y.y.y sa-dst-address=x.x.x.x proposal=default priority=0

NAT is not in use on either site.

Any ideas why this is happening?

I was able to work around this with a monitor script that flushes the SAs when the tunnel is detected down.

Another thing I'm noticing is that I'm getting duplicate installed-sa entries for the same peer on both ends; the tunnel never drops.

What is causing the duplicates? Is this normal behavior?

Thanks -
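The ping keepalive suggested earlier in the thread and the "flush SAs when detected down" workaround described above can be combined in one RouterOS scheduler script. The following is an added example, not a script posted in the thread: it assumes a remote tunnel-side host 192.168.2.1 that answers ICMP, a 3-reply probe, and a 30-second schedule; the address and thresholds are placeholders you would adapt to your own policy.

```routeros
# Added example (not from the thread). Assumed values: remote tunnel-side
# host 192.168.2.1 and a 3-packet probe. Install as a /system script named
# "ipsec-keepalive" and run it from the scheduler, e.g.:
#   /system scheduler add name=ipsec-keepalive interval=30s on-event=ipsec-keepalive
:local remoteLan "192.168.2.1"
:local probes 3
:global ipsecFailCount

:if ([:typeof $ipsecFailCount] = "nothing") do={ :set ipsecFailCount 0 }

# Traffic that matches the policy is what triggers SA negotiation, so the
# probe itself is the keepalive: while it gets replies the tunnel stays up.
:local replies [/ping $remoteLan count=$probes interval=1s]

:if ($replies = 0) do={
    # Count consecutive failed probes so a single lost packet does not
    # tear the tunnel down.
    :set ipsecFailCount ($ipsecFailCount + 1)
    :if ($ipsecFailCount >= 2) do={
        # After a peer reboot the surviving side can hold a stale SA that the
        # rebooted peer knows nothing about; flushing forces a fresh phase 1
        # and phase 2 on the next probe.
        :log warning ("ipsec keepalive: " . $remoteLan . " unreachable, flushing SAs")
        /ip ipsec installed-sa flush sa-type=all
        :set ipsecFailCount 0
    }
} else={
    :set ipsecFailCount 0
}
```

Note that `installed-sa flush` drops every SA on the router, not only the ones for this peer, so on a router terminating several tunnels a failed probe on one link briefly interrupts the others; keep the failure threshold above one probe and the schedule interval no shorter than the DPD interval so the script does not race dead peer detection.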