An IPsec tunnel is configured on a MikroTik RB411 running v4.10 and on a Cisco ASR 1006.
The Cisco ASR 1006 works as an IPsec concentrator for over 100 IPsec tunnels at the moment.
Some IPsec tunnels are between the ASR and a Cisco 3945, and they are working perfectly.
Others are between the ASR and the MikroTik, and there is a problem.
IPsec between the MikroTik and the ASR is working, but something is wrong with the lifetime.
After a few hours the IPsec tunnel is down if there is no traffic.
After that it is impossible to contact the other side over the tunnel; I must log in to the router and ping
to bring the tunnel up, and then everything works correctly.
I have tried setting the lifetime option to different values, but it is the same.
There is no problem like that between the two Cisco routers.
Config included:
Have you enabled debug on the Cisco and MikroTik side to determine why the VPN is being torn down? It would be helpful to have that info so you can either adjust the config or open a ticket with MikroTik.
I think it is just a bug. I have the same problem with IPsec MikroTik ↔ Cisco, and I remember having it a long time ago on a standard Linux system ↔ Cisco. There it was solved at some point by a new release of racoon or the kernel, and on MikroTik it still exists despite repeated changelog notices about fixing IPsec things.
The proposal lifetime is 1 hour. After 1 hour the Cisco sends an IKE Delete payload along with the SPI to delete. MikroTik removes the connection from Remote Peers but does not remove the installed SAs. My workaround was a script that runs every 3 seconds: if the remote peer is gone, the script flushes the installed SAs. Users didn't complain about a down tunnel anymore.
It seems like MikroTik receives the Delete payload and doesn't delete the SAs.
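The watchdog described in the post above, written out as a RouterOS script plus the scheduler entry that runs it every 3 seconds. This is an added example, not the poster's script: the Cisco peer address 203.0.113.1, the script name, and the property names remote-address and dst-address used in the find expressions (the columns shown by `/ip ipsec remote-peers print` and `/ip ipsec installed-sa print`) are assumptions, so check them against your RouterOS version first.

```routeros
# Added example, not the poster's script. Assumed: the Cisco peer address
# 203.0.113.1 and the property names remote-address / dst-address as shown
# by "/ip ipsec remote-peers print" and "/ip ipsec installed-sa print".
/system script add name=ipsec-sa-watchdog source={
    :local peer "203.0.113.1"
    # Is there still an IKE association with the Cisco?
    :local ikeUp [:len [/ip ipsec remote-peers find remote-address=$peer]]
    # Are there still installed SAs pointing at the Cisco?
    :local staleSa [:len [/ip ipsec installed-sa find dst-address=$peer]]
    # The failure mode from the thread: IKE peer gone, SAs left behind.
    :if ($ikeUp = 0 && $staleSa > 0) do={
        :log warning ("ipsec-sa-watchdog: peer " . $peer . " gone, flushing " . $staleSa . " stale SA(s)")
        # flush removes every installed SA on the router, not only this peer's;
        # the next packet matching the policy then triggers a fresh IKE negotiation.
        /ip ipsec installed-sa flush
    }
}

# Run the check every 3 seconds, as the post describes.
/system scheduler add name=ipsec-sa-watchdog interval=3s on-event=ipsec-sa-watchdog
```

Two caveats a practitioner will want: `installed-sa flush` is global, so on a router with more than one IPsec peer every tunnel is torn down each time the script fires, which is why the script only fires when SAs to the missing peer are actually present; and the check is only a workaround for the symptom, so keep the IPsec debug log enabled while it runs so the delete-payload exchange that MikroTik support asks for below can still be captured.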
If you can reproduce the same problem with the latest v6.35rc version, then enable IPsec debug logs and generate a supout file right after the delete message is received but MT is not removing the SAs. Send that supout file to support.
Has something been done to fix this, or is this just a standard "first try the newest version and then we'll look" reply?
I can help to test this, but I won't move to RC just to satisfy a standard problem-solving flowchart.
I have switched to 6.35RC for another reason, and I don't see this problem anymore, but I have made other changes as well, so it might be a coincidence.
(Instead of a direct IPsec tunnel with policies that match the local and remote networks, I now use an L2TP/IPsec tunnel with BGP routing of the subnets over that tunnel. It should not be different in this respect, but you never know.)