Occasionally IPsec VPNs begin dropping packets. I've seen this in the instances where I've used RouterOS 2.9.4 through 2.9.29. For whatever reason the VPNs just stop working. I've seen this using many different configurations such as:
RouterOS to RouterOS (RBs and Disc on Chip)
RouterOS to OpenSWAN and FreeSWAN
RouterOS to racoon (Linux kernel 2.6 built in)
RouterOS to Juniper/Netscreen 5 (XP and GT)
Attempts to re-initialise the tunnels from the remote ends (the non-RouterOS ends) also fail. I tried from the non-RouterOS ends because there was no way to force the RouterOS ends to re-initialise a VPN. Disabling them and/or peers and/or proposals was useless.
The tunnels only re-initialise successfully when the RouterOS system is rebooted.
I have tried removing connections from connection tracking as well as disabling interfaces and re-enabling to break connections. Nothing happened.
Try an /ip ipsec installed-sa flush on both ends and see if they come back up. Known issue that the installed SAs don't flush out; not sure if it's a bug or supposed to be that way.
Well, from Winbox there are never any active SAs. I've never looked from the command line. Next time I will check the SAs from the shell and I'll try the command and see what happens and post the results.
Thanks
But still it is a problem as it requires manual intervention adding a degree of unreliability to WAN links.
Although it just crossed my mind that since scripting is supported I may be able to use netwatch to monitor any of the IPsec VPN tunnels and run the command on tunnel failure.
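One way to wire that up, as an added example that is not from the original thread or from MikroTik: a netwatch entry that pings a host that is only reachable through the tunnel and, when the ping fails, flushes the installed SAs and logs the event. The host address 10.1.0.1 (the far side's LAN gateway), the interval/timeout values and the log text are assumptions for illustration; the flush command itself is the one suggested in the reply above, and only the RouterOS end is flushed here, so the remote end may still need its own flush.

```routeros
# Added example (not from the forum thread). Assumes 10.1.0.1 is an
# address behind the remote IPsec peer, i.e. inside the tunnel's
# src/dst policy, so the ping itself is IPsec traffic and will also
# trigger a fresh IKE negotiation once the stale SAs are gone.
/tool netwatch add host=10.1.0.1 interval=30s timeout=2s \
    down-script=":log warning \"IPsec tunnel to 10.1.0.1 down, flushing installed SAs\"; \
        /ip ipsec installed-sa flush" \
    up-script=":log info \"IPsec tunnel to 10.1.0.1 back up\""
```

Pick a probe address that is covered by the IPsec policy; pinging the peer's public address would succeed even while the tunnel is broken, so netwatch would never fire. Check the effect from the shell with /ip ipsec installed-sa print before and after a flush, and look in /log for the warning, since this is what confirms whether the flush alone is enough or a reboot is still required.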