In a highly simplified form, the network diagram looks like this:

All routers have their own local networks. “Main” routers have 3 Internet connections. All routers build 2 VPN connections for redundancy. The third Internet connections of the “main” routers perform separate functions and are not used in this scheme.
CCR1016-12G are used as “main” routers.
4011, hAP ac2, hAP ac3 are used as “client” routers.
All routers have the following settings:
/ip ipsec profile set [ find default=yes ] enc-algorithm=aes-256,aes-128 lifetime=1h
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-128-cbc,aes-128-ctr lifetime=1h
New keys are exchanged periodically. Sometimes this does not happen the first time and the following errors appear in the logs:
phase1 negotiation failed due to time up ...
Question: perhaps it is necessary to somehow change the time parameters? Or something else?
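One way to check whether these failures line up with the 1h lifetime set above, rather than occurring at random times, is to group the logged errors per peer and compare the gaps between them with that lifetime. This is an added example, not part of the original post; the timestamp layout, the text after "time up", the addresses and the tolerance are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime

LIFETIME_S = 3600   # lifetime=1h, as set in the profile and proposal in the post
TOLERANCE_S = 180   # assumption: allowed drift around a multiple of the lifetime

# Constructed sample lines: timestamp layout, topics and addresses are assumptions.
SAMPLE_LOG = """\
2024-01-10 08:00:40 ipsec,error phase1 negotiation failed due to time up 192.0.2.1[500]<=>198.51.100.7[500]
2024-01-10 09:01:10 ipsec,error phase1 negotiation failed due to time up 192.0.2.1[500]<=>198.51.100.7[500]
2024-01-10 09:20:00 system,info user admin logged in
2024-01-10 11:02:05 ipsec,error phase1 negotiation failed due to time up 192.0.2.1[500]<=>198.51.100.7[500]
2024-01-10 08:15:00 ipsec,error phase1 negotiation failed due to time up 192.0.2.1[500]<=>203.0.113.9[500]
2024-01-10 08:37:30 ipsec,error phase1 negotiation failed due to time up 192.0.2.1[500]<=>203.0.113.9[500]
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?"
    r"phase1 negotiation failed due to time up\s+(\S+)"
)

def failures_by_peer(log_text):
    """Map each peer pair to the sorted times of its phase1 time-up failures."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            hits.setdefault(m.group(2), []).append(ts)
    return {peer: sorted(times) for peer, times in hits.items()}

def rekey_aligned_gaps(times, lifetime=LIFETIME_S, tol=TOLERANCE_S):
    """Count gaps between consecutive failures that sit near a multiple of the lifetime."""
    aligned = 0
    for earlier, later in zip(times, times[1:]):
        gap = (later - earlier).total_seconds()
        offset = gap % lifetime
        if gap >= lifetime - tol and min(offset, lifetime - offset) <= tol:
            aligned += 1
    return aligned, max(len(times) - 1, 0)

def summarize(log_text):
    """Per peer: (failure count, rekey-aligned gaps, total gaps)."""
    by_peer = failures_by_peer(log_text)
    return {p: (len(t), *rekey_aligned_gaps(t)) for p, t in by_peer.items()}

if __name__ == "__main__":
    for peer, (n, aligned, gaps) in summarize(SAMPLE_LOG).items():
        print(f"{peer}: {n} failures, {aligned}/{gaps} gaps near a multiple of {LIFETIME_S}s")
```

A peer whose gaps mostly align points at the periodic key exchange itself; a peer with unaligned gaps points at link or reachability trouble instead.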