ipsec re-keying drops with windows 10

cchristian · April 5, 2017, 12:32pm

After transferring 175MB of data my laptop tries to rekey but the router drops the connection.
We tried 6.39rc62 but it didn’t fix the problem.

= = = = = = = = = = = = = = = = = = = = = = = = = = =
08:17:17 ipsec ike2 request, exchange: CREATE_CHILD_SA:2 10.0.0.252[4500]
08:17:17 ipsec payload seen: ENC
08:17:17 ipsec processing payload: ENC
08:17:17 ipsec payload seen: NOTIFY
08:17:17 ipsec payload seen: SA
08:17:17 ipsec payload seen: NONCE
08:17:17 ipsec payload seen: TS_I
08:17:17 ipsec payload seen: TS_R
08:17:17 ipsec create child: respond
08:17:17 ipsec processing payload: NONCE
08:17:17 ipsec processing payloads: NOTIFY
08:17:17 ipsec notify: REKEY_SA
08:17:17 ipsec rekeying child SA 0xd9918aaa
08:17:17 ipsec peer wants tunnel mode
08:17:17 ipsec processing payload: TS_R
08:17:17 ipsec 0.0.0.0/0
08:17:17 ipsec [::/0]
08:17:17 ipsec multiple selectors present
08:17:17 ipsec reply notify: INVALID_SYNTAX
08:17:17 ipsec adding payload: NOTIFY
08:17:17 ipsec notify: INVALID_SYNTAX
08:17:17 ipsec,info killing ike2 SA: 10.0.0.1[4500]-10.0.0.252[4500] spi:27057e3f7465aa18:8dc9f37faf4f10dd
08:17:17 ipsec IPsec-SA killing: 10.0.0.252[4500]<->10.0.0.1[4500] spi=0xe9910c9
08:17:17 ipsec IPsec-SA killing: 10.0.0.1[4500]<->10.0.0.252[4500] spi=0xd9918aaa
08:17:17 ipsec removing generated policy
08:17:17 ipsec adding payload: DELETE
08:17:17 ipsec,info releasing address 10.1.1.247
08:17:17 ipsec ike2 reply, exchange: INFORMATIONAL:1 10.0.0.252[4500]
08:17:17 ipsec SPI 27057e3f7465aa18 not registred for 10.0.0.252[4500]
= = = = = = = = = = = = = = = = = = = = = = = = = = =

mrz · April 5, 2017, 12:41pm

Enable ipsec debug logs and generate supout file right after the failure and send to support.

raterch · April 5, 2017, 3:17pm

I’m actually having this same problem on the latest stable release. I’m using the built-in windows 10 client, ikev2, with split tunneling turned off, and the mikrotik end doesn’t seem to like the syntax of the create child sa request from windows. Can anyone on the mikrotik support team duplicate the error?

andriys · April 5, 2017, 3:46pm

The latest stable release as of now (6.37.5) does not support IKEv2. Please be more specific about what RouterOS version you are using.

Write to support@ and send them supout file from your device so they can see your exact configuration.

raterch · April 5, 2017, 3:56pm

Website right now shows 6.37.5 as “bugfix only” with 6.38.5 being “current”. Is that wrong?

andriys · April 5, 2017, 4:16pm

That’s correct. That bugfix channel is what most people consider “stable” (the branch that no longer receives new features, only bugfixes).
“Current” may still receive new features, which also means new bugs.

cchristian · April 12, 2017, 1:30pm

Now that we’ve resolved what the word “stable” means
You should try the next RC. The one that came out yesterday didn’t fix it but support sent me a new build this morning that works great!

mrz · April 12, 2017, 1:51pm

rc69 have the fix. It should be released already.

cchristian · April 12, 2017, 1:56pm

Yup. There it is!

athormann · May 8, 2018, 1:53pm

with v6.42.1 and Windows VPN (10.0.16299.371) i still have this Problem.

Greets