IPSec SA and dying status

Hi there!

I have two MikroTiks and an IPIP tunnel between them.
The IPIP tunnel is secured with IPsec in transport mode. It’s working, but on one side the SA always has the “dying” state.

Is it normal?
Thank you!

On left side
RouterOS 6.20 RB2011UAS-2HnD
/ip ipsec installed-sa print
Flags: A - AH, E - ESP
0 E spi=0x1C0748D src-address=79.xx.xx.138 dst-address=46.xx.xx.93 state=dying auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="d341897b10bc1baa1c5742fa94d7eeb62eb0f440"
enc-key="5ae2bbd3949f5be5832e31ba7224325e" addtime=oct/13/2014 08:25:32 expires-in=1h30m6s add-lifetime=1h36m/2h current-bytes=443117070 replay=4

1 E spi=0xDF70357 src-address=46.xx.xx.93 dst-address=79.xx.xx.138 state=dying auth-algorithm=sha1 enc-algorithm=aes-cbc auth-key="a80500e61e0782b6a4cf01529a74fe1f86caaf84"
enc-key="f8140d1b9d675ba88b4b38129f03ecda" addtime=oct/13/2014 08:25:32 expires-in=1h30m6s add-lifetime=1h36m/2h current-bytes=5085153 replay=4

On right side
RouterOS 6.20 RB1100AH
/ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0x1C0748D src-address=79.xx.xx.138 dst-address=46.xx.xx.93 auth-algorithm=sha1 enc-algorithm=aes-cbc replay=4 state=mature auth-key="d341897b10bc1baa1c5742fa94d7eeb62eb0f440"
enc-key="5ae2bbd3949f5be5832e31ba7224325e" addtime=oct/13/2014 08:25:32 expires-in=1h29m27s add-lifetime=1h36m/2h current-bytes=443706614

1 E spi=0xDF70357 src-address=46.xx.xx.93 dst-address=79.xx.xx.138 auth-algorithm=sha1 enc-algorithm=aes-cbc replay=4 state=mature auth-key="a80500e61e0782b6a4cf01529a74fe1f86caaf84"
enc-key="f8140d1b9d675ba88b4b38129f03ecda" addtime=oct/13/2014 08:25:32 expires-in=1h29m27s add-lifetime=1h36m/2h current-bytes=5094095

We have the very same phenomenon over here.
The peers are Cisco ASA 5502 and Cisco 878.
It seems that (at least here) only SAs with auth-algo = sha1 are affected. SAs with md5 show up as mature.
-Chris

Hi Chris!

Thank you, I tried but without any result.

I have changed the auth- and enc-algorithms and switched tunnel=yes/no, without any result. IPsec is working, but the SA on one side is always “dying”.
It seems like a problem specific to the mipsbe version of RouterOS 6.20.

Same problem with 6.22

Only dying SAs, never seen a mature one. The other side is a SonicWall, my side an RB450G (mipsbe).

When I tried downgrading to 6.19, the whole IPsec thing did not work (ip ipsec remote-peers hangs until I press Ctrl-C, so downgrade is broken here).

After resetting and another try with 6.19 I get different errors (only up to message-1-sent).

I know that IPsec is something difficult to implement, but having strongSwan on a dedicated box is much more stable than a MikroTik implementation where someone has to pray on every update.