IPSec Site to Site stopped working

dadoCA · December 27, 2023, 6:40pm

Hello there,

having some issues with site to site VPN, IPSec with preshared key.

The setup was working for three years, with almost no issues. At 29.12 suddenly it stopped, the VPN tunnel does not come up at all.

There is one main HQ 750GR3 router, and three routers also 750GR3, which are connecting to HQ.

Routers are not behind NAT.

For Peer Addresses I am using MT Cloud DDNS name on all routers.

The tunnel get established as soon as I use public IP addresses in the IPSec Peer config, but it is not working with MT Cloud name anymore.

Tried restarting all MT routers and ISP modems, NTP time zone and clock are in sync over all routers. Tried changing DNS servers in MT routers, tried with 8.8.8.8, 4.4.4.4, default ISP DNS servers and so on.

I am able to ping all MT routers by its Cloud DDNS name and I am getting ping reply from the correct public IP addeess.

dadoCA · December 27, 2023, 7:33pm

Thanks for your fast response. I get this results:

1.
C:\Users\Dado>tracert ns1.kissthenet.net

Tracing route to ns1.kissthenet.net [159.148.147.201]
over a maximum of 30 hops:

1 22 ms 24 ms * 192.168.32.1
2 31 ms 13 ms 21 ms bras-mostar-2-hx.tel.net.ba [85.94.144.50]
3 13 ms 28 ms 13 ms 85.94.145.97
4 14 ms 18 ms 15 ms brdrmo-mo2.tel.net.ba [85.94.144.181]
5 26 ms 21 ms 19 ms gos11-gos12.net.t-com.hr [195.29.246.145]
6 25 ms 22 ms 23 ms hst11-gst24-3.ip.t-com.hr [195.29.241.81]
7 52 ms 45 ms 35 ms hdr11-hst11.ip.t-com.hr [195.29.144.53]
8 28 ms 24 ms 20 ms gte01-hdr11-2.ip.t-com.hr [195.29.240.94]
9 21 ms 25 ms 22 ms zgb-b2-link.ip.twelve99.net [62.115.183.214]
10 36 ms 36 ms 37 ms win-bb2-link.ip.twelve99.net [62.115.122.176]
11 52 ms 39 ms 39 ms ffm-bb2-link.ip.twelve99.net [62.115.138.22]
12 74 ms 65 ms 64 ms s-bb2-link.ip.twelve99.net [62.115.138.104]
13 71 ms 71 ms 71 ms riga-b3-link.ip.twelve99.net [62.115.139.199]
14 78 ms 70 ms 72 ms siatet-ic-332270.ip.twelve99-cust.net [213.248.84.33]
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.
2.
C:\Users\Dado>tracert ns2.kissthenet.net

Tracing route to ns2.kissthenet.net [159.148.172.251]
over a maximum of 30 hops:

1 20 ms 15 ms 11 ms 192.168.32.1
2 12 ms 23 ms 16 ms bras-mostar-2-hx.tel.net.ba [85.94.144.50]
3 11 ms 12 ms 12 ms 85.94.145.97
4 15 ms 26 ms 17 ms brdrmo-mo2.tel.net.ba [85.94.144.181]
5 31 ms 51 ms 26 ms gos11-gos12.net.t-com.hr [195.29.246.145]
6 20 ms 20 ms 18 ms hst12-gst24-3.ip.t-com.hr [195.29.241.113]
7 21 ms 27 ms 22 ms htr11-hst12.ip.t-com.hr [195.29.3.69]
8 31 ms 30 ms 24 ms gte01-htr11-3.ip.t-com.hr [195.29.241.142]
9 24 ms 21 ms 23 ms zgb-b2-link.ip.twelve99.net [62.115.183.214]
10 27 ms 32 ms 285 ms bpt-b4-link.ip.twelve99.net [62.115.122.174]
11 * 34 ms 30 ms win-bb1-link.ip.twelve99.net [62.115.137.224]
12 38 ms 40 ms 52 ms ffm-bb1-link.ip.twelve99.net [62.115.137.202]
13 72 ms 64 ms 81 ms s-bb1-link.ip.twelve99.net [62.115.143.28]
14 75 ms 73 ms 70 ms riga-b3-link.ip.twelve99.net [62.115.139.197]
15 78 ms 73 ms 74 ms siatet-ic-332270.ip.twelve99-cust.net [213.248.84.33]
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 75 ms 72 ms 69 ms cloud2.mikrotik.com [159.148.172.251]

But should the newer firmware conntact cloud and cloud2.mikrotik.com?? I get reply from those when pinging.

I am running MT 7.11.2 firmware.

Thanks

dadoCA · December 27, 2023, 8:06pm

Yes, I can, this is the output for one of the remote sites:

I do get correct public IP addresses, so the DDNS names are resolving corectly.

I really dont know why it stopped working. It works just fine when adding those public addresses in peer config

[admin@xxxxxxxxxxxxxx] > ping cloud2.mikrotik.com
SEQ HOST SIZE TTL TIME STATUS
0 159.148.172.251 56 48 66ms483us
1 159.148.172.251 56 48 66ms5us
2 159.148.172.251 56 48 65ms942us
3 159.148.172.251 56 48 65ms933us
4 159.148.172.251 56 48 66ms284us
5 159.148.172.251 56 48 66ms525us
6 159.148.172.251 56 48 66ms128us
7 159.148.172.251 56 48 66ms473us
8 159.148.172.251 56 48 65ms989us
sent=9 received=9 packet-loss=0% min-rtt=65ms933us avg-rtt=66ms195us
max-rtt=66ms525us

[admin@xxxxxxxxxxxx] > ip cloud print
ddns-enabled: yes
ddns-update-interval: none
update-time: no
public-address: 95.156.xx.xx
dns-name: xxxxxxxxx.sn.mynetname.net
status: updated

dadoCA · December 27, 2023, 8:57pm

It is allraedy enabled, here is what i found out, when I try to ping the routers by its MT DDNS names, from within mikrotik terminals I do not get a reply!!! But pinging all others domains works well.

[admin@xxxxxxxxxx] > ping google.com
SEQ HOST SIZE TTL TIME STATUS
0 142.251.208.142 56 116 15ms942us
1 142.251.208.142 56 116 15ms759us
2 142.251.208.142 56 116 15ms735us
3 142.251.208.142 56 116 15ms802us
4 142.251.208.142 56 116 15ms675us
5 142.251.208.142 56 116 15ms678us
sent=6 received=6 packet-loss=0% min-rtt=15ms675us avg-rtt=15ms765us max-rtt=15ms942us

[admin@xxxxxxx] > ping cloud2.mikrotik.com
SEQ HOST SIZE TTL TIME STATUS
0 159.148.172.251 56 49 55ms310us
1 159.148.172.251 56 49 55ms292us
2 159.148.172.251 56 49 55ms327us
3 159.148.172.251 56 49 55ms171us
4 159.148.172.251 56 49 55ms168us
sent=5 received=5 packet-loss=0% min-rtt=55ms168us avg-rtt=55ms253us max-rtt=55ms327us

[admin@xxxxxx] > ping xxxxxxxxx.sn.mynetname.net
invalid value for argument address:
invalid value of mac-address, mac address required
invalid value for argument ipv6-address
while resolving ip-address: could not get answer from dns server

This are my dns settings

dns print
servers: 8.8.8.8,8.8.4.4
dynamic-servers:
use-doh-server:
verify-doh-cert: no
doh-max-server-connections: 5
doh-max-concurrent-queries: 50
doh-timeout: 5s
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
address-list-extra-time: 0s
cache-used: 107KiB

gabacho4 · December 27, 2023, 11:51pm

I got burned by the magic of MT’s DDNS outages a couple times. Now I run a script on my router that updates a DNS record in Cloudflare and I’ve had 0 issues since. I love MT just not their DDNS service.

gabacho4 · December 28, 2023, 12:53am

It’s paid but stupid cheap to register a domain for x years and then ddns away. Worth it to me. And you can create subdomains if you have multiple sites you employ this with… Each with their own dynamically updated DNS record. I’m using it with two sites.

dadoCA · December 28, 2023, 7:39pm

I got it working with free DDNS service called duckdns.org. There are also automaticly generated scripts for IP updates for all kind of operating systems and devices, including Mikrotik.

It is definitly an Mikrotik DDNS issue. Will stop using it.

dadoCA · December 28, 2023, 7:50pm

~~[quote=wfburton post_id=1044928 time=1703792430 user_id=215408]~~
Thanks for the info!
[/quote]

Thank you, for helping me.