Hi all,
We have a number of clients who over the past couple of years have experienced hourly/daily/weekly stale IPsec tunnels to their ERP provider, Pronto Cloud.
We've tried both hardware-accelerated and non-accelerated models, along with both version 6 and version 7, yet the customers still experience stale sessions which need to be disabled / cleared / enabled again to get data flowing again.
We have raised the issue dozens of times with Pronto Cloud and to date we've been unable to find a solution, aside from setting up a NetWatch script that runs every second and, if it sees a drop in successful ICMP, disables/clears/enables the tunnels, usually before the end users notice the impact.
We cannot keep this as the norm and need a solution.
We've gone as far as Pronto Cloud sending us their Cisco ASA configuration to compare.
What are we doing wrong? The clients are all over Australia and spread across various ISPs, with the only common ground being MikroTik onsite + Pronto Cloud.
MikroTik config (pre-shared key removed from the identity line before posting):
# Phase 1 (IKE) profiles. Only ProntoCloud_Phase1 is referenced by the peer below;
# the "ikev2" profile is defined but not used by the ProntoCloud peer.
# ProntoCloud_Phase1: DPD probe every 30s, peer declared dead after 3 misses, NAT-T disabled.
/ip ipsec profile
add dh-group=modp1536 dpd-interval=30s dpd-maximum-failures=3 enc-algorithm=aes-256 lifetime=8h name=ProntoCloud_Phase1 nat-traversal=no
add dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name=ikev2 prf-algorithm=sha256 proposal-check=claim
# Peer: exchange-mode is not set, so the RouterOS default (IKEv1 main mode) applies.
/ip ipsec peer
add address=203.214.X.X/32 name=ProntoCloud profile=ProntoCloud_Phase1
# Phase 2 proposals: AES-256-CBC, 1h lifetime, PFS with modp1536 (one proposal per policy).
/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=1h name=ProntoCloud_Phase2 pfs-group=modp1536
add enc-algorithms=aes-256-cbc lifetime=1h name="ProntoCloud_#2_Phase2" pfs-group=modp1536
# Identity: default auth-method (pre-shared-key); policies are generated port-strict.
/ip ipsec identity
add generate-policy=port-strict peer=ProntoCloud
# Policies: level=unique gives each policy its own SA pair towards the same 100.65.58.192/27 subnet.
/ip ipsec policy
add comment="IPSEC Connection for Internal Bridge-LAN Connections" dst-address=100.65.58.192/27 level=unique peer=ProntoCloud proposal=ProntoCloud_Phase2 src-address=192.168.0.0/23 tunnel=yes
add comment="IPSEC Connection for L2TP VPN Connections" dst-address=100.65.58.192/27 level=unique peer=ProntoCloud proposal="ProntoCloud_#2_Phase2" src-address=192.168.99.0/24 tunnel=yes
What are we doing wrong?
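The workaround described in the post (a one-second probe that bounces the tunnel when ICMP stops getting through) as an added RouterOS script example. This is not the poster's script or anything from Pronto Cloud; it is written from the description above and adds one guard the post does not mention: the peer is only restarted after several consecutive misses, so a single lost ping does not tear down a healthy tunnel. Everything site-specific is an assumption to adjust: 100.65.58.193 as a pingable host inside the 100.65.58.192/27 policy subnet, 192.168.0.1 as an address the router holds inside the policy's 192.168.0.0/23 source range (the probe must be sourced from inside the policy or it never enters the tunnel), and the peer name ProntoCloud from the config above.

```routeros
# Added example, not from the original post. Paste as the body of
# /system script add name=ipsec-watchdog policy=read,write,test
# and run it every second with
# /system scheduler add name=ipsec-watchdog interval=1s on-event=ipsec-watchdog policy=read,write,test
#
# Assumptions (hypothetical, adjust per site):
#   probe   - a host behind the tunnel inside 100.65.58.192/27
#   src     - a router address inside the policy src-address 192.168.0.0/23
#   peer    - the /ip ipsec peer name used in the posted config
:local probe "100.65.58.193"
:local src "192.168.0.1"
:local peerName "ProntoCloud"
:local maxMiss 3

# Consecutive-miss counter survives between scheduler runs as a global.
:global ipsecMiss
:if ([:typeof $ipsecMiss] = "nothing") do={ :set ipsecMiss 0 }

# /ping returns the number of replies received. Sourcing it from $src makes
# the packet match the IPsec policy instead of leaving via the WAN address.
:local got [/ping $probe src-address=$src count=2]
:if ($got > 0) do={
    :set ipsecMiss 0
} else={
    :set ipsecMiss ($ipsecMiss + 1)
    :log warning "ipsec-watchdog: probe to $probe failed ($ipsecMiss/$maxMiss)"
}

# Only bounce the tunnel once the miss threshold is reached, then reset the counter.
:if ($ipsecMiss >= $maxMiss) do={
    :log error "ipsec-watchdog: restarting IPsec peer $peerName"
    /ip ipsec peer disable [find name=$peerName]
    # Drop the stale IKE SA and its child SAs. "active-peers" is the name in
    # RouterOS 6.45+ and v7; older v6 releases called this menu "remote-peers".
    /ip ipsec active-peers kill-connections
    /ip ipsec installed-sa flush
    :delay 2s
    /ip ipsec peer enable [find name=$peerName]
    :set ipsecMiss 0
}
```

With maxMiss=3 and a 1s schedule the tunnel is rebuilt roughly three seconds after traffic stops, which is close to the "before the end users notice" behaviour the post describes, while the counter keeps an isolated dropped ping from causing a needless restart. Watch /log for the warning and error entries to see how often the bounce actually fires; the timestamps are also useful evidence when raising the case with the far side.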