IPSec tunnel between RouterOS and Amazon AWS VPC

Hi, we’ve been trying to establish an IPsec tunnel between our institution (with Mikrotik hardware) and Amazon AWS’s IPsec implementation with no success. The problem is a little weird, so I will try to describe it.

Amazon AWS provides us with generic configuration documentation so we can configure the router on our side. The IPsec tunnel gets established correctly and works for some minutes, but it suddenly gets disconnected (the installed SAs disappear). It reconnects after a new negotiation, but this behaviour makes the tunnel unusable (4 minutes perfect, 20 seconds stuck).

We’re using this configuration on our side (the private part of the configuration, IPs and secret key removed):

/ip ipsec peer add address=xx.xx.xx.xx/32 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-128 lifetime=8m local-address=xx.xx.xx.xx nat-traversal=no secret=xxxxxx

/ip ipsec policy add dst-address=xx.xx.xx.xx/16 sa-dst-address=xx.xx.xx.xx sa-src-address=xx.xx.xx.xx src-address=xx.xx.xx.xx/32 tunnel=yes

Everything gets negotiated perfectly, but after these few minutes the installed keys disappear.

Does anyone have any experience connecting Mikrotik HW with AWS VPN and can provide us any suggestion about the problem?
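
As an added diagnostic example (not part of the original post or of RouterOS), the script below pairs SA install/remove events by SPI, measures how long each SA actually lived against the configured lifetime=8m and the DPD window (dpd-interval=10s × dpd-maximum-failures=3), and reports the renegotiation gaps. The log lines and their format are constructed and simplified; adapt the regex to the real ipsec-topic log output on your router.

```python
"""Measure observed IPsec SA lifetimes and renegotiation gaps from a log."""
import re
from datetime import datetime, timedelta

LIFETIME = timedelta(minutes=8)          # lifetime=8m from the peer config
DPD_WINDOW = timedelta(seconds=10 * 3)   # dpd-interval=10s * dpd-maximum-failures=3

# Constructed sample log (simplified format, not real RouterOS output):
# first SA lives ~4 min and is torn down early; a 20 s gap follows;
# second SA lives ~7:50, i.e. a normal rekey close to the 8 m lifetime.
SAMPLE_LOG = """\
13:00:00 ipsec,info installed-sa spi=0x0a1b2c3d
13:04:05 ipsec,info removed-sa spi=0x0a1b2c3d
13:04:25 ipsec,info installed-sa spi=0x1e2f3a4b
13:12:15 ipsec,info removed-sa spi=0x1e2f3a4b
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) ipsec,info (installed|removed)-sa spi=(0x[0-9a-f]+)$")

def parse_events(log):
    """Yield (time, kind, spi) for each matching line; times must not cross midnight."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2), m.group(3)

def sa_lifetimes(log):
    """Pair install/remove events per SPI; return [(spi, observed duration)]."""
    installed, durations = {}, []
    for ts, kind, spi in parse_events(log):
        if kind == "installed":
            installed[spi] = ts
        elif kind == "removed" and spi in installed:
            durations.append((spi, ts - installed.pop(spi)))
    return durations

def premature(log, lifetime=LIFETIME, slack=timedelta(seconds=30)):
    """SPIs removed more than `slack` before the lifetime: not a normal rekey."""
    return [spi for spi, d in sa_lifetimes(log) if d < lifetime - slack]

def renegotiation_gaps(log):
    """Durations between an SA removal and the next SA install (the 'stuck' time)."""
    gaps, last_removed = [], None
    for ts, kind, _ in parse_events(log):
        if kind == "removed":
            last_removed = ts
        elif kind == "installed" and last_removed is not None:
            gaps.append(ts - last_removed)
            last_removed = None
    return gaps

def within_dpd_window(gap, window=DPD_WINDOW):
    """True if a gap is short enough to fit inside one DPD detection window."""
    return gap <= window
```

Run it against a real log to see whether the early teardowns all happen at a similar age and whether the gaps line up with the DPD settings rather than with the lifetime.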

Enable logging on IPsec and look at the logs generated when it disconnects; also try a packet capture to know what exactly is happening.

Does AWS not generate logs about it??

We activated all kinds of IPsec logging, and there was no evidence of error. The only thing we can see is that the installed SAs, which have enough lifetime remaining, suddenly disappear and the negotiation starts again.

We don’t have access to the AWS tunnel log; this is a self-administered service with no configuration/log access for the client. The official AWS technical support gave us a few pieces of advice for our end (with no result), but they can’t provide us more information because this is a global configuration and they don’t have authorization to log in and test our tunnel.

Now we are going to establish the tunnel with the AWS officially supported hardware, but it’s a real shame that Mikrotik/RouterOS is not supported.