IPSEC Tunnel issues until reboot.

Good Day,

We seem to be having a problem with some ipsec tunnels on several devices in the field.
They all terminate their IPSEC tunnel to a Cyberoam device.

The setup is pretty straight forward, lan connection with sine static wan ip.
IPSEC in tunnel mode.

We configure the VPN and it comes up, no problems. Then after a couple of days we will get an alert saying the VPN is down. Trying to establish it from either side doesn’t work.
Log on router “Phase 1 negotiation failed due to time up”
And checking phase 1, it is not established.

At this point you can pretty much do whatever you want, and it won’t re-establish. However as soon as you do a reboot on the Router, it comes up all by itself, right away.

Once it is up, you can kill it and it will re-establish. It will work perfectly again for a couple of days and then the same thing occurs.

I have completely removed all filter rules, except for blocking incoming UDP 53 on the wan connection, with no joy.
The problem is not with the IPIP tunnel, which has no encryption; it is with the IPsec peer Y.Y.Y.Y/32.

Interested to see if it is just us having this problem, or other people also.

# oct/03/2017 08:12:16 by RouterOS 6.40.3
# software id = UW5U-CAV7
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = someserial
# Interface layout: a loopback bridge and the LAN bridge, renamed Ethernet
# ports, the PPPoE WAN client, the two radios, and an IPIP tunnel.
/interface bridge
add fast-forward=no name=LoopBack
add fast-forward=no name=lan-bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan
set [ find default-name=ether3 ] name=ether3-wifi-uplink
# Unused ports (ether4, ether5, sfp1) are administratively disabled.
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
# WAN uplink; installs the default route and accepts the ISP's DNS servers.
# NOTE(review): the redaction placeholders look swapped (password=PPPOE-USER,
# user=PPPOE-PASS). A plain /export prints these credentials in cleartext;
# `/export hide-sensitive` should omit them when sharing a config.
add add-default-route=yes default-route-distance=1 disabled=no interface=ether1-wan keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=\
    1600 name=pppoe-out1 password=PPPOE-USER use-peer-dns=yes user=PPPOE-PASS
/interface wireless
# Both radios carry the SSID "MikroTik". No disabled=no is exported, so they
# are presumably still disabled - confirm before relying on that.
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface ipip
# Plain IPIP tunnel X.X.X.X -> W.W.W.W with keepalive unset (!keepalive).
# Nothing in this export encrypts it (the only IPsec policy covers
# 192.168.11.0/24 <-> 192.168.35.0/24), so traffic on it crosses the WAN in clear.
add allow-fast-path=no !keepalive local-address=X.X.X.X name=NMKY-OORA remote-address=W.W.W.W
# Wireless security profile, hotspot profile and the IPsec phase 2 proposal.
/interface wireless security-profiles
# Only the supplicant identity is set on the default profile; no authentication
# types or keys are exported. NOTE(review): if a radio is ever enabled with
# this profile it would presumably be an open network - confirm.
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
# Phase 2 (ESP) proposal: AES-128-CBC only, SA lifetime 1h.
# auth-algorithms and pfs-group are not exported, so they are presumably at
# their RouterOS defaults - confirm that both match the Cyberoam phase 2
# settings exactly, including PFS.
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1h
# LAN addressing: DHCP pool and server on lan-bridge, interface addresses,
# OSPF router-id, MikroTik cloud DDNS and static DHCP leases.
/ip pool
add name=lan-pool ranges=192.168.11.10-192.168.11.254
/ip dhcp-server
add address-pool=lan-pool authoritative=after-2sec-delay disabled=no interface=lan-bridge name=server1
/routing ospf instance
# Router-id equals the LoopBack bridge address assigned below.
set [ find default=yes ] router-id=10.0.0.2
/interface bridge port
add bridge=lan-bridge interface=ether2-lan
/ip address
add address=192.168.11.1/24 interface=lan-bridge network=192.168.11.0
add address=192.168.13.2/24 interface=ether3-wifi-uplink network=192.168.13.0
# /30 on the unencrypted IPIP tunnel.
add address=10.10.10.2/30 interface=NMKY-OORA network=10.10.10.0
add address=10.0.0.2 interface=LoopBack network=10.0.0.2
/ip cloud
# Registers the router with MikroTik's cloud DDNS service.
set ddns-enabled=yes
/ip dhcp-server lease
# Static leases. The client MAC addresses are left unredacted in this export.
add address=192.168.11.226 mac-address=08:00:37:E4:5C:27 server=server1
add address=192.168.11.225 mac-address=08:00:37:F2:7D:68 server=server1
add address=192.168.11.214 mac-address=1C:7D:22:07:74:E2 server=server1
add address=192.168.11.192 client-id=1:0:23:18:fb:5c:5b mac-address=00:23:18:FB:5C:5B server=server1
add address=192.168.11.25 client-id=1:74:27:ea:52:88:b mac-address=74:27:EA:52:88:0B server=server1
/ip dhcp-server network
# Clients are handed the router itself (192.168.11.1) as DNS server and gateway.
add address=192.168.11.0/24 dns-server=192.168.11.1 domain=sh.local gateway=192.168.11.1 netmask=24
# DNS resolver, the single firewall filter rule, NAT rules and NAT helpers.
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries itself.
# The configured upstream 192.168.35.10 lies inside the remote subnet of the
# IPsec policy, so this resolver depends on the tunnel being up (the PPPoE
# client also accepts peer DNS, which may mask that - confirm).
set allow-remote-requests=yes servers=192.168.35.10
/ip firewall filter
# Only filter rule in the export: drops UDP/53 arriving on the WAN interface.
# NOTE(review): TCP/53 on the WAN is not covered, and with no other input or
# forward rules everything else is accepted. A WAN input policy that accepts
# established/related traffic plus IKE (UDP 500) and ESP from Y.Y.Y.Y, then
# drops the rest, would close the resolver and any listening service.
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=udp
/ip firewall nat
# Disabled RDP (TCP/3389) forward. NOTE(review): dst-address and to-addresses
# look inverted, possibly from redaction; enabling it would expose RDP.
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.35.10 dst-port=3389 protocol=tcp to-addresses=somewanip
# NAT bypass for tunnel traffic: must stay above the masquerade rule so that
# packets keep their 192.168.11.0/24 source and still match the IPsec policy.
add action=accept chain=srcnat dst-address=192.168.35.0/24 src-address=192.168.11.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1
/ip firewall service-port
# All listed NAT helpers (connection-tracking ALGs) are switched off.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# IPsec phase 1 peer, the tunnel-mode policy, and the route for the remote subnet.
/ip ipsec peer
# Phase 1 towards the Cyberoam at Y.Y.Y.Y: pre-shared key, AES-128, 1h lifetime.
# - dh-group=modp1024 is a 1024-bit group and is widely considered too weak for
#   new deployments; modp2048 or larger is preferable if the Cyberoam supports it.
# - hash-algorithm is not exported, so it is presumably the RouterOS default -
#   confirm it matches the far end.
# - dpd-interval=disable-dpd: this side never probes the peer. NOTE(review):
#   stale SAs may then linger after the far end drops them, which could relate
#   to the "Phase 1 negotiation failed due to time up" state - enabling DPD on
#   both ends is worth testing.
# - Phase 1 and phase 2 lifetimes are both 1h here; confirm the Cyberoam values.
# - secret= is printed in cleartext by a plain /export; keep it redacted.
add address=Y.Y.Y.Y/32 dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-128 lifetime=1h my-id=address:X.X.X.X \
    nat-traversal=no secret=somesecret
/ip ipsec policy
# Entry 0 is disabled; the added policy tunnels
# 192.168.11.0/24 <-> 192.168.35.0/24 between X.X.X.X and Y.Y.Y.Y.
set 0 disabled=yes
add dst-address=192.168.35.0/24 sa-dst-address=Y.Y.Y.Y sa-src-address=X.X.X.X src-address=192.168.11.0/24 tunnel=yes
/ip route
# Presumably makes router-originated traffic to 192.168.35.0/24 use 192.168.11.1
# as its source so that it matches the policy's src-address - confirm intent.
add distance=1 dst-address=192.168.35.0/24 gateway=lan-bridge pref-src=192.168.11.1
# Management services, OSPF interfaces and networks, and system settings.
/ip service
# telnet, ftp, www, ssh, api and api-ssl are disabled.
# NOTE(review): winbox is not listed, so it is presumably still enabled without
# an address restriction. Because the filter table has no general WAN input
# drop, it would then be reachable from the internet. Restrict it with
# address= or a firewall rule, and keep RouterOS current (the export header
# shows 6.40.3).
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing ospf interface
# No OSPF authentication settings are exported for this interface -
# presumably unauthenticated; confirm.
add cost=5 interface=ether3-wifi-uplink network-type=broadcast
/routing ospf network
# 10.10.10.0/30 is the subnet on the unencrypted IPIP tunnel, so OSPF
# presumably also runs across it.
add area=backbone network=192.168.11.0/24
add area=backbone network=192.168.13.0/24
add area=backbone network=10.10.10.0/30
/system clock
set time-zone-autodetect=no time-zone-name=Australia/Brisbane
/system identity
set name=NORTHMKY
/system leds
set 1 interface=wlan2
/system ntp client
# An accurate clock keeps log timestamps comparable with the Cyberoam's logs
# when correlating the tunnel drops.
set enabled=yes primary-ntp=130.95.13.1 secondary-ntp=129.250.35.250