I’m having an issue between 2 sites both using Mikrotik Routers. The problem is that the IPSec tunnel will only initiate from one side. Once the tunnel is up, traffic will flow in both directions but if the tunnel is down and I try to initiate the tunnel from the other side, it will not come up.
Configuration:
Site A (Can Initiate)
Local Range: 192.168.0.0/16 (I know this isn’t proper and is planned on being changed)
Policy: Action-encrypt, Level-require, Protocols-esp
Peer: Exchange mode-main, send initial contact-checked, proposal check-obey
Site B (Can’t Initiate)
Local Range: 172.16.1.0/16
Policy: Action-encrypt, Level-require, Protocols-esp
Peer: Exchange mode-main, send initial contact-checked, proposal check-obey
Both sides are configured with sha, aes-128, mod1024, lifetime 08:00:00, DPD-20, Max Failures-2.
From what I’ve been able to find, the issue may be due to the size of the networks and that as Site A is smaller it is more trusted and therefore allowed to initiate. If this is the case, is there a way to set the tunnel to ignore this and build anyway?
Thanks All for your input.
Hi, I have the same problem. I followed this procedure: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
I have 2x RB750G. RouterOS v 5.4
My config is the following:
NODE A
/ip ipsec peer print detail
0 address=AAA.AAA.AAA.AAA/32 port=500 auth-method=pre-shared-key secret="IPSEC"
generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
my-id-user-fqdn="" proposal-check=obey hash-algorithm=md5 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
/ip ipsec policy print detail
0 src-address=10.0.0.0/24 src-port=any dst-address=192.168.10.0/24 dst-port=any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=BBB.BBB.BBB.BBB
sa-dst-address=AAA.AAA.AAA.AAA proposal=default priority=0
/ip firewall nat print detail
0 ;;; IPSec noNAT
chain=srcnat action=accept src-address=10.0.0.0/24 dst-address=192.168.10.0/24
1 ;;; Masquarade
chain=srcnat action=masquerade src-address=10.0.0.0/24
NODE B
/ip ipsec peer print detail
0 address=BBB.BBB.BBB.BBB/32 port=500 auth-method=pre-shared-key secret="IPSEC"
generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no
my-id-user-fqdn="" proposal-check=obey hash-algorithm=md5 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=5
/ip ipsec policy print detail
0 src-address=192.168.10.0/24 src-port=any dst-address=10.0.0.0/24 dst-port=any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=AAA.AAA.AAA.AAA
sa-dst-address=BBB.BBB.BBB.BBB proposal=default priority=0
/ip firewall nat print
0 ;;; dont masquarade IPSec traffic
chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=10.0.0.0/24
1 ;;; masquarade
chain=srcnat action=masquerade src-address=192.168.10.0/24
FIREWALL
/ip firewall filter print chain=input
0 ;;; allow input ping
chain=input action=accept protocol=icmp
1 ;;; accept established connections
chain=input action=accept connection-state=established in-interface=pppoe-out1
2 ;;; allow related connections
chain=input action=accept connection-state=related in-interface=pppoe-out1
4 ;;; IPsec
chain=input action=accept protocol=ipsec-esp
5 chain=input action=accept protocol=ipsec-ah
6 ;;; drop
chain=input action=drop in-interface=pppoe-out1
Additional info:
The tunnel was established approx. 60 minutes after flushing all SAs.
Why is only one node the initiator? Node B is passive, and there is no activity in its debug log: no faults, no rejects… empty.
Any idea?
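A configuration check, added here as an example and not part of the thread or of MikroTik's software: it parses the kind of `print detail` output posted above, verifies that the two routers are mirror images of each other (each side's peer address against the other side's sa-src-address, swapped policy selectors, identical phase-1 proposal), and walks the input chain to see whether a remote peer's first IKE packet (UDP/500, plus UDP/4500 when nat-traversal=yes) would be accepted before the drop rule. The sample input is constructed and abridged from the NODE A / NODE B dumps; the thread shows a single input chain without saying which router it belongs to, so the example assumes it is on both. AAA.AAA.AAA.AAA and BBB.BBB.BBB.BBB are the thread's own placeholders for the public addresses.

```python
"""Mirror-consistency audit for a RouterOS site-to-site IPsec pair (added example, not
from the thread or MikroTik). Parses `print detail` style output and reports asymmetries
that stop one side from acting as initiator or responder."""
import re

ITEM_RE = re.compile(r"^(\d+)(?:\s+(.*))?$")   # "0 key=value ..." or "0 ;;; comment"
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value, value may be quoted
PHASE1_KEYS = ("exchange-mode", "hash-algorithm", "enc-algorithm", "dh-group", "lifetime", "nat-traversal")


def parse_print_detail(text):
    """One dict per item: an item starts at its index, wrapped lines continue it."""
    items, current = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if m:
            current = {"index": int(m.group(1))}
            items.append(current)
            line = m.group(2) or ""
        if current is None or not line:
            continue
        if line.startswith(";;;"):
            current["comment"] = line[3:].strip()   # ";;; text" is the item's comment
            continue
        for key, value in KV_RE.findall(line):
            current[key] = value.strip('"')
    return items


def ike_input_findings(filter_rules, nat_traversal=False):
    """Walk the input chain up to its first drop and report IKE ports it never accepts.

    A router that accepts ESP but not UDP/500 (and UDP/4500 with NAT-T) can still
    initiate, because replies to its own IKE match connection-state=established, but
    it drops the peer's first IKE packet and so never acts as responder. Only
    protocol/port matches are modelled, not interfaces or address lists."""
    needed = {"500"} | ({"4500"} if nat_traversal else set())
    udp_ports = set()
    for rule in filter_rules:
        if rule.get("chain") != "input":
            continue
        if rule.get("action") == "drop":
            break                        # everything not accepted above is dropped
        if rule.get("action") == "accept" and rule.get("protocol") == "udp":
            udp_ports.update(rule.get("dst-port", "").split(","))
    else:
        return []                        # no drop rule: RouterOS default is accept
    return [f"no input accept for udp/{p} (IKE) before the drop rule" for p in sorted(needed - udp_ports)]


def audit_pair(node_a, node_b):
    """Findings for two nodes (dicts with name/peer/policy/filter text); [] means they mirror."""
    p = {n["name"]: {k: parse_print_detail(n[k]) for k in ("peer", "policy", "filter")} for n in (node_a, node_b)}
    a, b = p[node_a["name"]], p[node_b["name"]]
    findings = []
    for me, other, name in ((a, b, node_a["name"]), (b, a, node_b["name"])):
        # Each side must peer with the address the other side sends from (sa-src-address).
        peer_addr = me["peer"][0]["address"].split("/")[0]
        if peer_addr != me["policy"][0]["sa-dst-address"] or peer_addr != other["policy"][0]["sa-src-address"]:
            findings.append(f"{name}: peer address {peer_addr} does not match the policy SA addresses")
        nat_t = me["peer"][0].get("nat-traversal") == "yes"
        findings.extend(f"{name}: {f}" for f in ike_input_findings(me["filter"], nat_t))
    pa, pb = a["policy"][0], b["policy"][0]
    if (pa["src-address"], pa["dst-address"]) != (pb["dst-address"], pb["src-address"]):
        findings.append("policy selectors are not mirror images of each other")
    for key in PHASE1_KEYS:   # phase-1 proposal must agree on both peers
        if a["peer"][0].get(key) != b["peer"][0].get(key):
            findings.append(f"peer {key} differs: {a['peer'][0].get(key)} vs {b['peer'][0].get(key)}")
    return findings


# Constructed sample input, abridged from the thread's dumps. The thread shows one input
# chain without saying which node it belongs to; it is assumed here to be on both.
INPUT_FILTER = """
1 chain=input action=accept connection-state=established in-interface=pppoe-out1
4 ;;; IPsec
chain=input action=accept protocol=ipsec-esp
6 chain=input action=drop in-interface=pppoe-out1
"""
NODE_A = {"name": "NODE A", "filter": INPUT_FILTER, "peer": """
0 address=AAA.AAA.AAA.AAA/32 port=500 auth-method=pre-shared-key exchange-mode=main
nat-traversal=no hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
""", "policy": """
0 src-address=10.0.0.0/24 dst-address=192.168.10.0/24 action=encrypt level=require
tunnel=yes sa-src-address=BBB.BBB.BBB.BBB sa-dst-address=AAA.AAA.AAA.AAA
"""}
NODE_B = {"name": "NODE B", "filter": INPUT_FILTER, "peer": """
0 address=BBB.BBB.BBB.BBB/32 port=500 auth-method=pre-shared-key exchange-mode=main
nat-traversal=no hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
""", "policy": """
0 src-address=192.168.10.0/24 dst-address=10.0.0.0/24 action=encrypt level=require
tunnel=yes sa-src-address=AAA.AAA.AAA.AAA sa-dst-address=BBB.BBB.BBB.BBB
"""}

if __name__ == "__main__":
    for finding in audit_pair(NODE_A, NODE_B) or ["no asymmetry found"]:
        print(finding)
```

On the dumps as posted, the peers, selectors and proposals mirror correctly and the only finding is that the input chain accepts ESP and AH but has no accept for UDP/500 before its drop rule, which is the pattern where a router can initiate (its own IKE replies are matched by the established rule) but cannot answer the remote side. Whether that is what happens in the thread cannot be read from the posts, since they do not say which router the chain is on.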
I have the same issue; it will only re-establish one way. Has anyone been able to solve it?
Thanks,