ipsec unstable

Today I spent many hours on this problem.
My ipsec is very unstable.

I have a central MikroTik 192.168.40.1 (static IP)
and two sites, 192.168.1.0/24 (static IP) and 102.168.30.0/24 (dynamic IP).
192.168.30.0/24 works perfectly,
but 192.168.1.0 doesn't.
I get ipsec disconnects after it successfully establishes and gets SAs.

Mikrotik 1 6.73.3 stable

/ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 ;;; defconf
192.168.1.73/24 192.168.1.0 bridge
1 192.168.2.254/24 192.168.2.0 ether1

/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes

1 src-address=192.168.1.0/24 src-port=any dst-address=192.168.40.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.2.254
sa-dst-address=80.xxx.115.108 proposal=default priority=0

/ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=80.xxx.115.108/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="xxxxxx" generate-policy=no
policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1
enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d
dpd-interval=disable-dpd dpd-maximum-failures=1

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept dst-address=192.168.40.0/24 log=no

1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 192.168.2.73 1
1 ADC 192.168.1.0/24 192.168.1.73 bridge 0
2 ADC 192.168.2.0/24 192.168.2.254 ether1 0

/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; p2p
chain=forward action=drop p2p=all-p2p log=no

2 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

3 chain=input action=accept protocol=ipsec-esp log=no

4 chain=input action=accept protocol=udp dst-port=500,4500,1701
log=no

5 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related

6 ;;; defconf: accept established,related
chain=forward action=accept
connection-state=established,related

7 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1

8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related

9 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

10 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1

dec/20 01:20:34 ipsec,debug initiate new phase 1 negotiation: 192.168.2.254[500]<=>80.xxx.115.108[500]
dec/20 01:20:34 ipsec,debug begin Identity Protection mode.
dec/20 01:20:34 ipsec,debug sent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] efb5b13b3a9c152a:0000000000000000
dec/20 01:20:43 ipsec,debug new acquire 192.168.2.254[0]<=>80.xxx.115.108[0]
dec/20 01:20:43 ipsec,debug suitable outbound SP found: 192.168.1.0/24[0] 192.168.40.0/24[0] proto=any dir=out
dec/20 01:20:43 ipsec,debug suitable inbound SP found: 192.168.40.0/24[0] 192.168.1.0/24[0] proto=any dir=in
dec/20 01:20:43 ipsec,debug 80.xxx.115.108 request for establishing IPsec-SA was queued due to no phase1 found.
dec/20 01:20:44 ipsec,debug resent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] efb5b13b3a9c152a:0000000000000000
dec/20 01:20:44 ipsec,debug received Vendor ID: RFC 3947
dec/20 01:20:44 ipsec,debug received Vendor ID: CISCO-UNITY
dec/20 01:20:44 ipsec,debug received Vendor ID: DPD
dec/20 01:20:44 ipsec,debug 80.xxx.115.108 Selected NAT-T version: RFC 3947
dec/20 01:20:44 ipsec,debug 80.xxx.115.108 Hashing 80.xxx.115.108[500] with algo #2
dec/20 01:20:44 ipsec,debug 192.168.2.254 Hashing 192.168.2.254[500] with algo #2
dec/20 01:20:44 ipsec,debug Adding remote and local NAT-D payloads.
dec/20 01:20:44 ipsec,debug sent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:44 ipsec,debug 192.168.2.254 Hashing 192.168.2.254[500] with algo #2
dec/20 01:20:44 ipsec,debug NAT-D payload #0 doesn't match
dec/20 01:20:44 ipsec,debug 80.xxx.115.108 Hashing 80.xxx.115.108[500] with algo #2
dec/20 01:20:44 ipsec,debug NAT-D payload #1 doesn't match
dec/20 01:20:44 ipsec,debug NAT detected: ME PEER
dec/20 01:20:44 ipsec,debug KA list add: 192.168.2.254[4500]->80.xxx.115.108[4500]
dec/20 01:20:44 ipsec,debug sent phase1 packet 192.168.2.254[4500]<=>80.xxx.115.108[4500] efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:44 ipsec,debug ISAKMP-SA established 192.168.2.254[4500]-80.xxx.115.108[4500] spi:efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:45 ipsec,debug initiate new phase 2 negotiation: 192.168.2.254[4500]<=>80.xxx.115.108[4500]
dec/20 01:20:45 ipsec,debug pfkey GETSPI succeeded: ESP/Tunnel 80.xxx.115.108[4500]->192.168.2.254[4500] spi=208801044(0xc720d14)
dec/20 01:20:45 ipsec,debug NAT detected -> UDP encapsulation (ENC_MODE 1->3).
dec/20 01:20:45 ipsec,debug sent phase2 packet 192.168.2.254[4500]<=>80.xxx.115.108[4500] efb5b13b3a9c152a:5a32b3c476d9ac3d:fb383998
dec/20 01:20:45 ipsec,debug Adjusting my encmode UDP-Tunnel->Tunnel
dec/20 01:20:45 ipsec,debug Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
dec/20 01:20:45 ipsec IPsec-SA established: ESP/Tunnel 80.xxx.115.108[4500]->192.168.2.254[4500] spi=208801044(0xc720d14)
dec/20 01:20:45 ipsec IPsec-SA established: ESP/Tunnel 192.168.2.254[4500]->80.xxx.115.108[4500] spi=662371(0xa1b63)
dec/20 01:21:15 ipsec,debug 80.xxx.115.108 DPD: remote (ISAKMP-SA 192.168.2.254[4500]<=>80.xxx.115.108[4500] spi=efb5b13b3a9c152a:5a32b3c476d9ac3d) seems to be dead.
dec/20 01:21:15 ipsec,debug purging ISAKMP-SA 192.168.2.254[4500]<=>80.xxx.115.108[4500] spi=efb5b13b3a9c152a:5a32b3c476d9ac3d.
dec/20 01:21:15 ipsec purged IPsec-SA spi=662371.
dec/20 01:21:15 ipsec purged IPsec-SA spi=208801044.
dec/20 01:21:15 ipsec purged ISAKMP-SA 192.168.2.254[4500]<=>80.xxx.115.108[4500] spi=efb5b13b3a9c152a:5a32b3c476d9ac3d.
dec/20 01:21:15 ipsec,debug pfkey DELETE received: ESP 192.168.2.254[4500]->80.xxx.115.108[4500] spi=662371(0xa1b63)
dec/20 01:21:15 ipsec,debug pfkey DELETE received: ESP 80.xxx.115.108[4500]->192.168.2.254[4500] spi=208801044(0xc720d14)
dec/20 01:21:16 ipsec,debug ISAKMP-SA deleted 192.168.2.254[4500]-80.xxx.115.108[4500] spi:efb5b13b3a9c152a:5a32b3c476d9ac3d rekey:1
dec/20 01:21:16 ipsec,debug KA remove: 192.168.2.254[4500]->80.xxx.115.108[4500]
dec/20 01:21:17 ipsec,debug new acquire 192.168.2.254[0]<=>80.xxx.115.108[0]
dec/20 01:21:17 ipsec,debug suitable outbound SP found: 192.168.1.0/24[0] 192.168.40.0/24[0] proto=any dir=out
dec/20 01:21:17 ipsec,debug suitable inbound SP found: 192.168.40.0/24[0] 192.168.1.0/24[0] proto=any dir=in
dec/20 01:21:17 ipsec,debug IPsec-SA request for 80.xxx.115.108 queued due to no phase1 found.
dec/20 01:21:17 ipsec,debug initiate new phase 1 negotiation: 192.168.2.254[500]<=>80.xxx.115.108[500]
dec/20 01:21:17 ipsec,debug begin Identity Protection mode.
dec/20 01:21:17 ipsec,debug sent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] 46ec621b557aa2da:0000000000000000
dec/20 01:21:27 ipsec,debug resent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] 46ec621b557aa2da:0000000000000000
dec/20 01:21:37 ipsec,debug resent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] 46ec621b557aa2da:0000000000000000
dec/20 01:21:46 system,info,account user dima logged in from 192.168.1.75 via web
dec/20 01:21:46 system,info,account user dima logged in via local
dec/20 01:21:47 ipsec,debug resent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] 46ec621b557aa2da:0000000000000000
dec/20 01:21:48 ipsec,debug 80.xxx.115.108 phase2 negotiation failed due to time up waiting for phase1. ESP 80.xxx.115.108[0]->192.168.2.254[0]
dec/20 01:21:48 ipsec,debug delete phase 2 handler.
dec/20 01:21:50 ipsec,debug new acquire 192.168.2.254[0]<=>80.xxx.115.108[0]
dec/20 01:21:50 ipsec,debug suitable outbound SP found: 192.168.1.0/24[0] 192.168.40.0/24[0] proto=any dir=out
dec/20 01:21:50 ipsec,debug suitable inbound SP found: 192.168.40.0/24[0] 192.168.1.0/24[0] proto=any dir=in
dec/20 01:21:50 ipsec,debug 80.xxx.115.108 request for establishing IPsec-SA was queued due to no phase1 found.

Mikrotik 2 6.37.3 (stable)

/ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 ;;; defconf
192.168.40.1/24 192.168.40.0 bridge
1 192.168.41.254/24 192.168.41.0 ether1

/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes

1 D src-address=192.168.40.0/24 src-port=any dst-address=192.168.30.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.41.254
sa-dst-address=188.xxx.194.106 priority=2

2 D src-address=192.168.40.0/24 src-port=any dst-address=192.168.1.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.41.254
sa-dst-address=188.xxx.169.232 priority=2

/ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500
auth-method=pre-shared-key secret="grskrm126"
generate-policy=port-override policy-template-group=default
exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes
hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024
lifetime=1d dpd-interval=30s dpd-maximum-failures=1

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept dst-address=192.168.1.0/24 log=no
log-prefix=""

1 chain=srcnat action=accept dst-address=192.168.30.0/24 log=no
log-prefix=""

2 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1 log=no
log-prefix=""

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 192.168.41.1 1
1 ADC 192.168.40.0/24 192.168.40.1 bridge 0
2 ADC 192.168.41.0/24 192.168.41.254 ether1 0
3 X S 192.168.50.0/24 ether1 1


/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=output action=accept log=no log-prefix=""

2 ;;; allow forward for local adresses
chain=forward action=accept src-address-list=local_adresses log=no
log-prefix=""

3 chain=input action=accept log=no log-prefix=""

4 chain=forward action=accept log=no log-prefix=""

5 ;;; allow local adresses
chain=input action=accept src-address-list=local_adresses log=no
log-prefix=""

6 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""

7 chain=input action=accept protocol=udp dst-port=500 log=no log-prefix=""

8 chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix=">
9 chain=forward action=accept protocol=udp src-port=4500 log=no
log-prefix=""

10 chain=input action=accept protocol=udp src-port=1701 log=no log-prefix=">

11 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

12 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related log=no
log-prefix=""

13 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no
log-prefix=""

14 XI ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=no log-prefix=""

15 XI ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""

16 XI ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

17 XI ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""

dec/20 01:20:44 ipsec,debug received Vendor ID: RFC 3947
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
dec/20 01:20:44 ipsec,debug
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
dec/20 01:20:44 ipsec,debug received Vendor ID: CISCO-UNITY
dec/20 01:20:44 ipsec,debug received Vendor ID: DPD
dec/20 01:20:44 ipsec,debug 188.xxx.169.232 Selected NAT-T version: RFC 3947
dec/20 01:20:44 ipsec,debug sent phase1 packet 192.168.41.254[500]<=>188.162.169.232[500] efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:44 ipsec,debug 192.168.41.254 Hashing 192.168.41.254[500] with algo #2
dec/20 01:20:44 ipsec,debug NAT-D payload #0 doesn't match
dec/20 01:20:44 ipsec,debug 188.xxx.169.232 Hashing 188.xxx.169.232[500] with algo #2
dec/20 01:20:44 ipsec,debug NAT-D payload #1 doesn't match
dec/20 01:20:44 ipsec,debug NAT detected: ME PEER
dec/20 01:20:44 ipsec,debug 188.xxx.169.232 Hashing 188.xxx.169.232[500] with algo #2
dec/20 01:20:44 ipsec,debug 192.168.41.254 Hashing 192.168.41.254[500] with algo #2
dec/20 01:20:44 ipsec,debug Adding remote and local NAT-D payloads.
dec/20 01:20:44 ipsec,debug sent phase1 packet 192.168.41.254[500]<=>188.162.169.232[500] efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:44 ipsec,debug NAT-T: ports changed to: 188.xxx.169.232[4500]<=>192.168.41.254[4500]
dec/20 01:20:44 ipsec,debug KA found: 192.168.41.254[4500]->188.xxx.169.232[4500] (in_use=2)
dec/20 01:20:44 ipsec,debug ISAKMP-SA established 192.168.41.254[4500]-188.162.169.232[4500] spi:efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:45 ipsec,debug respond new phase 2 negotiation: 192.168.41.254[4500]<=>188.xxx.169.232[4500]
dec/20 01:20:45 ipsec,debug Update the generated policy : 192.168.1.0/24[0] 192.168.40.0/24[0] proto=any dir=in
dec/20 01:20:45 ipsec,debug Adjusting my encmode UDP-Tunnel->Tunnel
dec/20 01:20:45 ipsec,debug Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
dec/20 01:20:45 ipsec,debug pfkey GETSPI succeeded: ESP/Tunnel 188.162.169.232[4500]->192.168.41.254[4500] spi=662371(0xa1b63)
dec/20 01:20:45 ipsec,debug sent phase2 packet 192.168.41.254[4500]<=>188.162.169.232[4500] efb5b13b3a9c152a:5a32b3c476d9ac3d:fb383998
dec/20 01:21:15 ipsec,debug 188.xxx.169.232 DPD: remote (ISAKMP-SA 192.168.41.254[4500]<=>188.xxx.169.232[4500] spi=efb5b13b3a9c152a:5a32b3c476d9ac3d) seems to be dead.
dec/20 01:21:15 ipsec,debug purging ISAKMP-SA 192.168.41.254[4500]<=>188.162.169.232[4500] spi=efb5b13b3a9c152a:5a32b3c476d9ac3d.
dec/20 01:21:15 ipsec,debug keeping IPsec-SA spi=208801044 - found valid ISAKMP-SA spi=9377272138298b80:675887a9bd417e1e.
dec/20 01:21:15 ipsec,debug keeping IPsec-SA spi=662371 - found valid ISAKMP-SA spi=9377272138298b80:675887a9bd417e1e.
dec/20 01:21:16 ipsec,debug ISAKMP-SA deleted 192.168.41.254[4500]-188.162.169.232[4500] spi:efb5b13b3a9c152a:5a32b3c476d9ac3d rekey:1
dec/20 01:21:16 ipsec,debug KA remove: 192.168.41.254[4500]->188.xxx.169.232[4500]
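As an added triage aid (not from this thread or from MikroTik), a small Python script that reads RouterOS ipsec,debug lines like the ones quoted above and pulls out the facts worth checking first when a double-NAT tunnel comes up and then dies: NAT detected on both ends, whether UDP encapsulation was negotiated, phase 1 retransmits, and how many seconds after the ISAKMP-SA was established DPD declared the peer dead. The sample log is a constructed subset of the client-side lines above, with addresses masked as on the page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a condensed subset of the ipsec,debug lines quoted above.
SAMPLE_LOG = """\
dec/20 01:20:44 ipsec,debug resent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] efb5b13b3a9c152a:0000000000000000
dec/20 01:20:44 ipsec,debug NAT detected: ME PEER
dec/20 01:20:44 ipsec,debug ISAKMP-SA established 192.168.2.254[4500]-80.xxx.115.108[4500] spi:efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:45 ipsec,debug NAT detected -> UDP encapsulation (ENC_MODE 1->3).
dec/20 01:20:45 ipsec IPsec-SA established: ESP/Tunnel 192.168.2.254[4500]->80.xxx.115.108[4500] spi=662371(0xa1b63)
dec/20 01:21:15 ipsec,debug 80.xxx.115.108 DPD: remote (ISAKMP-SA 192.168.2.254[4500]<=>80.xxx.115.108[4500] spi=efb5b13b3a9c152a:5a32b3c476d9ac3d) seems to be dead.
dec/20 01:21:46 system,info,account user dima logged in via local
"""

LINE_RE = re.compile(r"^(\w{3}/\d{2} \d{2}:\d{2}:\d{2}) ipsec(?:,debug)? (.*)$")

def parse(log):
    """Yield (timestamp, message) for ipsec-topic lines; other topics are skipped."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if m:  # RouterOS prints no year; strptime defaults to 1900, fine for deltas
            yield datetime.strptime(m.group(1), "%b/%d %H:%M:%S"), m.group(2)

def triage(log, dpd_window=timedelta(seconds=60)):
    """Summarise one IKE session as seen from the initiating router."""
    f = {"nat_both_sides": False, "udp_encap": False,
         "phase1_retransmits": 0, "dpd_dead_after_s": None}
    established_at = None
    for ts, msg in parse(log):
        if msg.startswith("NAT detected: ME PEER"):
            f["nat_both_sides"] = True
        elif msg.startswith("NAT detected -> UDP encapsulation"):
            f["udp_encap"] = True
        elif msg.startswith("resent phase1 packet"):
            f["phase1_retransmits"] += 1
        elif msg.startswith("ISAKMP-SA established"):
            established_at = ts
        elif "seems to be dead" in msg and established_at is not None:
            delta = ts - established_at
            if delta <= dpd_window:
                f["dpd_dead_after_s"] = int(delta.total_seconds())
    return f

def hints(f):
    """Turn the findings into the checks a practitioner would run first."""
    out = []
    if f["nat_both_sides"] and not f["udp_encap"]:
        out.append("NAT on both ends but no UDP encapsulation: enable NAT-T on both peers")
    if f["dpd_dead_after_s"] is not None:
        out.append(f"DPD tore the tunnel down {f['dpd_dead_after_s']}s after phase 1: "
                   "check UDP/4500 is accepted in input on both routers and kept open by keepalives")
    if f["phase1_retransmits"] >= 3:
        out.append("phase 1 retransmits without reply: UDP/500 to the peer is filtered or unanswered")
    return out
```

Run it over a full `/log print` export with `ipsec,debug` logging enabled; the script only looks at the ipsec topic and ignores everything else.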

Today I set up my 3rd MikroTik, 192.168.20.0/24, on another site. It successfully works with the ipsec tunnel to 192.168.40.0/24; RDP also works great.
But on 192.168.1.0/24, ipsec breaks when I connect from any PC to the RDP server at 192.168.40.0/24 (but ping works normally, and web access to MikroTik 192.168.40.1 works as normal from 192.168.1.0/24).
I changed the MTU on MikroTik 1 ether1 (WAN) to 1400 and created a mangle rule for MSS 1360 bytes, but no result; ipsec breaks when I try to connect to the RDP server. I can't understand what to do.

Continuing the active discussion of my problem, I want to say that I won this battle, but only in one configuration.
I downloaded the recent MikroTik RC firmware and tried IKEv2. Server NAT-T enabled, client NAT-T disabled (both devices behind NAT modems), and it works.
Though the server side generates many peers in some situations.
Before, I thought that both sides MUST have NAT-T enabled to work together. Any thoughts?
Confirming: the same config with main mode doesn't work.

I would not even try to have the central server behind NAT… only for the clients.
But apparently with IKEv2 it is all better.

In IKEv2 both sides are behind static NAT only! (Other devices work with "dynamic NAT - static NAT" in main mode L2TP successfully.)

RouterOS set the NAT-T option to enabled automatically, without any action from me! Why? Without this option my ipsec/esp works normally. With this option it does not. It's a nightmare.
P.S. RouterOS 6.38rc52

In v6.38 NAT-T is enabled by default because many client devices require it; if NAT-T is not needed for some reason, it can be disabled.

lol wat???
facepalm.jpg

About the original problem, please generate supout files after the tunnel goes down and send them to support.

Where do I send the supout for support?

support@mikrotik.com ?

Can MikroTik distributors/certified trainers be trusted? E.g. one certified distributor is offering to help if I send a supout; he seems very helpful.

But another one who went to help me the other week, I noticed, had sent me a weird link to his own version of Winbox,
because as I extracted the Winbox version link he sent, I could see it had some strange alias folders with his name inside the Winbox contents package, and index files, resources and some IPs.
Seems strange to me; screenshot attached? Maybe it looks like login information for other users?

I read something somewhere about 30 days of free support with any new system?

Anyone see the above post???

@normis, I see your folder name in there also?

That is nothing strange, just how Wine works. It is only an alias to a non-existing folder.