IPSec VPN Stops Working - Ready To Send

Hi Everyone,

I’m a Mikrotik newb and inherited this configuration so please bear that in mind when tearing me a new one. :slight_smile:

Not sure if anyone has ever come across this, but I have a Site to Site IPSec VPN issue that recently started causing me headaches. This must have started after a recent update, but prior to that the VPN was rock solid and I never had to touch it. I’m talking years of trouble free performance.

What happens is that the VPN stops working, and when I check the status of the VPN it says "ready to send". I can try and restart it, but nothing works. The only way to get the VPN to come back up is to reboot the router. Then it’s stable for a few days and then it happens again.

I deleted the whole setup at both ends and recreated it, but still no joy.

Here is the script for the remote site:


/ip ipsec profile
add dh-group=modp1024 name=HeadOffice nat-traversal=no
/ip ipsec peer
add address=xx.xx.xx.xx/32 comment=HeadOffice local-address=xx.xx.xx.xx name=HeadOffice profile=HeadOffice
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
/ip ipsec identity
add peer=peer2 secret=MyPassword
add comment=HeadOffice peer=HeadOffice secret=MyPassword
/ip ipsec policy
add comment=HeadOffice dst-address=10.0.0.0/24 sa-dst-address=xx.xx.xx.xx sa-src-address=xx.xx.xx.xx src-address=10.0.2.0/24 tunnel=yes

Here is the script for the Head Office site which is essentially the reverse of the previous one:


/ip ipsec profile
add dh-group=modp1024 name=RemoteSite nat-traversal=no
/ip ipsec peer
add address=xx.xx.xx.xx/32 comment=RemoteSite local-address=xx.xx.xx.xx name=RemoteSite profile=RemoteSite
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
/ip ipsec identity
add peer=RemoteSite secret=MyPassword
/ip ipsec policy
add comment=RemoteSite dst-address=10.0.2.0/24 sa-dst-address=xx.xx.xx.xx sa-src-address=xx.xx.xx.xx src-address=10.0.0.0/24 tunnel=yes

Any ideas where to look?

Thanks

Duke

Same here. Just upgraded RouterOS to the new 6.44 firmware and got the same “ready to send” status for one of my L2TP/IPSec connections. This connection is based on an Ubuntu Strongswan+xl2tpd service. All other routers that run on the old 6.43.12 firmware connect to this L2TP server without problems. I think this is a bug in the new firmware.
After I downgraded to 6.43.12, all works fine as always.

For the L2TP server problem I found that simply disabling and re-enabling it resolved the problem.

/interface l2tp-server server set enabled=no
/interface l2tp-server server set enabled=yes

Create a Netwatch entry and ping the other side’s gateway IP, or any other loopback IP which never changes.
If you get a timeout (HOST DOWN section), run what Sarel0092 suggested. This should refresh the IPsec VPN.
The main problem is that if your MikroTik isn’t a very expensive one, it will take around 10-20 seconds to create the new IPsec VPN connection before the ping works. Keep that in mind and adjust the Netwatch interval.
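A concrete Netwatch entry that implements the health check described above, written as an added example and not taken from any post in this thread. It assumes the far-side gateway is reachable at 10.0.0.1 through the tunnel (a placeholder address; use your own), and its down-script runs the disable/re-enable commands from Sarel0092’s post. The interval is deliberately longer than the 10-20 seconds the tunnel may need to come back, so one missed probe does not trigger a second restart while the first is still in progress.

```routeros
# Added example (not from the thread): watch the far-side gateway and bounce the
# L2TP server when it stops answering, so a wedged IPsec SA is refreshed without
# rebooting the whole router. 10.0.0.1 is an assumed placeholder address.
/tool netwatch
add host=10.0.0.1 interval=1m timeout=2s comment="IPsec tunnel health check" \
    up-script="/log info \"netwatch: IPsec peer 10.0.0.1 reachable again\"" \
    down-script="/log warning \"netwatch: IPsec peer 10.0.0.1 down, restarting L2TP server\"; /interface l2tp-server server set enabled=no; :delay 5s; /interface l2tp-server server set enabled=yes"
```

Both transitions write to the log, so `/log print where message~"netwatch"` shows how often the tunnel actually wedges, which is useful evidence when deciding whether to downgrade or open a support case. If the site uses only a pure site-to-site peer and no L2TP server, replace the two `/interface l2tp-server` commands in the down-script with whatever restart step works for that setup; the Netwatch structure stays the same.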

Thanks Audrey. I’ve just downgraded mine and will see if that stabilises the connection. Thank you for the suggestion.

Duke

Just an update for anyone else experiencing this issue.

Since downgrading the RouterOS to 6.42.12 the Site to Site VPN has been stable.

Thank you to Audrey for the suggestion. There must be a bug in the IPSec setup for the 6.44 RouterOS.

Same here. For more than 2 years.
RouterOS 6.48.4 and earlier.
CCR1009-8G-1S-1S+

We have seen this today on one of our CCR2004 L2TP + IPSEC setups. There’s no workaround for this other than restarting the whole device, which is very annoying. We don’t know what conditions are needed to reproduce the issue, but another installation with the same configuration has been working fine for months without the issue.

We are on RouterOS v7.11.2.