IpSec with cisco problem!

Hello.
I have a BIG problem for my organization. We have over 30 routerboards 411U and 750. We are using them on ATM.
All of them are connected via GRE with IPsec to a Cisco router. A few times a day the IPsec tunnel goes down: no packets are transmitted in the SA.
The only thing that helps is "\ip ipsec installed sa flush", but it's not good.
MikroTik to MikroTik works perfectly.
What can I do to solve this?


/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=10m name=default pfs-group=modp1024

/ip ipsec peer
add address=x.x.x.x/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=10s dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=10m my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=somepass send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=x.x.x.x/32 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=ip-encap sa-dst-address=x.x.x.x sa-src-address=y.y.y.y src-address=y.y.y.y/32 src-port=any tunnel=no

This is fixed in 6.0beta3

Thanks, but the latest version on the MikroTik site is 6.0beta2.
Where can I download beta3 for testing?

Cisco lan-to-lan IPSEC tunnel

I saw it, but there is no solution.

I use huntah's script (modified):

# Host to probe through the tunnel, and the interface the probe must leave on
:local IPWatchServer 10.0.1.2
:local OutInterface bridge-lan
# /ping returns the number of replies received; fewer than 3 of 4 means the tunnel is dead
:if ([/ping interface=$OutInterface $IPWatchServer count=4]<3) do={
  # Tear down every installed SA so IKE renegotiates the tunnel from scratch
  /ip ipsec installed-sa flush sa-type=all
  :log info "IPSEC tunnel with XO is down: Flushing Installed SA !!!"
} else={
  :log info "IPSEC tunnel with XO is OK !"
}

I used it too, excluding the "tunnel is OK" message in the log. I added a 30s delay and write the logs to a syslog server.
But really, it's not a solution. Almost always when the tunnel is down the state is critical. The script flushes the SA 10-15 times a day.

I have the same routerboards in branches. The situation there is better. On ATM there is less traffic. Maybe this is the problem?

I use IPsec encryption over an IP-IP tunnel from an RB1200 to a 7301. Too many problems with tunnel mode.

Volart

But really, it's not a solution

Completely agree with you, but … this is MikroTik :)
I tried to do this via Netwatch, but noticed that I can't do this because it isn't possible to specify the outgoing interface.
I made a feature request for this:

Hello,

Netwatch does not have an interface option, but you can add a static route to send the ping over
a different interface.

Perhaps you can change the IPsec lifetime timeouts and set them to low values, or even
use DPD on both ends (DPD allows you to remove unused SAs when there is no
connection between the two hosts).
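The static-route plus Netwatch approach described in this reply, written out as an added configuration example (it is not from the thread or from MikroTik). It reuses the 10.0.1.2 probe host and the bridge-lan interface from huntah's script earlier in the thread; the Netwatch interval and timeout, the comments and the log texts are assumed values.

```routeros
# Added example: pin the Netwatch probe to the wanted interface with a host route,
# then let Netwatch flush the installed SAs when the probe host stops answering.
# Probe host and interface are taken from the script earlier in the thread;
# interval, timeout, comments and log texts are assumed values.

# Host route so the probe to 10.0.1.2 always leaves via bridge-lan (the tunnel side),
# regardless of what the main routing table would otherwise choose.
/ip route
add dst-address=10.0.1.2/32 gateway=bridge-lan comment="netwatch probe path for IPsec watchdog"

# Netwatch runs down-script once on the up-to-down transition and up-script on
# recovery, so the flush happens once per outage rather than on every scheduler run.
/tool netwatch
add host=10.0.1.2 interval=30s timeout=1s comment="IPsec tunnel watchdog" \
    down-script=":log warning \"IPsec probe to 10.0.1.2 failed: flushing installed SAs\"; /ip ipsec installed-sa flush sa-type=all" \
    up-script=":log info \"IPsec probe to 10.0.1.2 answers again\""

# Keep DPD and a short lifetime on the peer so IKE itself also tears down stale SAs
# (the peer entry posted in the thread already uses these values; x.x.x.x is the
# placeholder address from the thread).
/ip ipsec peer
set [ find address="x.x.x.x/32" ] dpd-interval=10s dpd-maximum-failures=1 lifetime=10m
```

Check with `/tool netwatch print` and `/log print` after a forced outage that the down-script fired exactly once and that the SAs were re-established when the probe came back.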

Can someone from MikroTik support answer in this topic? I saw you watched it :)
I like MikroTik, but it's a very big problem.