L2TP/IPSec failover issue

I’m using NetWatch to change the connect-to IP on an l2tp-client using IPsec so that I can re-establish my VPN to HQ when the l2tp-server’s primary ISP fails. My problem is that there’s something on the IPsec side that needs to be reset, I believe, because the VPN never comes back up. I can reboot the MikroTik client and it comes up right away. I tried a /ip ipsec installed-sa flush, but that doesn’t seem to help. Any ideas? Thanks in advance.

Details:
Both ends are RB450s.
Server config just in case:
/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret= max-mru=1440 max-mtu=1440 mrru=1500 use-ipsec=yes
/ip ipsec peer
add enc-algorithm=aes-256 exchange-mode=main-l2tp generate-policy=port-override local-address=0.0.0.0 secret=

Client config:
/interface l2tp-client
add allow=mschap2 connect-to= disabled=no ipsec-secret= max-mru=1440 max-mtu=1440 mrru=1500 name=l2tp-out1 password=* use-ipsec=yes user=
/tool netwatch
add comment="Change VPN connect-to host to backup when primary is down." down-script=
"/interface l2tp-client disable 0
/interface l2tp-client set 0 connect-to=\"\"
/ip ipsec installed-sa flush
/interface l2tp-client enable 0"
host= up-script=
"/interface l2tp-client disable 0
/interface l2tp-client set 0 connect-to=\"\"
/ip ipsec installed-sa flush
/interface l2tp-client enable 0"
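A reworked version of the failover scripting above, added here as an illustration and not taken from the thread: it addresses the client by name instead of index 0, skips the toggle when the target address is unchanged, and tears down the phase-1 session before re-dialing. It assumes RouterOS v6 syntax (in particular `/ip ipsec remote-peers kill-connections`); `<primary-ip>` and `<backup-ip>` are placeholders.

```routeros
# Added example, not the OP's config. Placeholders: <primary-ip>, <backup-ip>.
# One named script does the switch; the netwatch up/down scripts only set the
# global target address and run it, so both paths share the same logic.
/system script
add name=vpn-failover source="\
:global vpnTarget;\r\n\
:local cur [/interface l2tp-client get [find name=l2tp-out1] connect-to];\r\n\
:if (\$cur != \$vpnTarget) do={\r\n\
  /interface l2tp-client disable [find name=l2tp-out1];\r\n\
  # drop the ISAKMP session to the old address so the dynamic peer\r\n\
  # does not linger until its lifetime expires (assumed v6 command)\r\n\
  /ip ipsec remote-peers kill-connections;\r\n\
  /ip ipsec installed-sa flush;\r\n\
  /interface l2tp-client set [find name=l2tp-out1] connect-to=\$vpnTarget;\r\n\
  /interface l2tp-client enable [find name=l2tp-out1];\r\n\
  :log info (\"l2tp-out1 now connecting to \" . \$vpnTarget);\r\n\
}\r\n"

# Probe the primary HQ address; on loss, point the client at the backup and
# move back when the primary is reachable again.
/tool netwatch
add host=<primary-ip> interval=30s timeout=2s \
    comment="Switch l2tp-out1 between primary and backup HQ address" \
    down-script=":global vpnTarget \"<backup-ip>\"; /system script run vpn-failover" \
    up-script=":global vpnTarget \"<primary-ip>\"; /system script run vpn-failover"
```

Because the script only acts when connect-to actually changes, repeated netwatch transitions do not bounce the tunnel needlessly; the log line gives a visible record of each switch.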

Hi, you can put a new line in the IP-changing script to restart your router after the IP changed. The problem is that IPsec creates a dynamic peer and this peer has a timeout; the session will expire after the time you configured.


Sent from iPhone using Tapatalk

I was hoping to avoid having to just reboot the router, but if that’s what’s recommended, I’ll just have to do it. Thank you!

Hi, to avoid a router restart you can use DynDNS to connect your VPN over a domain and not an IP, so when the IP changes the domain's IP will change and the VPN will still be connected.


Sent from iPhone using Tapatalk

And the VPN still connected **


Sent from iPhone using Tapatalk

Have you thought of keeping an active tunnel to both IPs and solving the path issue with routing? Maybe GRE w/IPSec?

Seems a lot more straightforward than relying on a tooling process and scripting.