Mikrotik 750G to 750G IPsec, tunnels do not stay active

I have been trying to figure out why, even when there is no
traffic on the tunnel, when I go to generate traffic on it
(ping from the router or from inside equipment) I see the SA
bytes increase in only one direction, with no reply. I have to generate
traffic from the other side back to get the tunnel to come up.

Here is my ipsec config; I do have the NAT rule already defined
in the correct position before masquerade.

Thanks for any info, if you need more details or config post, I can
get them for you no problem.

Main Side (This is a 450g in office for testing this):

oct/08/2010 14:33:14 by RouterOS 4.5

software id = AZAI-47PY

/ip ipsec proposal
set default auth-algorithms=md5,sha1 comment="" disabled=no enc-algorithms=3des lifetime=1h name=default pfs-group=modp1024
add auth-algorithms=md5,sha1 comment="" disabled=no enc-algorithms=3des lifetime=30m name=proposal1 pfs-group=modp1024
/ip ipsec peer
add address=1.1.1.226/32:500 auth-method=pre-shared-key comment="" dh-group=modp1024 disabled=no dpd-interval=15s dpd-maximum-failures=100 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=1234 send-initial-contact=yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=192.168.88.0/24:any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=1.1.1.226 sa-src-address=1.1.1.22 src-address=192.168.58.0/24:any tunnel=yes

Remote (750g):

oct/08/2010 14:38:07 by RouterOS 4.10

software id = I4LX-PBE9

/ip ipsec proposal
set default auth-algorithms=sha1 comment="" disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=1.1.1.22/32:500 auth-method=pre-shared-key comment="" dh-group=modp1024 disabled=no dpd-interval=15s dpd-maximum-failures=100 enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=1234 send-initial-contact=yes
/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=192.168.58.0/24:any ipsec-protocols=esp level=require priority=1 proposal=default protocol=all sa-dst-address=1.1.1.22 sa-src-address=1.1.1.226 src-address=192.168.88.0/24:any tunnel=yes

Are you pinging from the router or from the device on the subnet that is in ipsec’s policy configuration?

I have tried from both the router, as well as from the device.

In both situations I can see 1/2 of the pipe with data activity, but
only on the local router, not the remote.

Once I login to the remote router and ping from it, then I get
activity.

Hi,

In firewall filter rules allow UDP on port 500 and protocol 50 (ipsec-esp).

Regards, Grzegorz.
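The rules Grzegorz describes, written out as an added RouterOS example (this is not from the thread or from the MikroTik wiki). It is written for the "Main Side" router (1.1.1.22) whose peer is 1.1.1.226, taken from the posted configs; swap the two addresses for the remote 750G. It assumes the input and forward chains each end in a drop rule carrying comment="drop input" and comment="drop forward" respectively, which is a placeholder you would replace with whatever your own drop rules are called.

```routeros
# Added example, not the thread's own config. IKE (UDP/500) and ESP (IP protocol
# 50) terminate on the router itself, so they must be accepted in the input
# chain before any catch-all drop. Restricting src-address to the peer keeps
# IKE from being reachable from the whole Internet.
/ip firewall filter
add chain=input protocol=udp dst-port=500 src-address=1.1.1.226 action=accept \
    comment="IKE from IPsec peer" place-before=[find comment="drop input"]
add chain=input protocol=ipsec-esp src-address=1.1.1.226 action=accept \
    comment="ESP (IP protocol 50) from IPsec peer" place-before=[find comment="drop input"]
# Only needed if nat-traversal=yes is ever turned on (both posted peers use
# nat-traversal=no): IKE and ESP are then carried inside UDP/4500.
add chain=input protocol=udp dst-port=4500 src-address=1.1.1.226 action=accept \
    comment="IKE/ESP NAT-T from IPsec peer" disabled=yes place-before=[find comment="drop input"]
# After decryption the tunnelled packets pass through the forward chain as
# plain 192.168.58.0/24 <-> 192.168.88.0/24 traffic, so that chain must
# permit them as well or replies are silently dropped.
add chain=forward src-address=192.168.58.0/24 dst-address=192.168.88.0/24 action=accept \
    comment="IPsec tunnel traffic out" place-before=[find comment="drop forward"]
add chain=forward src-address=192.168.88.0/24 dst-address=192.168.58.0/24 action=accept \
    comment="IPsec tunnel traffic in" place-before=[find comment="drop forward"]
# Log anything from the peer that still reaches the drop rule, so a blocked
# protocol shows up in /log rather than as a tunnel that "never comes up".
add chain=input src-address=1.1.1.226 action=log log-prefix="ipsec-peer-drop" \
    comment="log peer traffic about to be dropped" place-before=[find comment="drop input"]

# Verify from one side only (no ping from the other router): the IKE and ESP
# accept counters should rise on BOTH routers, and an SA should exist in each
# direction. Counters rising on one router only means the other is filtering.
/ip firewall filter print stats
/ip ipsec installed-sa print
```

The `place-before=[find comment=...]` form keeps the rules in the order written, immediately above the existing drop; if your drop rules have no comment, give them one first or use the rule index shown by `/ip firewall filter print` instead.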

Maybe it’s an SA issue. What happens if (when the tunnel is down) you flush the SA’s from both sides and then ping from only one to the other?

Thanks: ditonet
This was the issue that I was dealing with. So far so good. I’ll keep an eye on it.

I attempted that, but it would not rebuild with only one side
generating traffic to the other side.

Hello

I had exactly the same problem and I’ve been struggling the whole day to find the solution. Thanks Grzegorz

May I suggest to the Mikrotik team to add a word about that in the tutorial here :

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

It might help other people like me who can’t do much more than blindly follow tutorial instructions :smiley:

Francois