Hi Everyone,
I’ve been testing Mikrotik RB1100AH and QNO8034 Router for a while now. I have been able to connect 1-2 tunnels but it seems that my 10 tunnels cannot connect well.
Problems Encountered:
Unstable Connection. I can only connect a maximum of 3-4 tunnels.
Every time I restart my router another set of Branch Routers can connect. (Ex. Routers 1, 2 and 3 can connect. After I restart, 4, 5 & 6 can connect)
I have tested my QNO Router with other brands like Linksys and Juniper and it works well. I need Mikrotik for this instance since I want to activate other router functions for my branches.
Here is my scenario:
This is a sample but I want to connect 10 VPN Tunnels connecting to one site.
Main Router: Mikrotik RB-1100AH
Client Routers: QNO-8034
QNO Config:
Mikrotik Config:
IPSec Config:
IP Firewall NAT Config:
I need assistance in configuring a stable VPN connection. My Internet is ok, the other configuration is just masquerade for the internet. This seems to be a simple config but I wonder why it's so unstable. Has anyone had any VPN connections that are successful, even using other brands and Mikrotik on more than 5-10 Tunnels, wherein nothing changes when you restart?
I need your assistance Mikrotik geniuses ^_^. Thanks
100+ tunnels should be no problem on that box. I have experience with QNO, but here is what I would play around with in your situation.
You have different phase 2 timeouts (3600 seconds is not 30 minutes)
Don’t set ‘Send initial Contact’ (I only set it in the ‘client’ end)
Don’t set ‘NAT Traversal’ (unless you really need it, and it is not on in the QNO configuration)
If none of this helps, then try turning off PFS (in both ends), I have previously seen that mess up things in mixed environments.
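A RouterOS-style illustration of the settings psamsig lists (phase 2 lifetime matching the QNO side, initial contact left to the client, NAT-T off, PFS off), added here as an example; it is not taken from the original poster's configuration or from MikroTik documentation. The addresses, subnets and pre-shared key are placeholders, and the parameter names assume the RouterOS v6 layout where the peer carries the phase 1 options and the proposal carries the phase 2 options, so check them against your own version with /ip ipsec peer print before use.

```routeros
# Assumed addressing (placeholders, not from the thread):
#   MikroTik WAN 203.0.113.1, LAN 192.168.0.0/24
#   Branch 1 WAN 198.51.100.1, LAN 192.168.1.0/24
# One peer and one policy are shown; repeat both per branch.

# Phase 2 proposal: lifetime must equal the QNO side (1h = 3600 s); PFS off on both ends
/ip ipsec proposal add name=branch-prop auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=1h pfs-group=none

# Phase 1 peer for branch 1: initial contact left to the client, NAT-T off
/ip ipsec peer add address=198.51.100.1/32 secret="REPLACE-WITH-PSK" exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d send-initial-contact=no nat-traversal=no

# Phase 2 policy selecting branch 1's LAN behind the tunnel
/ip ipsec policy add src-address=192.168.0.0/24 dst-address=192.168.1.0/24 sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 tunnel=yes action=encrypt proposal=branch-prop

# The internet masquerade must not rewrite tunnel traffic, or the policy never matches:
# the accept rule for branch subnets has to sit above the masquerade rule
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.1.0/24 action=accept
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Verification after each branch is added (and again after a reboot):
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

If remote-peers shows a branch in phase 1 but installed-sa has no SA pair for it, compare the proposal line against the QNO phase 2 page field by field (algorithms, lifetime, PFS) before touching anything else; a peer that appears only after a reboot is the pattern the thread describes and usually points at a lifetime or PFS mismatch rather than at the tunnel count.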
I have played around with some of the options you have suggested. Thanks for replying. The NAT Traversal I’ve tried removing and enabling, as well as the PFS, but I haven’t tried the “Send Initial Contact”. I’ll try it again next time my network is available. I want to replace my existing device with Mikrotik but I’m testing it first. I’ll update you with the results. Thanks
psamsig,
You’re right, the phase 2 should be 1 hour, changed that already. Set the “Send Initial Contact” on the client side only and disabled all my NAT traversals and PFS. Still I could only connect to 3 or 4 tunnels. My other 6 tunnels will go up after each restart. I don’t understand why it's like this since I followed the instructions by the book. I hope someone out there can help. Thanks