Thanks, Sindy
My Fortigate is using IKEv2, so I can’t find a peer ID or any option for this.
# jan/ 3/2025 22:48:28 by RouterOS 7.8
# software id = HE5N-242Y
#
22:48:58 ipsec sending dpd packet
22:48:58 ipsec <- ike2 request, exchange: INFORMATIONAL:177 office-ip-address[500] 3e30b8b834fad5b9:d4b0d55999bab819
22:48:58 ipsec,debug ===== sending 128 bytes from {my-ip-address}[500] to office-ip-address[500]
22:48:58 ipsec,debug 1 times of 128 bytes message will be sent to office-ip-address[500]
22:48:58 ipsec,debug ===== received 80 bytes from office-ip-address[500] to my-ip-address[500]
22:48:58 ipsec -> ike2 reply, exchange: INFORMATIONAL:177 office-ip-address[500] 3e30b8b834fad5b9:d4b0d55999bab819
22:48:58 ipsec payload seen: ENC (52 bytes)
22:48:58 ipsec processing payload: ENC
22:48:58 ipsec,debug => iv (size 0x10)
22:48:58 ipsec,debug 1ef1fc87 9d7087f2 e31a9132 f02d5754
22:48:58 ipsec,debug decrypted packet
22:48:58 ipsec respond: info
22:48:58 ipsec,debug reply ignored
22:49:24 ipsec adding payload: DELETE
22:49:24 ipsec,debug => (size 0xc)
22:49:24 ipsec,debug 0000000c 03040001 08c98147
22:49:24 ipsec <- ike2 request, exchange: INFORMATIONAL:178 office-ip-address[500] 3e30b8b834fad5b9:d4b0d55999bab819
22:49:24 ipsec,debug ===== sending 304 bytes from my-ip-address[500] to office-ip-address[500]
22:49:24 ipsec,debug 1 times of 304 bytes message will be sent to office-ip-address[500]
22:49:24 ipsec IPsec-SA killing: office-ip-address[500]->my-ip-address[500] spi=0x8c98147
22:49:24 ipsec IPsec-SA killing: my-ip-address[500]->office-ip-address[500] spi=0x5943a6e9
22:49:24 ipsec policy update killed some SAs
22:49:24 ipsec,debug ===== received 80 bytes from office-ip-address[500] to my-ip-address[500]
22:49:24 ipsec -> ike2 reply, exchange: INFORMATIONAL:178 office-ip-address[500] 3e30b8b834fad5b9:d4b0d55999bab819
22:49:24 ipsec payload seen: ENC (52 bytes)
22:49:24 ipsec processing payload: ENC
22:49:24 ipsec,debug => iv (size 0x10)
22:49:24 ipsec,debug 775e7b0d 9607e100 1961eff2 f2a17b63
22:49:24 ipsec,debug decrypted packet
22:49:24 ipsec payload seen: DELETE (12 bytes)
22:49:24 ipsec respond: info
22:49:24 ipsec processing payloads: NOTIFY (none found)
22:49:24 ipsec got reply
22:49:24 ipsec,debug ===== received 400 bytes from office-ip-address[500] to my-ip-address[500]
22:49:24 ipsec -> ike2 request, exchange: CREATE_CHILD_SA:1 office-ip-address[500] 3e30b8b834fad5b9:d4b0d55999bab819
22:49:24 ipsec payload seen: ENC (372 bytes)
22:49:24 ipsec processing payload: ENC
22:49:24 ipsec,debug => iv (size 0x10)
22:49:24 ipsec,debug 29cdf5cd bd49a396 fecc3b4d 9b778d29
22:49:24 ipsec,debug decrypted packet
22:49:24 ipsec payload seen: SA (52 bytes)
22:49:24 ipsec payload seen: NONCE (20 bytes)
22:49:24 ipsec payload seen: KE (200 bytes)
22:49:24 ipsec payload seen: TS_I (24 bytes)
22:49:24 ipsec payload seen: TS_R (24 bytes)
22:49:24 ipsec create child: respond
22:49:24 ipsec processing payloads: NOTIFY (none found)
22:49:24 ipsec processing payloads: NOTIFY (none found)
22:49:24 ipsec peer wants tunnel mode
22:49:24 ipsec processing payload: CONFIG (not found)
22:49:24 ipsec processing payload: SA
22:49:24 ipsec IKE Protocol: ESP
22:49:24 ipsec proposal #1
22:49:24 ipsec enc: aes256-cbc
22:49:24 ipsec auth: sha256
22:49:24 ipsec dh: modp1536
22:49:24 ipsec processing payload: TS_I
22:49:24 ipsec 192.168.0.0/24
22:49:24 ipsec processing payload: TS_R
22:49:24 ipsec 172.16.0.0/23
22:49:24 ipsec candidate selectors: 172.16.0.0/23 <=> 192.168.0.0/24
22:49:24 ipsec searching for policy for selector: 172.16.0.0/23 <=> 192.168.0.0/24
22:49:24 ipsec policy not found
22:49:24 ipsec,error no policy found/generated
22:49:24 ipsec adding notify: TS_UNACCEPTABLE
22:49:24 ipsec,debug => (size 0x8)
22:49:24 ipsec,debug 00000008 00000026
22:49:24 ipsec <- ike2 reply, exchange: CREATE_CHILD_SA:1 office-ip-address[500] 3e30b8b834fad5b9:d4b0d55999bab819
22:49:24 ipsec,debug ===== sending 288 bytes from my-ip-address[500] to office-ip-address[500]
22:49:24 ipsec,debug 1 times of 288 bytes message will be sent to office-ip-address[500]
22:49:27 ipsec policy installed for connected peer, creating child SA
22:49:27 ipsec init child for policy: 172.16.0.0/23 <=> 192.168.0.0/24
22:49:27 ipsec init child continue
22:49:27 ipsec offering proto: 3
22:49:27 ipsec proposal #1
22:49:27 ipsec enc: aes256-cbc
22:49:27 ipsec auth: sha256
22:49:27 ipsec dh: modp1536
22:49:27 ipsec adding payload: NONCE
22:49:27 ipsec,debug => (size 0x1c)
22:49:27 ipsec,debug 0000001c 61f8f59f 3e5caf56 989d50e4 2e9f1129 b029b992 86f67260
22:49:27 ipsec adding payload: KE
22:49:27 ipsec,debug => (size 0xc8)
22:49:27 ipsec,debug 000000c8 00050000 2518d0bb 7bc993fe 4e9dcb24 91fdbd57 2624d62e 517d132e
22:49:27 ipsec,debug e3cd9d90 de0b9d45 85da8588 5e1c6607 8651772f 751ebc98 2a741cc4 bae11e67
22:49:27 ipsec,debug 30f6ba25 17ec9384 c9a2f21a 2b605c89 2a2a7726 68b322da c734a66c 5caad0c3
22:49:27 ipsec,debug 9c49e142 c4630848 b81ea1b1 af358499 017a3476 93d49bba 4d356894 fc012975
22:49:27 ipsec,debug e1d6c8b0 1ef1ee81 0a65fb90 e49503a0 615c9fd5 ec84b936 3d7c6fb0 d4c746ea
22:49:27 ipsec,debug c19ef0c6 ed639181 1c1fcdda 2335882a 5c457992 966714a8 28797ea2 03f5ac42
22:49:27 ipsec,debug 37fa916d 5b55073b
22:49:27 ipsec adding payload: SA
22:49:27 ipsec,debug => (size 0x34)
22:49:27 ipsec,debug 00000034 00000030 01030404 03de6708 0300000c 0100000c 800e0100 03000008
22:49:27 ipsec,debug 0300000c 03000008 04000005 00000008 05000000
22:49:27 ipsec initiator selector: 172.16.0.0/23
22:49:27 ipsec adding payload: TS_I
22:49:27 ipsec,debug => (size 0x18)
22:49:27 ipsec,debug 00000018 01000000 07000010 0000ffff ac100000 ac1001ff
22:49:27 ipsec responder selector: 192.168.0.0/24
22:49:27 ipsec adding payload: TS_R
22:49:27 ipsec,debug => (size 0x18)
22:49:27 ipsec,debug 00000018 01000000 07000010 0000ffff c0a80000 c0a800ff
22:49:27 ipsec <- ike2 request, exchange: CREATE_CHILD_SA:179 office-ip-address[500] 3e30b8b834fad5b9:d4b0d55999bab819
22:49:27 ipsec,debug ===== sending 512 bytes from my-ip-address[500] to office-ip-address[500]
22:49:27 ipsec,debug 1 times of 512 bytes message will be sent to office-ip-address[500]
22:49:27 ipsec,debug ===== received 400 bytes from office-ip-address[500] to my-ip-address[500]
22:49:27 ipsec -> ike2 reply, exchange: CREATE_CHILD_SA:179 office-ip-address[500] 3e30b8b834fad5b9:d4b0d55999bab819
22:49:27 ipsec payload seen: ENC (372 bytes)
22:49:27 ipsec processing payload: ENC
22:49:27 ipsec,debug => iv (size 0x10)
22:49:27 ipsec,debug addec523 497906a4 cc3a89b6 4fef79a3
22:49:27 ipsec,debug decrypted packet
22:49:27 ipsec payload seen: SA (52 bytes)
22:49:27 ipsec payload seen: NONCE (20 bytes)
22:49:27 ipsec payload seen: KE (200 bytes)
22:49:27 ipsec payload seen: TS_I (24 bytes)
22:49:27 ipsec payload seen: TS_R (24 bytes)
22:49:27 ipsec create child: initiator finish
22:49:27 ipsec processing payloads: NOTIFY (none found)
22:49:27 ipsec peer selected tunnel mode
22:49:27 ipsec processing payload: SA
22:49:27 ipsec IKE Protocol: ESP
22:49:27 ipsec proposal #1
22:49:27 ipsec enc: aes256-cbc
22:49:27 ipsec auth: sha256
22:49:27 ipsec dh: modp1536
22:49:27 ipsec matched proposal:
22:49:27 ipsec proposal #1
22:49:27 ipsec enc: aes256-cbc
22:49:27 ipsec auth: sha256
22:49:27 ipsec dh: modp1536
22:49:27 ipsec processing payload: TS_I
22:49:27 ipsec 172.16.0.0/23
22:49:27 ipsec processing payload: TS_R
22:49:27 ipsec 192.168.0.0/24
22:49:27 ipsec my vs peer's selectors:
22:49:27 ipsec 172.16.0.0/23 vs 172.16.0.0/23
22:49:27 ipsec 192.168.0.0/24 vs 192.168.0.0/24
22:49:27 ipsec processing payload: NONCE
22:49:27 ipsec processing payload: KE
22:49:27 ipsec,debug => shared secret (size 0xc0)
22:49:27 ipsec,debug de5318fb aaaa81da bee003da 8c07f861 4f7d49d7 3b3150ba 1956b3dc c6106ea2
22:49:27 ipsec,debug 3118ce87 67bf9185 ea81d7c1 0b98601e cd7eccb7 7f19863f 27521cbb b22dd00b
22:49:27 ipsec,debug 18fe9eae 49433688 f5edbe8e b0e6e470 270f248b c02d1bc3 6303ef7c 92ba9760
22:49:27 ipsec,debug 3f101f12 1dcd664b 777e1029 6266252d feb19db5 dab6b5e9 3892112f 0baeb1b1
22:49:27 ipsec,debug fda1a23d f5a8642a b492d27d c605916f b5fe8b46 ef582d1e dc4e7be7 3469d6b9
22:49:27 ipsec,debug 4747d6be 56f90c0f b78716f7 4403cc30 a3ede056 9bf4a1d0 e4019f5d 7808e6f8
22:49:27 ipsec,debug => child keymat (size 0x80)
22:49:27 ipsec,debug f1ae1bbd 6bc3fb66 6d453440 5174b650 f6d296db d0b2438d cc3c75a2 dea09b8e
22:49:27 ipsec,debug 91346136 a712ad45 62c3bddc 7a55fe4e 7cbd8510 2841a6b2 8d095f7a 67de1b37
22:49:27 ipsec,debug a2001072 433efde0 4a78203d ccae6bae 6141c8af 7a33a3fa d0e3c3d3 ebd29d36
22:49:27 ipsec,debug 0b245599 c084f514 92a2a5ac bcea1582 ae845108 fcedb37f b884fac8 3cafee71
22:49:27 ipsec IPsec-SA established: office-ip-address[500]->my-ip-address[500] spi=0x3de6708
22:49:27 ipsec IPsec-SA established: my-ip-address[500]->office-ip-address[500] spi=0x5943a6eb
22:49:53 ipsec sending dpd packet
22:49:53 ipsec <- ike2 request, exchange: INFORMATIONAL:130 customer-ip-address[500] ae0256aafe52a6fa:298a76acceaa2b48
22:49:53 ipsec,debug ===== sending 160 bytes from my-ip-address[500] to customer-ip-address[500]
22:49:53 ipsec,debug 1 times of 160 bytes message will be sent to customer-ip-address[500]
22:49:53 ipsec,debug ===== received 80 bytes from customer-ip-address[500] to my-ip-address[500]
22:49:53 ipsec -> ike2 reply, exchange: INFORMATIONAL:130 customer-ip-address[500] ae0256aafe52a6fa:298a76acceaa2b48
22:49:53 ipsec payload seen: ENC (52 bytes)
22:49:53 ipsec processing payload: ENC
22:49:53 ipsec,debug => iv (size 0x10)
22:49:53 ipsec,debug 58ac0054 a8fc50a4 f84ca0f4 489cf044
22:49:53 ipsec,debug decrypted packet
22:49:53 ipsec respond: info
22:49:53 ipsec,debug reply ignored
And I attached the log here. Thanks!
On the Mikrotik side, an IPsec connection may be mistakenly reported as up for a second whilst it actually did not succeed, so when you say “keeps dropping”, what exactly does it mean? Drops every few seconds, or every 25 minutes? Does it recover on its own, or do you have to disable and re-enable it?
Besides answering those questions, the best would be to do the following steps on the Mikrotik:
disable the peer representing the Fortigate
open a command line window (using the Terminal button in Winbox or WebFIG)
unless you’ve done that already, run /system logging add topics=ipsec,!packet
run log print follow-only file=ipsec-start where topics~"ipsec"
enable the peer representing the Fortigate, wait until the connection establishes and fails
return to the command line window where the log print … command is running and press Ctrl-C to stop it
download the file ipsec-start.txt and find out what is going on; if it is above your head, use a text editor to substitute every occurrence of each individual public or global IP address with a unique pattern (like mik.ro.tik.ip for the WAN address of the Mikrotik and for.ti.gate.ip for the Fortigate one), copy the whole contents of the modified file and paste it here between [code] and [/code] tags (that can be added using the </> button above the form field).
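The two chores this thread turns on are the ones in the last step (replacing every public IP in the captured log with a stable pattern before posting it) and reading the resulting ipsec log for the child-SA outcome (the "searching for policy for selector … policy not found … TS_UNACCEPTABLE" sequence in the log above, followed by "policy installed … IPsec-SA established"). The script below is an added example written for this page, not code from the thread or from MikroTik: it redacts non-RFC1918 addresses using the label names Sindy suggests, then extracts the policy/SA events from RouterOS `ipsec` log lines and states the conclusion. The sample log is constructed in the same line format as the log in the thread, with documentation-range addresses and made-up SPIs standing in for the real ones.

```python
"""Redact public IPs in a RouterOS ipsec log and summarise IKEv2 child-SA events."""
import ipaddress
import re

# RouterOS log line: "HH:MM:SS ipsec[,subtopic] message"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) ipsec(?:,(\w+))? (.*)$")
SA_RE = re.compile(r"IPsec-SA (established|killing): (\S+)->(\S+) spi=(0x[0-9a-f]+)")
SEL_RE = re.compile(r"searching for policy for selector: (\S+) <=> (\S+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample (not the thread's log): same format, TEST-NET addresses, made-up SPIs.
SAMPLE_LOG = """\
22:49:24 ipsec -> ike2 request, exchange: CREATE_CHILD_SA:1 203.0.113.10[500] 0123456789abcdef:fedcba9876543210
22:49:24 ipsec IPsec-SA killing: 203.0.113.10[500]->198.51.100.20[500] spi=0x1a2b3c4
22:49:24 ipsec searching for policy for selector: 172.16.0.0/23 <=> 192.168.0.0/24
22:49:24 ipsec policy not found
22:49:24 ipsec,error no policy found/generated
22:49:24 ipsec adding notify: TS_UNACCEPTABLE
22:49:27 ipsec policy installed for connected peer, creating child SA
22:49:27 ipsec IPsec-SA established: 203.0.113.10[500]->198.51.100.20[500] spi=0x5d6e7f8
"""


def is_internal(ip_str):
    """True for RFC 1918 addresses; those may stay in a log that is shared publicly."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True
    return any(ip in net for net in RFC1918)


def redact(text, labels=None):
    """Replace every non-RFC1918 IPv4 address with a stable label.

    labels maps known addresses to names (e.g. the router's WAN address to
    'mik.ro.tik.ip'); any other address gets peerN.ip in order of first sight.
    Returns (redacted_text, mapping) so the mapping can be kept privately."""
    mapping = dict(labels or {})

    def sub(match):
        ip = match.group(0)
        if is_internal(ip):
            return ip
        if ip not in mapping:
            n = sum(v.startswith("peer") for v in mapping.values()) + 1
            mapping[ip] = f"peer{n}.ip"
        return mapping[ip]

    return IPV4_RE.sub(sub, text), mapping


def parse_events(text):
    """Extract the policy and SA events from ipsec log lines, in order."""
    events = []
    pending = None  # selector pair being looked up, until the verdict line follows
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, sub, msg = m.groups()
        sel = SEL_RE.search(msg)
        if sel:
            # RouterOS prints the policy's src-address first, then dst-address
            pending = {"src": sel.group(1), "dst": sel.group(2)}
            continue
        if msg == "policy not found" and pending:
            events.append({"time": ts, "kind": "policy_not_found", **pending})
            pending = None
            continue
        sa = SA_RE.search(msg)
        if sa:
            kind = "sa_established" if sa.group(1) == "established" else "sa_killed"
            events.append({"time": ts, "kind": kind, "from": sa.group(2),
                           "to": sa.group(3), "spi": sa.group(4)})
        elif "TS_UNACCEPTABLE" in msg:
            events.append({"time": ts, "kind": "ts_unacceptable"})
        elif msg.startswith("policy installed"):
            events.append({"time": ts, "kind": "policy_installed"})
        elif sub == "error":
            events.append({"time": ts, "kind": "error", "message": msg})
    return events


def diagnose(events):
    """One-line reading of the event list, as a reviewer of the log would give it."""
    kinds = [e["kind"] for e in events]
    missing = [e for e in events if e["kind"] == "policy_not_found"]
    if missing:
        sel = missing[-1]
        reason = (f"peer proposed selectors {sel['src']} <=> {sel['dst']} but no IPsec policy "
                  "matched, so the child SA was answered with TS_UNACCEPTABLE")
        if "policy_installed" in kinds and "sa_established" in kinds:
            return reason + "; a policy was installed afterwards and the SA came up"
        return reason + "; add a policy whose src/dst addresses match those selectors"
    if "sa_established" in kinds:
        return "child SA established; no selector mismatch seen"
    return "no child-SA outcome in this log"


if __name__ == "__main__":
    redacted, mapping = redact(SAMPLE_LOG, {"198.51.100.20": "mik.ro.tik.ip"})
    print(redacted)
    print(diagnose(parse_events(redacted)))
```

Run it against the downloaded ipsec-start.txt by reading the file into `redact` with the router's own WAN address pre-labelled; the returned mapping stays with you, and the redacted text is what goes between the [code] tags. The parser keys on the exact message strings RouterOS 7 prints in the log above, so other RouterOS versions may need the patterns adjusted.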