peer sent packet for dead phase2

RouterOS General
1

I’ve made a site 2 site ipsec connection that actually does work, however the log gets filled of these messages, I mean 10 messages avery 4 seconds:

17:14:33 ipsec,error 1.2.3.4 failed to pre-process ph2 packet.
17:14:35 ipsec,error 1.2.3.4 peer sent packet for dead phase2
17:14:37 ipsec,error 1.2.3.4 peer sent packet for dead phase2
17:14:39 ipsec,error 1.2.3.4 peer sent packet for dead phase2
17:14:41 ipsec,error 1.2.3.4 peer sent packet for dead phase2
17:14:43 ipsec,error 1.2.3.4 peer sent packet for dead phase2
17:14:45 ipsec,error 1.2.3.4 peer sent packet for dead phase2
17:14:49 ipsec,error 1.2.3.4 peer sent packet for dead phase2

my configuration is the following:

/ip ipsec profile
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256,3des name=profile-msc nat-traversal=no
/ip ipsec peer
add address=1.2.3.4/32 name=msc profile=profile-msc
/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=1h name=proposal-msc pfs-group=none
/ip ipsec identity
add peer=msc secret=secret
/ip ipsec policy
add dst-address=10.0.0.0/24 peer=msc proposal=proposal-msc sa-dst-address=1.2.3.4 sa-src-address=0.0.0.0 src-address=192.168.1.0/24 tunnel=yes

routeros version is 6.45.6, the other end is a checkpoint

2

According to the wiki phase 2 should match the following settings:
Ipsec protocol
mode (tunnel or transport)
authentication method
PFS (DH) group
lifetime
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec

Make sure they match on both sides…

3

I’ve already checked my side, I’m waiting for double check the other side.
I’ve noticed I have 358 established connections in active peers, looks like the vpn is connecting multiple times.

4

I’m seeing similar behavior, multiple instances of same remote address under ipsec > remote peers. I get local log messages for “peer sent packet for dead phase2” from this host as well. Running 6.44.5 currently, considering updating to 6.45.6.

5

I’ve solved adding a rule to allow ip-sec (50) protocol input packets from the other end.
The tunnel was working even without this rule, but the other end maybe was dropping the tunnel after a while