Problem with falling IPSec VPN connection between MikroTik and Cisco

Hi,

I have already lost a few weeks searching for solutions, but I cannot find any. I hope that somebody can help me. Before, I used an old router to connect to the Cisco router. Everything worked perfectly until one day the old router decided not to work anymore and I had to replace it, and I chose MikroTik.

I am now able to establish an IPSec connection between MikroTik and Cisco and I can say that this IPSec connection in fact works. I can ping from the local network on the Cisco to the local network on the MikroTik and vice versa. The problem is that this IPSec connection suddenly goes down. And stays down. The IPSec does not establish the connection again. It only helps if I manually disable Policies and Peers on the MikroTik and then enable them again.

I would appreciate any help or suggestions on this, thanks.

Version on MikroTik: 6.32.2

Configuration on MikroTik
ip firewall filter add chain=input proto=ipsec-ah action=accept place-before=0
ip firewall filter add chain=input proto=ipsec-esp action=accept place-before=0
ip firewall filter add chain=input proto=udp port=500 action=accept place-before=0
ip firewall filter add chain=input proto=udp port=4500 action=accept place-before=0
ip firewall nat add chain=srcnat src-address=192.168.0.0/24 dst-address=10.111.10.0/24 action=accept place-before=0

ip ipsec proposal add name=IPSec auth-algorithms=sha1 enc-algorithms=3des lifetime=32800

ip ipsec policy add src-address=192.168.0.0/24 dst-address=10.11.10.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=PublicIP1 sa-dst-address=PublicIP2 proposal=IPSec

ip ipsec peer add address=PublicIP2 port=500 auth-method=pre-shared-key secret=********** exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256,3des dh-group=modp1024 generate-policy=no lifetime=32800 dpd-interval=120 dpd-maximum-failures=5

/system scheduler
add disabled=no interval=30s name="Ping remote" on-event=
"ping 10.11.10.1 src-address=192.168.0.1 count=1" policy=
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api
start-date=nov/25/2011 start-time=00:00:00

Configuration on Cisco

crypto isakmp policy 30
encr 3des
authentication pre-share
group 2

crypto isakmp key ********** address PublicIP1
crypto isakmp keepalive 60
crypto isakmp nat keepalive 20

crypto ipsec transform-set STRONG esp-3des esp-sha-hmac

crypto map CISCO 30 ipsec-isakmp
set peer PublicIP1
set transform-set STRONG
match address 110

Add to: interface FastEthernet0/0
crypto map CISCO

ip access-list extended IPSec
permit ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.0.255

I have a problem like that, but in my case it recovers after some time.
I think a requirement for that is that there is regular traffic from the Cisco side. I have a ping every 15 seconds from a computer behind the Cisco to a computer behind my MikroTik.
This both serves as a monitoring facility (the missing pings are logged) and also as a kind of “keep alive” in cases like you describe. After a couple of minutes, the connection comes back to life.

I think it is a bug in the MikroTik. I have long experience with Cisco VPN in the past, both between Cisco routers and between Cisco and Linux. About 10 years ago this bug occurred in both situations. At some point in time Cisco had solved it between their routers (of course! they get support calls about that) but it continued between Cisco and Linux.
However, some years ago this was also solved in Linux. I have had very stable IPsec connections between my OpenSuSE 13.1 system and a Cisco router. Then I bought a MikroTik and moved the endpoint of the IPsec connection from my Linux system to the MikroTik, and essentially the same problem is back! As if the MikroTik people have not yet included the fix for this bug in their codebase.

Interestingly enough, I also have IPsec tunnels from my MikroTik to other Linux systems (an OpenSuSE 13.x and a Debian Wheezy) and the VPN to THOSE systems is stable! So here it only occurs between MikroTik and Cisco.

Recently I have seen a problem on a VPN between another MikroTik and another Linux box which I am debugging now, and in that case I saw that the MikroTik is repeatedly sending “quick mode” ISAKMP interactions while the Linux box has lost its association and so cannot process those. The MikroTik does not fall back to “main mode” until its ISAKMP association times out, which can take up to a day. Then the link recovers.
Maybe this problem is the cause of the MikroTik ↔ Cisco problem as well? However, to trigger this problem a short internet interruption is required that makes the Linux side discard the association (because of dead peer detect) while the MikroTik has not yet given up when the connection is back (different parameters of dead peer detect?). However, I have seen the MikroTik-Cisco VPN fail without such an interruption.

Anyway, I think there is work for MikroTik to do. When you feel like it, maybe you can open a support case with them.
(for me, this MikroTik-Cisco VPN is not important enough)

Enable debugging on the Cisco side and logging on the MikroTik side to see if you can capture any messages that relate to the issue.

If you do see log entries, then post them here.

Unfortunately, in my experience enabling debugging on both ends causes only vague messages or incredible amounts of output, so much that the syslog daemon will start skipping lines because they are coming in too fast.

I have found debugging to be invaluable over the years of dealing with IPSEC, especially when doing it cross vendor. One of the things debugging is incredibly helpful for is letting you know if the issue is in phase 1 or phase 2, then you can compare settings and behavior on each side of the link.

IPSEC settings are not the same in many places.
Where is “PFS Group 2” in Mikrotik (phase 1)?

crypto isakmp policy 30
encr 3des
authentication pre-share
group 2

you set it on Cisco…
The default values for “Lifetime” are also different in Cisco and Mikrotik.
I’m not sure that the Cisco is compatible with MikroTik through “keepalive” messages.
Etc.
There is no problem for communication between Cisco and Mikrotik with ipsec protocol except misconfiguration.
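A way to check the two configurations posted earlier in this thread against each other for exactly the kind of mismatches this reply lists (phase 1 and phase 2 lifetimes, PFS, and the traffic selectors). This is an added example, not code from any participant; the embedded config excerpts are constructed from the snippets above, and the Cisco-to-RouterOS name mapping is an assumption of the example, not a vendor table.

```python
import re
from itertools import takewhile
# Constructed excerpts of the two configurations posted in this thread (secrets and filter rules omitted).
MIKROTIK = """\
ip firewall nat add chain=srcnat src-address=192.168.0.0/24 dst-address=10.111.10.0/24 action=accept
ip ipsec proposal add name=IPSec auth-algorithms=sha1 enc-algorithms=3des lifetime=32800
ip ipsec policy add src-address=192.168.0.0/24 dst-address=10.11.10.0/24 proposal=IPSec
ip ipsec peer add address=PublicIP2 enc-algorithm=aes-256,3des dh-group=modp1024 lifetime=32800
"""
CISCO = """\
crypto isakmp policy 30
 encr 3des
 group 2
crypto map CISCO 30 ipsec-isakmp
 match address 110
ip access-list extended IPSec
 permit ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}  # Cisco group -> RouterOS name (assumed)
DEF = "<default>"  # that side states no value, so its vendor default applies
def ros_kv(text, prefix):
    # key=value pairs of the first RouterOS command starting with `prefix`
    line = next((ln for ln in text.splitlines() if ln.startswith(prefix)), "")
    return dict(re.findall(r"(\S+?)=(\S+)", line))
def ios_block(text, prefix):
    # header tokens and {keyword: args} of the indented lines under the first block starting with
    # `prefix`; 'set X ...' lines are keyed by X so several 'set' lines can coexist
    lines = text.splitlines()
    for i, ln in enumerate(lines):
        if ln.startswith(prefix):
            body = [x.split() for x in takewhile(lambda x: x.startswith(" "), lines[i + 1:])]
            return ln.split(), {(w[1] if w[0] == "set" else w[0]): w[1:] for w in body}
    return [], {}
def diff(label, a, b, sides=("Cisco", "MikroTik")):
    return [] if a == b else ["%s: %s %s vs %s %s" % (label, sides[0], a, sides[1], b)]
def compare(ros=MIKROTIK, ios=CISCO):
    # returns the cross-vendor mismatches found in the two configurations
    peer, prop, pol, nat = (ros_kv(ros, p) for p in
                            ("ip ipsec peer", "ip ipsec proposal", "ip ipsec policy", "ip firewall nat"))
    (_, p1), (_, cmap), (acl, _) = (ios_block(ios, p) for p in
                                    ("crypto isakmp policy", "crypto map", "ip access-list"))
    found = diff("phase1 dh-group", DH.get(p1["group"][0]), peer.get("dh-group"))
    found += diff("phase1 lifetime", p1.get("lifetime", [DEF])[0], peer.get("lifetime", DEF))
    found += diff("phase2 lifetime", cmap.get("security-association", ["", "", DEF])[2], prop.get("lifetime", DEF))
    pfs = DH.get(cmap.get("pfs", ["group?"])[0][5:], DEF)  # 'set pfs group2' -> modp1024
    found += diff("phase2 pfs", pfs, prop.get("pfs-group", DEF)) or (
        ["phase2 pfs: neither side states it, check both vendor defaults"] if pfs == DEF else [])
    found += diff("crypto map ACL", cmap["match"][1], acl[3], ("referenced", "defined"))
    found += diff("dst-address", nat["dst-address"], pol["dst-address"], ("NAT bypass", "policy"))
    return found
```

Run against the posted snippets it reports the unequal lifetimes on both phases, the unstated PFS, the crypto map referencing ACL 110 while the defined ACL is named IPSec, and the 10.111.10.0/24 in the NAT bypass rule that does not match the policy's 10.11.10.0/24.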

Maybe when you have problems during establishment. Even then it is difficult to make any sense out of the racoon debug output.

However, in the case under discussion in this thread, the link will work just fine for some days and then it suddenly fails.
Of course you are not sitting there with the debug enabled at that time.
So it is difficult to see what really happened.

So I changed the configuration.
MikroTik:
ip ipsec proposal add name=IPSec auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024 lifetime=32800

and add to Cisco under: crypto isakmp policy 30:
lifetime 32800

I will see if it will be better now… TNX!

Yes, please report your findings! When it can be solved by setting lifetimes equal it is still a bug but it would be interesting to know a workaround. In my setup, PFS is already configured correctly but lifetimes are not the same. However, that should not be an issue I think.

I have the same problem… :(

Hello,

I need your help!

Now, I have the same problem (falling IPSEC VPN connection between MikroTik and CISCO). I have a MIKROTIK CCR1036-12G-4S on one side, and a CISCO ASA5515-X on the other side. So I have created 10 IPSEC VPNs between that equipment. So, I have all the IPSEC VPNs in “PH2 State = Established” but I can't ping from my server (together to MikroTik) to a host in a CISCO net. But, if I push the enable button in every policy of IPSec, I get the connection!!!... After a few minutes, I lose the connection again!!!

Could you help me?
Do you need more information?

Thanks