I have tunnels configured with IPsec VPN. Two problems:
Sometimes, without any known reason, the tunnel goes to "sleep". That means that I have to ping the remote LAN in order to wake the tunnel up (when I ping, the first reply is "timed out" and on the second I get a reply).
Is there any idea why? (It happens only with an IPsec tunnel between two MikroTik routers. I don't have this problem between my MikroTik and a Citadel router.)
When I reboot my router, I have to "wake up" the IPsec tunnels by pinging the remote LAN. Why doesn't it start automatically like my PPPoE client?
On the IPsec peer, make sure Dead Peer Detection (DPD) is enabled.
By default it tries every 120 seconds and reconnects after 5 failures. While this works a lot of the time, I have had a few instances similar to yours where DPD was misbehaving or there was some loss in the connection. Turning this down to 60s / 3 max failures seems to have cleared this up for several of my clients.
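The DPD tuning described in the reply above, as an added RouterOS CLI example that is not part of the original thread. The peer address 203.0.113.2 and the profile name "site-to-site" are assumptions; the commands target an already-configured site-to-site peer rather than creating one.

```routeros
# Added example, not from the thread: tighten DPD on an existing site-to-site peer.
# Assumed: remote peer public address 203.0.113.2 (placeholder).
# Defaults are dpd-interval=2m and dpd-maximum-failures=5, so a dead peer is
# only declared after roughly 10 minutes; 60s/3 brings that down to ~3 minutes.

# RouterOS v6 before 6.43: DPD settings live on the peer itself.
/ip ipsec peer
set [ find address="203.0.113.2/32" ] dpd-interval=60s dpd-maximum-failures=3

# RouterOS 6.43 and later (including v7): DPD settings moved to the IPsec
# profile that the peer references (assumed profile name "site-to-site").
/ip ipsec profile
set [ find name="site-to-site" ] dpd-interval=60s dpd-maximum-failures=3

# Verify the peer still shows an established SA after the change.
/ip ipsec installed-sa
print
```

Both sides of the tunnel should carry the same DPD values; if only one end is tightened, the other end will keep believing a dead SA is alive for the full default period.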
What would you recommend for the Lifetime values in both Peer and Proposal? I have this issue with tunnels going to sleep overnight. I just changed my Peer Lifetimes from eight hours to one day. My Proposal lifetimes are at one hour; I have not yet changed them.
Also, per CCDKP’s suggestion, I reduced the DPD Maximum Failures from five to three, but I already had the DPD Interval as low as ten seconds.
Never mind on those Lifetime values. The way to go is to add a route to bridge-local to the other side of the tunnel and ping the router with a Netwatch. I've been keeping my eye on this and it has fixed the sleeping tunnel issue.
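The route-plus-Netwatch keepalive from the post above, as an added RouterOS CLI example that is not part of the original thread. The addressing (local bridge "bridge-local" at 192.168.1.1/24, remote LAN 192.168.2.0/24 with the remote router at 192.168.2.1) and the existing IPsec policy it assumes are placeholders.

```routeros
# Added example, not from the thread: keep the IPsec SA alive from the router itself.
# Assumed: local LAN on bridge-local (192.168.1.1/24), remote LAN 192.168.2.0/24,
# remote router 192.168.2.1, and an existing policy
#   src-address=192.168.1.0/24 dst-address=192.168.2.0/24 tunnel=yes action=encrypt
#
# Why the route is needed: a ping from the router to 192.168.2.1 would otherwise
# leave via the default route with the WAN address as source, which does not
# match the policy's src-address, so the packet is sent in the clear and IKE is
# never triggered. Routing the remote LAN via bridge-local makes the router
# source the ping from 192.168.1.1, which matches the policy and brings the
# tunnel up (and, after a reboot, brings it up without waiting for LAN traffic).
/ip route
add dst-address=192.168.2.0/24 gateway=bridge-local \
    comment="IPsec: source router-originated traffic for remote LAN from the LAN address"

# Netwatch pings the remote router every 30 seconds. The first probe after an
# idle period can time out while IKE renegotiates, so allow a longer timeout.
/tool netwatch
add host=192.168.2.1 interval=30s timeout=2s \
    comment="IPsec keepalive to remote router"

# Check that the probe is succeeding and that the SA stays installed.
/tool netwatch
print
/ip ipsec installed-sa
print
```

The same route and Netwatch entry belong on the remote router pointing back at this side, so that either end can re-establish the tunnel after a reboot.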