S-to-S IPsec tunnel comes up, but after 40 minutes I get an error

Hi!
I configured a site-to-site IPsec tunnel between a Juniper SRX (JUNOS 15.1X49-D45) and a Mikrotik (running OS 6.43.8).
The tunnel comes up almost immediately after configuration, and traffic between the encrypted networks passes.
But then, after 20 to 60 minutes (it always differs), I get an error on the Mikrotik: "ipsec, error - 183.204.105.74 failed to pre-process ph2 packet." and the tunnel stops. The IKE phase on the Juniper shows DOWN, even though it also shows "IKE SA negotiation successfully completed (n times)".
Clearing the IKE SA on the Juniper does not help; the only thing that helps is disabling the IPsec policy on the Mikrotik for around 5 seconds and enabling it back.
Mikrotik configuration:

/ip ipsec peer profile
set [ find default=yes ] dh-group=modp1536 dpd-interval=10s enc-algorithm=\
    aes-256 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1d pfs-group=\
    modp1536
/ip ipsec peer
add address=183.204.105.74/32 generate-policy=port-strict local-address=\
    94.23.104.157 secret='***********'
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.19.216.0/24 level=use sa-dst-address=183.204.105.74 \
    sa-src-address=94.23.104.157 src-address=10.168.88.0/24 tunnel=yes

On the Juniper I have a different IPsec tunnel (using the same algorithms) with a Fortigate, and it works great.
Do you have any idea?

Mismatching lifetimes in proposals?
LifeBytes configured?
-Chris

The lifetime on the Juniper is 86400 seconds, on the Mikrotik 24:00:00 (or 1 day in the config output).
Lifebytes are not configured.
The tunnel crashes even if there is no traffic, and also if I set up an RPM probe (similar to IP SLA in the Cisco world) to send ICMP pings across the encrypted networks.

I tried to enable NAT-T on the Mikrotik (I know I do not need it, but it is a Mikrotik, so there is a chance that something that does not make any sense will make it work :smiley: ). But still the same result. Same with DPD: no matter whether I disable it on the Mikrotik (on the Juniper it is still on), the tunnel still crashes after 20 to 60 minutes.
After disabling the IPsec policy for 5 seconds and enabling it back, I can bring the tunnel up again, but that is not a solution.

Odd.
Do both routers use the same NTP server?
-Chris

No, but on both devices the time is correct.

Try it. IPsec relies a lot on proper synchronization, and even the slightest drifts or glitches can break tunnels.
Had this a couple of times before.
-Chris

Found a possible reason:
The Phase 2 (IPsec) lifetime. On the Juniper I had the default value (8 hours), but on the Mikrotik 1 day.
If the tunnel still crashes, then I will try using the same NTP server.

What led me to that was a message in the IPsec SA on the Juniper:

    Fri Jan 25 2019 13:09:52 +0200: Hard lifetime of IPSec SA expired (1 times)
    Fri Jan 25 2019 12:09:52 +0200: IPSec SA negotiation successfully completed (2 times)
    Fri Jan 25 2019 11:15:37 +0200: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
    Fri Jan 25 2019 11:13:02 +0200: IPSec SA negotiation successfully completed (1 times)
    Fri Jan 25 2019 10:25:05 +0200: Hard lifetime of IPSec SA expired (1 times)

About the hard lifetime expiration: on the other peer's IPsec SA, which works, there are no such messages.

After an hour I will update you on this matter.
Thanks for help Chris!

Problem solved!

BR
Dzincca
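The SA event history in the post above already contains the evidence that pointed at the lifetime mismatch. As an added example that is not part of this thread, the Python script below parses those SRX event lines (copied here as sample input), pairs each SA teardown with the negotiation that created the SA, and reports the SA's age against the locally configured Phase 2 lifetime (8 hours on the Juniper in this thread). The interpretation that an SA reaching its hard lifetime far earlier than the local setting means the two peers disagree on the lifetime is my assumption, not something the SRX states itself.

```python
"""Pair SRX IPsec SA events with the negotiation that created the SA and
flag SAs that reached their hard lifetime or were deleted by the peer."""
import re
from datetime import datetime, timedelta

# SA event history as printed by the SRX, copied from the post above
# (newest first; format "<timestamp>: <message> (<n> times)").
SA_EVENTS = """\
Fri Jan 25 2019 13:09:52 +0200: Hard lifetime of IPSec SA expired (1 times)
Fri Jan 25 2019 12:09:52 +0200: IPSec SA negotiation successfully completed (2 times)
Fri Jan 25 2019 11:15:37 +0200: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
Fri Jan 25 2019 11:13:02 +0200: IPSec SA negotiation successfully completed (1 times)
Fri Jan 25 2019 10:25:05 +0200: Hard lifetime of IPSec SA expired (1 times)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}): "
    r"(?P<msg>.+?) \(\d+ times\)$"
)


def parse_events(text):
    """Return [(datetime, message), ...] oldest first; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %Y %H:%M:%S %z")
        events.append((ts, m.group("msg")))
    events.sort(key=lambda e: e[0])
    return events


def check_lifetimes(events, configured_lifetime):
    """For every SA teardown, compute the SA's age since the last successful
    negotiation and compare it with the locally configured Phase 2 lifetime.

    A 'Hard lifetime ... expired' event means no rekey happened before expiry
    (a tunnel that rekeys at its soft lifetime never logs this). An age far
    below the configured lifetime means the lifetime actually in use is not
    the local one, i.e. the peers' Phase 2 lifetimes differ (assumed
    interpretation, see lead-in)."""
    findings = []
    negotiated_at = None
    for ts, msg in events:
        if "negotiation successfully completed" in msg:
            negotiated_at = ts
            continue
        if negotiated_at is None:
            continue  # teardown of an SA whose setup is outside the window
        if "Hard lifetime" in msg:
            event = "hard-expiry"
        elif "delete payload received from peer" in msg:
            event = "peer-delete"
        else:
            continue
        age = ts - negotiated_at
        findings.append({
            "event": event,
            "at": ts.isoformat(),
            "sa_age_s": int(age.total_seconds()),
            "shorter_than_configured": age < configured_lifetime,
        })
        negotiated_at = None  # the SA is gone; wait for the next negotiation
    return findings


if __name__ == "__main__":
    for finding in check_lifetimes(parse_events(SA_EVENTS), timedelta(hours=8)):
        print(finding)
```

On the posted lines it reports a peer-initiated delete 155 s after the first negotiation and a hard expiry 3600 s after the second, far short of the 8-hour local setting. Running the same check over the SA history of the working Fortigate tunnel should produce no findings at all, which is the comparison Dzincca made by eye.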

Perfect!
Glad it was so simple.
-Chris

Unfortunately, some 20 minutes after my post the tunnel went down again.
This time I changed the authentication algorithm from SHA-1 to SHA-256, and also changed the IKE lifetime from 24h to 8h and the IPsec lifetime from 8 to 4 hours.
Now the tunnel has been working like a charm for almost 3 days.

It might be that just the change of timers would have solved the problem, but now I just do not want to touch it anymore (at least for some time).