S2S VPN PH2 status

Hello!

How can I check that the S2S VPN connection is working? What does the PH2 state "no phase2" under the Policy/Status tab mean?

Thx.

No phase 2 = no VPN :slight_smile:
PH2 State = Established → means VPN OK
Add the ipsec topic in /system logging - it will help to find VPN issues.

When I disable and enable the IPsec Policy:

15:24:09 ipsec,debug "other side IP" notify: NO-PROPOSAL-CHOSEN 
15:24:09 ipsec "other side IP" fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted. 
15:24:09 ipsec,debug "other side IP" notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=019a7e40\08\E8\10(size=4). 
15:24:09 ipsec "other side IP" Message: '8 '. 
15:24:19 ipsec,debug 444 bytes from "own IP"[500] to "other side IP"[500] 
15:24:19 ipsec,debug 1 times of 444 bytes message will be sent to "other side IP"[500] 
15:24:19 ipsec,debug,packet 97835c51 668f2ce0 1174ab11 1a6363a7 08102001 fd51d0fb 000001bc a3cd51dd 
15:24:19 ipsec,debug,packet c7b8e30d e177082f c5fc4ec6 9cc4fe64 5f2a7b4e 48173c41 08145c7a 28075e1b 
15:24:19 ipsec,debug,packet 65e6f102 f38ac205 4dbd2e60 cc3e9d76 62693e0f 92230212 c4f3be22 dd7e8176 
15:24:19 ipsec,debug,packet a51bdb49 f4b95e5a 4ecb63e6 b8d7b84b 91ff63e8 ed6fa648 c2eb9402 0d231652 
15:24:19 ipsec,debug,packet 95d1eddd 181f8f79 4c66ad3e c9093fa7 c9c6ece9 f34047e2 470bed2b bac9f6c7 
15:24:19 ipsec,debug,packet 69212247 238592ef f10d8db3 1e49035c 6d895f30 b1aeb608 c34c31f1 2aee5041 
15:24:19 ipsec,debug,packet 058e2529 303100f3 d84278af 0e7319d2 0a53cb05 28b20889 52991994 025f0316 
15:24:19 ipsec,debug,packet f082b5d2 1d1a6989 4a673eb6 0a0b13c4 60d529e5 6a3d5fe8 18d89fe1 2202c0e8 
15:24:19 ipsec,debug,packet 52897ac9 87d8f6df cfe6485e c52df945 7a757bdd bd2fff2f 895d920b b0af6eca 
15:24:19 ipsec,debug,packet ac31d362 3e473431 8e4a255b ca871c0a bb68df26 b3c3c2bc 3978fa32 3bf0db22 
15:24:19 ipsec,debug,packet 8a203768 9f8a3dd5 d8a22d9f 52c4ad3f 3ceb71a8 458de681 a0ddedbe 7230aa52 
15:24:19 ipsec,debug,packet b066d748 5e9578a0 6dc5ca7b dd72ae3c 1136ae7e 68315fe7 d9428c25 ea9a4244 
15:24:19 ipsec,debug,packet 98950af9 2a7b4031 7d380f2e 574d19bb d4204ae1 b540e136 b2fff6c5 1fd1fba0 
15:24:19 ipsec,debug,packet bdd43f15 c816de67 519a7d41 bc75441d 723634e5 3539e820 f7758c48 
15:24:19 ipsec resent phase2 packet "own IP"[500]<=>"other side IP"[500] 97835c51668f2ce0:1174ab111a6363a7:0000fd51 
15:24:23 ipsec,debug "other side IP" DPD monitoring.... 
15:24:23 ipsec,debug,packet compute IV for phase2 
15:24:23 ipsec,debug,packet phase1 last IV: 
15:24:23 ipsec,debug,packet 3229acbb cd237e8e 893e1010 68f7212c d95dc060 
15:24:23 ipsec,debug hash(sha1) 
15:24:23 ipsec,debug,packet encryption(aes) 
15:24:23 ipsec,debug,packet phase2 IV computed: 
15:24:23 ipsec,debug,packet ac4cc941 51b88d14 8c3e95ea 202b3039 
15:24:23 ipsec,debug,packet HASH with: 
15:24:23 ipsec,debug,packet d95dc060 00000020 00000001 01108d28 97835c51 668f2ce0 1174ab11 1a6363a7 
15:24:23 ipsec,debug,packet 00000913 
15:24:23 ipsec,debug,packet hmac(hmac_sha1) 
15:24:23 ipsec,debug,packet HASH computed: 
15:24:23 ipsec,debug,packet 75e4066a 2560e3a0 0233f65b c9a2b3ac 7009cbf5 
15:24:23 ipsec,debug,packet begin encryption. 
15:24:23 ipsec,debug,packet encryption(aes) 
15:24:23 ipsec,debug,packet pad length = 8 
15:24:23 ipsec,debug,packet 0b000018 75e4066a 2560e3a0 0233f65b c9a2b3ac 7009cbf5 00000020 00000001 
15:24:23 ipsec,debug,packet 01108d28 97835c51 668f2ce0 1174ab11 1a6363a7 00000913 9084d5da f084d807 
15:24:23 ipsec,debug,packet encryption(aes) 
15:24:23 ipsec,debug,packet with key: 
15:24:23 ipsec,debug,packet f738668d 00d7e971 f009308c 6e9b3f7f b7adb6b8 a7652cab 1eebc2cb c4458f21 
15:24:23 ipsec,debug,packet encrypted payload by IV: 
15:24:23 ipsec,debug,packet ac4cc941 51b88d14 8c3e95ea 202b3039 
15:24:23 ipsec,debug,packet save IV for next: 
15:24:23 ipsec,debug,packet 93efed98 186c40b8 dcf54976 a1c42535 
15:24:23 ipsec,debug,packet encrypted. 
15:24:23 ipsec,debug 92 bytes from "own IP"[500] to "other side IP"[500] 
15:24:23 ipsec,debug 1 times of 92 bytes message will be sent to "other side IP"[500] 
15:24:23 ipsec,debug,packet 97835c51 668f2ce0 1174ab11 1a6363a7 08100501 d95dc060 0000005c 65411b70 
15:24:23 ipsec,debug,packet 544554a3 396e4236 becb6108 98f378d9 2dbcc54c 781596c8 42021f75 8142d761 
15:24:23 ipsec,debug,packet 84cd9e59 d4e8040f b98b1903 93efed98 186c40b8 dcf54976 a1c42535 
15:24:23 ipsec,debug sendto Information notify. 
15:24:23 ipsec,debug "other side IP" DPD R-U-There sent (0) 
15:24:23 ipsec,debug "other side IP" rescheduling send_r_u (5). 
15:24:23 ipsec,debug ===== received 92 bytes from "other side IP"[500] to "own IP"[500] 
15:24:23 ipsec,debug,packet 97835c51 668f2ce0 1174ab11 1a6363a7 08100501 5aa7f56c 0000005c 88ae2a8b 
15:24:23 ipsec,debug,packet 346c263b 45e1020e be37379d d143e375 d3adbabe e9228e5c c1044b4f 59064ffa 
15:24:23 ipsec,debug,packet 8b05415d 3b0c99da f053a60b 5c87722d 5adccbd9 8422a0fc 8cdfc77f 
15:24:23 ipsec,debug receive Information. 
15:24:23 ipsec,debug,packet compute IV for phase2 
15:24:23 ipsec,debug,packet phase1 last IV: 
15:24:23 ipsec,debug,packet 3229acbb cd237e8e 893e1010 68f7212c 5aa7f56c 
15:24:23 ipsec,debug hash(sha1) 
15:24:23 ipsec,debug,packet encryption(aes) 
15:24:23 ipsec,debug,packet phase2 IV computed: 
15:24:23 ipsec,debug,packet a72ab4bc 59e2d7e6 e81dbfcc 161224af 
15:24:23 ipsec,debug,packet encryption(aes) 
15:24:23 ipsec,debug,packet IV was saved for next processing: 
15:24:23 ipsec,debug,packet 5c87722d 5adccbd9 8422a0fc 8cdfc77f 
15:24:23 ipsec,debug,packet encryption(aes) 
15:24:23 ipsec,debug,packet with key: 
15:24:23 ipsec,debug,packet f738668d 00d7e971 f009308c 6e9b3f7f b7adb6b8 a7652cab 1eebc2cb c4458f21 
15:24:23 ipsec,debug,packet decrypted payload by IV: 
15:24:23 ipsec,debug,packet a72ab4bc 59e2d7e6 e81dbfcc 161224af 
15:24:23 ipsec,debug,packet decrypted payload, but not trimed. 
15:24:23 ipsec,debug,packet 0b000018 b5188336 5803a994 802befff 60e0a9a9 27f52876 00000020 00000001 
15:24:23 ipsec,debug,packet 01108d29 97835c51 668f2ce0 1174ab11 1a6363a7 00000913 00000000 00000000 
15:24:23 ipsec,debug,packet padding len=1 
15:24:23 ipsec,debug,packet skip to trim padding. 
15:24:23 ipsec,debug,packet decrypted. 
15:24:23 ipsec,debug,packet 97835c51 668f2ce0 1174ab11 1a6363a7 08100501 5aa7f56c 0000005c 0b000018 
15:24:23 ipsec,debug,packet b5188336 5803a994 802befff 60e0a9a9 27f52876 00000020 00000001 01108d29 
15:24:23 ipsec,debug,packet 97835c51 668f2ce0 1174ab11 1a6363a7 00000913 00000000 00000000 
15:24:23 ipsec,debug,packet HASH with: 
15:24:23 ipsec,debug,packet 5aa7f56c 00000020 00000001 01108d29 97835c51 668f2ce0 1174ab11 1a6363a7 
15:24:23 ipsec,debug,packet 00000913 
15:24:23 ipsec,debug,packet hmac(hmac_sha1) 
15:24:23 ipsec,debug,packet HASH computed: 
15:24:23 ipsec,debug,packet b5188336 5803a994 802befff 60e0a9a9 27f52876 
15:24:23 ipsec,debug hash validated. 
15:24:23 ipsec,debug begin. 
15:24:23 ipsec,debug seen nptype=8(hash) len=24 
15:24:23 ipsec,debug seen nptype=11(notify) len=32 
15:24:23 ipsec,debug succeed. 
15:24:23 ipsec,debug "other side IP" notify: R_U_THERE_ACK 
15:24:23 ipsec,debug "other side IP" DPD R-U-There-Ack received 
15:24:23 ipsec,debug received an R-U-THERE-ACK 
15:24:29 ipsec,debug 444 bytes from "own IP"[500] to "other side IP"[500] 
15:24:29 ipsec,debug 1 times of 444 bytes message will be sent to "other side IP"[500] 
15:24:29 ipsec,debug,packet 97835c51 668f2ce0 1174ab11 1a6363a7 08102001 fd51d0fb 000001bc a3cd51dd 
15:24:29 ipsec,debug,packet c7b8e30d e177082f c5fc4ec6 9cc4fe64 5f2a7b4e 48173c41 08145c7a 28075e1b 
15:24:29 ipsec,debug,packet 65e6f102 f38ac205 4dbd2e60 cc3e9d76 62693e0f 92230212 c4f3be22 dd7e8176 
15:24:29 ipsec,debug,packet a51bdb49 f4b95e5a 4ecb63e6 b8d7b84b 91ff63e8 ed6fa648 c2eb9402 0d231652 
15:24:29 ipsec,debug,packet 95d1eddd 181f8f79 4c66ad3e c9093fa7 c9c6ece9 f34047e2 470bed2b bac9f6c7 
15:24:29 ipsec,debug,packet 69212247 238592ef f10d8db3 1e49035c 6d895f30 b1aeb608 c34c31f1 2aee5041 
15:24:29 ipsec,debug,packet 058e2529 303100f3 d84278af 0e7319d2 0a53cb05 28b20889 52991994 025f0316 
15:24:29 ipsec,debug,packet f082b5d2 1d1a6989 4a673eb6 0a0b13c4 60d529e5 6a3d5fe8 18d89fe1 2202c0e8 
15:24:29 ipsec,debug,packet 52897ac9 87d8f6df cfe6485e c52df945 7a757bdd bd2fff2f 895d920b b0af6eca 
15:24:29 ipsec,debug,packet ac31d362 3e473431 8e4a255b ca871c0a bb68df26 b3c3c2bc 3978fa32 3bf0db22 
15:24:29 ipsec,debug,packet 8a203768 9f8a3dd5 d8a22d9f 52c4ad3f 3ceb71a8 458de681 a0ddedbe 7230aa52 
15:24:29 ipsec,debug,packet b066d748 5e9578a0 6dc5ca7b dd72ae3c 1136ae7e 68315fe7 d9428c25 ea9a4244 
15:24:29 ipsec,debug,packet 98950af9 2a7b4031 7d380f2e 574d19bb d4204ae1 b540e136 b2fff6c5 1fd1fba0 
15:24:29 ipsec,debug,packet bdd43f15 c816de67 519a7d41 bc75441d 723634e5 3539e820 f7758c48 
15:24:29 ipsec resent phase2 packet "own IP"[500]<=>"other side IP"[500] 97835c51668f2ce0:1174ab111a6363a7:0000fd51 
15:24:39 ipsec "other side IP" give up to get IPsec-SA due to time up to wait. 
15:24:39 ipsec IPsec-SA expired: ESP/Tunnel "other side IP"[500]->"own IP"[500] spi=0x19a7e40
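A small triage script for log excerpts like the one above, added here as an example (it is not from the thread, nor a MikroTik tool). It parses RouterOS-style `ipsec` log lines and reduces them to the question the thread is asking: is phase 1 alive, and why is there no phase 2? The sample lines are constructed from the output quoted above (hex dumps dropped, the poster's IP placeholders kept). The proto_id mapping follows the IPsec DOI (proto_id=3 is ESP, i.e. a phase 2 SA); the "IPsec-SA established" success line is the racoon wording and is an assumption about RouterOS' logging.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines modelled on the RouterOS "ipsec" log topic output
# quoted in the thread (addresses stay as the poster's placeholders; the hex
# packet dumps are omitted because the triage does not need them).
SAMPLE_LOG = r'''15:24:09 ipsec,debug "other side IP" notify: NO-PROPOSAL-CHOSEN
15:24:09 ipsec "other side IP" fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
15:24:09 ipsec,debug "other side IP" notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=019a7e40\08\E8\10(size=4).
15:24:19 ipsec resent phase2 packet "own IP"[500]<=>"other side IP"[500] 97835c51668f2ce0:1174ab111a6363a7:0000fd51
15:24:23 ipsec,debug "other side IP" DPD R-U-There-Ack received
15:24:29 ipsec resent phase2 packet "own IP"[500]<=>"other side IP"[500] 97835c51668f2ce0:1174ab111a6363a7:0000fd51
15:24:39 ipsec "other side IP" give up to get IPsec-SA due to time up to wait.
15:24:39 ipsec IPsec-SA expired: ESP/Tunnel "other side IP"[500]->"own IP"[500] spi=0x19a7e40
'''

# Protocol IDs carried in an ISAKMP notification (IPsec DOI, RFC 2407):
# proto_id=1 is the ISAKMP SA itself (phase 1); 2, 3 and 4 are phase 2 SAs.
PROTO_ID = {1: "ISAKMP (phase 1)", 2: "AH (phase 2)", 3: "ESP (phase 2)", 4: "IPCOMP (phase 2)"}

LINE_RE = re.compile(r'^(?P<time>\d\d:\d\d:\d\d) (?P<topics>[a-z,]+) (?P<msg>.*)$')
NOTIFY_RE = re.compile(r'notification message \d+:(?P<name>[A-Z-]+), doi=\d+ proto_id=(?P<proto>\d+)')
EXPIRED_RE = re.compile(r'IPsec-SA expired: (?P<proto>\w+)/(?P<mode>\w+) .*spi=(?P<spi>0x[0-9a-fA-F]+)')


@dataclass
class Diagnosis:
    phase1_alive: bool = False                 # DPD ack seen -> the ISAKMP SA is up
    rejected_proto: Optional[str] = None       # SA type the peer answered with NO-PROPOSAL-CHOSEN
    phase2_resends: int = 0                    # "resent phase2 packet" lines (quick mode retries)
    gave_up: bool = False                      # "give up to get IPsec-SA"
    expired_spis: List[str] = field(default_factory=list)
    phase2_established: bool = False           # assumed racoon-style success line, see below
    verdict: str = ""


def diagnose(log_text: str) -> Diagnosis:
    """Classify an ipsec log excerpt into a phase 1 / phase 2 verdict."""
    d = Diagnosis()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if "R-U-There-Ack received" in msg:
            d.phase1_alive = True
        n = NOTIFY_RE.search(msg)
        if n and n.group("name") == "NO-PROPOSAL-CHOSEN":
            d.rejected_proto = PROTO_ID.get(int(n.group("proto")), "unknown")
        if "resent phase2 packet" in msg:
            d.phase2_resends += 1
        if "give up to get IPsec-SA" in msg:
            d.gave_up = True
        e = EXPIRED_RE.search(msg)
        if e:
            d.expired_spis.append(e.group("spi"))
        # Assumption: racoon (whose wording RouterOS' log lines resemble) reports a
        # successful quick mode as "IPsec-SA established: ..."; treat that as PH2 OK.
        if "IPsec-SA established" in msg:
            d.phase2_established = True
    d.verdict = _verdict(d)
    return d


def _verdict(d: Diagnosis) -> str:
    if d.phase2_established:
        return "PH2 Established: phase 2 SA negotiated, tunnel should carry traffic"
    if d.rejected_proto and "phase 2" in d.rejected_proto:
        sa = d.rejected_proto.split(" ")[0]
        return ("no phase2: peer rejected the %s proposal (NO-PROPOSAL-CHOSEN); compare "
                "phase 2 enc/auth algorithms, PFS group, lifetime and policy selectors "
                "on both sides" % sa)
    if d.rejected_proto:
        return "no phase1: peer rejected the ISAKMP proposal; compare the peer profile settings"
    if d.gave_up or d.phase2_resends:
        base = "no phase2: quick mode retried %d time(s) without an answer" % d.phase2_resends
        if d.phase1_alive:
            return base + "; phase 1 is alive (DPD ack), so look at the phase 2 settings"
        return base + "; check the firewall input chain for udp/500, udp/4500 and protocol 50 (esp)"
    return "no conclusive phase 2 event in this excerpt"


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result.verdict)
    print("expired SPIs:", result.expired_spis, "resends:", result.phase2_resends)
```

On the thread's excerpt the script reports that phase 1 is alive (the DPD R-U-There-Ack came back) while the peer answered the ESP proposal with NO-PROPOSAL-CHOSEN, which is why the policy shows "no phase2" even though the ISAKMP SA exists. Feed it the output of `/log print` filtered on the ipsec topic.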

Hard to say why you get "ipsec IPsec-SA expired", it could be any reason. Cannot comment much without knowing exact info like:
hardware you are using on both sides, ROS version, exact config (/export compact hide-sensitive).
You have to:

  • properly configure ipsec on both sides
  • on both sides open in the firewall input chain protocol 50 (ipsec-esp) and protocol 17 (udp) ports 500,4500
  • do not masquerade packets which go to the VPN (when VPN is OK)

The one side is a Cisco ASA (site A). It was configured by another technical team. My router is a MikroTik CCR1016 with RouterOS version 6.45.6 (site B). Site A can reach the system behind site B over the S2S VPN. So the connection is good, but I don't understand why the PH2 state is no phase2…

The input chain rules are created.

/ip ipsec identity
add peer=peer_S2S_VPN_GE_Phase1
/ip ipsec policy
add dst-address=140.1.0.0/16 peer=peer_S2S_VPN_GE_Phase1 proposal=proposal_S2S_VPN_GE_Phase2 sa-dst-address=196.178.213.156 \
    sa-src-address=0.0.0.0 src-address=10.10.10.0/24 tunnel=yes
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 name=profile_S2S_VPN_GE_Phase1 nat-traversal=no
/ip ipsec peer
add address=196.178.213.156/32 name=peer_S2S_VPN_GE_Phase1 profile=profile_S2S_VPN_GE_Phase1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add enc-algorithms=aes-256-cbc lifetime=1h name=proposal_S2S_VPN_GE_Phase2 pfs-group=modp2048

I have created tunnels with Cisco ASA, as well as with SonicWall - always got PH2 Established. No problems with that.
For PROD routers I am using the latest long-term version.
If the tunnel itself is OK - it could be an incorrectly displayed PH2 status, but I didn't see such a case.
Try ROS version 6.44.6.