Hi all,
I set up a RB4011iGS+ a few weeks ago, to replace an overloaded 3011UiAS. Everything went fine except our GRE/IPsec tunnel between this router and another 3011UiAS located in a different data-center room.
We got this in the distant 3011's log:
phase1 negotiation failed due to time up <3011's IP>[500]<=><4011's IP>[500] 1ab84487cc1a4ee9:20e8b7c03c9260d2
Back in the lab, I set up the "faulty" 4011 and a spare 3011 with a backed-up production configuration, connected the two through a little switch to my PC, which acted as a router for the two MikroTiks. Ping works fine both ways, but I still get the same "phase1 negotiation failed due to time up" on every router. I disabled every "drop" rule on the firewall, but no luck. However, in the IP > Firewall > Connections page I can see the connection as "C" (Confirmed), but with no S (Reply)...
Here is the IPSec part of the 4011 router:
[admin@4011] > /interface eoip print
Flags: X - disabled, R - running
0 name="eoip2" mtu=auto actual-mtu=1458 l2mtu=65535 mac-address=XXXXXXXX arp=enabled arp-timeout=1m loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m local-address=XXXXXXXX remote-address=XXXXXXXX tunnel-id=1 keepalive=10s,10
dscp=inherit clamp-tcp-mss=yes dont-fragment=inherit ipsec-secret="XXXXXXXX" allow-fast-path=no
[admin@4011] > /ip ipsec export
# sep/02/2020 11:55:08 by RouterOS 6.45.9
# software id = XXXXXXXX
#
# model = RB4011iGS+
# serial number = XXXXXXXX
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
[admin@4011] > /ip ipsec identity print
Flags: D - dynamic, X - disabled
0 D ;;; eoip2
peer=eoip2 auth-method=pre-shared-key secret="XXXXXXXX" generate-policy=no
Here is the 3011 one:
[admin@3011] > /interface eoip print
Flags: X - disabled, R - running
0 name="eoip1" mtu=auto actual-mtu=1458 l2mtu=65535 mac-address=XXXXXXXX arp=enabled arp-timeout=auto loop-protect=default loop-protect-status=off loop-protect-send-interval=5s loop-protect-disable-time=5m local-address=XXXXXXXX remote-address=XXXXXXXX tunnel-id=1 keepalive=10s,10
dscp=inherit clamp-tcp-mss=yes dont-fragment=inherit ipsec-secret="XXXXXXXX" allow-fast-path=no
[admin@3011] > /ip ipsec export
# sep/02/2020 11:57:41 by RouterOS 6.45.9
# software id = XXXXXXXX
#
# model = RouterBOARD 3011UiAS
# serial number = XXXXXXXX
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
[admin@3011] > /ip ipsec identity print
Flags: D - dynamic, X - disabled
0 D ;;; eoip1
peer=eoip1 auth-method=pre-shared-key secret="XXXXXXXX" generate-policy=no
As you can see this is pretty much the same. I must be missing something (I must admit I'm a newbie in the MikroTik world - I'm more used to Cisco hardware), but what...
All 3011 routers in production are running RouterOS 6.35.2, the 4011 one is running latest long-term (6.45.9), I upgraded the 3011 router in the lab to 6.45.9 too but nothing changes.
Any help will be much appreciated there. I can post other parts of the configuration if needed.
Thanks in advance,
Nicolas
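As an added example (not part of the post and not MikroTik's own code), the helper below parses the two "/ip ipsec export" dumps quoted above, diffs the profile and proposal settings peer by peer, lists the algorithms the two sides actually have in common, and extracts the peer addresses and ISAKMP cookies from a "phase1 negotiation failed due to time up" log line. The export text is the one from the post with its masked values kept as XXXXXXXX; the IP addresses in the sample log line are constructed documentation addresses, since the post masks them.

```python
"""Diff RouterOS "/ip ipsec export" output from two peers and parse a
phase1 timeout log line.  Added example; the exports are the ones quoted
in the post, the log line's addresses are constructed (RFC 5737 ranges)."""
import re
import shlex

# Constructed sample inputs: the two exports quoted in the post.
EXPORT_4011 = """\
# sep/02/2020 11:55:08 by RouterOS 6.45.9
# software id = XXXXXXXX
#
# model = RB4011iGS+
# serial number = XXXXXXXX
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
"""

EXPORT_3011 = """\
# sep/02/2020 11:57:41 by RouterOS 6.45.9
# software id = XXXXXXXX
#
# model = RouterBOARD 3011UiAS
# serial number = XXXXXXXX
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
"""

# Constructed log line: cookies from the post, addresses are placeholders.
LOG_LINE = ("phase1 negotiation failed due to time up "
            "192.0.2.1[500]<=>198.51.100.1[500] 1ab84487cc1a4ee9:20e8b7c03c9260d2")

SET_RE = re.compile(r"^set \[ find (?P<selector>[^\]]*)\] (?P<args>.*)$")
PHASE1_RE = re.compile(
    r"phase1 negotiation failed due to time up\s+"
    r"(?P<local>[^\[\s]+)\[(?P<lport>\d+)\]<=>(?P<remote>[^\[\s]+)\[(?P<rport>\d+)\]\s+"
    r"(?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16})")


def parse_export(text):
    """Return {section: {selector: {key: value}}} for every 'set' line.

    Sections are the '/ip ipsec ...' path lines; comment lines are skipped.
    shlex handles quoted values such as secret="..." should they appear."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line[1:].strip()
            result.setdefault(section, {})
            continue
        m = SET_RE.match(line)
        if m and section is not None:
            kv = {}
            for tok in shlex.split(m.group("args")):
                key, _, value = tok.partition("=")
                kv[key] = value
            result[section][m.group("selector").strip()] = kv
    return result


def compare_exports(left, right):
    """List (section, selector, key, left_value, right_value) mismatches.
    A key present on only one side shows None on the other."""
    mismatches = []
    for sec in sorted(set(left) | set(right)):
        l_sec, r_sec = left.get(sec, {}), right.get(sec, {})
        for sel in sorted(set(l_sec) | set(r_sec)):
            l_kv, r_kv = l_sec.get(sel, {}), r_sec.get(sel, {})
            for key in sorted(set(l_kv) | set(r_kv)):
                if l_kv.get(key) != r_kv.get(key):
                    mismatches.append((sec, sel, key, l_kv.get(key), r_kv.get(key)))
    return mismatches


def shared_algorithms(left, right, section, key, selector="default=yes"):
    """Intersection of a comma-separated algorithm list on both peers.
    An empty result means no common choice, which stalls that phase."""
    lv = left.get(section, {}).get(selector, {}).get(key, "")
    rv = right.get(section, {}).get(selector, {}).get(key, "")
    right_set = set(rv.split(",")) if rv else set()
    return [a for a in lv.split(",") if a and a in right_set]


def parse_phase1_timeout(line):
    """Pull local/remote endpoints, ports and ISAKMP cookies out of a
    RouterOS phase1 timeout log line; None if the line does not match."""
    m = PHASE1_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["lport"], d["rport"] = int(d["lport"]), int(d["rport"])
    return d


if __name__ == "__main__":
    a, b = parse_export(EXPORT_4011), parse_export(EXPORT_3011)
    print("mismatches:", compare_exports(a, b))
    print("phase1 enc:", shared_algorithms(a, b, "ip ipsec profile", "enc-algorithm"))
    print("phase2 enc:", shared_algorithms(a, b, "ip ipsec proposal", "enc-algorithms"))
    print("timeout:", parse_phase1_timeout(LOG_LINE))
```

Running it on the two exports from the post reports no mismatches, so the parser agrees with the post that the profile and proposal settings are identical; a changed dh-group or algorithm list on one side would show up as a tuple in the mismatch list, and an empty shared list for either phase would point at a proposal problem rather than a reachability one.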