Hi, I have an IPSec related issue.
We have a working IPsec tunnel between an Azure static gateway on the Azure side and a MikroTik RB 1200 (6.20 firmware) on the other.
The problem is that since very recently, a little more than a week ago, the tunnel has become very ‘unstable’. It works fine for some time, but once in a while it just stops working. The IPsec peer is there, the SAs are there, there are no errors in the logs, nothing at all; packets (any packets in any direction) just stop passing.
I’d like to add that this configuration was 100% working and stable for over a month. Nothing has changed from my side.
Here are the related configuration sections from the MikroTik; obviously, I cannot provide the same from the Azure side:
/ip ipsec peer print
address=104.45.27.xx/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="***" generate-policy=no policy-group=default exchange-mode=main send-initial-contact=no nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
/ip ipsec policy print
(We have the 192.168.100.0/22 network on the Azure side and three networks for different user groups on my local side: 192.168.0.0/24, 192.168.3.0/24 and 192.168.137.0/24. Of course, all three networks are listed in the Virtual Network properties on the Azure side.)
src-address=192.168.3.0/24 src-port=any dst-address=192.168.100.0/22 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=xx.xx.xx.xx sa-dst-address=104.45.27.xx proposal=default priority=0
src-address=192.168.0.0/24 src-port=any dst-address=192.168.100.0/22 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=xx.xx.xx.xx sa-dst-address=104.45.27.xx proposal=default priority=0
src-address=192.168.137.0/24 src-port=any dst-address=192.168.100.0/22 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=xx.xx.xx.xx sa-dst-address=104.45.27.xx proposal=default priority=0
/ip ipsec proposal print
name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=0s pfs-group=none
Also, every time a new SA is established, I see this error in the log:
authtype mismatched: my:hmac-sha1 peer:hmac-sha256
I understand that it is because my side and the Azure side want to use different hash algorithms, but unfortunately MikroTik does not support SHA-256 for IKE phase 2. However, even with this error, the SAs are established successfully. And this error was there for a long time before the problem occurred, so I don’t believe this is the root cause of the issue.
As a temporary workaround I have created a script that runs on the MikroTik and sends ping packets to one of the hosts in Azure; if 3 sequential packets are lost, it resets the IPsec SAs on the MikroTik side (/ip ipsec installed-sa flush sa-type=all). On average, the script is triggered every 90 minutes ± 30 minutes.
What can I do to make the tunnel stable again? How else can I troubleshoot this issue? Any suggestions on what I can tweak on my side to solve this?
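The watchdog described in the post (probe an Azure host, flush the SAs after three consecutive lost pings) written out as a RouterOS v6 script. This is an added example, not the poster's own script: the probe address 192.168.100.10, the threshold of 3, the script name ipsec-watchdog and the one-minute scheduler interval are all assumptions. It additionally logs the number of installed SAs at the moment traffic stops, so the log shows whether the SAs are still present when the flush fires, which is the observation that distinguishes a dead-but-installed SA from a missing one.

```routeros
# ipsec-watchdog (example, not the original poster's script)
# Assumed values: the Azure-side host to probe and how many consecutive
# lost probes count as a dead tunnel.
:local target "192.168.100.10"
:local maxLost 3

# [/ping ... count=1] returns the number of replies received (0 or 1),
# so lost probes can be counted directly.
:local lost 0
:for i from=1 to=$maxLost do={
    :if ([/ping $target count=1] = 0) do={ :set lost ($lost + 1) }
}

:if ($lost = $maxLost) do={
    # Record the state before acting, so /log print later shows how often
    # this fires and whether SAs were still installed when traffic stopped.
    :local saCount [/ip ipsec installed-sa print count-only]
    :log warning ("ipsec-watchdog: " . $lost . " consecutive probes to " . $target . \
        " lost, " . $saCount . " SAs installed, flushing")
    /ip ipsec installed-sa flush sa-type=all
} else={
    :log debug ("ipsec-watchdog: tunnel ok (" . $lost . " of " . $maxLost . " probes lost)")
}
```

Store it with `/system script add name=ipsec-watchdog source=...` and run it periodically with `/system scheduler add name=ipsec-watchdog interval=1m on-event=ipsec-watchdog`. With the warning entries in place, `/log print where message~"ipsec-watchdog"` gives the timestamps of every flush, which can be compared against the peer's `lifetime=1d` and the `dpd-interval=2m` settings to see whether the failures line up with a rekey or DPD cycle.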