I have set up an IPsec VPN and it is working between 2 MikroTik RouterOS 4.11 routers, or between MikroTik RouterOS 4.11 and IPCop 1.4.21. I followed the manual ‘Manual:IP/IPsec’. But I have a problem with the connection being lost/disconnecting by itself on some occasions; in one day it happened several times. Currently, the workaround is that I have to go inside through WinBox to one of the routers:
using cmd.exe to ping the other router's site network
if the above still fails, go to ‘Policies’ and disable it and enable it back again
if the above still fails, go to ‘Installed SAs’ and press ‘Flush’
Because of this problem, the work is always interrupted between the 2 site networks. It’s troublesome.
I saw inside the manual that it said ‘IPsec is very sensitive to time changes’. And I have done the setting on the NTP client at both routers to set the same IP for the NTP server. But the problem still exists.
As I understand your description, the link could be unstable between your IPsec peers.
There is a DPD option that could be enabled to remove all information when the link between peers is unstable (not reachable). Enable DPD on both ends, then the SA should be cleared as soon as the link is not available.
I too am battling with this issue at the moment. I have my DPD interval set to 60s and retries set to 1; however, even when the remote peer disappears the SAs are still active and I have to manually flush them. This is on a tunnel from RouterOS 5.0rc5 on a RB750G to a Cisco concentrator.
Someone is in the same boat as me…
I hope this thread will find the best settings to make the IPsec VPN more stable.
Report: after enabling DPD, the connection seems to be quite OK but not really stable yet. (N.B.: I must keep pinging the other end router to trigger it and keep the connection alive.)
Sorry for my ignorance, I thought that only ‘1’ and ‘0’ were valid for DPD Interval. So I put ‘1’ to enable it. Actually, it is a time in seconds.
(for #2) Because it is the same product, MT, of course all the exact same settings on IPsec policies, peers & proposals, including the same primary NTP server IP address. (for #1) Because it is not the same product, MT & IPCop. But for MT it is the same as these settings.
The RB750G (192.168.1.0) is my central site. The other site's RB750 (192.168.20.0) links to it and gets data. If the connection is lost (meaning ping RTO), then the current workaround is just to remote in by public IP to the central server and do a ping (192.168.20.x), and it will come back alive again. Troublesome, right?
I heard from my friends' feedback that MT is weak on VPN.
The RB750G (192.168.1.0) is my central site. The other site's RB750 (192.168.20.0) links to it and gets data. If the connection is lost (meaning ping RTO), then the current workaround is just to remote in by public IP to the central server and do a ping (192.168.20.x), and it will come back alive again. Troublesome, right?
Maybe it would be a good idea to fix the link between both routers first.
DPD is working fine for me; when the link is down, after a specific time the /installed-sa entries are cleared.
Note that DPD does not stabilize the connection; it helps IPsec to clear installed-sa when the link is down.
I heard from my friends' feedback that MT is weak on VPN.
Did they contact us and report all the problems to support@mikrotik.com?
As far as I know all supported tunnels are working fine. At least I’m not aware of any serious issue.
There are no ‘best values’ for those - they are policy decisions.
Got peers with unknown (dynamic or road warrior) IPs? You’ll need generate-policy set to yes to even be operational. Got only static peers? You might as well write out the policies manually and set generate-policy to no. Which one you choose depends on what kind of peers you have.
If there are only static peers it would be better to turn it off and use manual policies only.
Lifetime and lifebytes? What kind of security does your policy require? The longer the SA is in effect, the longer an adversary has to crack it. The more data is encrypted with the same SA, the more data an adversary has to work with. Shorter is better, but more resource intensive. How much traffic is traversing the link? That significantly affects lifebytes. How important is that traffic? What kind of impact on your business would someone having the plaintext have? How many resources can you spare? How are your SAs negotiated - certificates or PSKs? An RB133 using certificates should renegotiate far less often than a Xeon x86 or RB1000 with hardware encryption offloading.
DPD is also based on your requirements - how fast do you need to detect link failure? Don’t go lower than 15 seconds. Above five minutes is probably also unreasonable. Unless your situation makes more extreme values OK.
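Added example, not posted by anyone in this thread and not MikroTik's own documentation: the central RB750G side of a static site-to-site tunnel, in RouterOS v5-era CLI syntax, putting the advice above together (manual policy with generate-policy=no, DPD above the 15 s floor, shorter phase 2 lifetime, NTP on both ends). The public addresses 203.0.113.1 / 198.51.100.1, the NTP server address, the PSK and the algorithm choices are assumptions; the LAN subnets are the ones from the thread, and the remote router mirrors this with the addresses swapped.

```routeros
# Added example (not from this thread): central RB750G side of a static
# site-to-site IPsec tunnel. Public IPs, NTP server and PSK are constructed.

# Peer: static remote address, so policies are written by hand and
# generate-policy=no. dpd-interval stays above the 15 s floor; after 5 missed
# probes the peer and its SAs are torn down instead of lingering.
/ip ipsec peer
add address=198.51.100.1/32 port=500 auth-method=pre-shared-key \
    secret="CHANGE-ME-PSK" exchange-mode=main send-initial-contact=yes \
    nat-traversal=no proposal-check=obey hash-algorithm=sha1 \
    enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d lifebytes=0 \
    dpd-interval=60s dpd-maximum-failures=5 generate-policy=no

# Phase 2 proposal: shorter SA lifetime than phase 1, PFS enabled.
/ip ipsec proposal
add name=site-b auth-algorithms=sha1 enc-algorithms=aes-128 \
    lifetime=30m pfs-group=modp1024

# Manual policy: only traffic between the two LANs, tunnel mode,
# encryption required (level=require) so nothing leaks in the clear.
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=192.168.20.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 proposal=site-b

# Both routers point at the same NTP server: the manual notes IPsec is
# sensitive to time changes, and SA lifetimes depend on the clock.
/system ntp client
set enabled=yes mode=unicast primary-ntp=203.0.113.10
```

With this in place, check /ip ipsec installed-sa after pulling the WAN link on the remote side: the entries should disappear roughly dpd-interval x dpd-maximum-failures later, and the next packet matching the policy triggers a fresh negotiation rather than needing a manual Flush.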
The VPN is from a Cisco concentrator to a RB750G. DPD is set to 10 seconds, but still the IPsec will lock up and we will need to “Kill Connections” to get it running again.
I will log a ticket with Mikrotik as this is driving me nuts.