Experimentator
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Nov 24, 2012 9:12 pm

IPsec-SA expired before finishing rekey

Thu Sep 14, 2017 5:54 pm

Hi All,

I'm setting up IPsec connection from my Windows laptop to the Mikrotik router (ROS version 6.40.1) based on IKEv2 and RSA signatures authentication (RoadWarrior setup with Mikrotik acting as a server with a fixed IP, and laptop being 'on the go' with random IP addresses). The connection works for 30 minutes, and then it drops. When it happens, I see an "IPsec-SA expired before finishing rekey" message in Mikrotik log.

How do I set it up so that the rekey procedure works and the link doesn't drop?
I guess I am missing some obvious parameter, but I cannot figure out what it is...
Can someone please advise what to look for?
 
lordcoke
newbie
Posts: 29
Joined: Thu Jun 10, 2010 10:11 am
Location: Germany

Re: IPsec-SA expired before finishing rekey  [SOLVED]

Mon Jan 29, 2018 3:29 pm

Had the same issue. It has been solved by setting pfs-group for RW to none under the IPsec Proposal menu.
 
Experimentator
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Nov 24, 2012 9:12 pm

Re: IPsec-SA expired before finishing rekey

Tue Aug 21, 2018 4:16 pm

Thanks! This seems to have fixed it!
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: IPsec-SA expired before finishing rekey

Tue Aug 21, 2018 5:01 pm

I would suggest creating a ticket with support as well so MKT can check if this is something they can fix.
Simply using PFS for P2 should not break re-keying.
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: IPsec-SA expired before finishing rekey

Sat Sep 08, 2018 1:33 pm

I have the same issue with iOS and macOS (current build):
10:04:00 ipsec processing payload: KE (not found) 
10:04:00 ipsec IPsec-SA established: IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177 
10:04:00 ipsec IPsec-SA established: IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775 
10:04:02 ipsec ike2 request, exchange: INFORMATIONAL:97e IP_OF_A_Different_working_Connection[4500] 
10:04:02 ipsec payload seen: ENC 
10:04:02 ipsec processing payload: ENC 
10:04:02 ipsec respond: info 
10:04:03 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xca8e3d2 
10:04:03 ipsec adding payload: DELETE 
10:04:03 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0x73be941 
10:04:03 ipsec adding payload: DELETE 
10:04:03 ipsec ike2 reply, exchange: INFORMATIONAL:7 IP_OF_CLIENT[4500] 
10:04:03 ipsec my msg id not matching, ignoring 
10:04:04 ipsec ike2 request, exchange: INFORMATIONAL:97f IP_OF_A_Different_working_Connection[4500] 
10:04:04 ipsec payload seen: ENC 
10:04:04 ipsec processing payload: ENC 
10:04:04 ipsec respond: info 
10:04:06 ipsec ike2 request, exchange: INFORMATIONAL:980 IP_OF_A_Different_working_Connection[4500] 
10:04:06 ipsec payload seen: ENC 
10:04:06 ipsec processing payload: ENC 
10:04:06 ipsec respond: info 
10:04:08 ipsec ike2 request, exchange: INFORMATIONAL:981 IP_OF_A_Different_working_Connection[4500] 
10:04:08 ipsec payload seen: ENC 
10:04:08 ipsec processing payload: ENC 
10:04:08 ipsec respond: info 
10:04:08 ipsec retransmit 
10:04:08 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177 
10:04:08 ipsec ike2 expire 0xb93a775 
10:04:08 ipsec queued 
10:04:08 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775 
10:04:10 ipsec ike2 request, exchange: INFORMATIONAL:982 IP_OF_A_Different_working_Connection[4500] 
10:04:10 ipsec payload seen: ENC 
10:04:10 ipsec processing payload: ENC 
10:04:10 ipsec respond: info 
10:04:11 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177 
10:04:11 ipsec,error IPsec-SA expired before finishing rekey: IP_OF_CLIENT[4500]<->IP_OF_VPN_Router[4500] spi=0xb93a775 
10:04:11 ipsec,info killing ike2 SA: IP_OF_VPN_Router[4500]-IP_OF_CLIENT[4500] spi:e4956eaededf97f6:870f419dd796c477 
10:04:11 ipsec IPsec-SA killing: IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177 
10:04:11 ipsec IPsec-SA killing: IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775 
10:04:11 ipsec removing generated policy 
10:04:11 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775 
10:04:11 ipsec adding payload: DELETE 
10:04:11 ipsec KA remove: IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] 
10:04:11 ipsec,info releasing address 10.10.100.82 
10:04:11 ipsec ike2 reply, exchange: INFORMATIONAL:9 IP_OF_CLIENT[4500] 
10:04:11 ipsec SPI f697dfdeae6e95e4 not registred for IP_OF_CLIENT[4500] 
10:04:12 ipsec ike2 request, exchange: INFORMATIONAL:983 IP_OF_A_Different_working_Connection[4500] 
/ip ipsec peer print
 5   R ;;; ikev2 clients
       address=0.0.0.0/0 passive=yes auth-method=rsa-signature certificate=TPGGateway254-ovpn generate-policy=port-strict policy-template-group=default exchange-mode=ike2 
       mode-config=ikev2-default send-initial-contact=no my-id=fqdn:sstp.ontpg.com hash-algorithm=sha256 enc-algorithm=aes-256,aes-128 dh-group=modp2048,modp1024 lifetime=1h 
       dpd-interval=2m 
/ip ipsec policy print
 T * ;;; default
       group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=l2tp-default template=yes


/ip ipsec mode-config print
Flags: * - default 
 0 * name="request-only" 

 1   name="ikev2-default" system-dns=no static-dns=172.17.1.43,172.17.1.44 address-pool=l2tp-pool-default address-prefix-length=24

/ip ipsec proposal print
4    name="l2tp-default" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s pfs-group=none
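An added example, not part of any post in this thread: a small Python triage script that reads RouterOS IPsec log text in the format quoted above, finds each "IPsec-SA expired before finishing rekey" event, and reports how long the affected SA had existed and whether it was negotiated after a `KE (not found)` line. Reading `KE (not found)` as "the exchange carried no Key Exchange payload" is an assumption about the log wording; the function and field names are this example's own.

```python
import re
from datetime import datetime

# Excerpt of the log lines quoted in the thread (placeholders kept as posted).
SAMPLE_LOG = """\
10:04:00 ipsec processing payload: KE (not found)
10:04:00 ipsec IPsec-SA established: IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177
10:04:00 ipsec IPsec-SA established: IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775
10:04:03 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xca8e3d2
10:04:08 ipsec IPsec-SA expired: ESP/Tunnel IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177
10:04:11 ipsec,error IPsec-SA expired before finishing rekey: IP_OF_CLIENT[4500]<->IP_OF_VPN_Router[4500] spi=0xb93a775
10:04:11 ipsec,info killing ike2 SA: IP_OF_VPN_Router[4500]-IP_OF_CLIENT[4500] spi:e4956eaededf97f6:870f419dd796c477
"""

LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) (.*)$")   # time, topics, message
SPI = re.compile(r"spi=(0x[0-9a-fA-F]+)")


def rekey_failures(log_text):
    """Return one record per 'expired before finishing rekey' event."""
    established = {}      # spi -> (time established, negotiated without KE?)
    ke_missing = None     # state of the most recent KE payload line
    failures = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue      # command output or wrapped lines, not a log entry
        stamp, _topics, msg = m.groups()
        when = datetime.strptime(stamp, "%H:%M:%S")  # no date in the log: same day assumed
        spi = SPI.search(msg)
        if msg.startswith("processing payload: KE"):
            ke_missing = "(not found)" in msg
        elif msg.startswith("IPsec-SA established:") and spi:
            established[spi.group(1)] = (when, ke_missing)
        elif msg.startswith("IPsec-SA expired before finishing rekey") and spi:
            born, no_ke = established.get(spi.group(1), (None, None))
            failures.append({
                "spi": spi.group(1),
                "time": stamp,
                "age_seconds": int((when - born).total_seconds()) if born else None,
                "created_without_ke": no_ke,
            })
    return failures


if __name__ == "__main__":
    for failure in rekey_failures(SAMPLE_LOG):
        print(failure)
```

On a router serving several peers at once, the KE flag is taken from the most recent KE line regardless of peer, so filter the log to one client before relying on that field.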
