Today I spent many hours on this problem.
My IPsec is very unstable.
I have a central Mikrotik 192.168.40.1 (static IP)
and two sites, 192.168.1.0/24 (static IP) and 102.168.30.0/24 (dynamic IP).
192.168.30.0/24 works perfectly,
but 192.168.1.0 doesn't.
I get IPsec disconnects after it is successfully established and gets SAs.
Mikrotik 1 6.73.3 stable
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.1.73/24 192.168.1.0 bridge
1 192.168.2.254/24 192.168.2.0 ether1
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes
1 src-address=192.168.1.0/24 src-port=any dst-address=192.168.40.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.2.254
sa-dst-address=80.xxx.115.108 proposal=default priority=0
/ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=80.xxx.115.108/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="xxxxxx" generate-policy=no
policy-template-group=default exchange-mode=main-l2tp
send-initial-contact=yes nat-traversal=yes hash-algorithm=sha1
enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d
dpd-interval=disable-dpd dpd-maximum-failures=1
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept dst-address=192.168.40.0/24 log=no
1 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.2.73 1
1 ADC 192.168.1.0/24 192.168.1.73 bridge 0
2 ADC 192.168.2.0/24 192.168.2.254 ether1 0
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; p2p
chain=forward action=drop p2p=all-p2p log=no
2 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
3 chain=input action=accept protocol=ipsec-esp log=no
4 chain=input action=accept protocol=udp dst-port=500,4500,1701
log=no
5 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related
6 ;;; defconf: accept established,related
chain=forward action=accept
connection-state=established,related
7 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1
8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related
9 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
10 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1
dec/20 01:20:34 ipsec,debug initiate new phase 1 negotiation: 192.168.2.254[500]<=>80.xxx.115.108[500]
dec/20 01:20:34 ipsec,debug begin Identity Protection mode.
dec/20 01:20:34 ipsec,debug sent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] efb5b13b3a9c152a:0000000000000000
dec/20 01:20:43 ipsec,debug new acquire 192.168.2.254[0]<=>80.xxx.115.108[0]
dec/20 01:20:43 ipsec,debug suitable outbound SP found: 192.168.1.0/24[0] 192.168.40.0/24[0] proto=any dir=out
dec/20 01:20:43 ipsec,debug suitable inbound SP found: 192.168.40.0/24[0] 192.168.1.0/24[0] proto=any dir=in
dec/20 01:20:43 ipsec,debug 80.xxx.115.108 request for establishing IPsec-SA was queued due to no phase1 found.
dec/20 01:20:44 ipsec,debug resent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] efb5b13b3a9c152a:0000000000000000
dec/20 01:20:44 ipsec,debug received Vendor ID: RFC 3947
dec/20 01:20:44 ipsec,debug received Vendor ID: CISCO-UNITY
dec/20 01:20:44 ipsec,debug received Vendor ID: DPD
dec/20 01:20:44 ipsec,debug 80.xxx.115.108 Selected NAT-T version: RFC 3947
dec/20 01:20:44 ipsec,debug 80.xxx.115.108 Hashing 80.xxx.115.108[500] with algo #2
dec/20 01:20:44 ipsec,debug 192.168.2.254 Hashing 192.168.2.254[500] with algo #2
dec/20 01:20:44 ipsec,debug Adding remote and local NAT-D payloads.
dec/20 01:20:44 ipsec,debug sent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:44 ipsec,debug 192.168.2.254 Hashing 192.168.2.254[500] with algo #2
dec/20 01:20:44 ipsec,debug NAT-D payload #0 doesn't match
dec/20 01:20:44 ipsec,debug 80.xxx.115.108 Hashing 80.xxx.115.108[500] with algo #2
dec/20 01:20:44 ipsec,debug NAT-D payload #1 doesn't match
dec/20 01:20:44 ipsec,debug NAT detected: ME PEER
dec/20 01:20:44 ipsec,debug KA list add: 192.168.2.254[4500]->80.xxx.115.108[4500]
dec/20 01:20:44 ipsec,debug sent phase1 packet 192.168.2.254[4500]<=>80.xxx.115.108[4500] efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:44 ipsec,debug ISAKMP-SA established 192.168.2.254[4500]-80.xxx.115.108[4500] spi:efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:45 ipsec,debug initiate new phase 2 negotiation: 192.168.2.254[4500]<=>80.xxx.115.108[4500]
dec/20 01:20:45 ipsec,debug pfkey GETSPI succeeded: ESP/Tunnel 80.xxx.115.108[4500]->192.168.2.254[4500] spi=208801044(0xc720d14)
dec/20 01:20:45 ipsec,debug NAT detected -> UDP encapsulation (ENC_MODE 1->3).
dec/20 01:20:45 ipsec,debug sent phase2 packet 192.168.2.254[4500]<=>80.xxx.115.108[4500] efb5b13b3a9c152a:5a32b3c476d9ac3d:fb383998
dec/20 01:20:45 ipsec,debug Adjusting my encmode UDP-Tunnel->Tunnel
dec/20 01:20:45 ipsec,debug Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
dec/20 01:20:45 ipsec IPsec-SA established: ESP/Tunnel 80.xxx.115.108[4500]->192.168.2.254[4500] spi=208801044(0xc720d14)
dec/20 01:20:45 ipsec IPsec-SA established: ESP/Tunnel 192.168.2.254[4500]->80.xxx.115.108[4500] spi=662371(0xa1b63)
dec/20 01:21:15 ipsec,debug 80.xxx.115.108 DPD: remote (ISAKMP-SA 192.168.2.254[4500]<=>80.xxx.115.108[4500] spi=efb5b13b3a9c152a:5a32b3c476d9ac3d) seems to be dead.
dec/20 01:21:15 ipsec,debug purging ISAKMP-SA 192.168.2.254[4500]<=>80.xxx.115.108[4500] spi=efb5b13b3a9c152a:5a32b3c476d9ac3d.
dec/20 01:21:15 ipsec purged IPsec-SA spi=662371.
dec/20 01:21:15 ipsec purged IPsec-SA spi=208801044.
dec/20 01:21:15 ipsec purged ISAKMP-SA 192.168.2.254[4500]<=>80.xxx.115.108[4500] spi=efb5b13b3a9c152a:5a32b3c476d9ac3d.
dec/20 01:21:15 ipsec,debug pfkey DELETE received: ESP 192.168.2.254[4500]->80.xxx.115.108[4500] spi=662371(0xa1b63)
dec/20 01:21:15 ipsec,debug pfkey DELETE received: ESP 80.xxx.115.108[4500]->192.168.2.254[4500] spi=208801044(0xc720d14)
dec/20 01:21:16 ipsec,debug ISAKMP-SA deleted 192.168.2.254[4500]-80.xxx.115.108[4500] spi:efb5b13b3a9c152a:5a32b3c476d9ac3d rekey:1
dec/20 01:21:16 ipsec,debug KA remove: 192.168.2.254[4500]->80.xxx.115.108[4500]
dec/20 01:21:17 ipsec,debug new acquire 192.168.2.254[0]<=>80.xxx.115.108[0]
dec/20 01:21:17 ipsec,debug suitable outbound SP found: 192.168.1.0/24[0] 192.168.40.0/24[0] proto=any dir=out
dec/20 01:21:17 ipsec,debug suitable inbound SP found: 192.168.40.0/24[0] 192.168.1.0/24[0] proto=any dir=in
dec/20 01:21:17 ipsec,debug IPsec-SA request for 80.xxx.115.108 queued due to no phase1 found.
dec/20 01:21:17 ipsec,debug initiate new phase 1 negotiation: 192.168.2.254[500]<=>80.xxx.115.108[500]
dec/20 01:21:17 ipsec,debug begin Identity Protection mode.
dec/20 01:21:17 ipsec,debug sent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] 46ec621b557aa2da:0000000000000000
dec/20 01:21:27 ipsec,debug resent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] 46ec621b557aa2da:0000000000000000
dec/20 01:21:37 ipsec,debug resent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] 46ec621b557aa2da:0000000000000000
dec/20 01:21:46 system,info,account user dima logged in from 192.168.1.75 via web
dec/20 01:21:46 system,info,account user dima logged in via local
dec/20 01:21:47 ipsec,debug resent phase1 packet 192.168.2.254[500]<=>80.xxx.115.108[500] 46ec621b557aa2da:0000000000000000
dec/20 01:21:48 ipsec,debug 80.xxx.115.108 phase2 negotiation failed due to time up waiting for phase1. ESP 80.xxx.115.108[0]->192.168.2.254[0]
dec/20 01:21:48 ipsec,debug delete phase 2 handler.
dec/20 01:21:50 ipsec,debug new acquire 192.168.2.254[0]<=>80.xxx.115.108[0]
dec/20 01:21:50 ipsec,debug suitable outbound SP found: 192.168.1.0/24[0] 192.168.40.0/24[0] proto=any dir=out
dec/20 01:21:50 ipsec,debug suitable inbound SP found: 192.168.40.0/24[0] 192.168.1.0/24[0] proto=any dir=in
dec/20 01:21:50 ipsec,debug 80.xxx.115.108 request for establishing IPsec-SA was queued due to no phase1 found.
Mikrotik 2 6.37.3 (stable)
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.40.1/24 192.168.40.0 bridge
1 192.168.41.254/24 192.168.41.0 ether1
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes
1 D src-address=192.168.40.0/24 src-port=any dst-address=192.168.30.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.41.254
sa-dst-address=188.xxx.194.106 priority=2
2 D src-address=192.168.40.0/24 src-port=any dst-address=192.168.1.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.41.254
sa-dst-address=188.xxx.169.232 priority=2
/ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=0.0.0.0/0 local-address=0.0.0.0 passive=yes port=500
auth-method=pre-shared-key secret="grskrm126"
generate-policy=port-override policy-template-group=default
exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes
hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024
lifetime=1d dpd-interval=30s dpd-maximum-failures=1
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept dst-address=192.168.1.0/24 log=no
log-prefix=""
1 chain=srcnat action=accept dst-address=192.168.30.0/24 log=no
log-prefix=""
2 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1 log=no
log-prefix=""
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.41.1 1
1 ADC 192.168.40.0/24 192.168.40.1 bridge 0
2 ADC 192.168.41.0/24 192.168.41.254 ether1 0
3 X S 192.168.50.0/24 ether1 1
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=output action=accept log=no log-prefix=""
2 ;;; allow forward for local adresses
chain=forward action=accept src-address-list=local_adresses log=no
log-prefix=""
3 chain=input action=accept log=no log-prefix=""
4 chain=forward action=accept log=no log-prefix=""
5 ;;; allow local adresses
chain=input action=accept src-address-list=local_adresses log=no
log-prefix=""
6 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
7 chain=input action=accept protocol=udp dst-port=500 log=no log-prefix=""
8 chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix=""
9 chain=forward action=accept protocol=udp src-port=4500 log=no
log-prefix=""
10 chain=input action=accept protocol=udp src-port=1701 log=no log-prefix=""
11 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
12 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related log=no
log-prefix=""
13 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no
log-prefix=""
14 XI ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=no log-prefix=""
15 XI ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""
16 XI ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
17 XI ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""
dec/20 01:20:44 ipsec,debug received Vendor ID: RFC 3947
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
dec/20 01:20:44 ipsec,debug
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
dec/20 01:20:44 ipsec,debug received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
dec/20 01:20:44 ipsec,debug received Vendor ID: CISCO-UNITY
dec/20 01:20:44 ipsec,debug received Vendor ID: DPD
dec/20 01:20:44 ipsec,debug 188.xxx.169.232 Selected NAT-T version: RFC 3947
dec/20 01:20:44 ipsec,debug sent phase1 packet 192.168.41.254[500]<=>188.162.169.232[500] efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:44 ipsec,debug 192.168.41.254 Hashing 192.168.41.254[500] with algo #2
dec/20 01:20:44 ipsec,debug NAT-D payload #0 doesn't match
dec/20 01:20:44 ipsec,debug 188.xxx.169.232 Hashing 188.xxx.169.232[500] with algo #2
dec/20 01:20:44 ipsec,debug NAT-D payload #1 doesn't match
dec/20 01:20:44 ipsec,debug NAT detected: ME PEER
dec/20 01:20:44 ipsec,debug 188.xxx.169.232 Hashing 188.xxx.169.232[500] with algo #2
dec/20 01:20:44 ipsec,debug 192.168.41.254 Hashing 192.168.41.254[500] with algo #2
dec/20 01:20:44 ipsec,debug Adding remote and local NAT-D payloads.
dec/20 01:20:44 ipsec,debug sent phase1 packet 192.168.41.254[500]<=>188.162.169.232[500] efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:44 ipsec,debug NAT-T: ports changed to: 188.xxx.169.232[4500]<=>192.168.41.254[4500]
dec/20 01:20:44 ipsec,debug KA found: 192.168.41.254[4500]->188.xxx.169.232[4500] (in_use=2)
dec/20 01:20:44 ipsec,debug ISAKMP-SA established 192.168.41.254[4500]-188.162.169.232[4500] spi:efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:45 ipsec,debug respond new phase 2 negotiation: 192.168.41.254[4500]<=>188.xxx.169.232[4500]
dec/20 01:20:45 ipsec,debug Update the generated policy : 192.168.1.0/24[0] 192.168.40.0/24[0] proto=any dir=in
dec/20 01:20:45 ipsec,debug Adjusting my encmode UDP-Tunnel->Tunnel
dec/20 01:20:45 ipsec,debug Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
dec/20 01:20:45 ipsec,debug pfkey GETSPI succeeded: ESP/Tunnel 188.162.169.232[4500]->192.168.41.254[4500] spi=662371(0xa1b63)
dec/20 01:20:45 ipsec,debug sent phase2 packet 192.168.41.254[4500]<=>188.162.169.232[4500] efb5b13b3a9c152a:5a32b3c476d9ac3d:fb383998
dec/20 01:21:15 ipsec,debug 188.xxx.169.232 DPD: remote (ISAKMP-SA 192.168.41.254[4500]<=>188.xxx.169.232[4500] spi=efb5b13b3a9c152a:5a32b3c476d9ac3d) seems to be dead.
dec/20 01:21:15 ipsec,debug purging ISAKMP-SA 192.168.41.254[4500]<=>188.162.169.232[4500] spi=efb5b13b3a9c152a:5a32b3c476d9ac3d.
dec/20 01:21:15 ipsec,debug keeping IPsec-SA spi=208801044 - found valid ISAKMP-SA spi=9377272138298b80:675887a9bd417e1e.
dec/20 01:21:15 ipsec,debug keeping IPsec-SA spi=662371 - found valid ISAKMP-SA spi=9377272138298b80:675887a9bd417e1e.
dec/20 01:21:16 ipsec,debug ISAKMP-SA deleted 192.168.41.254[4500]-188.162.169.232[4500] spi:efb5b13b3a9c152a:5a32b3c476d9ac3d rekey:1
dec/20 01:21:16 ipsec,debug KA remove: 192.168.41.254[4500]->188.xxx.169.232[4500]
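The Mikrotik 1 log above shows each IPsec-SA being purged 30 seconds after it was established, immediately after a DPD "seems to be dead" message, followed by a phase 1 timeout. The Python script below is an added example, not code from the original post or from MikroTik: it parses RouterOS `ipsec` log lines of the shape shown above (as printed by `/log print`), pairs every `IPsec-SA established` with its matching `purged IPsec-SA` by SPI, and reports the observed SA lifetimes together with counts of DPD timeouts and phase 1 timeouts, so that a flapping tunnel shows up as numbers instead of having to be read out of the debug log by hand. The sample lines are a constructed subset copied from the poster's log; the five-minute "short-lived" threshold and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: a subset of the RouterOS "ipsec" log lines from the post,
# in the same "mon/dd hh:mm:ss topics message" shape that /log print produces.
SAMPLE_LOG = """\
dec/20 01:20:44 ipsec,debug NAT detected: ME PEER
dec/20 01:20:44 ipsec,debug ISAKMP-SA established 192.168.2.254[4500]-80.xxx.115.108[4500] spi:efb5b13b3a9c152a:5a32b3c476d9ac3d
dec/20 01:20:45 ipsec IPsec-SA established: ESP/Tunnel 80.xxx.115.108[4500]->192.168.2.254[4500] spi=208801044(0xc720d14)
dec/20 01:20:45 ipsec IPsec-SA established: ESP/Tunnel 192.168.2.254[4500]->80.xxx.115.108[4500] spi=662371(0xa1b63)
dec/20 01:21:15 ipsec,debug 80.xxx.115.108 DPD: remote (ISAKMP-SA 192.168.2.254[4500]<=>80.xxx.115.108[4500] spi=efb5b13b3a9c152a:5a32b3c476d9ac3d) seems to be dead.
dec/20 01:21:15 ipsec purged IPsec-SA spi=662371.
dec/20 01:21:15 ipsec purged IPsec-SA spi=208801044.
dec/20 01:21:48 ipsec,debug 80.xxx.115.108 phase2 negotiation failed due to time up waiting for phase1. ESP 80.xxx.115.108[0]->192.168.2.254[0]
"""

# One log line: timestamp, comma-separated topics, free-text message.
LINE_RE = re.compile(r"^(?P<ts>[A-Za-z]{3}/\d{1,2} \d{2}:\d{2}:\d{2}) (?P<topics>[\w,]+) (?P<msg>.*)$")
SA_UP_RE = re.compile(r"IPsec-SA established: .*spi=(\d+)\(")
SA_PURGED_RE = re.compile(r"purged IPsec-SA spi=(\d+)\.")


@dataclass
class Event:
    when: datetime  # RouterOS logs no year; strptime fills in 1900, deltas still work
    topics: tuple
    msg: str


def parse_log(text):
    """Turn RouterOS log text into Event records; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        month, rest = m["ts"].split("/", 1)
        when = datetime.strptime(f"{month.capitalize()}/{rest}", "%b/%d %H:%M:%S")
        events.append(Event(when, tuple(m["topics"].split(",")), m["msg"]))
    return events


def summarize(events, short_lived=timedelta(minutes=5)):
    """Pair SA establish/purge events by SPI and count the failure indicators.

    short_lived is an assumed threshold: an SA torn down sooner than this is
    flagged, since a healthy tunnel keeps its SAs until the configured lifetime.
    """
    established = {}          # spi -> time the IPsec-SA came up
    lifetimes = {}            # spi -> seconds it stayed up
    summary = {
        "nat_detected": False,
        "dpd_dead": 0,
        "phase1_timeouts": 0,
        "sa_lifetimes_s": lifetimes,
        "short_lived_spis": [],
    }
    for ev in events:
        msg = ev.msg
        if msg.startswith("NAT detected:"):
            summary["nat_detected"] = True
        elif "seems to be dead" in msg:
            summary["dpd_dead"] += 1
        elif "time up waiting for phase1" in msg:
            summary["phase1_timeouts"] += 1
        elif (m := SA_UP_RE.search(msg)):
            established[m[1]] = ev.when
        elif (m := SA_PURGED_RE.search(msg)):
            spi = m[1]
            start = established.pop(spi, None)
            if start is not None:
                life = ev.when - start
                lifetimes[spi] = life.total_seconds()
                if life < short_lived:
                    summary["short_lived_spis"].append(spi)
    return summary


def main():
    summary = summarize(parse_log(SAMPLE_LOG))
    for spi, secs in summary["sa_lifetimes_s"].items():
        print(f"IPsec-SA spi={spi} lived {secs:.0f}s")
    print(f"NAT-T in use: {summary['nat_detected']}")
    print(f"DPD 'seems to be dead' events: {summary['dpd_dead']}")
    print(f"phase 1 timeouts: {summary['phase1_timeouts']}")
    if summary["short_lived_spis"]:
        print("short-lived SAs:", ", ".join(summary["short_lived_spis"]))


if __name__ == "__main__":
    main()
```

Run it as-is to see the 30 s lifetimes from the sample, or replace `SAMPLE_LOG` with the text of `/log print` from the router with `ipsec,debug` logging enabled. Pairing by SPI rather than by order matters here because both directions of the tunnel come up in the same second and are purged in the opposite order.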