sherpya
just joined
Topic Author
Posts: 3
Joined: Mon Oct 07, 2019 8:37 pm

peer sent packet for dead phase2

Mon Oct 07, 2019 8:42 pm

I've made a site-to-site IPsec connection that actually does work; however, the log gets filled with these messages, I mean 10 messages every 4 seconds:
17:14:33 ipsec,error 1.2.3.4 failed to pre-process ph2 packet.
17:14:35 ipsec,error 1.2.3.4 peer sent packet for dead phase2
17:14:37 ipsec,error 1.2.3.4 peer sent packet for dead phase2
17:14:39 ipsec,error 1.2.3.4 peer sent packet for dead phase2
17:14:41 ipsec,error 1.2.3.4 peer sent packet for dead phase2
17:14:43 ipsec,error 1.2.3.4 peer sent packet for dead phase2
17:14:45 ipsec,error 1.2.3.4 peer sent packet for dead phase2
17:14:49 ipsec,error 1.2.3.4 peer sent packet for dead phase2
my configuration is the following:
/ip ipsec profile
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256,3des name=profile-msc nat-traversal=no
/ip ipsec peer
add address=1.2.3.4/32 name=msc profile=profile-msc
/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=1h name=proposal-msc pfs-group=none
/ip ipsec identity
add peer=msc secret=secret
/ip ipsec policy
add dst-address=10.0.0.0/24 peer=msc proposal=proposal-msc sa-dst-address=1.2.3.4 sa-src-address=0.0.0.0 src-address=192.168.1.0/24 tunnel=yes 
RouterOS version is 6.45.6; the other end is a Check Point.
 
Zacharias
Member
Posts: 458
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: peer sent packet for dead phase2

Tue Oct 08, 2019 12:26 am

According to the wiki, phase 2 should match on the following settings:
Ipsec protocol
mode (tunnel or transport)
authentication method
PFS (DH) group
lifetime
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec

Make sure they match on both sides...
 
sherpya
just joined
Topic Author
Posts: 3
Joined: Mon Oct 07, 2019 8:37 pm

Re: peer sent packet for dead phase2

Tue Oct 08, 2019 1:35 pm

I've already checked my side; I'm waiting for a double check of the other side.
I've noticed I have 358 established connections in active peers; it looks like the VPN is connecting multiple times.
 
deathandtaxes
just joined
Posts: 6
Joined: Fri Jun 23, 2017 5:20 pm

Re: peer sent packet for dead phase2

Thu Oct 10, 2019 6:14 pm

I've already checked my side; I'm waiting for a double check of the other side.
I've noticed I have 358 established connections in active peers; it looks like the VPN is connecting multiple times.
I'm seeing similar behavior: multiple instances of the same remote address under IPsec > Remote Peers. I get local log messages for "peer sent packet for dead phase2" from this host as well. Running 6.44.5 currently, considering updating to 6.45.6.
 
sherpya
just joined
Topic Author
Posts: 3
Joined: Mon Oct 07, 2019 8:37 pm

Re: peer sent packet for dead phase2

Thu Oct 10, 2019 6:19 pm

I've solved it by adding a rule to allow IPsec (protocol 50) input packets from the other end.
The tunnel was working even without this rule, but the other end was maybe dropping the tunnel after a while.
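The rule sherpya describes, written out as an added example (this is not the rule sherpya posted, and not MikroTik documentation). It assumes the standard RouterOS firewall filter syntax, uses the placeholder peer address 1.2.3.4 from the thread, and assumes the rules are moved above any generic drop rule on the input chain. Because the profile in the thread has nat-traversal=no, only UDP 500 is needed for IKE; with NAT-T you would also accept udp/4500. The print commands at the end are the checks a practitioner would run afterwards: a healthy tunnel shows one active peer and one pair of installed SAs, not hundreds of entries as reported above.

```routeros
# Added example: accept IPsec traffic from the remote gateway on the input chain.
# 1.2.3.4 is the placeholder peer address from the thread; replace with the real gateway.
/ip firewall filter
# IKE (ISAKMP) negotiation. nat-traversal=no in the profile, so UDP 500 is enough;
# with NAT-T enabled you would also need dst-port=4500.
add chain=input action=accept protocol=udp dst-port=500 src-address=1.2.3.4 \
    comment="IKE from peer msc"
# ESP (IP protocol 50) carries the tunnelled traffic itself.
add chain=input action=accept protocol=ipsec-esp src-address=1.2.3.4 \
    comment="ESP from peer msc"
# These rules must sit above any "drop everything else" rule on the input chain;
# use /ip firewall filter move if they were appended below it.

# Checks after adding the rules: expect a single entry for 1.2.3.4 in active peers
# and one SA per direction. Hundreds of entries mean the tunnel is being
# renegotiated over and over, which is what produces the "dead phase2" log noise.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/log print where topics~"ipsec"
```

If the log keeps filling after the rules are in place, the remaining suspect is a phase 2 mismatch of the kind Zacharias lists (protocol, mode, auth method, PFS group, lifetime), which the proposal and policy print output on each side lets you compare field by field.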
