Stinkys
just joined
Topic Author
Posts: 3
Joined: Wed Oct 30, 2019 2:18 pm

RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Wed Oct 30, 2019 2:40 pm

Hi all,

I have 2 x RB3011s running v6.45.7 (inc. firmware) that are exhibiting the same behavior after creating L2TP + IPSec tunnels, and I believe that IPSec hardware encryption might have something to do with it. When I configure L2TP back to head office (used by RB2011s and others for the same purpose) the tunnel works fine. As soon as I enable IPSec on the L2TP connection with our pre-shared key, the RB3011 thinks for a few seconds, sends a couple of screen updates to Winbox, then reboots itself. In the log after reboot are the messages 'system, error, critical: kernel failure in previous boot' and 'router was rebooted without proper shutdown'.

Now I see that IPSec hardware encryption was enabled for the RB3011 in v6.43.1. I can't see many others talking about this specific issue since then. I believe the issue is due to hardware encryption because if I manually configure the peer & proposal at both ends and set the proposal to use SHA512, the tunnel + IPSec work fine. SHA512 is not supported by hardware encryption according to documentation, so I assume it is falling back to software encryption.

I don't have a broken config to export at the moment - it's working right now and I need it to work. However, I can replicate this in the lab next week if required.

Is this a common/known issue that I just haven't found discussion on? Or is this more likely a config issue on my part?
 
McSee
Frequent Visitor
Posts: 84
Joined: Tue Feb 26, 2019 12:49 pm

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Wed Oct 30, 2019 11:47 pm

I have a couple of IPsec tunnels with hw crypto running on my RB3011 without any issues.
[attachment: SA10.png]
 
Stinkys
just joined
Topic Author
Posts: 3
Joined: Wed Oct 30, 2019 2:18 pm

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Thu Oct 31, 2019 12:00 am

On 6.44.6?
 
Stinkys
just joined
Topic Author
Posts: 3
Joined: Wed Oct 30, 2019 2:18 pm

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Thu Oct 31, 2019 12:01 am

And are you using L2TP?
 
McSee
Frequent Visitor
Posts: 84
Joined: Tue Feb 26, 2019 12:49 pm

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Thu Oct 31, 2019 12:04 am

Yes, 6.44.6. (I prefer long-term unless I really need some new features in stable.)

No L2TP, just IPsec on this one.
 
angriukas
Member Candidate
Posts: 103
Joined: Fri Nov 22, 2013 9:20 am

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Tue Nov 05, 2019 3:38 pm

Today our router rebooted due to kernel failure a lot of times. I guess this is due to IPSec.
I can force a kernel failure by sending a big packet via the VPN from a PC in the LAN:
ping 10.50.1.200 -l 10000

After this command I get a kernel failure with a router reboot.
Our hardware: CCR1009-7G-1C-1S+
ROS 6.44.5
IPSec VPN exchange mode: IKE2
Will create a support file and knock on MikroTik support's door :(
 
angriukas
Member Candidate
Posts: 103
Joined: Fri Nov 22, 2013 9:20 am

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Tue Nov 05, 2019 7:41 pm

Upgraded to 6.44.6, still same behavior - kernel failure.
 
Kindis
Member
Posts: 437
Joined: Tue Nov 01, 2011 6:54 pm
Location: Sweden

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Wed Nov 06, 2019 6:17 am

I have a lot of both GRE + IPSec and L2TP + IPSec tunnels and I do not have this issue. I use SHA256 + AES-256 in all proposals for IPSec and I have not seen this issue. Most of the tunnels do not have heavy traffic, but one pushes backup data off site using GRE.
What proposal do you have for the tunnel?
 
angriukas
Member Candidate
Posts: 103
Joined: Fri Nov 22, 2013 9:20 am

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Wed Nov 06, 2019 3:17 pm

Dear all, the situation is as follows:

Site1, ISP with 1Gbps line (CCR1009-7G-1C-1S+) <- - -> Site2, ISP with 30Mbps line (SonicWall)
IPSEC AES256-CBC - no kernel panic.

Site2 migrated to a new ISP with an about 10 times faster line. Right after that the CCR started to kernel panic, even during an RDP session via the tunnel.

Site1 1Gbps (CCR1009-7G-1C-1S+) <- - -> Site2 300Mbps (SonicWall)
IPSEC AES256-CBC - kernel panic.

We have changed the encryption to 3DES on both sides - no more kernel panic.
Nothing is more permanent than a temporary solution ;)
I want to point out that the same config caused no problems on the 30Mbps line, whereas on the 300Mbps line the CCR started to panic.
All that info was sent to MikroTik support. Hope to have the fix in the upcoming releases.

Update:
Before 3DES I tried limiting the gateway interface speed with Queues to 10Mbps - still kernel panic.
Whether it is related to the ISP or to the line speed is hard to tell.
I think no kernel panic should occur in any case.
 
AlexeySam
just joined
Posts: 1
Joined: Mon Nov 18, 2019 2:04 pm

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Mon Nov 18, 2019 2:12 pm

Hello.
I am facing a problem with a CCR1036-12G-4S rebooting.
The problem appears when we add two EoIP tunnels with IPsec (without IPsec we don't have this problem) into a bonding.
There are two tunnels to a certain remote router.
Site1 CCR1036-12G-4S - Site2 RB2011.
IPSEC AES128-CBC

If I add the same tunnels to other remote RB2011 routers with the same IPSEC settings, the situation does not recur.

I can reproduce this problem on two different CCR1036-12G-4S routers. I've already tried updating the firmware on both routers. I've also tried copying all the settings to another RB2011.
The problem isn't solved.

We have never faced such a problem before, including when we added more than 200 similar tunnels with other remote RB2011 routers. If we add these 2 particular tunnels, the CCR1036-12G-4S reboots.
On the remote router we don't see any errors.
We can't figure out how to cope with this situation as soon as possible.
Do you have any ideas?
 
angriukas
Member Candidate
Posts: 103
Joined: Fri Nov 22, 2013 9:20 am

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Wed Nov 20, 2019 10:14 am

This is related to packet fragmentation. In my case the workaround was:
use 3DES encryption in phase 2 (in IPSec profiles) instead of AES256,
because the reboot occurs only in the case of AES256 encryption,
or change the MSS to 1350: https://wiki.mikrotik.com/wiki/Manual:I ... Change_MSS
A sample rule is below. Change dst-address and out-interface according to your situation.

/ip firewall mangle
add action=change-mss chain=forward dst-address=192.168.15.0/24 \
    new-mss=1350 out-interface=sfp1-gw passthrough=no protocol=tcp \
    tcp-flags=syn tcp-mss=1301-65535

More info:
I have contacted MikroTik support and we have actively worked on this issue. I hope the next ROS release will have the fix :)
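The MSS workaround above, and the oversized-ping trigger in the earlier CCR1009 post, both come down to how many bytes ESP adds to each packet. The following Python is an added example, not code from this thread or from MikroTik: it sizes an ESP-protected TCP segment for the proposals discussed here (AES-CBC or 3DES, SHA1/SHA256/SHA512 ICVs, optional NAT-T) and finds the largest MSS that still fits a 1500-byte outer MTU, for both plain tunnel mode and L2TP/IPsec transport mode. The L2TP (6 bytes) and PPP (4 bytes) header lengths are assumed minimal data-message headers; sessions that carry L2TP sequence numbers or a length field add a few bytes, which is one reason a clamp of 1350 is comfortably safe.

```python
"""Size ESP packets and compute the largest TCP MSS that avoids outer fragmentation.

Header sizes follow RFC 4303 (ESP), RFC 3948 (UDP encapsulation for NAT-T),
RFC 2661 (L2TPv2) and RFC 1661 (PPP). The L2TP and PPP header lengths are
assumptions (minimal data-message headers), passed as parameters so they can be
changed. Example code written for this discussion, not a MikroTik tool.
"""
from dataclasses import dataclass
import math

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad-length byte + next-header byte
NAT_T_UDP = 8        # UDP/4500 header inserted when NAT traversal is active

# cipher -> (padding block size, IV length); integrity -> ICV length, all in bytes
CIPHERS = {"aes-cbc": (16, 16), "3des": (8, 8)}
ICV_LEN = {"sha1": 12, "sha256": 16, "sha512": 32}


@dataclass(frozen=True)
class EspParams:
    cipher: str = "aes-cbc"
    integrity: str = "sha256"
    nat_t: bool = False


def esp_packet_size(plaintext_len: int, p: EspParams) -> int:
    """Length of the outer IPv4 packet carrying `plaintext_len` ESP-protected bytes."""
    block, iv_len = CIPHERS[p.cipher]
    # ESP pads plaintext + trailer up to a multiple of the cipher block size.
    pad = (-(plaintext_len + ESP_TRAILER)) % block
    size = (IPV4_HDR + ESP_HDR + iv_len + plaintext_len + pad
            + ESP_TRAILER + ICV_LEN[p.integrity])
    return size + NAT_T_UDP if p.nat_t else size


def tunnel_plaintext(tcp_payload: int) -> int:
    """Tunnel mode (GRE/EoIP-over-IPsec style policies): whole inner IPv4/TCP packet."""
    return IPV4_HDR + TCP_HDR + tcp_payload


def l2tp_plaintext(tcp_payload: int, l2tp_hdr: int = 6, ppp_hdr: int = 4) -> int:
    """L2TP/IPsec (transport mode): UDP/1701 + L2TP + PPP + inner IPv4/TCP.

    l2tp_hdr=6 and ppp_hdr=4 are assumed minimal headers, not measured values.
    """
    return UDP_HDR + l2tp_hdr + ppp_hdr + IPV4_HDR + TCP_HDR + tcp_payload


def max_mss(outer_mtu: int, p: EspParams, plaintext_fn=tunnel_plaintext) -> int:
    """Largest TCP payload whose ESP packet still fits in one outer-MTU frame."""
    for payload in range(outer_mtu, 0, -1):
        if esp_packet_size(plaintext_fn(payload), p) <= outer_mtu:
            return payload
    raise ValueError("outer MTU too small for any payload")


def outer_fragments(inner_len: int, outer_mtu: int, p: EspParams) -> int:
    """Outer IPv4 fragments one tunnel-mode inner packet of `inner_len` bytes produces."""
    total = esp_packet_size(inner_len, p)
    if total <= outer_mtu:
        return 1
    per_fragment = (outer_mtu - IPV4_HDR) // 8 * 8   # fragment payloads are 8-byte aligned
    return math.ceil((total - IPV4_HDR) / per_fragment)


if __name__ == "__main__":
    aes = EspParams("aes-cbc", "sha256")
    print("tunnel AES-CBC/SHA256 max MSS:", max_mss(1500, aes))
    print("tunnel AES-CBC/SHA256 + NAT-T max MSS:", max_mss(1500, EspParams(nat_t=True)))
    print("L2TP/IPsec AES-CBC/SHA256 max MSS:", max_mss(1500, aes, l2tp_plaintext))
    print("tunnel 3DES/SHA1 max MSS:", max_mss(1500, EspParams("3des", "sha1")))
    print("outer fragments for a 1500-byte inner packet:", outer_fragments(1500, 1500, aes))
```

With AES-CBC and SHA256 the calculation gives an MSS of 1398 for tunnel mode (1382 with NAT-T) and 1380 for L2TP/IPsec, so 1350 leaves margin for L2TP options and NAT-T. `outer_fragments` shows the other side of the same arithmetic: a full 1500-byte inner packet, which is what each piece of `ping -l 10000` becomes once the LAN host fragments it, grows to 1564 bytes after ESP and must be split into two outer fragments by the router; clamping MSS keeps TCP off that post-fragmentation path, while large ICMP or UDP packets still take it.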
 
Dimasmir
just joined
Posts: 8
Joined: Fri Sep 02, 2016 1:05 pm

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Thu Dec 26, 2019 11:25 pm

angriukas wrote:
    More info:
    I have contacted MikroTik support and we have actively worked on this issue. I hope the next ROS release will have the fix :)
Hello.
Could you get any new information from colleagues from Mikrotik?
 
angriukas
Member Candidate
Posts: 103
Joined: Fri Nov 22, 2013 9:20 am

Re: RB3011 L2TP + IPSec 'kernel failure in previous boot' due to hardware encryption?

Thu Jan 02, 2020 11:18 am

Dimasmir wrote:
    Hello.
    Could you get any new information from colleagues from Mikrotik?
A few days ago I had a small conversation; MT support suggested version 6.46.1. This is not so easy for me to do because I am admin of only the local router.
Currently we are on 3DES; both routers would have to be reconfigured, and it is quite difficult to find time for that. I need to contact the admin of the remote site, and there is not much room for testing on a PROD tunnel :!:
