eguun
Frequent Visitor
Topic Author
Posts: 82
Joined: Fri Apr 10, 2020 10:18 pm

IPSec, Ike2 Phase 1 lifetime expiration: no renegotiation, tunnel just killed

Sun Feb 07, 2021 8:30 pm

Dear all,

I have successfully running IPsec connectivity with several endpoints of several brands (i.e. MikroTik with macOS, OPNsense, FRITZ!Box ...).
Sometimes my MikroTik acts as server, sometimes as client.

However, each time I notice that a few minutes before the IPsec IKEv2 phase 1 expiry, the tunnel is killed instead of being renegotiated, and then the other endpoint restarts the connectivity.
Typically this is the only message I see on the logs:
killing ike2 SA: 192.168.xx.xx[4500]-90.xx.xx.xx[4500] spi:41dedfecbb1d8781:835e15596b3d17a4

For details;
  • The Phase 1 lifetime is set to 24H (in IP > IPsec > Profiles)
  • this log message usually shows ~12-15 minutes before the full 24H have elapsed
  • my Phase 2 lifetimes are set to 8H and renegotiate without issue within this 24H interval
  • it happens no matter the other endpoint, and whether MikroTik is server or client: I have observed this to happen when MikroTik is a server and OPNsense is client, when MikroTik is server and macOS is client, and when MikroTik is client and FRITZ!Box is server
Do you have some advice on what I could try to ensure a smooth renegotiation between MikroTik and the other endpoint, without needing to have this tunnel killed, then re-opened ... or is there no workaround?

I am running RouterOS 6.48.1 on a CCR1009-7G-1C-1S+

Kind Regards
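The post only quotes a single "killing ike2 SA" line, so the first diagnostic step is to pull the SA lifecycle out of the log and check two things per teardown: how far it sits from the configured phase 1 lifetime, and whether a replacement SA for the same peer pair was already up before the old one was killed (a proper rekey) or only came up afterwards (the tunnel was torn down and rebuilt). The script below is an added example, not code from the thread or from MikroTik. It assumes the "/log print" layout "mmm/dd hh:mm:ss topics message", assumes an establishment message of the form "new ike2 SA (I|R): ..." alongside the "killing ike2 SA: ..." line quoted in the post, assumes the year (log lines carry none), and uses constructed sample lines with documentation addresses rather than the addresses from the thread.

```python
import re
from datetime import datetime, timedelta

# Assumed "/log print" layout: "mmm/dd hh:mm:ss topics message" (no year on the line).
LINE_RE = re.compile(
    r"^(?P<ts>[a-z]{3}/\d{2} \d{2}:\d{2}:\d{2}) (?P<topics>\S+) (?P<msg>.*)$", re.I)
# "killing ike2 SA: ..." is quoted in the post; "new ike2 SA (I|R): ..." is an assumed
# establishment message, with the initiator/responder suffix made optional.
SA_RE = re.compile(
    r"^(?P<kind>new|killing) ike2 SA(?: \([IR]\))?: "
    r"(?P<local>[^\[\s]+)\[\d+\]-(?P<remote>[^\[\s]+)\[\d+\] "
    r"spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)$", re.I)
LOG_YEAR = 2021                         # assumed; RouterOS log lines carry no year
PHASE1_LIFETIME = timedelta(hours=24)   # the profile lifetime stated in the post
WINDOW = timedelta(minutes=30)          # "shortly before expiry" threshold (assumed)


def parse_events(lines):
    """Return IKEv2 SA events sorted by time: dicts with ts, kind, pair, spi."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = SA_RE.match(m["msg"])
        if not s:
            continue
        ts = datetime.strptime(f"{m['ts']} {LOG_YEAR}", "%b/%d %H:%M:%S %Y")
        events.append({"ts": ts, "kind": s["kind"].lower(),
                       "pair": (s["local"], s["remote"]), "spi": s["spi"].lower()})
    return sorted(events, key=lambda e: e["ts"])


def analyze(lines, lifetime=PHASE1_LIFETIME, window=WINDOW):
    """Classify every 'killing ike2 SA' event against the configured phase 1 lifetime."""
    events = parse_events(lines)
    established = {}   # spi -> the event that created that SA
    findings = []
    for ev in events:
        if ev["kind"] == "new":
            established[ev["spi"]] = ev
            continue
        start = established.pop(ev["spi"], None)
        if start is None:
            findings.append({"spi": ev["spi"], "verdict": "UNKNOWN_SA"})
            continue
        age = ev["ts"] - start["ts"]
        remaining = lifetime - age
        # A clean rekey brings up a replacement SA for the same peer pair *before*
        # the old one is torn down; a replacement that only appears afterwards means
        # the tunnel was killed and rebuilt.
        rekeyed = any(o["kind"] == "new" and o["pair"] == ev["pair"]
                      and o["spi"] != ev["spi"] and start["ts"] < o["ts"] <= ev["ts"]
                      for o in events)
        if timedelta(0) < remaining <= window:
            verdict = "REKEYED" if rekeyed else "KILLED_BEFORE_EXPIRY_NO_REKEY"
        elif remaining <= timedelta(0):
            verdict = "EXPIRED"
        else:
            verdict = "UNRELATED_TO_LIFETIME"
        findings.append({"spi": ev["spi"], "pair": ev["pair"],
                         "age_s": int(age.total_seconds()),
                         "remaining_s": int(remaining.total_seconds()),
                         "verdict": verdict})
    return findings


# Constructed sample log (documentation addresses, not the thread's). The first peer
# is rekeyed cleanly; the second shows the symptom from the post: killed ~13 minutes
# before the 24H lifetime, with the replacement SA only created after the kill.
SAMPLE_LOG = """\
feb/06 10:00:00 ipsec,info new ike2 SA (I): 192.168.88.1[4500]-198.51.100.7[4500] spi:aaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbb
feb/06 20:17:12 ipsec,info new ike2 SA (R): 192.168.88.1[4500]-203.0.113.10[4500] spi:41dedfecbb1d8781:835e15596b3d17a4
feb/07 09:50:00 ipsec,info new ike2 SA (I): 192.168.88.1[4500]-198.51.100.7[4500] spi:cccccccccccccccc:dddddddddddddddd
feb/07 09:50:05 ipsec,info killing ike2 SA: 192.168.88.1[4500]-198.51.100.7[4500] spi:aaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbb
feb/07 20:03:41 ipsec,info killing ike2 SA: 192.168.88.1[4500]-203.0.113.10[4500] spi:41dedfecbb1d8781:835e15596b3d17a4
feb/07 20:03:44 ipsec,info new ike2 SA (R): 192.168.88.1[4500]-203.0.113.10[4500] spi:0a1b2c3d4e5f6071:1122334455667788
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run it against a "/log print" export after enabling the ipsec topic: a run of KILLED_BEFORE_EXPIRY_NO_REKEY verdicts with remaining_s in the 12-15 minute range is the pattern described above, whereas REKEYED verdicts in the same window mean the peers are renegotiating normally and the tear-down is the old SA being retired.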
 
ramirez
Member Candidate
Posts: 148
Joined: Sun May 12, 2013 9:48 pm

Re: IPSec, Ike2 Phase 1 lifetime expiration: no renegotiation, tunnel just killed

Mon Mar 22, 2021 10:48 am

Same problem here with 6.48.1

Edit: I changed the NAT keepalive from 30 to 60 and it looks like the problem is fixed? Will keep checking and will post my findings here in a few days ...

Edit2: No, it seems I was wrong, as to this part: I disconnected the client from power (to simulate a power outage for 10 min) then plugged it back in, and although I can see on the server side that the Internet address has been updated (meaning the server knows the client's Internet address; in IP/IPsec/Policies the source address appears as 0.0.0.0, the destination address is correct), the link is not established! If I reboot both MTs at the same time the link IS established!

I also found this: viewtopic.php?t=108908

Tried around with DPD disable/enable, it didn't make a difference. The weird thing now is that if I disable the peer and re-enable it on the client side the connection doesn't come up! I haven't changed anything else ...
