txfz
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Mar 10, 2020 9:02 am

IPsec phase 2 not reestablishing on responder only after connection downtime

Thu Jun 17, 2021 12:23 pm

Hi,

We have an IPsec device set up as a responder for a number of peers. This all works perfectly fine normally, but two of our peers face some strange issues. Occasionally we find that while the peer connection is active, we don't have phase 2 established on our end (responder), and the policy is marked red in Winbox, but on their end it's showing as established. It's not a display error; the IPsec tunnel is really down, as evidenced by the fact that they lose connection to a server on our end.

I am fairly certain that this happens after Internet connectivity between the peers has been down for more than a short while. Both of these peer devices are placed on ferries, which connect via 4G modem and briefly lose connection every now and then, but every time they have been unable to reach their server it has been after a major outage. Yesterday our ISP had some issues, and the tunnel failed after that. Before that there had been a power outage on their end, after which the same thing occurred.

Manually restarting the tunnel fixes the issue. Responder runs 6.47.1 on a CCR1009 and initiators run 6.47.9 on RB2011iLS.

Responder:
# jun/17/2021 10:02:05 by RouterOS 6.47.1
# software id = IJAY-6B8W
#
# model = CCR1009-7G-1C-1S+
# serial number = 914F0B645669
# Responder-side export as posted (identity DC-RT1). A RouterOS export omits
# values left at their defaults, so anything not listed here is a default.
# This box runs 6.47.1 while both initiators (exports below) run 6.47.9;
# bringing the responder to the same release removes one variable when
# chasing the phase-2 re-establishment problem.
/interface bridge
add admin-mac=C4:AD:34:CD:3F:6C auto-mac=no name=dc-bridge protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=combo1 ] disabled=yes
set [ find default-name=ether1 ] advertise=1000M-full comment=Internet mac-address=C4:AD:34:CD:3F:6E
set [ find default-name=ether2 ] comment=bonding1 disabled=yes
set [ find default-name=ether3 ] comment=bonding1 disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no mac-address=C4:AD:34:CD:3F:6C speed=1Gbps
/interface vlan
add comment="TS" interface=dc-bridge name=vlan13 vlan-id=13
/interface bonding
add mode=802.3ad name=bonding1 slaves=ether2,ether3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=kt-1
add name=kt-2
/ip ipsec profile
# No dpd-interval, dpd-maximum-failures or lifetime is set on this profile,
# so the defaults apply (not visible in an export). After a long outage, DPD
# is what lets this side discard a stale IKE SA before the initiator
# rebuilds; confirm the effective values with "/ip ipsec profile print detail".
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=kt
/ip ipsec peer
# Passive peer with no address restriction: any source may start IKEv2 and
# the identity entries below select the policy group by remote-id. No
# auth-method is shown, so the default (pre-shared-key) is presumably in use
# and the secret is hidden by a plain export.
add exchange-mode=ike2 name=magic passive=yes profile=kt
/ip ipsec proposal
# pfs-group is not set here, so the default PFS group applies. It must match
# what the initiators' "ts" proposal negotiates; their exports also leave it
# at the default (they set pfs-group=none only on the unused default
# proposal).
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=kt
/system logging action
set 1 disk-file-count=1
/user group
add name=local policy="local,reboot,read,write,policy,test,winbox,password,sniff,sensitive,!telnet,!ssh,!ftp,!web,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=dc-bridge interface=sfp-sfpplus1
add bridge=dc-bridge interface=bonding1
add bridge=dc-bridge interface=ether7 pvid=5
/ip firewall connection tracking
set enabled=yes loose-tcp-tracking=no tcp-established-timeout=6h
/interface bridge vlan
add bridge=dc-bridge tagged=dc-bridge,sfp-sfpplus1,bonding1 vlan-ids=13
/ip address
add address=<public address>/30 comment=Internet interface=ether1
add address=10.7.13.1/24 comment="TS" interface=vlan13 network=10.7.13.0
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1
/ip firewall address-list
add address=10.7.13.0/24 list=private
add address=10.7.13.0/24 list=ts
add address=10.7.13.119 comment="TEMP. KT" list=vpn-local-lan
add address=10.21.1.0/24 comment="TEMP: KT-1" list=vpn-remote-lan
add address=10.21.0.0/24 comment="TEMP: KT-2" list=vpn-remote-lan
/ip firewall filter
add action=accept chain=forward comment="traffic leaving private networks" dst-address-list=!private src-address-list=private
add action=jump chain=forward comment="forward-private chain" dst-address-list=private jump-target=forward-private
add action=drop chain=forward-private comment="drop invalid" connection-state=invalid
add action=accept chain=forward-private comment="accept established, related" connection-state=established,related
add action=accept chain=forward-private comment=dstnat connection-nat-state=dstnat
# Decrypted tunnel traffic is admitted into the private list here; the
# policy templates further down limit it to 10.7.13.119/32.
add action=accept chain=forward-private comment="TEMP: IPsec traffic" ipsec-policy=in,ipsec
add action=drop chain=forward-private comment="drop traffic to private networks"
add action=accept chain=input comment="accept established, related" connection-state=established,related
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept DNS from DC" dst-port=53 in-interface=!ether1 protocol=udp
add action=accept chain=input comment="accept DHCP from DC" dst-port=67 in-interface=!ether1 protocol=udp
add action=accept chain=input comment="TEMP: IPsec traffic" ipsec-policy=in,ipsec
# IKE (500/4500) and ESP are accepted from any source, which is expected
# with initiators on dynamic 4G addresses; the trailing "drop all" keeps
# every other service off the Internet side.
add action=accept chain=input comment="TEMP: IPsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="TEMP: IPsec IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="TEMP: IPsec NAT-Traversal" dst-port=4500 protocol=udp
add action=drop chain=input comment="drop all"
/ip firewall nat
# The accept must precede the masquerade rules so tunnel traffic keeps its
# original source and still matches the IPsec policy.
add action=accept chain=srcnat comment="TEMP: Do not masquerade IPsec tunneled traffic" dst-address-list=vpn-remote-lan src-address-list=vpn-local-lan
add action=masquerade chain=srcnat out-interface=ether1 src-address-list=private
add action=masquerade chain=srcnat dst-address-list=ts src-address-list=ts
/ip firewall raw
# Everything not to/from the private list or the public address bypasses
# connection tracking; rule order matters, the accepts must stay above the
# notrack.
add action=accept chain=prerouting src-address-list=private
add action=accept chain=prerouting dst-address-list=private
add action=accept chain=prerouting dst-address=<public address>
add action=notrack chain=prerouting
/ip ipsec identity
# One identity per initiator, matched on the FQDN-style remote-id; each
# generates its policy from its own template group (port-strict).
add generate-policy=port-strict peer=magic policy-template-group=kt-1 remote-id=fqdn:kt-1.local
add generate-policy=port-strict peer=magic policy-template-group=kt-2 remote-id=fqdn:kt-2.local
/ip ipsec policy
add dst-address=10.21.1.0/24 group=kt-1 proposal=kt src-address=10.7.13.119/32 template=yes
add dst-address=10.21.0.0/24 group=kt-2 proposal=kt src-address=10.7.13.119/32 template=yes
/ip route
add distance=1 gateway=<gateway-address>
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# Unlike the initiators (allow-none-crypto=yes), this side enforces strong
# SSH crypto.
set strong-crypto=yes
/lcd
set backlight-timeout=5m default-screen=informative-slideshow read-only-mode=yes
/lcd screen
set 0 disabled=yes
set 1 disabled=yes
set 5 disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=DC-RT1
/system logging
set 3 action=memory
# IPsec topic logging exists but is disabled. Enabling it (to memory) around
# the next outage is the quickest way to see whether the phase-2 SA is torn
# down by DPD or a rekey fails on this side.
add disabled=yes topics=ipsec
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether1
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool romon
# RoMON is enabled with no port restriction shown; it is layer-2 only, but
# confirm it is not meant to be active on ether1 (Internet).
set enabled=yes

Peer 1:
# jun/17/2021 10:04:49 by RouterOS 6.47.9
# software id = 05SH-005Y
#
# model = 2011iLS
# serial number = 608205B4FC26
# Initiator export for kt-2 (RB2011iLS). Defaults are omitted by export; the
# WAN side is a 4G modem on ether1 with a DHCP client.
/interface bridge
add admin-mac=E4:8D:8C:7E:F4:93 auto-mac=no fast-forward=no name=LAN
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface list
add name=WAN
/ip ipsec profile
# lifetime=8h is applied to the default profile, but the peer below uses
# profile "ts", which leaves lifetime (and DPD) at the defaults. If 8h was
# the intent, it needs to be set on "ts".
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ts
/ip ipsec peer
# The responder is addressed by DNS name, so re-initiation after an outage
# also depends on name resolution (1.1.1.1/8.8.8.8 below) being back; Peer 2
# uses a literal address instead.
add address=ktab.trinax.se exchange-mode=ike2 name=ts profile=ts
/ip ipsec proposal
# Same pattern as the profile: pfs-group=none and lifetime=8h are set on the
# default proposal, while the policy uses proposal "ts" with pfs-group at
# its default. The responder's "kt" proposal also leaves pfs-group default.
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=8h pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ts
/ip pool
add name=dhcp ranges=10.21.0.50-10.21.0.199
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=LAN lease-time=1h name=dhcp1
/snmp community
# The default community is permitted from any address. Whether the SNMP
# service is enabled is not visible here; if it is, restrict addresses to
# the management/tunnel network.
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-count=10
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether6
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
add bridge=LAN interface=ether9
add bridge=LAN interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
# Two LAN members with no list= value look like leftovers.
add interface=LAN
add interface=LAN
/ip address
# The LAN address sits on ether2, a port of bridge LAN, while the DHCP
# server is bound to LAN itself; confirm this is intended.
add address=10.21.0.1/24 interface=ether2 network=10.21.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=10.21.0.99 client-id=1:c0:3f:d5:6d:5c:83 mac-address=C0:3F:D5:6D:5C:83 server=dhcp1
/ip dhcp-server network
add address=10.21.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.21.0.1 netmask=24
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=10.21.0.0/24 list=vpn-local-lan
add address=10.7.13.119 list=vpn-remote-lan
/ip firewall filter
# Only external DNS is dropped on input; there is no general drop for
# ether1, so SSH and WinBox (not disabled under /ip service) stay reachable
# from the WAN side unless the carrier blocks inbound. Limiting input to the
# LAN and the tunnel would match what the responder does.
add action=drop chain=input comment="Drop external DNS" dst-port=53 in-interface=ether1 protocol=udp
/ip firewall nat
add action=accept chain=srcnat comment="Do not masquerade IPsec tunneled traffic" dst-address-list=vpn-remote-lan src-address-list=vpn-local-lan
add action=masquerade chain=srcnat out-interface=ether1 out-interface-list=WAN
/ip ipsec identity
add my-id=fqdn:kt-2.local peer=ts
/ip ipsec policy
set 0 disabled=yes
# sa-src-address=0.0.0.0 lets the SA endpoint follow the dynamic 4G address.
add dst-address=10.7.13.119/32 peer=ts proposal=ts sa-dst-address=<responder address> sa-src-address=0.0.0.0 src-address=10.21.0.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# allow-none-crypto=yes permits an SSH session with no encryption; the
# responder enforces strong-crypto=yes instead.
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=kt-2
/system logging
# IPsec logging to disk is already on here (ten files kept); these logs
# from the last outage are the initiator-side evidence.
add action=disk topics=ipsec
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no

Peer 2:
# jun/17/2021 10:39:15 by RouterOS 6.47.9
# software id = WUZX-P11F
#
# model = 2011iLS
# serial number = 60820482F57B
# Initiator export for kt-1 (RB2011iLS). Defaults are omitted by export; the
# WAN side is a 4G modem on ether1_WAN.
/interface bridge
add admin-mac=4C:5E:0C:1B:4B:7D auto-mac=no fast-forward=no name=LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] name=ether3-slave speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether6-master
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether7-slave
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether8-slave
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether9-slave
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether10-slave poe-out=forced-on
/interface list
add name=WAN
/ip ipsec profile
# lifetime=8h is applied to the default profile, but the peer below uses
# profile "ts", which leaves lifetime (and DPD) at the defaults. If 8h was
# the intent, it needs to be set on "ts".
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ts
/ip ipsec peer
# Literal responder address here (Peer 1 uses a DNS name).
add address=<responder address> exchange-mode=ike2 name=ts profile=ts
/ip ipsec proposal
# pfs-group=none and lifetime=8h are set on the default proposal, while the
# policy uses proposal "ts" with pfs-group at its default; the responder's
# "kt" proposal also leaves pfs-group default.
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=8h pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ts
/ip pool
add name=dhcp ranges=10.21.1.100-10.21.1.198
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=LAN lease-time=1d name=dhcp1
/snmp community
# The default community is permitted from any address. Whether the SNMP
# service is enabled is not visible here; if it is, restrict addresses to
# the management/tunnel network.
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-count=10
/interface bridge port
add bridge=LAN interface=ether2-master
add bridge=LAN interface=ether6-master
add bridge=LAN interface=ether3-slave
add bridge=LAN interface=ether4-slave
add bridge=LAN interface=ether5-slave
add bridge=LAN interface=ether7-slave
add bridge=LAN interface=ether8-slave
add bridge=LAN interface=ether9-slave
add bridge=LAN interface=ether10-slave
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1_WAN list=WAN
# LAN member with no list= value looks like a leftover.
add interface=LAN
/ip address
# The LAN address sits on ether2-master, a port of bridge LAN, while the
# DHCP server is bound to LAN itself; confirm this is intended. The
# 192.168.1.3 address is static on the modem side next to the DHCP client.
add address=10.21.1.1/24 interface=ether2-master network=10.21.1.0
add address=192.168.1.3/24 interface=ether1_WAN network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1_WAN
/ip dhcp-server lease
add address=10.21.1.99 mac-address=B8:AE:ED:74:B7:B7
/ip dhcp-server network
add address=10.21.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.21.1.1
/ip firewall address-list
add address=10.21.1.0/24 list=vpn-local-lan
add address=10.7.13.119 list=vpn-remote-lan
/ip firewall filter
# Only external DNS is dropped on input; there is no general drop for
# ether1_WAN, so SSH and WinBox (not disabled under /ip service) stay
# reachable from the WAN side unless the carrier blocks inbound. Limiting
# input to the LAN and the tunnel would match what the responder does.
add action=drop chain=input comment="Drop external DNS" dst-port=53 in-interface=ether1_WAN protocol=udp
/ip firewall nat
add action=accept chain=srcnat comment="Do not masquerade IPsec tunneled traffic" dst-address-list=vpn-remote-lan src-address-list=vpn-local-lan
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec identity
add my-id=fqdn:kt-1.local peer=ts
/ip ipsec policy
set 0 disabled=yes
# sa-src-address=0.0.0.0 lets the SA endpoint follow the dynamic 4G address.
add dst-address=10.7.13.119/32 peer=ts proposal=ts sa-dst-address=<responder address> sa-src-address=0.0.0.0 src-address=10.21.1.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# allow-none-crypto=yes permits an SSH session with no encryption; the
# responder enforces strong-crypto=yes instead.
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=kt-1
/system logging
# IPsec logging to disk is already on here (ten files kept); these logs
# from the last outage are the initiator-side evidence.
add action=disk topics=ipsec
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
