jandafields
Forum Guru
Topic Author
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Multiple IPSEC peers breaks connection?

Sun Feb 14, 2010 11:10 pm

I have an IPSEC tunnel between 2 routers, and it works fine.

When I add another peer, for a connection to a different router, it kills the first IPSEC connection. What would cause this to happen?
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Multiple IPSEC peers breaks connection?

Sun Feb 14, 2010 11:25 pm

Badly configured policies or peers that auto-generate policies, possibly. What do the logs say?
 
jandafields
Forum Guru
Topic Author
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Multiple IPSEC peers breaks connection?

Mon Feb 15, 2010 12:47 am

After additional testing, here is the issue:

I have a working ipsec tunnel. As soon as I add a new peer (whether or not that peer actually exists does not matter), the first tunnel breaks, and the only way to fix it is to flush the SA's. After flushing the SA's, everything works again.

So, is there a way to add new tunnels without affecting the existing ones and without having to flush SA's?
 
jandafields
Forum Guru
Topic Author
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Multiple IPSEC peers breaks connection?

Mon Feb 15, 2010 12:57 am

Also... here is the log entry every time a peer is added or removed:

"Unknown Informational exchange received."
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: Multiple IPSEC peers breaks connection?

Fri Apr 09, 2010 6:21 am

I'm having the same problem. Running ROS 4.6, using ipsec in tunnel mode with esp.

I can run a single tunnel from MT 1 to MT 2 and it's stable.

I can run a single tunnel from MT 1 to a cisco router and it's also stable.

If, while either tunnel is up, I enable the peer entry for the second tunnel, the first tunnel fails and its "remote peer" entry disappears. The SA entries for the first tunnel remain.

In this state, the first tunnel no longer carries traffic. In order to get the first tunnel working, I have to flush the SA's. The remote peer re-appears and all is well.

I also get the log entry "Unknown Informational exchange received." at the moment I enable the peer for the second tunnel.

All peer addresses are static. All policies use static addresses.

"Generate Policy" option is NOT selected.

This thread hasn't received much attention, which surprises me. It seems to be a bug, although perhaps there is some configuration issue we are overlooking.

Anyone out there care to try to reproduce this? It seems really easy to set up.
 
jandafields
Forum Guru
Topic Author
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Multiple IPSEC peers breaks connection?

Fri Apr 09, 2010 4:02 pm

Actually, I sent support a message about this and they told me they cannot reproduce it.
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: Multiple IPSEC peers breaks connection?

Fri Apr 09, 2010 4:56 pm

I'm going to set this up in my lab with a simple config and see if I can get it to fail reliably. It's pretty simple right now.
I'll post the config after I do that and maybe you can try the same.
 
jandafields
Forum Guru
Topic Author
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Multiple IPSEC peers breaks connection?

Fri Apr 09, 2010 6:03 pm

I can already get it to fail every time. Support are the ones that need convincing, not me. Please send a message to support@mikrotik.com with this information.
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: Multiple IPSEC peers breaks connection?

Fri Apr 09, 2010 6:38 pm

Sorry, I wasn't clear. I meant if you post your config also, we will have two configurations that fail which might shed some light on the common elements of failure that the support folks missed.

In any case, after I post my failing configuration, I'll send a message to support. I've reported bugs to them before and they usually are responsive.
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: Multiple IPSEC peers breaks connection?

Fri Apr 09, 2010 7:43 pm

Well, I just set up an experiment and the first tunnel didn't fail when I enabled the second peer, but the entry under "Remote Peers" for the first tunnel did disappear. In this mode, even though there is no entry under remote peers, the tunnel continues to carry traffic.

In the current configuration, both ends of the first tunnel are MT 4.6. I realize now that in my previous experiment, the first tunnel was MT to Cisco. In that case, when I enabled the peer for another tunnel, even if that peer didn't exist, the MT to Cisco tunnel failed and the log error appeared.

Diagnosing this simpler problem might shed some light on the bigger issue of tunnels failing.

Here is the configuration:

/ip ipsec peer> print
 1   address=xx.yy.35.93/32:500 auth-method=pre-shared-key secret="first-tunnel" generate-policy=no exchange-mode=main 
     send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d 
     lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1 

 2 X address=10.1.10.1/32:500 auth-method=pre-shared-key secret="dummy-peer" generate-policy=no exchange-mode=main send-initial-contact=yes 
     nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 
     dpd-interval=disable-dpd dpd-maximum-failures=1 

/ip ipsec proposal> print
 0   name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=1h pfs-group=none 

/ip ipsec policy> print
 1   src-address=192.168.1.0/24:any dst-address=192.168.0.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
     sa-src-address=xx.yy.231.12 sa-dst-address=qq.zz.35.93 proposal=default priority=0 

/ip ipsec remote-peers> print
 0 local-address=xx.yy.231.12 remote-address=qq.zz.35.93 state=established side=initiator established=25s

At this point, tunnel 1 is running and carrying traffic. I now enable the dummy-peer and tunnel 1 disappears from remote peers.

/ip ipsec remote-peers> print

In this case, tunnel 1 keeps running and no log entry shows up. The installed SA's for tunnel 1 remain intact.

The bug in this case seems to be that enabling a second peer causes the remote peer entry for the first tunnel to disappear from the Remote Peers list.

I'll send this thread to support and see what they have to say. Setting up the experiment with the remote end as Cisco is a bit harder, since I don't control the remote end.
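A small monitoring check, added here as an example (it is not from this thread, from MikroTik, or from RouterOS itself): it parses `print` output in the exact shape posted above and reports any enabled encrypt policy whose SA endpoints no longer have an established entry under remote-peers, which is the state dsobin describes after enabling the second peer. The sample listings are constructed from the configuration above; the xx.yy / qq.zz addresses are the poster's own redactions.

```python
import re

# Constructed sample input in the shape of the 'print' output posted in this thread
# (xx.yy / qq.zz are the poster's own address redactions, kept as-is).
POLICIES = """\
 1   src-address=192.168.1.0/24:any dst-address=192.168.0.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
     sa-src-address=xx.yy.231.12 sa-dst-address=qq.zz.35.93 proposal=default priority=0
"""
REMOTE_PEERS_OK = " 0 local-address=xx.yy.231.12 remote-address=qq.zz.35.93 state=established side=initiator established=25s\n"
REMOTE_PEERS_AFTER_2ND_PEER = ""  # the empty listing seen after enabling the dummy peer

ENTRY_RE = re.compile(r"^\s*(\d+)\s+((?:[A-Z]\s+)*)(\S+=.*)$")  # index, flag letters, key=value...
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')


def parse_print(text):
    """Turn RouterOS 'print' output into a list of dicts (one per entry).

    An entry starts with its index and optional flag letters (X = disabled);
    an indented line without a leading index continues the previous entry.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"id": int(m.group(1)), "flags": m.group(2).split()})
            body = m.group(3)
        elif entries:
            body = line.strip()
        else:
            continue
        for key, val in KV_RE.findall(body):
            entries[-1][key] = val.strip('"')
    return entries


def orphaned_tunnels(policies_text, remote_peers_text):
    """sa-dst-address of each enabled encrypt policy whose SA endpoints have no
    established remote-peers entry: the state described in this thread."""
    established = {(p.get("local-address"), p.get("remote-address"))
                   for p in parse_print(remote_peers_text) if p.get("state") == "established"}
    return [pol.get("sa-dst-address") for pol in parse_print(policies_text)
            if "X" not in pol["flags"] and pol.get("action") == "encrypt"
            and (pol.get("sa-src-address"), pol.get("sa-dst-address")) not in established]


if __name__ == "__main__":
    print("before:", orphaned_tunnels(POLICIES, REMOTE_PEERS_OK))             # []
    print("after: ", orphaned_tunnels(POLICIES, REMOTE_PEERS_AFTER_2ND_PEER))  # ['qq.zz.35.93']
```

Feed it the two listings captured before and after enabling a new peer; a non-empty result is the signal to check traffic and, if the tunnel has stopped, flush the SAs as the posters did.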
 
sergejs
MikroTik Support
Posts: 6619
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Multiple IPSEC peers breaks connection?

Thu Apr 15, 2010 10:13 am

We are able to reproduce the same problem as dsobin has. We are working to fix it.
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: Multiple IPSEC peers breaks connection?

Thu Apr 15, 2010 8:01 pm

Thanks Sergejs. I hope you can also try this when the first tunnel is MT to Cisco. In my configuration, enabling a second tunnel causes the first tunnel (MT to Cisco) to fail and require a flush SA to restore.
 
he1ium
newbie
Posts: 36
Joined: Fri Aug 07, 2009 7:30 am

Re: Multiple IPSEC peers breaks connection?

Tue Apr 27, 2010 11:25 pm

dsobin
Have you tried using IPIP tunnels like in this article http://wiki.mikrotik.com/wiki/IPSec_VPN ... _and_Cisco? Also, have you tried using something other than MD5/3DES? We experienced issues with MD5/3DES (300+ locations) and are testing SHA1/AES256 next week. Just a thought and good luck.
 
jandafields
Forum Guru
Topic Author
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Multiple IPSEC peers breaks connection?

Wed Apr 28, 2010 12:09 am

dsobin
Have you tried using IPIP tunnels like in this article http://wiki.mikrotik.com/wiki/IPSec_VPN ... _and_Cisco? Also, have you tried using something other than MD5/3DES? We experienced issues with MD5/3DES (300+ locations) and are testing SHA1/AES256 next week. Just a thought and good luck.
It doesn't matter what you use inside of the ipsec tunnel, if the ipsec tunnel ITSELF is the issue that we are talking about.

Sure, you might have more flexibility using ipip inside the ipsec tunnel, but that is not the issue here.

Anyway, Mikrotik support has already reproduced this in their lab, so it isn't an incorrect configuration.
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: Multiple IPSEC peers breaks connection?

Wed Apr 28, 2010 3:32 am

Well, I don't have much choice on config, since the Cisco end isn't controlled by me. I set up the MT to MT tunnel just as an experiment, since it was easy for others to duplicate.
 
jandafields
Forum Guru
Topic Author
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Multiple IPSEC peers breaks connection?

Tue May 04, 2010 10:08 pm

4.7 came out... nothing in changelog
4.8 came out... nothing in changelog
4.9 came out... nothing in changelog

Is this problem still being worked on?

Thanks.
 
mrz
MikroTik Support
Posts: 5962
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Multiple IPSEC peers breaks connection?

Wed May 05, 2010 12:40 pm

Thanks Sergejs. I hope you can also try this when the first tunnel is MT to Cisco. In my configuration, enabling a second tunnel causes the first tunnel (MT to Cisco) to fail and require a flush SA to restore.
Please contact support [at] mikrotik.com. It looks like a different problem than we reproduced.
 
sergejs
MikroTik Support
Posts: 6619
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Multiple IPSEC peers breaks connection?

Mon May 10, 2010 3:12 pm

jandafields, we reproduced the problem as dsobin explained (actually it does not break the IPSec connection); it will be fixed in the future.

jandafields do you have the same policy for the second peer too?
Which level do you have at /ip ipsec policy configuration?
 
sergejs
MikroTik Support
Posts: 6619
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Multiple IPSEC peers breaks connection?

Mon May 10, 2010 3:13 pm

dsobin, the same question about the policy.
Do you have a separate policy for the peer, or do both peers share the same policy?
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: Multiple IPSEC peers breaks connection?

Mon May 10, 2010 7:24 pm

sergejs,

Are you referring to my configuration between MT and MT or MT and Cisco?

You wrote that you have reproduced the problem between MT and MT. Yes, I agree in that case the tunnel does not break, but the peer disappears from the "Remote Peers" tab. I thought this was significant, since the same thing happens in the MT to Cisco case, but in that case, the tunnel stops working.

I assume you are referring to my MT to Cisco configuration.
On the MT side, the configuration is the same as I posted in the MT to MT configuration.

You ask:
Do you have separate policy for the peer, or both peers share the same policy?
I'm unsure what you mean by "the peer". Do you mean the peer at the other end of the tunnel, or do you mean the second peer at my local end?

I will assume you mean the second peer at my local end. This is the peer, which, if enabled, causes the first tunnel to fail. Please confirm this is what you meant.

I have two configurations I have tried:

1) At the local end, the second peer has its own policy, which does not share a subnet with the first tunnel.
2) At the local end, I have not configured any policy for the second peer. I use a dummy address for the second peer.

In both configurations above, if I enable the second peer, the first tunnel stops carrying traffic and a message appears in the log saying "unknown information exchange received." Also, the peer from the first tunnel disappears from the "Remote Peers" list. The SA's remain in the "Installed SAs" list, but no traffic moves.

If I click Flush, the tunnel resumes carrying traffic.

I do not have access to the configuration at the remote (Cisco) end, so my experiments can only be performed at my end.

If there are any other configurations you would like me to try, please let me know.

These experiments were performed with ROS 4.6. I will be updating to 4.9, but I don't expect there is any difference.
 
sergejs
MikroTik Support
Posts: 6619
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Multiple IPSEC peers breaks connection?

Tue May 11, 2010 1:27 pm

Are you referring to my configuration between MT and MT or MT and Cisco?

You wrote that you have reproduced the problem between MT and MT. Yes, I agree in that case the tunnel does not break, but the peer disappears from the "Remote Peers" tab. I thought this was significant, since the same thing happens in the MT to Cisco case, but in that case, the tunnel stops working.

I assume you are referring to my MT to Cisco configuration.
On the MT side, the configuration is the same as I posted in the MT to MT configuration.
This problem will be fixed in the upcoming version of MikroTik RouterOS.
 
dsobin
Member Candidate
Posts: 160
Joined: Mon Jun 04, 2007 3:58 am
Location: New Jersey, USA

Re: Multiple IPSEC peers breaks connection?

Tue May 11, 2010 4:10 pm

I'm looking forward to that!
 
kurtplaatjes
just joined
Posts: 4
Joined: Thu Feb 18, 2010 11:44 am
Location: Cape Town

Re: Multiple IPSEC peers breaks connection?

Fri May 21, 2010 9:26 pm

I sincerely hope that the bug is fixed in the next stable release? Any indication when it is due for release?
 
jandafields
Forum Guru
Topic Author
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Multiple IPSEC peers breaks connection?

Fri May 21, 2010 11:09 pm

Same as dsobin... Cisco on other end breaks. MT on other end disappears...
 
notwork
just joined
Posts: 2
Joined: Tue Jul 17, 2012 6:11 pm

Re: Multiple IPSEC peers breaks connection?

Sat Jul 28, 2012 6:26 pm

I'm seeing this problem too. I've configured 2 IPSec peers with different public IPs and a policy for each. When I enable the 2nd peer, the first breaks until I flush the SA's as mentioned above. (The tunnels are to Cisco equipment) I see that support said it would be fixed in another release, so maybe it has been fixed and I'm just being stupid?

The router is a 750G running RouterOS 5.19.
 
florinsanaja
just joined
Posts: 4
Joined: Sat Sep 15, 2012 6:17 pm

Re: Multiple IPSEC peers breaks connection?

Sat Sep 15, 2012 6:22 pm

Hi,

I am trying to connect multiple peers (Mikrotik routers) to my Cisco 2911 router.
My central site is Cisco and the branches have Mikrotik.
When I configure multiple peers in Cisco, I cannot bring up multiple peers at the same time; just the first crypto map works and the others do not.
Can somebody help me configure multiple peers in Cisco so the branches can attach?

My config in cisco is:
crypto map mymap 1 ipsec-isakmp
set peer X.X.X.X
set pfs group1
set transform-set myset
crypto map mymap 2 ipsec-isakmp
set peer X.X.X.X
set pfs group1
set transform-set myset

Just the first VPN works, and the others do not. What do I need to do?

Thanks a lot
