 
ben1876
just joined
Topic Author
Posts: 7
Joined: Tue Nov 16, 2010 6:36 am

VPN IPsec lose connection/disconnected by itself

Fri Jan 14, 2011 7:31 am

Hi, all experts, please advise.

I have set up VPN IPsec and it is working between 2 MikroTik RouterOS 4.11, or between MikroTik RouterOS 4.11 and IPCop 1.4.21. I followed the manual 'Manual:IP/IPsec'. But I have a problem with losing connection/disconnection by itself on some occasions; in one day it happened several times. Currently, the workaround is that I have to go in through Winbox to one of the routers:
- using cmd.exe to ping the other router's site network
- if the above still fails, go to 'Policies', disable it and enable it back again
- if the above still fails, go to 'Installed SAs' and press 'Flush'

Because of this problem, the work between the 2 site networks is always interrupted. It's troublesome.
I saw that the manual says 'IPsec is very sensitive to time changes'. And I have set the NTP client on both routers to use the same IP for the NTP server. But the problem still exists.

Any idea? Please help.
 
sergejs
MikroTik Support
Posts: 6619
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: VPN IPsec lose connection/disconnected by itself

Fri Jan 14, 2011 11:23 am

As I understand your description, the link between your IPsec peers could be unstable.
There is a DPD option that can be enabled to remove all information when the link between peers is unstable (not reachable). Enable DPD on both ends; then the SA should be cleared as soon as the link is not available.
 
ben1876
just joined
Topic Author
Posts: 7
Joined: Tue Nov 16, 2010 6:36 am

Re: VPN IPsec lose connection/disconnected by itself

Mon Jan 17, 2011 5:29 am

Thanks a lot for your valuable info.
I have changed the settings (at both ends) for:
- dpd interval to enable (I put '1', correct?).
- dpd maximum failures to '5' (before it was '1')

and will see how it goes later... (will be reported)
 
nz_monkey
Forum Guru
Posts: 1825
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: VPN IPsec lose connection/disconnected by itself

Tue Jan 18, 2011 9:20 am

Hi guys,

I too am battling with this issue at the moment. I have my DPD interval set to 60s and retries set to 1, however even when the remote peer disappears the SA's are still active and I have to manually flush them. This is on a tunnel from RouterOS5.0rc5 on a RB750G to a Cisco concentrator.

It's as if DPD is not working at all.

Mikrotik, is there a solution to this problem?
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
sergejs
MikroTik Support
Posts: 6619
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: VPN IPsec lose connection/disconnected by itself

Tue Jan 18, 2011 4:13 pm

DPD should be enabled on both peers to make it work.
 
ben1876
just joined
Topic Author
Posts: 7
Joined: Tue Nov 16, 2010 6:36 am

Re: VPN IPsec lose connection/disconnected by itself

Wed Jan 19, 2011 9:35 am

Someone is in the same boat as me...
I hope this thread will find the best settings to make the VPN IPsec more stable.

Report: after enabling DPD, the connection seems to be quite OK but not really stable yet. (N.B.: I must keep doing ping to the other end router for triggering to keep maximum alive connection.)

Sorry for my ignorance, I thought that there were only '1' and '0' for DPD Interval. So I put '1' to enable. Actually, it is a time in seconds.

@sergejs:
- what's the best time (in seconds) I should put?
- Lifetime: 1d:00:00, then I changed it to 00:00:00. What is the importance of this setting?

Currently:
1. Between RB750G (192.168.1.0) - IPCop 1.4.21 (192.168.10.0) ==> some occasion disconnected
2. Between RB750G (192.168.1.0) - RB750 (192.168.20.0) ==> even more often disconnected than #1

FYI, net-to-net vpn between 2 IPCop 1.4.21 is really stable.
 
sergejs
MikroTik Support
Posts: 6619
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: VPN IPsec lose connection/disconnected by itself

Wed Jan 19, 2011 4:18 pm

ben1876,

- dpd time depends on the outages (how frequent outages are possible, how long average time);
- lifetime (time; default: 1d) - phase 1 lifetime: specifies how long the SA will be valid; SA will be discarded after this time;

- Do you have the identical configuration on both ends for /ipsec (as well /system clock)?
What about connection between two routers, is it stable?
 
ben1876
just joined
Topic Author
Posts: 7
Joined: Tue Nov 16, 2010 6:36 am

Re: VPN IPsec lose connection/disconnected by itself

Thu Jan 20, 2011 11:41 am

- (for #2) because it's the same product, MT, of course all the exact same settings on \ipsec policies, peers, & proposals. Including the same Primary NTP Server IP address. (for #1) because it's not the same product, MT & IPCop. But for MT it is the same with these settings.

The RB750G (192.168.1.0) is my central. The other site RB750 (192.168.20.0) links to it and gets data. If the connection is lost (means ping RTO), then the current workaround is just to remote by public IP to the central server and do a ping (192.168.20.x), and it will come back alive again. Troublesome, right?

I heard from my friends' feedback that MT is weak on VPN
 
sergejs
MikroTik Support
Posts: 6619
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: VPN IPsec lose connection/disconnected by itself

Thu Jan 20, 2011 3:54 pm

> The RB750G (192.168.1.0) is my central. The other site RB750 (192.168.20.0) links to it and gets data. If the connection is lost (means ping RTO), then the current workaround is just to remote by public IP to the central server and do a ping (192.168.20.x), and it will come back alive again. Troublesome, right?

Maybe it would be a good idea to fix the link between both routers first.
DPD is working fine for me: when the link is down, after a specific time the /installed-sa are cleared.
Note that DPD does not stabilize the connection; it helps IPsec to clear installed-sa when the link is down.

> I heard from my friends' feedback that MT is weak on VPN

Did they contact us and report all the problems to (support@mikrotik.com)?
As far as I know all supported tunnels are working fine. At least I'm not aware of any serious issue.
 
ben1876
just joined
Topic Author
Posts: 7
Joined: Tue Nov 16, 2010 6:36 am

Re: VPN IPsec lose connection/disconnected by itself

Fri Jan 21, 2011 7:29 am

> DPD is working fine for me: when the link is down, after a specific time the /installed-sa are cleared.
> Note that DPD does not stabilize the connection; it helps IPsec to clear installed-sa when the link is down.

Could you advise me on the best config for peers? (especially on what values to put in fields like:
- DPD interval & DPD max failures
- Lifetime & lifebytes
- whether 'Generate Policy' should be checked/unchecked on both or 1 of the routers
- etc... that I should be aware of...
Thanks
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: VPN IPsec lose connection/disconnected by itself

Fri Jan 21, 2011 7:40 am

There are no 'best values' for those - they are policy decisions.

Got peers with unknown (dynamic or road warrior) IPs? You'll need generate-policy set to yes to even be operational. Got only static peers? Might as well write out the policies manually and set generate-policy to no. Which one you choose depends on what kind of peers you have.
If there are only static peers it would be better to turn it off and use manual policies only.

Lifetime and lifebytes? What kind of security does your policy require? The longer the SA is in effect, the longer an adversary has to crack it. The more data is encrypted with the same SA the more data an adversary has to work with. Shorter is better, but more resource intensive. How much traffic is traversing the link? That significantly affects lifebytes. How important is that traffic? What kind of impact on your business would someone having the plaintext have? How many resources can you spare? How are your SAs negotiated - certificates or PSKs? An RB133 using certificates should renegotiate far less often than a Xeon x86 or RB1000 with hardware encryption offloading.

DPD is also based on your requirements - how fast do you need to detect link failure? Don't go lower than 15 seconds. Above five minutes is probably also unreasonable. Unless your situation makes more extreme values OK.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
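
The DPD timing trade-off discussed in the posts above, as an added example that is not part of the original thread and is not MikroTik code: a simplified model (one probe per interval, peer declared dead after max-failures consecutive lost probes) run over a constructed outage timeline. The function names, the timeline and the model itself are assumptions made for illustration.

```python
# Simplified DPD model (assumption; not RouterOS's actual implementation):
# one probe every `interval` seconds, a probe is lost if the link is down at
# that instant, and the peer is declared dead (SAs removed) after
# `max_failures` consecutive lost probes.

# Constructed timeline, in seconds: a 6 s blip, then a ~15 min outage.
OUTAGES = [(100, 106), (610, 1500)]
HORIZON = 2000


def link_down(t, outages):
    """True if time t falls inside any (start, end) outage window."""
    return any(start <= t < end for start, end in outages)


def dpd_dead_time(outages, interval, max_failures, horizon=HORIZON):
    """Return the time the peer is first declared dead, or None if never."""
    failures = 0
    for t in range(interval, horizon + 1, interval):
        if link_down(t, outages):
            failures += 1
            if failures >= max_failures:
                return t
        else:
            failures = 0  # an answered probe resets the counter
    return None


def compare(settings, outages=OUTAGES):
    """Map each (interval, max_failures) pair to its teardown time."""
    return {s: dpd_dead_time(outages, *s) for s in settings}


if __name__ == "__main__":
    # Intervals come from the thread (1 s, 15 s, 60 s, 5 min); pairing the
    # 15 s and 300 s intervals with max-failures=5 is an assumption.
    for (interval, fails), dead in compare([(1, 5), (15, 5), (60, 1), (300, 5)]).items():
        verdict = f"declared dead at t={dead}s" if dead is not None else "never declared dead"
        print(f"interval={interval:>3}s max-failures={fails}: {verdict}")
```

In this model the 1-second interval tears the tunnel down during the 6-second blip, while the 5-minute interval with five failures never registers the 15-minute outage.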
 
nz_monkey
Forum Guru
Posts: 1825
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: VPN IPsec lose connection/disconnected by itself

Thu Feb 03, 2011 11:09 am

If DPD is not working for you (it wasn't for us), try this script:

:if ([:len [/ip ipsec remote-peers print as-value]] = 0) do={/ip ipsec installed-sa flush};

It checks if there are any remote-peers up, if not it just flushes the SA's

We run it once every few minutes using the scheduler, it's a dirty method but it saves us from logging in and clearing them manually.
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
pkelly1603
Frequent Visitor
Posts: 78
Joined: Mon Jun 15, 2009 11:13 pm

Re: VPN IPsec lose connection/disconnected by itself

Mon Aug 15, 2011 11:30 pm

DPD does not work for me either. My connection is not flakey.

Thanks Monkey, I'm using your script.
 
nz_monkey
Forum Guru
Posts: 1825
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: VPN IPsec lose connection/disconnected by itself

Mon Aug 15, 2011 11:54 pm

We are still having issues with this even on 5.6

The VPN is from a Cisco concentrator to a RB750G. DPD is set to 10 seconds, but still the IPsec will lock up and we will need to "Kill Connections" to get it running again.

I will log a ticket with Mikrotik as this is driving me nuts.

I would appreciate Karma for the script ;)
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
LukasSVK
newbie
Posts: 40
Joined: Tue Dec 07, 2010 1:57 am
Location: Bratislava, Slovakia

Re: VPN IPsec lose connection/disconnected by itself

Sun Jul 29, 2012 7:34 am

Same problem on 5.19, setup is two RB750, ipsec between ..

5.16 is OK.
