makkan
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Cisco lan-to-lan IPSEC tunnel

Tue Nov 22, 2011 3:25 pm

Hi!

I am having some issues with my VPN tunnel and I have been searching the forum without finding anything usable.

The tunnel works perfectly, but 2-3, sometimes 4-5, times a day the tunnel is disconnected and it's not re-established until I have run "/ip ipsec installed-sa flush sa-type=all".

I've tried everything (as far as I know): both configurations are identical, they use the same NTP servers for time, upgraded to version 5.7, etc.

Does anybody have an idea of what might cause this?

I do know that MikroTik follows the RFC for IPsec whilst Cisco doesn't, and that this might be the issue. But is there any workaround?

I'm currently testing scheduling "/ip ipsec installed-sa flush sa-type=all" every hour, but it doesn't feel like the "correct" solution. Feels like a bad workaround.

Appreciate any help!

Marcus
 
makkan
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: Cisco lan-to-lan IPSEC tunnel

Wed Nov 23, 2011 8:25 pm

Yesterday I checked the box "Generate Policy" and after that it was up for almost 24 hours!

Unfortunately the VPN died at 17:18 today and got back online at 17:30 when my scheduled flush ran.
Nothing in the logs as far as I can see, attached.
 
Jaaazman
just joined
Posts: 4
Joined: Tue Aug 02, 2011 4:32 pm

Re: Cisco lan-to-lan IPSEC tunnel

Tue Jan 10, 2012 2:41 pm

Hello!
Does anybody have any idea about the issue?
We have the same problem (RB1200, ROS 5.7), IPsec RB1200 <-> Cisco PIX 525.

IPsec periodically stops working without any reason.
Sometimes it comes up after initiating the connection from the MikroTik.
If that doesn't help, we use /ip ipsec installed-sa flush sa-type=all.
 
makkan
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: Cisco lan-to-lan IPSEC tunnel

Fri Jan 13, 2012 5:46 pm

Hi,

To be concise: there is no good solution for this. Cisco does not follow the RFC for IPsec and MikroTik does. Therefore the MikroTik will want to create a new SA every time the VPN lifetime is reached.
The Cisco doesn't care about that and keeps using the old one, hence a new tunnel cannot be established.

The only solution I have found is to schedule "/ip ipsec installed-sa flush sa-type=all" once every hour on the MikroTik. One packet is lost every hour, so I wouldn't say that this is a good solution; it's just a workaround.

Until Cisco decides to follow the RFC or MikroTik creates a "Cisco support" mode, the VPN won't work well no matter what settings you change.
 
Jaaazman
just joined
Posts: 4
Joined: Tue Aug 02, 2011 4:32 pm

Re: Cisco lan-to-lan IPSEC tunnel

Mon Jan 16, 2012 7:59 am

makkan, thank you for your answer!
Following your idea, if I configure IPsec between two MikroTik routers, it should work fine.

Besides, which exact RFC did you mean?
http://en.wikipedia.org/wiki/IPsec
 
makkan
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: Cisco lan-to-lan IPSEC tunnel

Mon Jan 16, 2012 12:28 pm

Hi,

Yes, IPsec between two MikroTiks should work without any issues, but I've never tried it.

I'm not 100% sure about which RFC, but that's what I have been told by some highly decorated MikroTik technicians ;-)
 
Jaaazman
just joined
Posts: 4
Joined: Tue Aug 02, 2011 4:32 pm

Re: Cisco lan-to-lan IPSEC tunnel

Tue Jan 17, 2012 11:06 am

> I'm not 100% sure about which RFC, but that's what I have been told by some highly decorated MikroTik technicians ;-)

It is strange that Cisco doesn't follow the RFC, which they created themselves.

Maybe there is another explanation?

If "Cisco - MikroTik" IPsec is a real problem, why is there no official information about it?
Cisco is extremely popular equipment.
 
otgooneo
Trainer
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Cisco lan-to-lan IPSEC tunnel

Mon Jan 23, 2012 2:59 pm

We provide a solution that transfers all traffic through an IPsec tunnel. We use RouterBoard with Linksys RV042 and RV082. The same problem occurs on every installation. So I always configure a schedule to flush IPsec. There is no way to fix it using lifetime or dead-peer-detection. I believe MT-to-MT works without disconnection. But RouterOS doesn't support an IPsec tunnel with dst-address=0.0.0.0/0. If I create a tunnel with destination network 0.0.0.0/0, I cannot access the ROS itself. MT Support said that ROS encrypts all packets, even those destined to itself and sourced from a directly connected IP subnet.
----------------------------
Want to learn more and more...
 
makkan
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: Cisco lan-to-lan IPSEC tunnel

Wed Feb 01, 2012 5:21 pm

> I'm not 100% sure about which RFC, but that's what I have been told by some highly decorated MikroTik technicians ;-)
>
> It is strange that Cisco doesn't follow the RFC, which they created themselves.
>
> Maybe there is another explanation?
>
> If "Cisco - MikroTik" IPsec is a real problem, why is there no official information about it?
> Cisco is extremely popular equipment.

Yes, that's indeed very strange!
I have been working with Cisco-to-Cisco VPNs without any problems for a long time, and with Cisco-to-MT VPNs for the past 6 months, and I've tried everything I can come up with, but there simply is no solution, or I just don't know how to do it.

The MikroTik developers say that there are no problems with Cisco-to-MT VPNs but that you might need to use DPD (dead peer detection) on both ends. However, I never had any luck with that, and a lot of other people haven't had any luck either.

My suggestion to the MT developers would be to make an official statement that MikroTik is not compatible with VPNs to Cisco devices.
 
otys
just joined
Posts: 4
Joined: Tue Aug 05, 2008 5:28 pm

Cisco lan-to-lan IPSEC tunnel

Wed Feb 01, 2012 6:51 pm

Hi,

I have seen the same problem. The only thing I found: the MikroTik doesn't send any IPsec traffic to the peer after some time, even if a valid SA is present on the MikroTik side.

This situation happens more frequently on idle tunnels, while very busy tunnels run almost without any problems. So you need to pass some data often (DPD doesn't help; that is an IKE mechanism).

Dan
 
makkan
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: Cisco lan-to-lan IPSEC tunnel

Wed Feb 01, 2012 7:41 pm

Thanks for sharing Dan!

I actually saw the same thing just some hours ago. The tunnel was running fine for 20 min with a constant ping via the tunnel, but as soon as I terminated the ping it went down.

Seems like a workable solution is to keep a constant ICMP ping going.
 
otgooneo
Trainer
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Cisco lan-to-lan IPSEC tunnel

Thu Feb 02, 2012 8:50 pm

Hi MT guys, please pay attention to this post. If we are right, please make an official announcement that IPsec doesn't support a Cisco-with-MT solution and also doesn't support MT-with-MT using destination=0.0.0.0/0.
----------------------------
Want to learn more and more...
 
matvej
just joined
Posts: 4
Joined: Thu Jul 08, 2010 2:22 pm

Re: Cisco lan-to-lan IPSEC tunnel

Fri Feb 03, 2012 1:32 pm

I have the same problem. :(
 
huntah
Member Candidate
Posts: 270
Joined: Tue Sep 09, 2008 3:24 pm

Re: Cisco lan-to-lan IPSEC tunnel

Fri Feb 03, 2012 8:55 pm

Hi,

Since I had a similar problem I've made a script as a workaround.
It is working OK. Sometimes it doesn't help, and in those cases (maybe once per month or two) I have to change the encryption from MD5 to SHA1 on the proposal.
Then flush all and voilà, it's working :)

So if anybody else needs a script, here it is:
Ipsec-Tunnel-Down
# Who gets notified, which host on the far side of the tunnel is probed,
# and this router's identity (used in the mail subject/body).
:local mailAddresses ("joe@keks.edu");
:local IPWatchServer 172.30.120.10;
:local sysName [/system identity get name];
# Send 10 pings through the tunnel; fewer than 5 replies means the tunnel is down.
:if ([/ping src-address=172.30.110.1 $IPWatchServer count=10]<5) do={
  /ip ipsec installed-sa flush sa-type=all
  /tool e-mail send from="$sysName@keks.edu" server="172.30.110.10" body="VoIP IPSec Tunnel on $sysName is down" subject="IPSEC down" to=$mailAddresses
  :log info "IPSEC down: Flushing Installed SA!"
} else={
  :log info "IPSEC Tunnel OK"
}
I run this script once every minute...
 
kjagus
Frequent Visitor
Posts: 74
Joined: Sun Jan 30, 2005 11:29 pm
Location: Poland

Re: Cisco lan-to-lan IPSEC tunnel

Tue Feb 07, 2012 4:44 am

Have you tried setting "level=use" instead of "level=require" or "level=unique" in the IPsec policy?
 
makkan
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: Cisco lan-to-lan IPSEC tunnel

Tue Feb 07, 2012 10:09 am

> Have you tried setting "level=use" instead of "level=require" or "level=unique" in the IPsec policy?

Yep, that made no difference for me.
 
miahac
Long time Member
Posts: 513
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: Cisco lan-to-lan IPSEC tunnel

Wed Mar 21, 2012 4:38 pm

Chiming in with the same problem.
Network Administrator
Kansas Hosting and Wichita Data Centers
 
aluminumpork
just joined
Posts: 17
Joined: Mon Aug 15, 2011 9:27 pm

Re: Cisco lan-to-lan IPSEC tunnel

Wed Mar 21, 2012 5:25 pm

Same issue here with RouterOS 5.2 connecting to a VPN 3000 series concentrator. We have also noticed that you are unable to enter a CIDR-notation IP subnet in the src-address field when creating a policy. You must enter it from the terminal.
 
makkan
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: Cisco lan-to-lan IPSEC tunnel

Thu Mar 22, 2012 12:11 pm

Hi again,

Our only solution is that we must set up a MikroTik VPN concentrator alongside our network. There simply is no other solution.

MikroTik, please make an official statement that your routers are not compatible with Cisco VPNs.

Marcus
 
aluminumpork
just joined
Posts: 17
Joined: Mon Aug 15, 2011 9:27 pm

Re: Cisco lan-to-lan IPSEC tunnel

Fri Mar 23, 2012 5:28 pm

Well, we just updated our RB1200 that was having this issue to 5.14 (from 5.2) and we noted a couple of interesting things:

#1 - The problem appears to have gone away.
#2 - No dynamic IPsec policies are generated when you create a policy specifying a src-address subnet (e.g. 10.150.24.245/29). We only see the one policy we've created.

The rest of our Tiks have been working properly for many months. These all have a couple of things in common. Firstly, they all have a single src-address. Secondly, they are all on 5.0 or older.
 
makkan
Frequent Visitor
Topic Author
Posts: 82
Joined: Mon Jul 26, 2010 12:38 am

Re: Cisco lan-to-lan IPSEC tunnel

Fri Mar 23, 2012 5:47 pm

Hi!

I actually haven't tried version 5.2, so it might be solved in that version. Will test this immediately! :)

Marcus
 
aluminumpork
just joined
Posts: 17
Joined: Mon Aug 15, 2011 9:27 pm

Re: Cisco lan-to-lan IPSEC tunnel

Fri Mar 23, 2012 6:11 pm

> Hi!
>
> I actually haven't tried version 5.2, so it might be solved in that version. Will test this immediately! :)
>
> Marcus

5.2 was the version we were having trouble with. 5.14 seems to have introduced some different behavior that is preferable.
 
miahac
Long time Member
Posts: 513
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: Cisco lan-to-lan IPSEC tunnel

Wed Aug 08, 2012 7:40 pm

The script worked for me on one connection. But another does not allow ICMP. I do notice that if a connection drops, it is no longer in remote peers. Does anybody have any idea how to modify the script below to flush the SAs based on something like /ip ipsec remote-peers print?
# Probe the far side through the tunnel; fewer than 2 of 3 replies counts as down.
:if ([/ping 10.6.51.11 interval=3 count=3]<2) do={
  :log warning "IPSec KO, flushing SAs"
  /ip ipsec installed-sa flush sa-type=all
} else={
  :log info "IPSec OK"
}
Network Administrator
Kansas Hosting and Wichita Data Centers
 
miahac
Long time Member
Posts: 513
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: Cisco lan-to-lan IPSEC tunnel

Tue Aug 28, 2012 5:56 pm

With some help in the scripting forum I put together a script that works better for me.

First I ping servers on both IPsec connections to make sure the VPN connection gets initiated. Then I count the number of peers; if there are fewer than 2, I flush the SAs, and finally I ping again to get the connection up. Even though the other side is blocking ICMP, the ping does initiate the actual connection.

I run this every 2 minutes.
# Ping a host behind each tunnel so that IKE negotiation is triggered
# (the reply count is discarded; the far side may block ICMP).
[/ping 10.6.51.11 interval=3 count=3]
[/ping 172.21.10.47 interval=3 count=3]
# Count established remote peers; with two tunnels, fewer than 2 means one is down.
:local peer [:len [/ip ipsec remote-peers find]]
:put $peer
:log info ("IPsec remote peers: " . $peer)
:if ($peer<2) do={
  :log warning "IPSec KO, flushing SAs"
  /ip ipsec installed-sa flush sa-type=all
} else={
  :log info "IPSec OK"
}
# Ping again so the flushed tunnel is renegotiated right away.
[/ping 10.6.51.11 interval=3 count=3]
[/ping 172.21.10.47 interval=3 count=3]
Network Administrator
Kansas Hosting and Wichita Data Centers
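An added example, not from any poster in this thread: one RouterOS script that combines huntah's ping check with miahac's remote-peer count, and flushes the SAs only after several consecutive failed checks, so a single dropped ping does not tear down every SA on the router. The probed host, the peer threshold and the variable names are assumptions.

```routeros
# Added example (not from any poster): debounced IPsec watchdog for a scheduler.
# A global counter survives between scheduler runs; the flush is only issued
# after maxFails consecutive failed checks. Addresses and names are assumptions.
:global ipsecFailCount
:if ([:typeof $ipsecFailCount] = "nothing") do={ :set ipsecFailCount 0 }

:local remoteHost 10.6.51.11
:local minPeers 2
:local maxFails 3

# Ping through the tunnel (also triggers IKE if the SA is gone) and count
# the remote peers that currently have an established connection.
:local pingOk ([/ping $remoteHost interval=3 count=3] >= 2)
:local peers [:len [/ip ipsec remote-peers find]]

:if ($pingOk && ($peers >= $minPeers)) do={
  :set ipsecFailCount 0
  :log info ("IPsec OK: peers=" . $peers)
} else={
  :set ipsecFailCount ($ipsecFailCount + 1)
  :log warning ("IPsec check failed (" . $ipsecFailCount . "/" . $maxFails . "), peers=" . $peers)
  :if ($ipsecFailCount >= $maxFails) do={
    :log warning "IPsec KO, flushing installed SAs"
    /ip ipsec installed-sa flush sa-type=all
    :set ipsecFailCount 0
    # Ping once more so the fresh negotiation starts immediately.
    /ping $remoteHost count=3
  }
}
```

Run it from /system scheduler at the same interval the threads' scripts use (one to two minutes); with maxFails=3 that gives the tunnel a few minutes of grace before anything is flushed.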
 
rjickity
Member Candidate
Posts: 212
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: Cisco lan-to-lan IPSEC tunnel

Mon Apr 08, 2013 5:01 pm

I'm not sure if it means much, but I've got tunnels running flawlessly for >1 year using IPsec over a tunnel interface.

I generally use IPIP for Cisco <-> MikroTik. Helpful too, because then you can route through it as well.

Here is a sanitised config example. 1.1.1.1 represents the MikroTik public IP and 2.2.2.2 the Cisco IP.
Mikrotik

/interface ipip
add comment="IPsec to Datacenter" disabled=no local-address=1.1.1.1 name=ipip1 remote-address=2.2.2.2

/ip ipsec proposal
add auth-algorithms=md5 name=IPSec
/ip ipsec peer
add address=2.2.2.2/32 lifebytes=10000000 secret=yoursecret
/ip ipsec policy
add dst-address=2.2.2.2/32 proposal=IPSec sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=1.1.1.1/32 tunnel=yes

Cisco IOS

interface Tunnel1
 description IPSec to Office
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 tunnel source GigabitEthernet0/0
 tunnel destination 1.1.1.1
 tunnel mode ipip

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
!crypto isakmp key <removed> address 1.1.1.1
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 600
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map vpn 1 ipsec-isakmp
 set peer 1.1.1.1
 set security-association lifetime kilobytes 10000000
 set transform-set vpn
 set pfs group2
 ! access-list "crypto" (not shown) selects the traffic to encrypt,
 ! i.e. the IPIP packets between 2.2.2.2 and 1.1.1.1
 match address crypto

interface GigabitEthernet0/0
 <removed>
 crypto map vpn
Hope this helps some people in future.
 
otgooneo
Trainer
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Cisco lan-to-lan IPSEC tunnel

Tue Apr 09, 2013 5:04 am

> Hope this helps some people in future.

Hi rjickity, thanks for sharing your experience on the forum. How is your tunnel stability? Do you see traffic stop passing after some time? Do you use any scheduler/script regarding IPsec?
----------------------------
Want to learn more and more...
 
rjickity
Member Candidate
Posts: 212
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: Cisco lan-to-lan IPSEC tunnel

Tue Apr 09, 2013 12:17 pm

> > Hope this helps some people in future.
>
> Hi rjickity, thanks for sharing your experience on the forum. How is your tunnel stability? Do you see traffic stop passing after some time? Do you use any scheduler/script regarding IPsec?

Hi otgooneo,

No, I have never manually intervened on this link. The last drop was due to a ROS upgrade, and that was this long ago:
/system resource print
uptime: 20w5d21h11m29s
No scripts, no scheduling. Just IPsec and IPIP :)
 
otgooneo
Trainer
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Cisco lan-to-lan IPSEC tunnel

Thu Apr 11, 2013 6:37 pm

Hi rjickity. Brilliant! Thanks again for sharing your experience.
----------------------------
Want to learn more and more...
 
anaktos
newbie
Posts: 27
Joined: Wed Feb 10, 2010 8:55 pm
Location: Rosario - Argentina

Re: Cisco lan-to-lan IPSEC tunnel

Fri May 03, 2013 3:27 pm

I have the same problem, using a Cisco ASA 5510 and a MikroTik RB750 (v5.24).
The tunnel stays up long enough, but when it drops the only way I have to bring it back up is:
/ip ipsec installed-sa flush sa-type=all
/ip ipsec remote-peers kill-connections

If I do the latter, it does not come up anymore.

:(
______
MTCNA
 
chemil
just joined
Posts: 17
Joined: Thu Jun 23, 2011 10:33 am

Re: Cisco lan-to-lan IPSEC tunnel

Sat Jun 01, 2013 8:35 pm

I have the same problem. I would like to know if anyone has something new on this case.

Recently I moved two different IPsec LAN-to-LAN tunnels from a Cisco ASA 5505 to a brand new CCR.

I don't know what exactly sits at the other ends, however I have this problem with the one tunnel which is configured with 3DES and SHA. The other one is configured with AES128 and SHA and seems to be stable.

What is very strange for me is the fact that 6.14rc and 6.0 work almost identically and the very new 6.1rc doesn't even make a connection on one of these IPsec tunnels.

Thank you in advance for any suggestions.
