Volart
just joined
Topic Author
Posts: 9
Joined: Thu Feb 23, 2012 9:52 am
Location: Ukraine, Donetsk

IpSec with cisco problem!

Mon Jul 23, 2012 9:07 am

Hello.
I have a BIG problem for my organization. We have over 30 RouterBoards, 411U and 750. We are using them on ATMs.
All of them are connected via GRE over IPsec to a Cisco router. A few times a day the tunnel with IPsec goes down. No packets are transmitted in the SA.
Only "/ip ipsec installed-sa flush" helps. But it's not good.
MikroTik with MikroTik works perfectly.
What can I do to solve this?

----------------------------------------------
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 disabled=no enc-algorithms=3des lifetime=10m name=default pfs-group=modp1024

/ip ipsec peer
add address=x.x.x.x/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=10s dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main \
generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=10m my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=\
somepass send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=x.x.x.x/32 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=ip-encap \
sa-dst-address=x.x.x.x sa-src-address=y.y.y.y src-address=y.y.y.y/32 src-port=any tunnel=no
 
nz_monkey
Forum Guru
Posts: 2104
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: IpSec with cisco problem!

Mon Jul 23, 2012 9:26 am

This is fixed in 6.0beta3
 
Volart
just joined
Topic Author
Posts: 9
Joined: Thu Feb 23, 2012 9:52 am
Location: Ukraine, Donetsk

Re: IpSec with cisco problem!

Mon Jul 23, 2012 9:42 am

nz_monkey wrote:
This is fixed in 6.0beta3
Thanks, but the last version on the MikroTik site is 6.0beta2.
Where can I download beta3 for testing?
 
stmx38
Long time Member
Posts: 618
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: IpSec with cisco problem!

Mon Jul 23, 2012 10:12 am

 
Volart
just joined
Topic Author
Posts: 9
Joined: Thu Feb 23, 2012 9:52 am
Location: Ukraine, Donetsk

Re: IpSec with cisco problem!

Mon Jul 23, 2012 10:18 am

I saw it, but there is no solution there.
 
stmx38
Long time Member
Posts: 618
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: IpSec with cisco problem!

Mon Jul 23, 2012 11:13 am

I use huntah's script (modified):
# Host on the far side of the tunnel to probe, and the interface the probe is sent out of
:local IPWatchServer 10.0.1.2
:local OutInterface bridge-lan
# /ping returns the number of replies received; fewer than 3 of 4 means the tunnel is treated as down
:if ([/ping interface=$OutInterface $IPWatchServer count=4]<3) do={
  # Drop every installed SA so IKE has to renegotiate a fresh one
  /ip ipsec installed-sa flush sa-type=all
  :log info "IPSEC tunnel with XO is down: Flushing Installed SA !!!"
} else={
  :log info "IPSEC tunnel with XO is OK !"
}
 
Volart
just joined
Topic Author
Posts: 9
Joined: Thu Feb 23, 2012 9:52 am
Location: Ukraine, Donetsk

Re: IpSec with cisco problem!

Mon Jul 23, 2012 11:21 am

I used it too, except for the "tunnel is OK" entry in the log. I added a 30s delay and write the logs to a syslog server.
But really, it's not a solution. Almost always when the tunnel goes down the state is critical. The script flushes the SAs 10-15 times a day.

I have the same RouterBoards in branches. The situation there is better. On the ATMs there is less traffic. Maybe this is the problem?
 
rjickity
Member Candidate
Posts: 212
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: IpSec with cisco problem!

Mon Jul 23, 2012 11:36 am

I use IPsec encryption over an IP-IP tunnel from an RB1200 to a 7301. Too many problems with tunnel mode.
 
stmx38
Long time Member
Posts: 618
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: IpSec with cisco problem!

Mon Jul 23, 2012 7:19 pm

Volart wrote:
But really, it's not a solution.
Completely agree with you, but ... this is MikroTik :)
I tried to do this via Netwatch, but noticed that I can't, because it isn't possible to specify the outgoing interface.
I made a feature request for this:
Hello,

Netwatch does not have an interface option, but you can add a static route to send the ping over a
different interface.

Perhaps you can change the IPsec lifetime timeouts and set them to low values, or even
use DPD on both ends (DPD allows you to remove unused SAs when there is no
connection between the two hosts).
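The Netwatch workaround that the support reply describes, written out as an added example (this is not configuration from any of the posts above). The watched host 10.0.1.2 and the interface name bridge-lan are taken from stmx38's script; the assumption, as in that script, is that the probe has to leave via bridge-lan so that it is sourced from the LAN-side address and falls under the IPsec policy. The /32 host route does what the script's interface= option did, and Netwatch's down-script performs the same SA flush. The 30s interval, 1s timeout and the log texts are assumed values.

```routeros
# Added example, not from the original thread.
# Assumption: the probe to 10.0.1.2 must be sent out via bridge-lan (as in stmx38's script),
# so a host route pins it to that interface instead of letting the default route pick one.
/ip route
add dst-address=10.0.1.2/32 gateway=bridge-lan comment="pin IPsec watchdog probe to the LAN side"

# Netwatch probes the host every 30s (assumed interval). When the probe fails, down-script
# flushes every installed SA so that IKE renegotiates; up-script only logs the recovery.
/tool netwatch
add host=10.0.1.2 interval=30s timeout=1s \
    down-script=":log warning \"IPsec watchdog: 10.0.1.2 unreachable, flushing installed SAs\"; /ip ipsec installed-sa flush sa-type=all" \
    up-script=":log info \"IPsec watchdog: 10.0.1.2 reachable again\""
```

Two caveats before copying this. Netwatch cannot tell a dead SA from a rebooted watched host, so any outage of 10.0.1.2 will also tear down a working tunnel; pick a host that is always up, or use a second Netwatch entry as a sanity check. In Volart's GRE-over-IPsec setup (transport mode, protocol=ip-encap) the host to probe is the far end of the GRE tunnel, routed via the GRE interface rather than bridge-lan.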
 
Volart
just joined
Topic Author
Posts: 9
Joined: Thu Feb 23, 2012 9:52 am
Location: Ukraine, Donetsk

Re: IpSec with cisco problem!

Tue Jul 24, 2012 9:41 am

Can someone from MikroTik support answer in this topic? I saw that you watched it :)
I like MikroTik, but this is a very big problem.
