Jacka
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 13, 2011 11:34 am

IPsec VPN keeps disconnecting

Wed Oct 31, 2012 2:56 pm

Hi all,

I established an IPsec VPN tunnel to link with the main office, but every XX minutes it keeps disconnecting, so I have to flush Installed SAs and then reconnect again manually.

Why is this happening? Need some help.

13:17:25 ipsec,debug,packet delete payload for protocol ISAKMP
13:17:25 ipsec,debug ISAKMP-SA expired 68.27.131.110[500]-82.222.220.11[500] spi:abcf97e836c75e2d:2ed4ab8c4495152f
13:17:25 ipsec,debug,packet purged SAs.
13:17:26 ipsec,debug ISAKMP-SA deleted 68.27.131.110[500]-82.222.220.11[500] spi:abcf97e836c75e2d:2ed4ab8c4495152f


[admin@MikroTik] >
Thank you.
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: IPsec VPN keeps disconnecting

Wed Oct 31, 2012 5:23 pm

Mikrotik IPsec is bad about not being able to always reconnect after a network glitch, requiring a flush. Are you using the very newest Mikrotik version? There have been some fixes in some of the more recent versions.
 
Jacka
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 13, 2011 11:34 am

Re: IPsec VPN keeps disconnecting

Thu Nov 01, 2012 8:44 am

Yes, I use the latest version 5.21.
Is there a workaround for my problem?
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: IPsec VPN keeps disconnecting

Thu Nov 01, 2012 3:12 pm

> Yes, I use the latest version 5.21.
> Is there a workaround for my problem?

My own workaround is that I no longer use IPsec on Mikrotik. Too unreliable.

Try SSTP instead. It appears to be more stable.
 
Jacka
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 13, 2011 11:34 am

Re: IPsec VPN keeps disconnecting

Fri Nov 02, 2012 10:28 am

> > Yes, I use the latest version 5.21.
> > Is there a workaround for my problem?
>
> My own workaround is that I no longer use IPsec on Mikrotik. Too unreliable.
>
> Try SSTP instead. It appears to be more stable.

The main office requires an IPsec tunnel, can't do anything about it.

I have another issue with IPsec, some details:

There are five interfaces:

1. WAN1
2. WAN2
3. LAN1 (192.168.0.0/24)
4. LAN2 (master LAN1)
5. LAN3 (175.21.221.0/24)

On LAN3 I created a network (175.21.221.0/24) which was given by the main site (the server); the network is only required for the IPsec tunnel.
Created the IPsec tunnel, everything is fine. The main office asked for a ping of one address (175.34.200.20) from the 175.21.221.0/24 network; using Tools -> Ping on the Mikrotik I got a ping reply. But when I tried to ping from my computer (192.168.0.200) there was no response (request timed out). I know that the problem is one missing rule, a NAT or Mangle rule, but I don't know which one or how to create it properly.

Tried the masquerade: chain=srcnat action=masquerade out-interface=LAN3 - but it didn't help.

*The IPsec is needed for my local users on the network (192.168.0.0/24 | 175.21.221.0/24); they will work on 175.34.200.20 (web server) through the tunnel.

Need some help with this one, thank you.

Log and print screen, from mikrotik the ping is good but not from my PC:
C:\Users\Admin>ping 175.34.200.20

Pinging 175.34.200.20 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 175.34.200.20:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\Admin
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: IPsec VPN keeps disconnecting

Fri Nov 02, 2012 2:56 pm

In my opinion, the Mikrotik is GREAT for many things.... but IPSEC is not one of them, unfortunately... at least not for me.
 
nz_monkey
Forum Guru
Posts: 2104
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: IPsec VPN keeps disconnecting

Fri Nov 02, 2012 8:07 pm

> In my opinion, the Mikrotik is GREAT for many things.... but IPSEC is not one of them, unfortunately... at least not for me.

+1
 
psamsig
Member Candidate
Posts: 161
Joined: Sun Dec 06, 2009 1:36 pm
Location: Denmark

Re: IPsec VPN keeps disconnecting

Fri Nov 02, 2012 10:30 pm

@Jacka: Post your configuration (peer, policy and proposal). What equipment is in the main office? Are lifetimes/lifebytes equal on both ends? Are you using DPD? Do you use Netwatch to keep traffic running?
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: IPsec VPN keeps disconnecting

Sat Nov 03, 2012 6:10 pm

> In my opinion, the Mikrotik is GREAT for many things.... but IPSEC is not one of them, unfortunately... at least not for me.

-1

We do A LOT of IPSec site-to-site tunneling on Mikrotik, and I must say that I am very happy. IPSec in Mikrotik just requires you to learn it and to do it by its rules...

> @Jacka: Post your configuration (peer, policy and proposal). What equipment is in the main office? Are lifetimes/lifebytes equal on both ends? Are you using DPD? Do you use Netwatch to keep traffic running?

To be on topic, this is what you need to check, OP.
 
Jacka
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 13, 2011 11:34 am

Re: IPsec VPN keeps disconnecting

Sat Nov 03, 2012 7:51 pm

> @Jacka: Post your configuration (peer, policy and proposal). What equipment is in the main office? Are lifetimes/lifebytes equal on both ends? Are you using DPD? Do you use Netwatch to keep traffic running?

> Post your configuration (peer, policy and proposal)

[admin@MikroTik] > ip ipsec peer print detail 
Flags: X - disabled 
 0   address=82.222.220.11/32 port=500 auth-method=pre-shared-key 
     secret="123456789" generate-policy=no exchange-mode=main 
     send-initial-contact=yes nat-traversal=no my-id-user-fqdn="" 
     proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 
     dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m 
     dpd-maximum-failures=5
[admin@MikroTik] > ip ipsec policy print detail 
Flags: X - disabled, D - dynamic, I - inactive 
 0   src-address=175.21.221.0/24 src-port=any dst-address=175.34.200.20/32 
     dst-port=any protocol=all action=encrypt level=unique 
     ipsec-protocols=esp tunnel=yes sa-src-address=68.27.131.110
     sa-dst-address=82.222.220.11 proposal=sha priority=0
[admin@MikroTik] > ip ipsec proposal  print detail 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=1d 
      pfs-group=none 

 1    name="sha" auth-algorithms=sha1 enc-algorithms=aes-256 lifetime=1d 
      pfs-group=none 
[admin@MikroTik] >

> What equipment is in the main office?

It's a Cisco device.

> Are lifetimes/lifebytes equal on both ends?

Yes, 1d.

> Are you using DPD?

Yes.

> Do you use Netwatch to keep traffic running?

No.

*Yesterday I upgraded to RouterOS 6.0rc2, still no change: the connection drops and I still don't know how to get to 175.34.200.20 from my network 192.168.0.0/24 | 175.21.221.0/24.
[admin@MikroTik] > system package print
Flags: X - disabled 
 #   NAME                    VERSION                    SCHEDULED              
 0 X ipv6                    6.0rc2                                            
 1   security                6.0rc2                                            
 2 X hotspot                 6.0rc2                                            
 3   routing                 6.0rc2                                            
 4   dhcp                    6.0rc2                                            
 5   ppp                     6.0rc2                                            
 6   advanced-tools          6.0rc2                                            
 7   mpls                    6.0rc2                                            
 8 X wireless                6.0rc2                                            
 9   system                  6.0rc2                                            
[admin@MikroTik] >

Really need some help with this one, thank you in advance.
 
Jacka
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 13, 2011 11:34 am

Re: IPsec VPN keeps disconnecting

Tue Nov 06, 2012 12:14 pm

BUMP, anyone?
 
psamsig
Member Candidate
Posts: 161
Joined: Sun Dec 06, 2009 1:36 pm
Location: Denmark

Re: IPsec VPN keeps disconnecting

Tue Nov 06, 2012 9:04 pm

Did you happen to read the answer to the same question?

http://forum.mikrotik.com/viewtopic.php ... 34#p340974
 
Jacka
Member Candidate
Topic Author
Posts: 125
Joined: Thu Jan 13, 2011 11:34 am

Re: IPsec VPN keeps disconnecting

Wed Nov 07, 2012 10:53 am

I set the level to unique, nothing changed.
 
psamsig
Member Candidate
Posts: 161
Joined: Sun Dec 06, 2009 1:36 pm
Location: Denmark

Re: IPsec VPN keeps disconnecting

Wed Nov 07, 2012 12:23 pm

From the thread it seems to be related to DPD, and cases where the Cisco end drops an SA, but the MT router doesn't try to negotiate a new one. Try lowering your DPD, both interval and failures (dpd-interval=2m dpd-maximum-failures=5); start with 20s/1. You could also ask somebody in Cisco-land; if it really is a Cisco peculiarity, then someone may be bound to have bumped into it before, and can suggest something different at that end.
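
An added example, not part of the post above and not RouterOS or project code: a short Python check over the peer and policy fields posted earlier in the thread. It estimates how long DPD takes to declare the peer dead (assuming probes are spaced one interval apart, so interval times maximum failures) for the current 2m/5 and the suggested 20s/1, and tests which source addresses fall inside the policy's src-address selector; 175.21.221.10 is a constructed host in the LAN3 subnet.

```python
import ipaddress
import re

# Constructed sample: fields copied from the peer and policy output posted in this thread.
PEER = """address=82.222.220.11/32 port=500 auth-method=pre-shared-key
     exchange-mode=main my-id-user-fqdn="" lifetime=1d lifebytes=0
     dpd-interval=2m dpd-maximum-failures=5"""
POLICY = """src-address=175.21.221.0/24 src-port=any dst-address=175.34.200.20/32
     level=unique tunnel=yes proposal=sha"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_fields(text):
    """Split RouterOS 'print detail' output into a key -> value dict."""
    pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', text)
    return {key: value.strip('"') for key, value in pairs}


def seconds(value):
    """Convert a RouterOS duration such as 2m, 20s or 1d to seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhd])", value))


def dpd_detection_seconds(peer, interval=None, failures=None):
    """Approximate time to declare the peer dead (assumption: interval x failures)."""
    interval = interval or peer["dpd-interval"]
    failures = failures or peer["dpd-maximum-failures"]
    return seconds(interval) * int(failures)


def matches_policy(policy, src, dst):
    """True when a packet's addresses fall inside the policy selectors."""
    src_net = ipaddress.ip_network(policy["src-address"])
    dst_net = ipaddress.ip_network(policy["dst-address"])
    return (ipaddress.ip_address(src) in src_net
            and ipaddress.ip_address(dst) in dst_net)


if __name__ == "__main__":
    peer, policy = parse_fields(PEER), parse_fields(POLICY)
    print("DPD detection now (s):", dpd_detection_seconds(peer))
    print("DPD detection at 20s/1 (s):", dpd_detection_seconds(peer, "20s", 1))
    for src in ("192.168.0.200", "175.21.221.10"):  # second host is constructed
        print(src, "matches policy:", matches_policy(policy, src, "175.34.200.20"))
```
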
 
shelbynetworks
just joined
Posts: 14
Joined: Mon Jan 17, 2011 11:34 pm

Re: IPsec VPN keeps disconnecting

Fri Jun 15, 2018 9:03 pm

Try setting the PFS group to none; it's the second phase that's the prob.
