Page 1 of 1

IPSec Rekeying

Posted: Tue Jun 03, 2014 6:05 pm
by burkon

I just set up a IPSec Connection between two Routerboards ROS v. 6.13
The connection works fine.

I just noticed that there seems to be something wrong with the rekeying.

As far as I understand the logic the rekeying of the phase2 should happen while
the current SAs are in the "dying" state.

To me it looks like the rekeying only happens when the old SA is hard expired and removed.
This leads to some packets of loss on each rekey.

Am I missing something or how could this be fixed?


Re: IPSec Rekeying

Posted: Fri Jun 13, 2014 4:24 pm
by mrz
Please try v6.15.

Re: IPSec Rekeying

Posted: Tue Jun 17, 2014 9:45 pm
by mt-guy
Exactly the same problem here, and 6.15 does not solve this.

Re: IPSec Rekeying

Posted: Wed Jun 18, 2014 6:27 pm
by sanitycheck
I wonder if this IPSEC problem could be the cause of the SIP phone problem I've been having. Random phone sets connected through a new, multi-site, all-Mikrotik IPSEC VPN to a PBX in the main office would fail to register inside of 24 hours. Manual reboot of main office router or PBX would fix for a time. So far defeating the SIP helper on the phone connections seems to have fixed the problem. Maybe this IPSEC problem hangs up the SIP helper.

An older but nearly identical configuration at a different business never had this problem. The main difference there is the firmware releases are all 6.7, where this new installation are all 6.13 or 6.15 (main office). In the old installation the SIP helper is enabled on all routers, the default.