Two RB750gr3 routers, RouterOS 6.47.8.
Very simple IPsec config for testing purposes:
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=profile1 nat-traversal=no
/ip ipsec peer
add address=xxx.xxx.158.248/32 name=ipsec-db profile=profile1
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=3des name=proposal1
/ip ipsec identity
add peer=ipsec-db secret=password_here
/ip ipsec policy
add dst-address=192.168.10.0/24 peer=ipsec-db proposal=proposal1 sa-dst-address=xxx.xxx.158.248 sa-src-address=xxx.xxx.121.42 src-address=\
192.168.20.0/24 tunnel=yes
------------------------------------------------------------------------
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=profile1 nat-traversal=no
/ip ipsec peer
add address=xxx.xxx.121.42/32 name=ipsec-zp passive=yes profile=profile1 send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=3des name=proposal1
/ip ipsec identity
add peer=ipsec-zp secret=password_here
/ip ipsec policy
add dst-address=192.168.20.0/24 peer=ipsec-zp proposal=proposal1 sa-dst-address=xxx.xxx.121.42 sa-src-address=xxx.xxx.158.248 src-address=192.168.10.0/24 \
tunnel=yes
----------------------------------------------------
The tunnel can work for an hour or two, or for two days. If I reboot one router, the tunnel does not come up. I see the status "Established" and a successful key exchange in the logs, but data doesn't go through the tunnel. There is only one way to get the tunnel working again: I have to restore every router from its backup, active side first, passive second. And the tunnel works until the next accident.
Is there a way to make the tunnel work stably and start automatically after rebooting the router or disconnecting for another reason?