Community discussions

MikroTik App
 
AwesomeDuke
newbie
Topic Author
Posts: 26
Joined: Wed Jun 21, 2017 2:11 pm

IPSec VPN Stops Working - Ready To Send

Sat Mar 02, 2019 12:58 am

Hi Everyone,

I'm a Mikrotik newb and inherited this configuration so please bear that in mind when tearing me a new one. :)

Not sure if anyone has ever come across this, but I have an Site to Site IPSec VPN issue that recently started causing me headaches. This must have started after a recent update, but prior to that the VPN was rock solid and I never had to touch it. I’m talking years of trouble free performance.

What happens is that the VPN stops working and checking the status of the VPN is says ready to send. I can try and restart it, but nothing works. The only way to get the VPN to come back up is to reboot the router. Then it’s stable for a few days and then it happens again.

I deleted the whole setup at both ends and recreated it, but still no joy.

Here is the script for the remote site:

/ip ipsec profile
add dh-group=modp1024 name=HeadOffice nat-traversal=no
/ip ipsec peer
add address=xx.xx.xx.xx/32 comment=HeadOffice local-address=xx.xx.xx.xx name=\
HeadOffice profile=HeadOffice
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
/ip ipsec identity
add peer=peer2 secret=MyPassword
add comment=HeadOffice peer=HeadOffice secret=MyPassword
/ip ipsec policy
add comment=HeadOffice dst-address=10.0.0.0/24 sa-dst-address=xx.xx.xx.xx \
sa-src-address=xx.xx.xx.xx src-address=10.0.2.0/24 tunnel=yes

Here is the script for the Head Office site which is essentially the reverse of the previous one:

/ip ipsec profile
add dh-group=modp1024 name=RemoteSite nat-traversal=no
/ip ipsec peer
add address=xx.xx.xx.xx/32 comment=RemoteSite local-address=xx.xx.xx.xx name=\
RemoteSite profile=RemoteSite
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
/ip ipsec identity
add peer=RemoteSite secret=MyPassword
/ip ipsec policy
add comment=RemoteSite dst-address=10.0.2.0/24 sa-dst-address=xx.xx.xx.xx \
sa-src-address=xx.xx.xx.xx src-address=10.0.0.0/24 tunnel=yes
Any ideas where to look?

Thanks

Duke
 
AndreyRa
just joined
Posts: 8
Joined: Wed Jun 06, 2018 1:30 pm

Re: IPSec VPN Stops Working - Ready To Send

Sun Mar 03, 2019 1:10 am

Same here. Just upgraded routeros to the new 6.44 firmware and got the same "ready to send" status for the one of my L2TP/IPSec connections. This connection based on Ubuntu Strongswan+xl2tpd service. All other Routers that work on old 6.43.12 firmware connecting to this L2TP-server without problems. I think this is a bug in new firmware.
After I've downgraded to 6.43.12 - all works fine as always.
 
Sarel0092
newbie
Posts: 48
Joined: Tue Aug 07, 2018 8:25 am

Re: IPSec VPN Stops Working - Ready To Send

Mon Mar 04, 2019 7:05 pm

For the L2TP server problem I found that simply disabling and re-enabling it resolved the problem.

/interface l2tp-server server set enabled=no
/interface l2tp-server server set enabled=yes
 
algisr
newbie
Posts: 27
Joined: Sat Apr 28, 2018 11:30 am

Re: IPSec VPN Stops Working - Ready To Send

Wed Mar 06, 2019 10:08 pm

Create Netwatch and ping other side gateway IP or any other LoopBack-IP which never changes.
If you get a time out (HOST DOWN section): run what Sarel0092 suggested. This should refresh IPSEC VPN.
Main Problem is that if your MikroTik isn't very expensive it will take like 10-20 seconds to create new IPsec VPN connection for ping to work. Keep that in mind and adjust Netwatch Interval.
 
AwesomeDuke
newbie
Topic Author
Posts: 26
Joined: Wed Jun 21, 2017 2:11 pm

Re: IPSec VPN Stops Working - Ready To Send

Mon Mar 11, 2019 10:32 am

Same here. Just upgraded routeros to the new 6.44 firmware and got the same "ready to send" status for the one of my L2TP/IPSec connections. This connection based on Ubuntu Strongswan+xl2tpd service. All other Routers that work on old 6.43.12 firmware connecting to this L2TP-server without problems. I think this is a bug in new firmware.
After I've downgraded to 6.43.12 - all works fine as always.
Thanks Audrey. I've just downgraded mine and will see if that stabilises the connection. Thank you for the suggestion.

Duke
 
AwesomeDuke
newbie
Topic Author
Posts: 26
Joined: Wed Jun 21, 2017 2:11 pm

Re: IPSec VPN Stops Working - Ready To Send

Thu Mar 14, 2019 7:03 am

Just an update for anyone else experiencing this issue.

Since downgrading the RouterOS to 6.42.12 the Site to Site VPN has been stable.

Thank you to Audrey for the suggestion. There must be a bug in the IPSec setup for the 6.44 RouterOS.
 
vacari
just joined
Posts: 10
Joined: Fri Mar 04, 2016 2:56 am

Re: IPSec VPN Stops Working - Ready To Send

Fri Oct 01, 2021 8:31 pm

Same here. For more than 2 years.
RouterOS 6.48.4 and earlier.
CCR1009-8G-1S-1S+
 
User avatar
loloski
Member
Member
Posts: 367
Joined: Mon Mar 15, 2021 9:10 pm

Re: IPSec VPN Stops Working - Ready To Send

Mon Oct 16, 2023 9:35 am

We have seen this today on one of our CCR2004 L2TP + IPSEC, there's no workaround on this other than restarting the whole device which is very annoying we don't know what the condition needs to reproduce the issue, but other installation is working fine for months without the issue with the same configuration

We are ros v7.11.2

Who is online

Users browsing this forum: Eriks, markatel, seriosha and 38 guests