3dfx
newbie
Topic Author
Posts: 43
Joined: Sun Sep 15, 2013 6:57 pm
Location: Bulgaria

L2TP/IpSec tunnel drops because of client IP change

Thu Aug 11, 2022 11:57 am

Hello everyone!

We have approximately 50 MikroTik routers distributed around the country that are set up to connect to a VPN server running on a MikroTik router in our main office. Those VPN tunnels are used only for remote management of the clients, as many of them are behind NAT; most of the time there is no traffic going through them.
A couple of months ago we started to gradually migrate from PPTP to L2TP/IPsec, but soon after that we noticed that some of the clients experience frequent drops of the VPN session while idle, and no drops at all if there is an active connection going through the specific VPN tunnel.
Further investigation showed that the affected devices are those connected to the Internet via the mobile 3G/4G/5G network, and apparently their traffic is randomly routed by the ISP through different gateways. As a result the VPN server reports "ipsec XXX.XXX.XXX.XXX remote address mismatched" and drops the session.

Can anyone recommend a solution for that issue?
Thanks!
 
3dfx
newbie
Topic Author
Posts: 43
Joined: Sun Sep 15, 2013 6:57 pm
Location: Bulgaria

Re: L2TP/IpSec tunnel drops because of client IP change

Sun Aug 21, 2022 10:59 pm

Sorry for pushing, but any ideas on that question?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IpSec tunnel drops because of client IP change

Mon Aug 22, 2022 8:48 am

Since MikroTik has not implemented MOBIKE yet, the IPsec session cannot automatically accommodate a change of peer IP address. But MOBIKE would not change much about the overall result, because the outage due to LTE session re-establishment (which is the most common root cause of the change of the public IP address from behind which the traffic from the L2TP clients arrives at the server) takes so long that the difference between recovery of the session using MOBIKE and re-establishment from scratch is negligible.

So what is your actual issue? That there is an outage for less than a minute, or that the session doesn't recover at all? Different mobile operators use different networking equipment, so maybe yours uses pinholes so short-lived that the 20 second period of NAT keepalive is too long and the pinhole expires, so the next time a packet is sent, it gets another IP address from the pool? If so, running a netwatch script on the clients, with a shorter time between packets, could be the solution.
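The netwatch approach suggested above, as an added example that is not part of the thread. It is written for the client-side router: the probe target is the server's tunnel-side address (assumed here to be 10.99.0.1) so the ICMP packets travel inside the tunnel every 5 seconds, well under the 20 second IPsec NAT keepalive, and if the server stops answering the L2TP client interface (assumed name l2tp-hq) is bounced to force a clean re-establishment.

```routeros
# Added example, not from the forum thread or MikroTik documentation.
# Assumptions: the L2TP client interface is named "l2tp-hq" and the
# server's address inside the tunnel is 10.99.0.1 (adjust both).
# Probing every 5s keeps traffic flowing through the idle tunnel so the
# carrier's NAT mapping is refreshed far more often than the 20s
# IPsec NAT-T keepalive; timeout=1s avoids overlapping probes.
/tool netwatch
add host=10.99.0.1 interval=5s timeout=1s \
    comment="tunnel keepalive + auto-recovery for l2tp-hq" \
    up-script=":log info \"l2tp-hq: server reachable through tunnel\"" \
    down-script=":log warning \"l2tp-hq: server unreachable, restarting L2TP client\"; \
        /interface l2tp-client disable l2tp-hq; \
        :delay 2s; \
        /interface l2tp-client enable l2tp-hq"
```

Check the log for the warning message to see how often the down-script fires; if it fires in bursts while the tunnel is actually up, lengthen timeout or interval rather than letting netwatch restart a working session.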
 
3dfx
newbie
Topic Author
Posts: 43
Joined: Sun Sep 15, 2013 6:57 pm
Location: Bulgaria

Re: L2TP/IpSec tunnel drops because of client IP change

Mon Aug 22, 2022 8:55 pm

Thank you very much for your reply!

Actually, the client device does not experience LTE session drops and never loses connection with the Internet. However, the gateway through which the traffic exits the private network of the ISP changes extremely often, every 2-3 minutes. On each change the tunnel drops and has to be re-established. If we establish any connection with the client device through the tunnel, the exit gateway stops changing and the tunnel remains stable...
I will try netwatch to see if it changes anything.
