Hi folks,
I am running into an issue and your input would be much appreciated. To make it simple, I have 3 MT routers with GRE/IPsec (IKEv2) tunnels in a triangle.
router A: RB3011, ROS 7.5, static public IP address
router B: RB3011, ROS 7.5, static public IP address
router C: LDF LTE6kit, ROS 7.5, dynamic public IP address with CG-NAT
Tunnel A-B is rock solid and works like a charm
Tunnels A-C and B-C (the ones terminated on the LDF LTE6kit) also work great for over 24 hours, but after a day or so, they "freeze" and I see the following error messages in the logs on both endpoints:
ipsec: dpd collision
[...]
ipsec,debug: reply ignored
If I flush the SA manually (on either end), a new SA establishes and the GRE tunnel comes up immediately. It is worth mentioning that the last public IP change on router C was over 30 hours ago, so this can be ruled out as a possible cause.
I ran into this post here: viewtopic.php?p=543834 but it hasn't been followed up. Indeed, I have set up DPD on IPsec (interval=5, max failures=3). IPsec SA lifetime is set to 1 hour.
Could you give me some insights about the 2 error messages ("dpd collision" and "reply ignored")? I can't rule out that my DPD settings are non-optimal. I have to admit that it is the first time I have set up IKEv2 IPsec in a production environment, so I took over most settings from my old IKEv1 configs...
Cheers!
PS: I don't think posting my configs here would bring any benefit (yet); for the moment, these are more conceptual questions/global recommendations.
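The symptom described in the post, a peer logging repeated "dpd collision" events (with "reply ignored" in the debug topic) and never recovering until the SA is flushed, is easy to spot automatically once the logs are exported. The following is an added example, not code from the post or from MikroTik: it runs detection logic over a few constructed log lines. The syslog-style layout, the "peer=<name>" tag and the "sa established" recovery message are assumptions for the sake of the example; only the two messages quoted above come from the thread. A peer counts as stuck when it accumulates at least min_collisions "dpd collision" events within a window and no SA establishment follows them.

```python
"""Flag IPsec peers whose DPD exchanges keep colliding without recovering."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-style: timestamp, topics, message).
# Only "dpd collision" and "ipsec,debug ... reply ignored" are taken from the
# post; the "peer=<name>" tag and "sa established" are assumed placeholders.
SAMPLE_LOG = """\
2023-01-02 10:00:01 ipsec peer=B: dpd collision
2023-01-02 10:00:03 ipsec peer=B: sa established
2023-01-02 11:30:00 ipsec peer=C: dpd collision
2023-01-02 11:30:00 ipsec,debug peer=C: reply ignored
2023-01-02 11:30:05 ipsec peer=C: dpd collision
2023-01-02 11:30:05 ipsec,debug peer=C: reply ignored
2023-01-02 11:30:10 ipsec peer=C: dpd collision
2023-01-02 11:30:10 ipsec,debug peer=C: reply ignored
2023-01-02 11:30:15 ipsec peer=C: dpd collision
2023-01-02 11:30:15 ipsec,debug peer=C: reply ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<topics>[\w,]+) peer=(?P<peer>\w+): (?P<msg>.*)$"
)


def parse_line(line):
    """Split one log line into (timestamp, topic list, peer, message); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["topics"].split(","), m["peer"], m["msg"].strip()


def find_stuck_peers(lines, min_collisions=3, window=timedelta(minutes=1)):
    """Return {peer: {"collisions": n, "replies_ignored": k}} for peers that look stuck.

    A peer is stuck when it logged at least `min_collisions` "dpd collision"
    events within `window` of its most recent one and no "sa established"
    message has cleared them since. "reply ignored" lines are counted as
    corroborating evidence only; they do not trigger the verdict on their own.
    """
    collisions = defaultdict(list)
    ignored = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated or malformed line
        ts, topics, peer, msg = parsed
        if msg == "dpd collision":
            collisions[peer].append(ts)
        elif msg == "reply ignored" and "debug" in topics:
            ignored[peer] += 1
        elif msg == "sa established":
            # A fresh SA means the peer recovered; forget the earlier evidence.
            collisions[peer].clear()
            ignored[peer] = 0

    stuck = {}
    for peer, stamps in collisions.items():
        if not stamps:
            continue
        recent = [t for t in stamps if stamps[-1] - t <= window]
        if len(recent) >= min_collisions:
            stuck[peer] = {"collisions": len(recent), "replies_ignored": ignored[peer]}
    return stuck


if __name__ == "__main__":
    for peer, evidence in find_stuck_peers(SAMPLE_LOG.splitlines()).items():
        print(f"peer {peer} looks stuck: {evidence}")
```

With the DPD settings from the post (interval 5 s, 3 failures), three collisions inside a minute already exceed what a healthy peer should ever produce, so the defaults above line up with that configuration; the thresholds are parameters so they can be tuned to other DPD intervals.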