i am having trouble with my ipsec tunnels for my branch offices throughout the state. after some period of time the tunnel will quit working on either branch side or central office side.... ( not sure which one ) and i will have to manually bring the individual tunnel/tunnels up myself.
my central office router is an x86 platform on routerOS ver. 4.16. right now i am testing 1 location of an rb450 with routeros version 5.0, the other branch offices have versions 4.10 and above.
i was able to figure out the netwatch and have it email me when the tunnel to my test site goes down and so far it went down last night for about 30 mins. i checked the logs and the router it's self did not go down, what is it that causes the ipsec tunnels to be so flaky?
Re: ipsec tunnel issues
well folks i see alot of people have viewed this topic but no replys, however using the netwatch has seemed to work so far. its been in place for about two weeks now and so far has been working great and the tunnels do not die out unless the internet goes down. here are the steps to do so, keep in mind this is based off the mikrotik wiki on how to setup netwatch.
To enable net watch you first have to setup the scripts it will use in order to have this work properly by clicking on system>scripts.
Add the script by clicking on the plus button, name the script a descriptive name such as the branch name. In this example of dallas1. Leave all policies checked by default and in the source section put in the following:/ip route set [/ip route find dst x.x.x.0/24] gateway x.x.x.1 click apply and then ok.
Next you need to add the scripts to automatically email cfs/unitetech staff when the tunnel goes down and comes back up, add the script again and name it the branch name down/up. For example dallas1-down and dallas1-up. leave the policies all checked by default again and enter the following into source:{/tool e-mail send from=”branch@whatevercompany.com” server=”x.x.x.x″ body=”tunnel down” subject=”ipsec tunnel down” to=”outages@companyname.com”}=dallas1-down{/tool e-mail send from=”branch@whatevercompany.com” server=”x.x.x.x″ body=”tunnel up” subject=”ipsec tunnel up” to=”outages@whatevercompany.com”} =dallas1-up
The from email address can be anything you want it to read, such as dallas1@companyname.com. the body will be what the email should say, short and to the point is best in this case. The subject will be the subject line of the email and can read what you want it to display as well.
After the scripts have been added we can not enable the netwatch utility. To do this click on tools>netwatch, click the plus button and for the host enter in the internal gateway (x.x.x.1) of the location your trying to monitor. Next we will set the interval for how often the home office router will probe for the connection. We will start out using a 10 minuet interval and the timeout we will set to 10000ms.Next click on the up tab and enter in the name of the up script we created earlier, then do the same on the down tab and the down script name. click apply and then ok.
Our final step is to create a route to the gateway we are monitoring. Click on IP>Routes, click the plus button. In the dst. address input the internal IP of the gateway x.x.x.1 (10.1.5.1 for example) in the gateway we are going to select an interface instead of putting in a physical IP address, select the main LAN port. Distance=1 scope=255 and target scope=10 click apply and ok, once the interval hits its mark it should show in the netwatch utility the connection is up.
hope this helps everyone
To enable net watch you first have to setup the scripts it will use in order to have this work properly by clicking on system>scripts.
Add the script by clicking on the plus button, name the script a descriptive name such as the branch name. In this example of dallas1. Leave all policies checked by default and in the source section put in the following:/ip route set [/ip route find dst x.x.x.0/24] gateway x.x.x.1 click apply and then ok.
Next you need to add the scripts to automatically email cfs/unitetech staff when the tunnel goes down and comes back up, add the script again and name it the branch name down/up. For example dallas1-down and dallas1-up. leave the policies all checked by default again and enter the following into source:{/tool e-mail send from=”branch@whatevercompany.com” server=”x.x.x.x″ body=”tunnel down” subject=”ipsec tunnel down” to=”outages@companyname.com”}=dallas1-down{/tool e-mail send from=”branch@whatevercompany.com” server=”x.x.x.x″ body=”tunnel up” subject=”ipsec tunnel up” to=”outages@whatevercompany.com”} =dallas1-up
The from email address can be anything you want it to read, such as dallas1@companyname.com. the body will be what the email should say, short and to the point is best in this case. The subject will be the subject line of the email and can read what you want it to display as well.
After the scripts have been added we can not enable the netwatch utility. To do this click on tools>netwatch, click the plus button and for the host enter in the internal gateway (x.x.x.1) of the location your trying to monitor. Next we will set the interval for how often the home office router will probe for the connection. We will start out using a 10 minuet interval and the timeout we will set to 10000ms.Next click on the up tab and enter in the name of the up script we created earlier, then do the same on the down tab and the down script name. click apply and then ok.
Our final step is to create a route to the gateway we are monitoring. Click on IP>Routes, click the plus button. In the dst. address input the internal IP of the gateway x.x.x.1 (10.1.5.1 for example) in the gateway we are going to select an interface instead of putting in a physical IP address, select the main LAN port. Distance=1 scope=255 and target scope=10 click apply and ok, once the interval hits its mark it should show in the netwatch utility the connection is up.
hope this helps everyone
Re: ipsec tunnel issues
I'm having the same issue for some reason if their is not regular traffic over IPSEC the tunnels quit working. If I disable IPSEC and just use the IPIP tunnel without it things work fine. If i ping each in of the tunnel from each router the tunnel comes back up. I need to know how to fix this i guess i could put in place a script that will ping things every min or so but that seems like a duct tape work around. The other thing i have noticed is that using a L2TP tunnel with IPSEC works all of the time it doesn't go down.
I don't think i have configuration issue but it's certainly possible.
Thanks
Tyler Costantini
I don't think i have configuration issue but it's certainly possible.
Thanks
Tyler Costantini
Re: ipsec tunnel issues
Have you tried the setting DPD (Dead Peer Detection)? If I understood correctly, it is exactly what you need.
You do not have the required permissions to view the files attached to this post.