BlackRat
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jul 21, 2012 8:37 am

IPSec tunnel become unavailable

Fri Oct 16, 2015 10:14 am

Hi.
I have a customer with two locations connected by an IPSec tunnel.
One location: RB1200 v.6.28
Second location: RB2011LS v.6.32.2

Sometimes the IPSec tunnel stops working and I can't find a reason and a method to restore the tunnel.
While IPSec is not working I see that internet on both sides is working perfectly.

Who can help?
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: IPSec tunnel become unavailable

Fri Oct 16, 2015 10:34 am

This can be an issue of mismatching lifetimes (peer definition as well as proposal) or lifebytes (peer definition).
Additionally, make sure that both Peers sync against the very same NTP server. IPsec is very delicate in timing.

Cheers
-Chris
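
An added example, not part of the thread or any poster's code: a Python check for the lifetime and lifebytes mismatch described in the post above, run over the `/ip ipsec` export text of both routers. The export snippets, addresses and the one-peer, one-proposal layout are constructed assumptions.

```python
import re

# Constructed sample exports (assumed RouterOS v6 syntax), one per router.
SITE_A = """/ip ipsec peer
add address=198.51.100.2/32 lifetime=1d lifebytes=0
/ip ipsec proposal
set [ find default=yes ] lifetime=30m
"""
SITE_B = """/ip ipsec peer
add address=203.0.113.2/32 lifetime=8h lifebytes=0
/ip ipsec proposal
set [ find default=yes ] lifetime=30m
"""

UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
# Timer settings named in the post above: peer lifetime/lifebytes, proposal lifetime.
CHECKED = {"/ip ipsec peer": ("lifetime", "lifebytes"),
           "/ip ipsec proposal": ("lifetime",)}

def to_seconds(value):
    """Convert a duration such as 1d, 30m, 1h30m or 00:30:00 to seconds."""
    if ":" in value:
        h, m, s = (int(p) for p in value.split(":"))
        return h * 3600 + m * 60 + s
    parts = re.findall(r"(\d+)([wdhms])", value)
    if not parts:
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def timers(export):
    """Return {(section, key): value} for the checked settings (last entry wins)."""
    found, section = {}, None
    text = re.sub(r"\\\n\s*", "", export)  # join lines continued with a backslash
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section in CHECKED and line.startswith(("add ", "set ")):
            for key, value in re.findall(r"([\w-]+)=(\S+)", line):
                if key in CHECKED[section]:
                    found[section, key] = to_seconds(value) if key == "lifetime" else int(value)
    return found

def mismatches(a, b):
    """List (section, key, value_a, value_b) wherever the two routers disagree."""
    ta, tb = timers(a), timers(b)
    return [(s, k, ta.get((s, k)), tb.get((s, k)))
            for s, k in sorted(set(ta) | set(tb)) if ta.get((s, k)) != tb.get((s, k))]

if __name__ == "__main__":
    for section, key, a, b in mismatches(SITE_A, SITE_B):
        print(f"{section} {key}: site A = {a}, site B = {b}")
```

A value of `None` in the output means the setting did not appear in that router's export, so it has to be compared against that router's default by hand.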
 
BartoszP
Forum Guru
Posts: 3096
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: IPSec tunnel become unavailable

Fri Oct 16, 2015 10:39 am

Hi,

1. Set up netwatch to ping the other end of the tunnel on both sides. It helps keep it up.
2. If the tunnel goes down, the best way (so far) is to "kill" the peer in /ip ipsec .... to make it work again.
 
BlackRat
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jul 21, 2012 8:37 am

Re: IPSec tunnel become unavailable

Fri Oct 16, 2015 10:54 am

> This can be an issue of mismatching lifetimes (peer definition as well as proposal) or lifebytes (peer definition).
> Additionally, make sure that both Peers sync against the very same NTP server. IPsec is very delicate in timing.
>
> Cheers
> -Chris

Yeah! I found a lifetime mismatch! Thank you!
 
BlackRat
Member Candidate
Topic Author
Posts: 105
Joined: Sat Jul 21, 2012 8:37 am

Re: IPSec tunnel become unavailable

Fri Oct 16, 2015 11:17 am

OK. Another problem.
I have two locations. Both locations have two ISPs (active-backup). And both locations use simple recursive routing for failover. I created 4 ipip tunnels.
The office locations have the same config:
  • ipip-main-isp-remotemain-isp
  • ipip-main-isp-remotebackup-isp
  • ipip-backup-isp-remotemain-isp
  • ipip-backup-isp-remotebackup-isp
It works perfectly WITHOUT IPSec. When I turn on the IPSec password (and check the IPSec proposal settings for the same settings) I sometimes have trouble:
phase1 negotiation failed due time up xxx.xxx.xxx.xxx[500] <=> yyy.yyy.yyy.yyy[1] c4cfd9.....ee43
The ports in the "[ ]" may be different: 4500 and 4500, 500 and 1, 500 and 2.
But I found that at this time the internet interfaces are accessible. :(

Time: I use the SNTP client.
Proposals: identical on both gateways.

:(
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: IPSec tunnel become unavailable

Fri Oct 16, 2015 11:29 am

Do you mark connections and routing for your incoming connections on the WAN ports?