beejayzed
just joined
Topic Author
Posts: 1
Joined: Fri May 26, 2017 10:28 pm

IPSec becomes corrupted after PPPOE reconnects

Fri May 26, 2017 11:05 pm

Hi all

We have a Mikrotik (hEX lite) -> Mikrotik (RB750GL) ipsec site to site vpn set up from a branch office to our main office. Yesterday, I replaced the branch office router (with a new hEX lite) because the vpn link was acting strangely under load.

The issue we are facing since the new installation is that the vpn link shuts down and refuses to reconnect after an internet outage. The MikroTik is running a PPPOE client connected to a bridged modem. The only way to get the vpn link up again is to reboot the router which had its ppp link reset. Below is a log starting from an established ipsec connection, to after the PPPOE client reconnects:

may/27 07:26:53 ipsec,info respond new phase 1 (Identity Protection): 203.173.163.191[500]<=>203.118.137.74[500]
may/27 07:26:54 ipsec,info ISAKMP-SA established 203.173.163.191[500]-203.118.137.74[500] spi:d3ec45fb04e861d5:a9ac45cecdaa51bf
may/27 07:35:01 pppoe,ppp,info pppoe-out1: terminating... - administrator request
may/27 07:35:01 pppoe,ppp,info pppoe-out1: disconnected
may/27 07:35:01 pppoe,ppp,info pppoe-out1: initializing...
may/27 07:35:01 pppoe,ppp,info pppoe-out1: connecting...
may/27 07:35:01 system,info device changed by admin
may/27 07:35:04 pppoe,ppp,info pppoe-out1: authenticated
may/27 07:35:04 pppoe,ppp,info pppoe-out1: connected
may/27 07:37:35 ipsec,info purging ISAKMP-SA 203.173.163.191[500]<=>203.118.137.74[500] spi=eaab6c07091fe751:9a9bb03101b99138.
may/27 07:37:36 ipsec,info ISAKMP-SA deleted 203.173.163.191[500]-203.118.137.74[500] spi:eaab6c07091fe751:9a9bb03101b99138 rekey:1
may/27 07:37:38 ipsec,info purging ISAKMP-SA 203.173.163.191[500]<=>203.118.137.74[500] spi=d3ec45fb04e861d5:a9ac45cecdaa51bf.
may/27 07:37:39 ipsec,info ISAKMP-SA deleted 203.173.163.191[500]-203.118.137.74[500] spi:d3ec45fb04e861d5:a9ac45cecdaa51bf rekey:1
may/27 07:37:45 ipsec,info initiate new phase 1 (Identity Protection): 203.173.163.191[500]<=>203.118.137.74[500]
may/27 07:38:45 ipsec,error phase1 negotiation failed due to time up 203.173.163.191[500]<=>203.118.137.74[500] 3dba98f0205561b5:0000000000000000

Any suggestions? Thanks in advance
 
luigimallia
just joined
Posts: 1
Joined: Wed Oct 04, 2017 10:19 am

Re: IPSec becomes corrupted after PPPOE reconnects

Wed Oct 04, 2017 10:36 am

Hi All Good morning.

We have a similar issue at our end too with PPPOE WAN and L2TP/IPSEC VPN.

We basically have a Hexlite (RB750r2) with L2TP/IPSEC configured, that is connected to the internet via a PPPOE connection to a bridged modem.
Following a reboot of either the modem or the mikrotik router the PPPOE connection would not be able to connect again.
The only way we found to revive the PPPOE connection is to disable the L2TP server from the PPP section on the mikrotik (disabling the VPN).

Any help on this matter would be greatly appreciated.

Thanks and kind regards,
Luigi
 
zKos
just joined
Posts: 1
Joined: Mon Jan 22, 2018 4:44 pm

Re: IPSec becomes corrupted after PPPOE reconnects

Mon Jan 22, 2018 5:19 pm

I have a similar problem to luigimallia's. My internet provider has defined a PPPoE session timeout every 12h, so after the PPPoE connection is re-established, the IPsec negotiation with the remote peer never reaches the established state.
I have tested with an RB951 and an RB2011 on the client side, and with an RB951 and a Check Point at the HQ location, but the results were similar; I always got the response: ipsec,error phase1 negotiation failed due to time up.
When the tests were with an RB on both sides, I torched the WAN interfaces for traffic between the static IP addresses, and all other traffic was exchanged normally (ping, telnet, ssh) except ISAKMP [port 500]. The IPsec initiator logs that there are attempts to exchange packets with the remote peer, but on the other side there was no incoming packet from its IP on port 500.

Resetting the PPPoE session manually (pppoe-client disable/enable) was not a solution, but resetting the physical port (Ethernet1-Gateway in my case) solves the problem, and the IPsec tunnel goes to state: established. As a temporary solution I have a small script and the netwatch tool monitoring an IP through the tunnel; when this monitor changes state to DOWN, the script first deactivates the PPPoE client, then disables the Ethernet port, and after a one-second delay enables the Ethernet port again and then activates the PPPoE client. Shortly after this script is executed, the IPsec tunnel is live again.
This explains why luigimallia gets the VPN link up by restarting the router. This solution takes a little longer :-)
Regards
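The workaround zKos describes (netwatch pings a host behind the tunnel; on DOWN, disable the PPPoE client, disable the WAN Ethernet port, wait one second, re-enable the port, re-enable the PPPoE client), written out as RouterOS v6 script. This is an added example, not zKos's own script, which was never posted in the thread. The interface names pppoe-out1 and ether1, the monitored host 192.168.10.1 and the script name bounce-wan are assumptions; adjust them to the site. It adds one check zKos did not mention: the port is only cycled while the PPPoE session is actually up, so a genuine ISP outage does not turn into an endless bounce loop every netwatch interval.

```routeros
# Added example, not from the thread. Assumed names: pppoe-out1 (PPPoE client),
# ether1 (physical WAN port), 192.168.10.1 (a host on the remote LAN that is only
# reachable through the IPsec tunnel), bounce-wan (this script).
#
# policy=read,write,test is the minimum the script needs: it reads interface
# state and enables/disables interfaces, nothing more.
/system script add name=bounce-wan policy=read,write,test source={
    :local pppoe "pppoe-out1"
    :local wanPort "ether1"

    # Only bounce when the PPPoE session itself is up. If the WAN is really down
    # (ISP outage, modem rebooting), cycling the port achieves nothing and
    # would repeat on every netwatch interval while the peer stays unreachable.
    :if ([/interface get [find name=$pppoe] running] = true) do={
        :log warning ("bounce-wan: tunnel peer unreachable while " . $pppoe . " is up, cycling " . $wanPort)

        # Same order zKos describes: PPPoE client first, then the physical port.
        /interface pppoe-client disable [find name=$pppoe]
        /interface ethernet disable [find name=$wanPort]
        :delay 1s
        /interface ethernet enable [find name=$wanPort]
        /interface pppoe-client enable [find name=$pppoe]
    } else={
        :log info ("bounce-wan: " . $pppoe . " is not running, leaving the WAN alone")
    }
}

# netwatch pings the remote-LAN host every 30 s and runs the script on the
# UP -> DOWN transition only; it does not re-run while the host stays down.
/tool netwatch add host=192.168.10.1 interval=30s timeout=3s down-script="/system script run bounce-wan" up-script=":log info \"netwatch: tunnel peer 192.168.10.1 reachable again\""
```

Two things to check before relying on this. First, the ping must actually enter the tunnel: with a policy-based IPsec tunnel the router's own ping has to be sourced from an address inside the policy's src-address, and by default router-originated traffic to the remote LAN leaves with the PPPoE address as source. The usual way round that is a route for the remote LAN via pppoe-out1 with pref-src set to the local LAN address (an assumption about your layout, not something the thread states). Second, pick a monitored host that is always up; if it is a workstation that gets switched off, netwatch will bounce the WAN for a reason unrelated to IPsec.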
 
DirtyHarry
just joined
Posts: 16
Joined: Thu Apr 14, 2016 4:22 pm

Re: IPSec becomes corrupted after PPPOE reconnects

Thu Mar 08, 2018 9:19 am

> I have a similar problem to luigimallia's. My internet provider has defined a PPPoE session timeout every 12h, so after the PPPoE connection is re-established, the IPsec negotiation with the remote peer never reaches the established state.
> I have tested with an RB951 and an RB2011 on the client side, and with an RB951 and a Check Point at the HQ location, but the results were similar; I always got the response: ipsec,error phase1 negotiation failed due to time up.
> When the tests were with an RB on both sides, I torched the WAN interfaces for traffic between the static IP addresses, and all other traffic was exchanged normally (ping, telnet, ssh) except ISAKMP [port 500]. The IPsec initiator logs that there are attempts to exchange packets with the remote peer, but on the other side there was no incoming packet from its IP on port 500.
>
> Resetting the PPPoE session manually (pppoe-client disable/enable) was not a solution, but resetting the physical port (Ethernet1-Gateway in my case) solves the problem, and the IPsec tunnel goes to state: established. As a temporary solution I have a small script and the netwatch tool monitoring an IP through the tunnel; when this monitor changes state to DOWN, the script first deactivates the PPPoE client, then disables the Ethernet port, and after a one-second delay enables the Ethernet port again and then activates the PPPoE client. Shortly after this script is executed, the IPsec tunnel is live again.
> This explains why luigimallia gets the VPN link up by restarting the router. This solution takes a little longer :-)
> Regards

Would you mind posting your script? I have the same issue at about 10 sites and it would be great to have it resolved.
 
mattstephenson
newbie
Posts: 48
Joined: Wed Feb 01, 2017 1:03 am
Location: UK

Re: IPSec becomes corrupted after PPPOE reconnects

Sun Jun 02, 2019 3:35 pm

I have the exact same problem whenever PPPoE is reestablished quickly (because of some ISP drop - usually during maintenance), it requires a reboot of the router to restore IPSec tunnels.

Has been this way for years and running all firmwares from 6.35 to current 6.44.3
 
sindy
Forum Guru
Posts: 11318
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec becomes corrupted after PPPOE reconnects

Sun Jun 02, 2019 5:12 pm

Is the address assigned by the ISP to the PPPoE interface the same before and after the PPPoE outage or it changes?
 
mattstephenson
newbie
Posts: 48
Joined: Wed Feb 01, 2017 1:03 am
Location: UK

Re: IPSec becomes corrupted after PPPOE reconnects

Mon Jun 03, 2019 1:27 am

> Is the address assigned by the ISP to the PPPoE interface the same before and after the PPPoE outage or it changes?

Yes, they are all public static IP addresses between the tunnels.