IPSec, Ike2 Phase 1 lifetime expiration: no renegotiation, tunnel just killed
Posted: Sun Feb 07, 2021 8:30 pm
Dear all,
I have a successfully running IPsec connectivity with several endpoints of several brands (i.e. MikroTik with macOS, OPNsense, FritzBox ...).
Sometimes my MikroTik acts as server, sometimes as client.
However, each time I notice that a few minutes before IPsec IKE2 phase 1 expiry, the tunnel is killed instead of being renegotiated, and then the other endpoint restarts the connectivity.
Typically this is the only message I see on the logs:
killing ike2 SA: 192.168.xx.xx[4500]-90.xx.xx.xx[4500] spi:41dedfecbb1d8781:835e15596b3d17a4
For details:
- The Phase 1 lifetime is set to 24H (in IP > IPsec > Profiles)
- this log message usually shows ~12-15 minutes before the full 24H are elapsed
- my Phase 2 are set to 8H and renegotiate without issue within this 24H interval
- it happens no matter which the other endpoint is, and whether the MikroTik is server or client: I have observed this to happen when MikroTik is a server and OPNsense is client, or when MikroTik is server and macOS is client, or when MikroTik is client and FritzBox is server
I am running RouterOS 6.48.1 on a CCR1009-7G-1C-1S+
Kind Regards
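The symptom above (a phase 1 SA killed a few minutes before its 24H lifetime, with no replacement SA negotiated first) can be pulled out of the router log automatically. The following Python script is an added example for this thread, not code from the poster or from MikroTik. Only the "killing ike2 SA: ... spi:..." message text follows the line quoted in the post; the "mon/dd hh:mm:ss topics message" line layout, the "IKE2 SA established" wording used to spot a rekey, the 2021 year (RouterOS timestamps carry no year) and every address, SPI and timestamp in the sample log are assumptions constructed for the example. It reports each SA torn down within a margin of the configured phase 1 lifetime and whether a new SA to the same peer was already up at that moment (a proper rekey) or not (the silent teardown the post describes).

```python
"""Flag IKEv2 phase 1 SAs torn down just before lifetime expiry without a rekey."""
import re
from datetime import datetime, timedelta

# Assumed RouterOS-style layout: "<mon>/<dd> <hh:mm:ss> <topics> <message>".
LINE_RE = re.compile(
    r"^(?P<ts>[a-z]{3}/\d{2} \d{2}:\d{2}:\d{2}) (?P<topics>\S+) (?P<msg>.*)$"
)
# "killing ike2 SA" follows the post's log line; "IKE2 SA established" is assumed.
SA_RE = re.compile(
    r"^(?P<event>IKE2 SA established|killing ike2 SA): "
    r"(?P<local>[\d.]+)\[\d+\]-(?P<remote>[\d.]+)\[\d+\] "
    r"spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)$"
)

# Constructed sample log (documentation-range addresses, made-up SPIs and times):
#   peer 198.51.100.7  : rekeyed normally (new SA up one minute before the old is killed)
#   peer 198.51.100.20 : killed early (2H old), not a lifetime problem
#   peer 203.0.113.9   : killed ~13 minutes before the 24H lifetime, new SA only afterwards
SAMPLE_LOG = """\
feb/06 10:00:00 ipsec,info IKE2 SA established: 192.0.2.1[4500]-198.51.100.7[4500] spi:aaaa000000000001:bbbb000000000001
feb/06 20:12:03 ipsec,info IKE2 SA established: 192.0.2.1[4500]-203.0.113.9[4500] spi:cccc000000000001:dddd000000000001
feb/07 08:00:00 ipsec,info IKE2 SA established: 192.0.2.1[4500]-198.51.100.20[4500] spi:eeee000000000001:ffff000000000001
feb/07 09:44:00 ipsec,info IKE2 SA established: 192.0.2.1[4500]-198.51.100.7[4500] spi:aaaa000000000002:bbbb000000000002
feb/07 09:45:00 ipsec,info killing ike2 SA: 192.0.2.1[4500]-198.51.100.7[4500] spi:aaaa000000000001:bbbb000000000001
feb/07 10:00:00 ipsec,info killing ike2 SA: 192.0.2.1[4500]-198.51.100.20[4500] spi:eeee000000000001:ffff000000000001
feb/07 19:58:41 ipsec,info killing ike2 SA: 192.0.2.1[4500]-203.0.113.9[4500] spi:cccc000000000001:dddd000000000001
feb/07 19:58:45 ipsec,info IKE2 SA established: 192.0.2.1[4500]-203.0.113.9[4500] spi:cccc000000000002:dddd000000000002
"""


def parse_ts(ts: str, year: int) -> datetime:
    """RouterOS log timestamps have no year, so the caller supplies one (assumed)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b/%d %H:%M:%S")


def analyze(log_text, phase1_lifetime=timedelta(hours=24),
            margin=timedelta(minutes=30), year=2021):
    """Return one finding per IKE SA killed within `margin` of the end of
    `phase1_lifetime`, noting whether a replacement SA to the same peer was
    already established when the old one was killed (i.e. a real rekey)."""
    established = {}   # spi -> (time the SA came up, (local, remote) peer pair)
    live_by_peer = {}  # peer pair -> set of SPIs currently up
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sa = SA_RE.match(m.group("msg"))
        if not sa:
            continue
        when = parse_ts(m.group("ts"), year)
        peer = (sa.group("local"), sa.group("remote"))
        spi = sa.group("spi")
        if sa.group("event") == "IKE2 SA established":
            established[spi] = (when, peer)
            live_by_peer.setdefault(peer, set()).add(spi)
            continue
        # "killing ike2 SA": measure the SA's age against the configured lifetime.
        start = established.pop(spi, None)
        if start is None:
            continue  # kill of an SA whose establishment is not in this log window
        live = live_by_peer.get(peer, set())
        live.discard(spi)
        age = when - start[0]
        remaining = phase1_lifetime - age
        if timedelta(0) <= remaining <= margin:
            findings.append({
                "spi": spi,
                "peer": peer,
                "age_minutes": int(age.total_seconds() // 60),
                "remaining_minutes": int(remaining.total_seconds() // 60),
                "rekeyed_before_kill": bool(live),  # another SA to this peer was up
            })
    return findings


def silent_expiries(log_text, **kwargs):
    """Only the findings that match the post's symptom: killed near expiry, no rekey."""
    return [f for f in analyze(log_text, **kwargs) if not f["rekeyed_before_kill"]]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        state = "rekeyed first" if f["rekeyed_before_kill"] else "NO rekey before kill"
        print(f"{f['peer'][1]:>15} spi {f['spi']}: killed {f['remaining_minutes']} min "
              f"before lifetime expiry, {state}")
```

Run it against `/log print` output (with the topics column kept) and adjust `phase1_lifetime` to the value in IP > IPsec > Profiles; a peer that shows up repeatedly with "NO rekey before kill" is the one to look at. The year assumption only matters for logs that cross a year boundary.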