NordVPN IKEv2 connection hanging - how to fix?

jdub88 · Wed Dec 21, 2022 1:24 pm

Hey Everyone,

I am trying to troubleshoot a troublesome issue with a NordVPN on my Hex S (software version v6.49.7)

I am using the fairly tried and tested config that sends all traffic behind the Mikrotik over the VPN, plus the killswitch/blackhole config. This has been in place for a while, but occasionally (though can sometimes be several times in a short burst) traffic will stop passing until I flush the SAs (or reboot!). There is no clear trend or trigger, and it's not after a set amount of time. Sometimes I can go all day and have no problem, other times I have to literally keep a console window open to flush SAs as it's so unstable

My IPSEC/mangle config is as follows

/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add enc-algorithm=aes-128 hash-algorithm=sha256 name=NordVPN
/ip ipsec peer
add address=xxxxx.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 name=NordVPN pfs-group=none
/ip firewall address-list
add address=192.168.88.0/24 list=local
add address=192.168.88.2-192.168.88.254 list=local-range
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    disabled=yes
/ip firewall mangle
add action=mark-connection chain=forward ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=in,ipsec new-connection-mark=ipsec
add action=mark-routing chain=prerouting new-routing-mark=via-vpn passthrough=yes src-address-list=local
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none \
    out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate=root.der_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN \
    peer=NordVPN policy-template-group=NordVPN username=xxxxxxxxxxx
/ip ipsec policy
set 0 disabled=yes
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0
add disabled=yes dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=blackhole routing-mark=via-vpn

I note I have the line 'add disabled=yes dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes' I dont recall why this is disabled - can anyone comment?

Using ping tool, I notice that if the VPN drops, pings will fail, but the ping tool itself does not let me run any action or script. I did find a thread about this topic and a ping script but I could not seem to get it to run. Example the last comment here seems to be my experience too: viewtopic.php?p=587765 and also here: viewtopic.php?p=587528

Can I test scripts via console first? That's not something I have tried before (eg I can't see a way to see the output of the script as its ran)

I tried using Netwatch, but oddly when the VPN is down, pings still succeed, and I don't see a way to make sure that traffic goes over the VPN

The idea for the above to points being to flush SAs when pings fail.

- Are there any crypto settings I could try differently?
- Are there any specific log lines that may help? I tried adding IPSEC to the logs but there did not seem to be anything obvious/incriminating when an issue occurs.
- I am happy to flush ALL SAs because this device only has a single tunnel for all traffic, so any wider impact is not a concern here as it would be for others

I understand I could leverage Wireguard, but that is a significant upgrade with a new learning curve entirely (and my existing config will not directly port to V7 so I can't have like for like without more research and testing). The hardware accelleration on the Hex S (the main reason I bought it to upgrade my old hAP Lite) makes performance very good, however there is a stability issue with my current config.

As this is acting purely as a VPN client, there's no 'other end' device for me to troubleshoot, but I do note that my config differs slightly from the current Nord guide here: https://support.nordvpn.com/Connectivit ... ordVPN.htm - Namely I note they don't boost the crypto like I have

Many Thanks in advance!

jdub88 · Wed Dec 21, 2022 2:01 pm

Just wondering, could DPD and/or NAT-T be playing a part here? It is not something I have configured manually but I see it set as follows:

[admin@MikroTik] /ip ipsec profile> print detail
Flags: * - default
 1   name="NordVPN" hash-algorithm=sha256 enc-algorithm=aes-128 dh-group=modp2048,modp1024 lifetime=1d
     proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

Example SA:

[admin@MikroTik] /ip ipsec active-peers> /ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
 0 HE spi=0xxxxx src-address=xxxxxxx:4500 dst-address=1xxxxxx:4500 state=mature auth-algorithm=sha256
      enc-algorithm=aes-cbc enc-key-size=128
      auth-key="xxxx"
      enc-key="xxxxxxx" addtime=dec/21/2022 11:44:47 expires-in=29m add-lifetime=24m5s/30m7s
      current-bytes=53787485 current-packets=38764 replay=128

Can I also just refresh my memory in that Profile = Phase 1 and Proposal = Phase 2?

jdub88 · Wed Dec 21, 2022 9:36 pm

So earlier I upped my Proposal lifetime from 30m to 8h and changed the Policy & Proposal crypto to aes-256 - the tunnel has been up since, no blips, too early to tell if it's helped..the thing is, the stability problem did not present at/around 30 mins so not sure why it would be this.... Will update the thread with results of tinkering, in case this helps anyone in future..coming up on 8h soon, so that will be interesting.

shogunx · Thu Dec 22, 2022 2:09 am

Hmm Interesting... can i infer from your post that you're still using ROS 6.x? I have basically the same setup - hEX as an IKEv2 client to Nord - and it was working pretty flawlessly until I upgraded the firmware from 6.49 to 7.6 the other day. Since then I have been experiencing what sounds like the same symptoms as you:

Tunnel establishes fine
traffic seems to stop passing after an arbitrary period of time,
tunnel will successfully rekey at expiration of SA and traffic starts passing again
flushing the active SA also temporarily fixes the problem
Nothing in the IPSec debug logs to indicate there is any problem

I was thinking of downgrading the firmware because the most likely explanation i could come up with was some bug in 7.x IPSec which wasn't in 6.x, but maybe the timing is just coincidental, and Nord have changed something.... I wonder if there are any other Nord users out there having similar problems.

EDIT: I have also tried dropping the DPD interval from 120 to 60 seconds, which seems to have improved the situation (less frequent drop outs), but not entirely resolved it.

doorcandycane · Thu Dec 22, 2022 4:33 am

As far as I know (please correct me if I'm wrong), the IP addresses of the validation servers are kept secret on purpose.

jdub88 · Thu Dec 22, 2022 10:16 am

Yes that's correct - I am still on v6 - v6.49.7 to be precise. I only went to this version recently, previously I was on a previous stable 6.49.x so not too old. The problem has presented itself for a while, but has felt a lot worse lately. Interesting to see you have a similar issue.

The symptoms you describe match mine. However I can't fully attest to 'tunnel will successfully rekey at expiration of SA and traffic starts passing again' - I don't usually wait, but do often return to find its hung, so I can't be sure if this particular point fits with my experience.

I actually have tried upgrading to v7.6 but rather quickly realised it wasn't just upgrade and go - how did you deal with the changes in v7 for the marking? Would you mind sharing your IPSEC/NAT/FIrewall/Route config for your Nord tunnel? I had considered migrating over to Wireguard to fix this but that's got it's own set of new challenges, not least of which is the learning curve

It would be good to compare profile and proposal settings too

By way of another update, the tunnel sailed on past the 8h lifetime I set and is still up now

[admin@MikroTik] > /ip ipsec active-peers print detail
Flags: R - responder, N - natt-peer
 0 RN id="xxxx.nordvpn.com" local-address=xxxx port=4500 remote-address=xxx port=4500
      state=established side=responder uptime=19h46m13s last-seen=1m55s ph2-total=1 spii="xxxx"
      spir="yyyy"

[admin@MikroTik] > /ip ipsec installed-sa print
Flags: 
H - hw-aead, A - AH, E - ESP
 0 HE spi=0xxxxsrc-address=xxxx:4500 dst-address=xxx:4500 state=mature auth-algorithm=sha256
      enc-algorithm=aes-cbc enc-key-size=256
      auth-key="xxxxxx"
      enc-key="yyyyyyy" addtime=dec/22/2022 07:32:33
      expires-in=7h12m1s add-lifetime=6h24m4s/8h6s current-bytes=1215061684 current-packets=912819 replay=128

This is definitely the longest period of stability I can recall in a long time

shogunx · Fri Dec 23, 2022 6:33 am

Yes that's correct - I am still on v6 - v6.49.7 to be precise. I only went to this version recently, previously I was on a previous stable 6.49.x so not too old. The problem has presented itself for a while, but has felt a lot worse lately. Interesting to see you have a similar issue.

The symptoms you describe match mine. However I can't fully attest to 'tunnel will successfully rekey at expiration of SA and traffic starts passing again' - I don't usually wait, but do often return to find its hung, so I can't be sure if this particular point fits with my experience.

I actually have tried upgrading to v7.6 but rather quickly realised it wasn't just upgrade and go - how did you deal with the changes in v7 for the marking? Would you mind sharing your IPSEC/NAT/FIrewall/Route config for your Nord tunnel? I had considered migrating over to Wireguard to fix this but that's got it's own set of new challenges, not least of which is the learning curve

It would be good to compare profile and proposal settings too

I ended up downgrading back to 6.49.7... the problem hasn't gone away but it doesn't seem as bad as it was on 7.6 - I might give your proposal changes a go and see if it helps. I definitely come back to the find the tunnel is unresponsive - I definitely think idle time is a contributing factor - but sometimes it seems like is dies just minutes after flushing, other times i will last almost the whole 30 minute lifetime.

Regarding my IPSec config, I didn't change it at all when I upgraded, I didn't realise it was necessary TBH, the tunnel was established and when it worked it worked, until it didnt, then it was broken for everything.

Here is my config FYI:

/ip ipsec mode-config
add connection-mark=vpn name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add dpd-interval=1m dpd-maximum-failures=3 name=NordVPN
/ip ipsec peer
add address=au652.nordvpn.com exchange-mode=ike2 name=NordVPN-au652 profile=NordVPN
add address=au764.nordvpn.com disabled=yes exchange-mode=ike2 name=NordVPN-au764 profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN-au652 policy-template-group=\
    NordVPN username="XXXXXX"
/ip ipsec policy
add action=none dst-address=<LOCAL SUBNET> src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes

/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!ipsec connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward connection-mark=!vpn in-interface-list=LAN log=yes out-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=!<DIRECT HOSTS> new-connection-mark=vpn passthrough=yes src-address-list=local
add action=change-mss chain=forward new-mss=1395 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!1-1395
/ip firewall nat
add action=masquerade chain=srcnat dst-address-list=<DIRECT HOSTS> ipsec-policy=out,none out-interface-list=WAN src-address-list=local
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat

jdub88 · Fri Dec 23, 2022 11:13 am

Regarding Nord on v7.6 I started a separate thread here: viewtopic.php?p=973347&hilit=migrating+ ... rd#p973347 - this then has some really handy comments, one of which explains the differences. Our configs appear slightly different, so perhaps did not impact you. This migration is however a project for a rainy day for me!

I just had a freeze in my connection, hopped onto the Mikrotik UI and a rekey had just happened and there were brand new SAs...so can't be a coincidence. However, the connectivity did resolve itself soon after without a manual clearout..which is also a bit of a first

Really stuck trying to understand why this can be so ungracious at times, however, it's way more reliable in the last 48 hours - wether or not that is just by chance remains to be seen

mrshaba · Sat Dec 24, 2022 7:35 pm

I'm also still running v6.49.7 on my CCR1009 router, and out of sudden started to experience the same issue. Nothing was changed on the router for months, so can't be the setup because it used to work absolutely fine for quite some while.

I fear something might have changed at NordVPN end, but I'm not an expert and hence not able to prove that suspicion.

jdub88 · Thu Dec 29, 2022 12:44 pm

Can you share your IPSEC settings?

I have had a very stable connection since changing lifetimes & crypto settings, but not enough hard evidence to say it's definitely a fix

mrshaba · Fri Dec 30, 2022 12:05 pm

Below is my config. What settings are you using now for lifetimes & crypto?

/ip ipsec mode-config
add connection-mark=to_nordvpn name="modeconf NordVPN" responder=no use-responder-dns=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add dh-group=modp2048 dpd-interval=5m enc-algorithm=aes-256 hash-algorithm=sha512 name=profileNordVPN nat-traversal=no
/ip ipsec peer
add address=us9329.nordvpn.com exchange-mode=ike2 name="peer NordVPN" profile=profileNordVPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=52w1d name="proposal NordVPN" pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=\
    "modeconf NordVPN" password=xxxx peer="peer NordVPN" policy-template-group=NordVPN username=yyyy
/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 group=NordVPN proposal="proposal NordVPN" src-address=0.0.0.0/0 template=yes


/ip ipsec active-peers print detail
Flags: R - responder, N - natt-peer
 0 R  id="us9329.nordvpn.com" local-address=1xx.1xx.1xx.xx port=4500 remote-address=217.138.208.171 port=4500
      state=established side=responder uptime=19h36m10s last-seen=17s ph2-total=1 spii="aaaa"
      spir="bbbb"


/ip ipsec installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
 0 HE spi=0x487F8A2 src-address=217.138.208.171 dst-address=1xx.1xx.1xx.xx state=mature auth-algorithm=sha256
      enc-algorithm=aes-cbc enc-key-size=256
      auth-key="aaaa"
      enc-key="bbbb" addtime=dec/29/2022 14:39:42
      expires-in=52w3h45m47s add-lifetime=41w5d18s/52w1d23s current-bytes=8003438 current-packets=5999 replay=128

 1 HE spi=0xCEC983D6 src-address=1xx.1xx.1xx.xx dst-address=217.138.208.171 state=mature auth-algorithm=sha256
      enc-algorithm=aes-cbc enc-key-size=256
      auth-key="aaaa"
      enc-key="bbbb" addtime=dec/29/2022 14:39:42
      expires-in=52w3h45m47s add-lifetime=41w5d18s/52w1d23s current-bytes=835672 current-packets=12696 replay=128

jdub88 · Fri Dec 30, 2022 1:33 pm

My settings:

/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=NordVPN
/ip ipsec peer
add address=xxxx.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate=root.der_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN \
    peer=NordVPN policy-template-group=NordVPN username=xxxxxx
/ip ipsec policy
set 0 disabled=yes
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0
add disabled=yes dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes

[admin@MikroTik] /ip ipsec> /ip ipsec active-peers print detail
Flags: R - responder, N - natt-peer
 0 RN id="xxxx.nordvpn.com" local-address=xxxxx.197 port=4500 remote-address=x.x.x.x port=4500
      state=established side=responder uptime=1w1d23h9m32s last-seen=1m48s ph2-total=1 spii="1111"
      spir="2222"

Flags: H - hw-aead, A - AH, E - ESP
 0 HE spi=0x59D8184 src-address=x.x.x.x:4500 dst-address=y.y.y.y:4500 state=mature auth-algorithm=sha256
      enc-algorithm=aes-cbc enc-key-size=256
      auth-key="xxxxx"
      enc-key="xxxxx" addtime=dec/30/2022 07:34:33
      expires-in=4h4m14s add-lifetime=6h24m4s/8h6s current-bytes=2680640489 current-packets=1918692 replay=128

[admin@MikroTik] /ip ipsec> profile print detail
Flags: * - default
 1   name="NordVPN" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048,modp1024 lifetime=1d
     proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5

[admin@MikroTik] /ip ipsec> proposal print detail
Flags: X - disabled, * - default

 1    name="NordVPN" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h pfs-group=none

mrshaba · Fri Dec 30, 2022 3:21 pm

thank you, will try slightly changed settings.

shogunx · Fri Jan 13, 2023 4:24 am

Anyone had any luck solving this or at least pin pointing the cause. I have tried tweaking my crypto settings and reverting firmware back to 6.48 LTS- but the problem persists. Or rather, it has returned. The past few weeks the VPN connection has been pretty stable and I havent had to flush the SA, but in the last day or so the symptoms have re-appeared and I'm back to having to keep a terminal session open to flush them when the tunnel stops working.

jdub88 · Sat Jan 14, 2023 1:41 pm

I've had very little problems since I made the tweaks I documented at the start of this thread. One thing that I do find I need to do from time to time is to change the server I'm connected to.

What I'd love to be able to do is point my config to some kind of VIP or CNAME, but I don't think NordVPN have such an endpoint (the logic here is that it would connect to a different server every time it starts a new connection based on whatever the VIP/CNAME resolves to. For example, <country>.nordvpn.com. This is of course more of a feature request than a config issue but it could help.

As an aside, does anyone have any suggestions for scripts to run to flush the SA's when connectivity drops? The examples I mentioned above don't seem to work, and the tools which would be useful don't let you specify a source. Would also be cool to have logic where if the connection drops, clear it down and connect to a new server entirely like in the above scenario,

jdub88 · Wed Feb 01, 2023 10:56 am

I've been using the following script to good effect to deal with drops automatically (I saved it as 'SA-script'):

:local IPWatchServer 8.8.8.8
:local OutInterface bridge
:if ([/ping interface=$OutInterface $IPWatchServer count=5]<3) do={
  /ip ipsec installed-sa flush 
  :log info "IPSEC tunnel is down: Flushing Installed SA !!!"
} else={
#  :log info "IPSEC tunnel is OK !"
}

Adapted from the example from stmx38 here viewtopic.php?p=587528

I noticed that the flush command in this example wasn't working:

/ip ipsec installed-sa flush sa-type=all

Changed to:

/ip ipsec installed-sa flush

Then set a schedule:

/system scheduler add name=checkSA on-event="SA-script" interval=1m

You can adapt the schedule and/or ping count to suit you, but be careful not to set it such that occasional regular ICMP packet loss isn't flapping your tunnel too much

nickba · Thu Mar 09, 2023 10:20 pm

Hello,

Thanks for all your information. I am having the same problems. I am willing to use your script, but in my case, the Mikrotik is not under the VPN because I need it that way. So how I can I ping through the VPN to test it?

nickba · Sat Mar 11, 2023 2:58 am

Anyone?

jdub88 · Wed Oct 18, 2023 3:10 pm

Sorry did not see this reply

It's been a while so I guess you sorted it, but not really sure what you meant in your question

Incidetally, I have not looked at this problem since I last updated the thread, everything has remained super stable.

NordVPN IKEv2 connection hanging - how to fix?

NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?

Re: NordVPN IKEv2 connection hanging - how to fix?