ufukguler
just joined
Topic Author
Posts: 3
Joined: Thu Oct 23, 2008 12:41 pm

IPSec Flushing SA

Sat Jul 17, 2010 6:23 am

Hi All,

Maybe this issue has been discussed before; I can't find any related topic about it. Is there any possibility to flush an individual installed SA instead of flushing all of them? During troubleshooting I often need to flush an individual SA manually. Thanks a lot.


Ufuk Guler
 
mrz
MikroTik Support
Posts: 7185
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec Flushing SA

Mon Jul 19, 2010 9:33 am

Unfortunately it is not possible. You can only flush all SAs.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: IPSec Flushing SA

Mon Jul 19, 2010 2:23 pm

Enabling Dead Peer Detection (DPD) really helped me when testing IPSec with Mikrotik. Restarting the remote router will flush just the SA of that peer.

Regards,
 
ufukguler
just joined
Topic Author
Posts: 3
Joined: Thu Oct 23, 2008 12:41 pm

Re: IPSec Flushing SA

Tue Jul 20, 2010 4:11 pm

Hi,

Thank you all for your replies. Flushing all SAs will affect other working VPN connections on the device. On the other hand, all other VPN peers will be forced to restart policy negotiation from the beginning, so device CPU usage will increase momentarily. DPD is a good solution, but rebooting the far-end router only for this purpose will affect customer services which are not related to the VPN. I hope a newer RouterOS release will have this valuable feature.

Ufuk Guler
 
mrz
MikroTik Support
Posts: 7185
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPSec Flushing SA

Wed Jul 21, 2010 9:21 am

DPD is a good solution, but rebooting the far-end router only for this purpose will affect customer services
Why do you need to reboot the router when DPD is enabled?
 
ufukguler
just joined
Topic Author
Posts: 3
Joined: Thu Oct 23, 2008 12:41 pm

Re: IPSec Flushing SA

Wed Jul 21, 2010 10:24 am

Hi,

Thanks for the clarification. You are right. We don't need to reboot the far-end device. I wrote it as a reply to "Enabling Dead Peer Detection (DPD) really helped me when testing IPSec with Mikrotik. Restarting the remote router will flush just the SA of that peer." I misstated my opinion. Thank you.

Ufuk Guler
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: IPSec Flushing SA

Thu Jul 22, 2010 11:58 am

Enabling DPD and rebooting the remote router is the only way I know to flush a specific SA in RouterOS... Is there any other way to do it?

Thanks!
 
BartoszP
Forum Guru
Posts: 2975
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: IPSec Flushing SA

Fri Aug 01, 2014 7:28 pm

Hi,

Tools/Netwatch, on both sides of the tunnel:

Set a ping to the IP of the other VPN tunnel end every 10 sec., or any other value which suits your needs.
In the down script put: /ip ipsec installed-sa flush

It helps a lot :)

Remember that ".. If you previously tried to establish tunnel before NAT bypass rule was added, you have to clear connection table from existing connection or restart the routers ...." (from the Wiki), so I manually kill peers after changing firewall rules to clear connections and make the new rules work.
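The Netwatch setup described above, written out as an added example in RouterOS command syntax (this is not BartoszP's configuration or anything shipped by MikroTik). The addresses are constructed: 203.0.113.1 is assumed to be router A's tunnel endpoint and 203.0.113.2 router B's; the 10 s interval follows the post, and the 1 s timeout and the log lines are my additions.

```routeros
# Added example, not from the thread. Constructed addresses:
#   203.0.113.1 = router A's public tunnel endpoint
#   203.0.113.2 = router B's public tunnel endpoint

# --- on router A: watch router B's endpoint ---
/tool netwatch add host=203.0.113.2 interval=10s timeout=1s \
    comment="IPsec peer B reachability" \
    down-script=":log warning \"peer 203.0.113.2 unreachable, flushing installed SAs\"; /ip ipsec installed-sa flush" \
    up-script=":log info \"peer 203.0.113.2 reachable again\""

# --- on router B: watch router A's endpoint ---
/tool netwatch add host=203.0.113.1 interval=10s timeout=1s \
    comment="IPsec peer A reachability" \
    down-script=":log warning \"peer 203.0.113.1 unreachable, flushing installed SAs\"; /ip ipsec installed-sa flush" \
    up-script=":log info \"peer 203.0.113.1 reachable again\""

# --- verification on either side ---
/tool netwatch print          # status column shows up/down per host
/ip ipsec installed-sa print  # should be empty right after a flush, then repopulate
/log print where message~"peer"
```

Two caveats worth keeping in mind with this trick. First, as mrz stated earlier in the thread, the flush command still drops every installed SA on the router, so Netwatch only automates when the flush happens; it does not make it per-peer. Second, Netwatch here pings the peer's public address, so it will not fire if the peer's WAN stays reachable while the tunnel itself is broken; watching an address inside the remote network catches that case, but only while the policy is actually carrying traffic.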
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: IPSec Flushing SA

Wed Aug 06, 2014 12:28 pm

Thanks for the info, but this is an ancient post!

At that time I wasn't aware of those tricks... nowadays I use them, and sometimes I also use some scripts and the scheduler (e.g. when the VPN has to be up for some hours a day).
 
HB1
just joined
Posts: 5
Joined: Wed Mar 08, 2017 5:28 pm

Re: IPSec Flushing SA

Thu Mar 09, 2017 5:35 pm

Hi,

"Hi,

Tools/Netwatch and on both sides of tunnel:

Set ping to the IP of other VPN tunnel end for 10 sec. or any other value which suits your needs.
in down script put: /ip ipsec installed-sa flush"

It seems to work, thank you BartoszP.

I tried a script which pings an IP:

# ping the far-end tunnel address; in a script, /ping returns the number of replies received
:if ([/ping 192.168.15.254 count=4]<3) do={
  # fewer than 3 of 4 replies: treat the tunnel as down and drop all installed SAs
  /ip ipsec installed-sa flush;
  :log info "IPSEC tunnel is down: Flushing Installed SA !!!"
} else={
  :log info "IPSEC tunnel is OK !"
}

but it only works from the terminal; when I try to run it via the scheduler it somehow doesn't work.
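As an added example, not the poster's configuration, here is how the same ping check can be stored as a named script and run from the scheduler. The far-end address 192.168.15.254 is taken from the post above; the explicit policy lists are an assumption on my part (a scheduler entry and a script each carry their own policy, and a flush needs write permission), not a diagnosis the thread establishes, and the one-minute interval is arbitrary.

```routeros
# Added example, not from the thread. Assumptions:
#   192.168.15.254 = far-end tunnel address (from the post)
#   policy=read,write,test is assumed sufficient for /ping and the SA flush

# store the check as a named script with its own policy
/system script add name=ipsec-check policy=read,write,test \
    source=":if ([/ping 192.168.15.254 count=4]<3) do={ /ip ipsec installed-sa flush; :log warning \"IPsec tunnel is down: flushed installed SAs\" } else={ :log info \"IPsec tunnel is OK\" }"

# run it every minute; the scheduler entry carries the same policy,
# since the script runs with the permissions of whatever invokes it
/system scheduler add name=ipsec-check interval=1m on-event=ipsec-check \
    policy=read,write,test

# --- checks ---
/system script run ipsec-check     # run once by hand from the terminal
/system script print detail        # run-count and last-started show scheduler executions
/log print where message~"IPsec"   # one line per run, so a silent scheduler is visible
```

Comparing the run-count after a manual run with the value a few minutes later tells you whether the scheduler is invoking the script at all, which separates "never scheduled" from "scheduled but failing"; the log lines cover the second case.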
