VPN IPsec lose connection/disconnected by itself

Posted: Fri Jan 14, 2011 7:31 am
by ben1876
Hi, all experts, please advise.

I have set up an IPsec VPN that works between two MikroTik RouterOS 4.11 routers, or between MikroTik RouterOS 4.11 and IPCop 1.4.21. I followed the manual 'Manual:IP/IPsec'. But I have a problem with the connection being lost/disconnecting by itself on some occasions; in one day it happened several times. Currently, the workaround is that I have to go into one of the routers through Winbox:
- use cmd.exe to ping the other router's site network
- if that still fails, go to 'Policies', disable it and enable it again
- if that still fails, go to 'Installed SAs' and press 'Flush'

Because of this problem, work between the two site networks is always being interrupted. It's troublesome.
I saw in the manual that 'IPsec is very sensitive to time changes', and I have set the NTP client on both routers to the same NTP server IP. But the problem still exists.

Any idea? Please help.

Re: VPN IPsec lose connection/disconnected by itself

Posted: Fri Jan 14, 2011 11:23 am
by sergejs
As I understand your description, the link between your IPsec peers could be unstable.
There is a DPD option that can be enabled to remove all information when the link between peers is unstable (not reachable). Enable DPD on both ends; then the SA should be cleared as soon as the link is not available.

Re: VPN IPsec lose connection/disconnected by itself

Posted: Mon Jan 17, 2011 5:29 am
by ben1876
Thanks a lot for your valuable info.
I have changed the settings (at both ends) for:
- DPD interval to enabled (I put '1', correct?)
- DPD maximum failures to '5' (before it was '1')

and will see how it goes later... (will be reported)

Re: VPN IPsec lose connection/disconnected by itself

Posted: Tue Jan 18, 2011 9:20 am
by nz_monkey
Hi guys,

I too am battling with this issue at the moment. I have my DPD interval set to 60s and retries set to 1; however, even when the remote peer disappears the SAs are still active and I have to manually flush them. This is on a tunnel from RouterOS 5.0rc5 on an RB750G to a Cisco concentrator.

It's as if DPD is not working at all.

MikroTik, is there a solution to this problem?

Re: VPN IPsec lose connection/disconnected by itself

Posted: Tue Jan 18, 2011 4:13 pm
by sergejs
DPD should be enabled on both peers to make it work.

Re: VPN IPsec lose connection/disconnected by itself

Posted: Wed Jan 19, 2011 9:35 am
by ben1876
Someone is in the same boat as me...
I hope this thread will find the best settings to make the IPsec VPN more stable.

Report: after enabling DPD, the connection seems to be quite OK but not really stable yet. (N.B.: I must keep pinging the other end's router to trigger it and keep the connection alive as much as possible.)

Sorry for my ignorance; I thought DPD Interval accepted only '1' and '0', so I put '1' for enable. Actually, it is a time in seconds.

@sergejs:
- What's the best time (in seconds) that I should put?
- Lifetime: 1d:00:00, then I changed it to 00:00:00. What's the importance of this setting?

Currently:
1. Between RB750G (192.168.1.0) - IPCop 1.4.21 (192.168.10.0) ==> disconnected on some occasions
2. Between RB750G (192.168.1.0) - RB750 (192.168.20.0) ==> disconnected even more often than #1

FYI, net-to-net VPN between two IPCop 1.4.21 boxes is really stable.

Re: VPN IPsec lose connection/disconnected by itself

Posted: Wed Jan 19, 2011 4:18 pm
by sergejs
ben1876,

- DPD time depends on the outages (how frequent outages are possible, how long the average time is);
- lifetime (time; default: 1d) - phase 1 lifetime: specifies how long the SA will be valid; the SA will be discarded after this time;

- Do you have identical configuration on both ends for /ipsec (as well as /system clock)?
What about the connection between the two routers, is it stable?

Re: VPN IPsec lose connection/disconnected by itself

Posted: Thu Jan 20, 2011 11:41 am
by ben1876
- (For #2) Since it's the same product, MT, of course all the settings are exactly the same in /ipsec policies, peers and proposals, including the same primary NTP server IP address. (For #1) It's not the same product, MT and IPCop, but the MT side has the same settings as these.

The RB750G (192.168.1.0) is my central site. The other site, RB750 (192.168.20.0), links to it and gets data. If the connection is lost (meaning ping request timed out), then the current workaround is just to remote in by public IP to the central server and do a ping (192.168.20.x), and it will come back alive again. Troublesome, right?

I heard from my friends' feedback that MT is weak on VPN.

Re: VPN IPsec lose connection/disconnected by itself

Posted: Thu Jan 20, 2011 3:54 pm
by sergejs
> The RB750G (192.168.1.0) is my central site. The other site, RB750 (192.168.20.0), links to it and gets data. If the connection is lost (meaning ping request timed out), then the current workaround is just to remote in by public IP to the central server and do a ping (192.168.20.x), and it will come back alive again. Troublesome, right?

Maybe it would be a good idea to fix the link between both routers first.
DPD is working fine for me; when the link is down, after a specific time /installed-sa are cleared.
Note that DPD does not stabilize the connection; it helps IPsec clear installed-sa when the link is down.

> I heard from my friends' feedback that MT is weak on VPN.

Did they contact us and report all the problems to support@mikrotik.com?
As far as I know all supported tunnels are working fine. At least I'm not aware of any serious issue.

Re: VPN IPsec lose connection/disconnected by itself

Posted: Fri Jan 21, 2011 7:29 am
by ben1876
> DPD is working fine for me; when the link is down, after a specific time /installed-sa are cleared.
> Note that DPD does not stabilize the connection; it helps IPsec clear installed-sa when the link is down.

Could you advise me on the best config for peers? (Especially what values to put in fields like:
- DPD interval & DPD max failures
- Lifetime & lifebytes
- whether 'Generate Policy' should be checked/unchecked on both or one of the routers
- etc... that I should be aware of...)
Thanks

Re: VPN IPsec lose connection/disconnected by itself

Posted: Fri Jan 21, 2011 7:40 am
by fewi
There are no 'best values' for those; they are policy decisions.

Got peers with unknown (dynamic or road-warrior) IPs? You'll need generate-policy set to yes to even be operational. Got only static peers? Might as well write out the policies manually and set generate-policy to no. Which one you choose depends on what kind of peers you have.
If there are only static peers it would be better to turn it off and use manual policies only.

Lifetime and lifebytes? What kind of security does your policy require? The longer the SA is in effect, the longer an adversary has to crack it. The more data is encrypted with the same SA, the more data an adversary has to work with. Shorter is better, but more resource intensive. How much traffic is traversing the link? That significantly affects lifebytes. How important is that traffic? What kind of impact on your business would someone having the plaintext have? How many resources can you spare? How are your SAs negotiated - certificates or PSKs? An RB133 using certificates should renegotiate far less often than a Xeon x86 or RB1000 with hardware encryption offloading.

DPD is also based on your requirements: how fast do you need to detect link failure? Don't go lower than 15 seconds. Above five minutes is probably also unreasonable. Unless your situation makes more extreme values OK.
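As an added example (not posted by anyone in this thread and not taken from the MikroTik manual), here is what the policy decisions above look like as a static site-to-site configuration on the central RB750G, in RouterOS v5 CLI syntax as used on the routers in this thread (the parameter names changed in later versions). The public addresses 198.51.100.1 and 203.0.113.2, the PSK placeholder, the 30s/4 DPD values and the 30m phase 2 lifetime are assumptions; the LAN prefixes 192.168.1.0/24 and 192.168.20.0/24 come from the thread. The same three commands go on the remote RB750 with the addresses swapped, and, per sergejs's check, every other value should match exactly on both ends.

```routeros
# Central router (RB750G, LAN 192.168.1.0/24, assumed public address 198.51.100.1).
# Peer: RB750 (LAN 192.168.20.0/24, assumed public address 203.0.113.2).

# Phase 2 proposal: rekey the ESP keys every 30 minutes (assumed value; the
# thread's advice is "shorter is better, but more resource intensive").
/ip ipsec proposal
add name=site-b auth-algorithms=sha1 enc-algorithms=aes-128 lifetime=30m pfs-group=modp1024

# Phase 1 peer. Static peer, so generate-policy=no and the policy is written by hand.
# DPD: probe every 30s, declare the peer dead after 4 consecutive unanswered probes
# (about 2 minutes; inside fewi's 15s..5min envelope). The other end must enable
# DPD too, or it will never probe us and will keep its SAs after we vanish.
/ip ipsec peer
add address=203.0.113.2/32 port=500 auth-method=pre-shared-key \
    secret="REPLACE-WITH-A-LONG-RANDOM-PSK" exchange-mode=main \
    send-initial-contact=yes nat-traversal=no proposal-check=obey \
    hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 \
    lifetime=1d lifebytes=0 \
    dpd-interval=30s dpd-maximum-failures=4 \
    generate-policy=no

# Manual tunnel policy for the two LANs. action=encrypt + level=require means
# LAN-to-LAN packets are dropped rather than sent in the clear if no SA exists.
/ip ipsec policy
add src-address=192.168.1.0/24 src-port=any dst-address=192.168.20.0/24 dst-port=any \
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.2 proposal=site-b

# Checks used in this thread: phase 1 state and the installed ESP SAs.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

Two caveats a practitioner will want: DPD only runs once a phase 1 SA exists and only tears state down, so it cannot stop a flapping link from flapping (sergejs's point), and mismatched lifetimes or proposals between the two ends are a common cause of tunnels that come up once and then fail at the first rekey, which is why the values are kept identical on both routers.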

Re: VPN IPsec lose connection/disconnected by itself

Posted: Thu Feb 03, 2011 11:09 am
by nz_monkey
If DPD is not working for you (it wasn't for us), try this script:

# flush every installed SA when no ISAKMP (phase 1) peer is currently up
:if ([:len [/ip ipsec remote-peers print as-value]] = 0) do={/ip ipsec installed-sa flush};

It checks if there are any remote peers up; if not, it just flushes the SAs.

We run it once every few minutes using the scheduler. It's a dirty method, but it saves us from logging in and clearing them manually.
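Added example (mine, not nz_monkey's) of wiring that check into the scheduler so it runs unattended and leaves a trace in the log. The script name, the 5 minute interval and the log text are assumptions; the check itself is the one posted above.

```routeros
# Watchdog: if no phase 1 peer is up, flush the installed SAs so the next
# packet matching the policy forces a fresh negotiation, and log that it fired
# so the flush events can later be correlated with link outages.
/system script
add name=ipsec-sa-watchdog source=":if ([:len [/ip ipsec remote-peers print as-value]] = 0) do={ :log warning \"ipsec-sa-watchdog: no ISAKMP peer up, flushing installed SAs\"; /ip ipsec installed-sa flush }"

# Run it every 5 minutes (assumed interval; nz_monkey says "once every few minutes").
/system scheduler
add name=ipsec-sa-watchdog interval=5m on-event=ipsec-sa-watchdog

# Inspect what it has done.
/log print where message~"ipsec-sa-watchdog"
```

The check is all-or-nothing: on a central router with several peers, one dead peer will not trigger it while any other peer is still up, and when it does fire it flushes the SAs of every tunnel, not just the dead one. It is a workaround for DPD not clearing state, not a substitute for it.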

Re: VPN IPsec lose connection/disconnected by itself

Posted: Mon Aug 15, 2011 11:30 pm
by pkelly1603
DPD does not work for me either. My connection is not flaky.

Thanks Monkey, I'm using your script.

Re: VPN IPsec lose connection/disconnected by itself

Posted: Mon Aug 15, 2011 11:54 pm
by nz_monkey
We are still having issues with this even on 5.6.

The VPN is from a Cisco concentrator to an RB750G. DPD is set to 10 seconds, but still the IPsec will lock up and we will need to "Kill Connections" to get it running again.

I will log a ticket with MikroTik as this is driving me nuts.

I would appreciate karma for the script ;)

Re: VPN IPsec lose connection/disconnected by itself

Posted: Sun Jul 29, 2012 7:34 am
by LukasSVK
Same problem on 5.19; the setup is two RB750s with IPsec between them.

5.16 is OK.