 
lpouzenc
just joined
Topic Author
Posts: 2
Joined: Mon Sep 24, 2012 4:46 pm

RouterOS 4.5 IPSEC Spurious multiple installed-sa

Mon Sep 24, 2012 5:50 pm

Hi,

A strange IPSEC problem involving an RB750 and a Linux box with openswan 1:2.6.28+dfsg-5+squeeze1 on Debian Squeeze, with an iptables-based firewall doing NAT in between.

The tunnel goes up normally and works for some time. But, around 30 minutes later (I don't know if it is always the same duration), interesting traffic stops going through the tunnel (no replies seen), but OpenSWAN seems to say that everything is fine and connected.

Each time I've seen lost traffic, I see spurious "installed-sa" entries on the mikrotik, as you can see in "installed-sa.txt".

I don't know how to resolve that... I have done some tcpdumps but reached no conclusion from them.

Mikrotik has the public A.B.C.D IP address (bridged onto the internet via an ADSL box).
OpenSwan is behind NAT. Its private address is 10.10.130.10.
The public IP on the NATing firewall is E.F.G.H.
The target network accessible through the mikrotik is I.J.K.L/28.

[mikroadm@MikroTik] /ip ipsec> peer print
Flags: X - disabled
0 address=E.F.G.H/32:500 auth-method=pre-shared-key secret="<obfuscated>"
generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=disable-dpd
dpd-maximum-failures=5

[mikroadm@MikroTik] /ip ipsec> policy print
Flags: X - disabled, D - dynamic, I - inactive
0 D src-address=E.F.G.H/32:any dst-address=I.J.K.L/28:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=A.B.C.D sa-dst-address=E.F.G.H proposal=default
priority=2

1 D src-address=E.F.G.H/32:any dst-address=I.J.K.L/28:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=A.B.C.D sa-dst-address=E.F.G.H proposal=default
priority=2

2 D src-address=I.J.K.L/28:any dst-address=E.F.G.H/32:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=E.F.G.H sa-dst-address=A.B.C.D proposal=default
priority=2

Openswan config:
version 2.0
config setup
    plutodebug="control parsing"
    plutoopts="--perpeerlog"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.0.0/16
    oe=off
    protostack=netkey

conn conn1
    auto=ignore
    left=10.10.130.10
    leftid=E.F.G.H
    leftsourceip=E.F.G.H
    leftsubnet=E.F.G.H/32
    right=A.B.C.D
    rightid=A.B.C.D
    rightsubnet=I.J.K.L/28
    auth=esp
    authby=secret
    esp=3des-sha1
    ike=3des-sha1
    aggrmode=no
    keyexchange=ike
    keyingtries=%forever
    pfs=yes
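The duplicate dynamic policies in the policy print above (entries 0 and 1 share the same selectors and SA endpoints) are the symptom worth monitoring. The following parser for that RouterOS print format is an added example, not code from the original post; it assumes only the layout shown in the thread (a numbered entry with optional flag letters, then key=value pairs continued on indented lines), and the sample output is constructed to mirror the post's.

```python
"""Parse RouterOS '/ip ipsec policy print' output and flag policies that
are installed more than once (same selectors and SA endpoints)."""
import re

# Constructed sample mirroring the thread's output (entries 0 and 1 duplicate).
SAMPLE = """Flags: X - disabled, D - dynamic, I - inactive
0 D src-address=E.F.G.H/32:any dst-address=I.J.K.L/28:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=A.B.C.D sa-dst-address=E.F.G.H proposal=default
priority=2

1 D src-address=E.F.G.H/32:any dst-address=I.J.K.L/28:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=A.B.C.D sa-dst-address=E.F.G.H proposal=default
priority=2

2 D src-address=I.J.K.L/28:any dst-address=E.F.G.H/32:any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=E.F.G.H sa-dst-address=A.B.C.D proposal=default
priority=2
"""

ENTRY_RE = re.compile(r"^(\d+)((?:\s+[A-Z])*)\s+(?=\S+=)")  # "0 D key=..."
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')                # key=value or key="v v"

def parse_print(text):
    """Return one dict per entry: {'id': int, 'flags': set, <key>: <value>...}."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Flags:"):
            continue                      # legend or blank separator
        m = ENTRY_RE.match(line)
        if m:                             # new entry: number + flag letters
            entries.append({"id": int(m.group(1)), "flags": set(m.group(2).split())})
            line = line[m.end():]
        if not entries:
            raise ValueError("continuation line before first entry: " + line)
        entries[-1].update(KV_RE.findall(line))  # continuation lines add more keys
    return entries

# Fields that identify a policy: traffic selectors plus the SA endpoints.
POLICY_KEY = ("src-address", "dst-address", "protocol", "tunnel",
              "sa-src-address", "sa-dst-address")

def find_duplicate_policies(entries):
    """Map each selector/endpoint tuple installed more than once to its entry ids."""
    groups = {}
    for e in entries:
        groups.setdefault(tuple(e.get(k) for k in POLICY_KEY), []).append(e["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}

if __name__ == "__main__":
    for key, ids in find_duplicate_policies(parse_print(SAMPLE)).items():
        print("duplicate policy entries %s for %s -> %s" % (ids, key[0], key[1]))
```

Fed the router's real print output (for example over SSH), a non-empty result is the condition under which the poster sees traffic stop, so it makes a useful trigger for alerting or for a targeted re-keying instead of a blind daily reboot.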
 
burkni
newbie
Posts: 29
Joined: Tue Mar 29, 2011 1:55 pm

Re: RouterOS 4.5 IPSEC Spurious multiple installed-sa

Thu Sep 27, 2012 1:21 pm

Hello. I've had a similar problem with my setup, as you can see here:
http://forum.mikrotik.com/viewtopic.php?f=2&t=64908
I have not yet solved that. A workaround that seems to work for me is to let the router restart each morning. I just made a script that does that.
 
lpouzenc
just joined
Topic Author
Posts: 2
Joined: Mon Sep 24, 2012 4:46 pm

Re: RouterOS 4.5 IPSEC Spurious multiple installed-sa

Fri Sep 28, 2012 5:46 pm

Thanks for your reply.
With Dead Peer Detection, the problem is less frequent, but I still have situations where the tunnel doesn't work (no traffic can pass through) while each IPSEC daemon is happy. Without a manual restart, nothing goes right again.