Drewturner
just joined
Topic Author
Posts: 8
Joined: Tue Aug 16, 2011 6:55 am

IPSec Tunnel Creation

Mon Oct 29, 2012 7:50 pm

I'm currently working up a point-to-point VPN with IPsec on MikroTik RB750G routers.

Site 1
Internal -> External
192.168.0.0/24 -> 192.168.101.171

Site 2
Internal -> External
192.168.30.0/24 -> 192.168.101.172

I utilized these 2 resources for the build following the Site to Site IpSec Tunnel examples.
http://gregsowell.com/wp-content/upload ... k-vpn1.pdf
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

I have IPsec configured based on the configuration below, and if I have traffic flowing between both sites the tunnel comes up and traffic flows well. However, my traffic will mostly be coming from Site 2 to Site 1, so I won't have user traffic flowing in both directions, and that is where I'm having the issue. If only one side of the site-to-site is generating the traffic, I get the following errors:
phase 1 negotiation failed due to time up
phase 2 negotiation failed due time up waiting for phase 1

Is this by design? Are there any ways around this, if so? Or am I missing something in my configuration that would allow one site to generate the traffic and bring the tunnel up?

Here is my config.

Site 1
[admin@MikroTik] /ip ipsec peer> print

Flags: X - disabled
0 address=192.168.101.172/32 port=500 auth-method=pre-shared-key
secret="********" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no my-id-user-fqdn=""
proposal-check=obey hash-algorithm=md5 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5

[admin@MikroTik] /ip ipsec policy> print

Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.0.0/24 src-port=any dst-address=192.168.30.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.101.171
sa-dst-address=192.168.101.172 proposal=default priority=0

[admin@MikroTik] /ip ipsec proposal> print

Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024

[admin@MikroTik] /ip firewall nat> print

Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.0.0/24
dst-address=192.168.30.0/24

1 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway

Site 2
[admin@MikroTik] /ip ipsec peer> print

Flags: X - disabled
0 address=192.168.101.171/32 port=500 auth-method=pre-shared-key
secret="********" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no my-id-user-fqdn=""
proposal-check=obey hash-algorithm=md5 enc-algorithm=3des
dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
dpd-maximum-failures=5

[admin@MikroTik] /ip ipsec policy> print

Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.30.0/24 src-port=any dst-address=192.168.0.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=192.168.101.172
sa-dst-address=192.168.101.171 proposal=default priority=0

[admin@MikroTik] /ip ipsec proposal> print

Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024

[admin@MikroTik] /ip firewall nat> print

Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.30.0/24
dst-address=192.168.0.0/24

1 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway
 
mixig
Member
Posts: 316
Joined: Thu Oct 27, 2011 2:19 pm

Re: IPSec Tunnel Creation

Mon Oct 29, 2012 8:12 pm

Hi,

did you allow port 500 udp and esp on both mikrotiks (input chain)?
 
Drewturner
just joined
Topic Author
Posts: 8
Joined: Tue Aug 16, 2011 6:55 am

Re: IPSec Tunnel Creation

Mon Oct 29, 2012 10:00 pm

Ah I have not. Can I allow it from only the external interfaces of both sites?

I will try it when I get home and let you know how it goes.

Drew
 
mixig
Member
Posts: 316
Joined: Thu Oct 27, 2011 2:19 pm

Re: IPSec Tunnel Creation

Mon Oct 29, 2012 11:06 pm

Ah I have not. Can I allow it from only the external interfaces of both sites?
yep

I will try it when I get home and let you know how it goes.
ok
 
Drewturner
just joined
Topic Author
Posts: 8
Joined: Tue Aug 16, 2011 6:55 am

Re: IPSec Tunnel Creation

Tue Oct 30, 2012 6:21 am

Works perfectly! Thank you very much for the help.

I must have overlooked that portion somewhere. I will never forget though!

Thanks again
 
bluemoon
just joined
Posts: 16
Joined: Sat Jan 17, 2015 10:22 am

Re: IPSec Tunnel Creation

Wed Mar 18, 2015 10:22 pm

Hi mixig,

I have a few issues and this one is one of those. Can you please post the firewall setting? I allowed port 500 but no success.
 
Zapnologica
Long time Member
Posts: 594
Joined: Fri Sep 25, 2009 8:15 pm
Location: South Africa

Re: IPSec Tunnel Creation

Tue Sep 27, 2016 9:33 am

I'm also having trouble.

I have opened port 500 UDP

but I can't find protocol type ESP?
 
BlackVS
Member Candidate
Posts: 175
Joined: Mon Feb 04, 2013 7:00 pm

Re: IPSec Tunnel Creation

Tue Sep 27, 2016 10:28 am

https://en.wikipedia.org/wiki/IPsec

ESP operates directly on top of IP, using IP protocol number 50

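For readers asking what the firewall rules actually look like: below is an added example (not configuration posted by anyone in this thread) of the input-chain rules mixig described, UDP/500 for IKE and ESP, restricted to the other site's external address as Drew proposed, together with the name RouterOS uses for BlackVS's "IP protocol number 50" (protocol=ipsec-esp). The two public addresses and the ether1-gateway interface name are taken from Drew's posted config; the assumption that a default "drop from WAN" rule sits in the input chain is mine, based on the default RB750G configuration the posted srcnat rule comes from. The commands are written for Site 1; swap the two addresses for Site 2.

```routeros
# Added example for this thread, not the original poster's config.
# Site 1 (external 192.168.101.171) accepting IKE and ESP from Site 2
# (external 192.168.101.172) only. place-before=0 puts each rule at the
# top of the filter list so it matches before the default WAN drop rule;
# if your input chain has no such drop rule, place-before is harmless.
/ip firewall filter
add chain=input protocol=udp dst-port=500 src-address=192.168.101.172 \
    in-interface=ether1-gateway action=accept place-before=0 \
    comment="IKE (ISAKMP) from Site 2"
add chain=input protocol=ipsec-esp src-address=192.168.101.172 \
    in-interface=ether1-gateway action=accept place-before=0 \
    comment="ESP, IP protocol 50, from Site 2"
# Only needed when nat-traversal=yes on the peer (the posted peers have it
# off); IKE and ESP are then wrapped in UDP/4500 as well.
# add chain=input protocol=udp dst-port=4500 src-address=192.168.101.172 \
#     in-interface=ether1-gateway action=accept place-before=0 \
#     comment="IKE NAT-T from Site 2"

# Confirm rule order: the two accept rules must print above any
# chain=input action=drop rule that matches ether1-gateway traffic.
print where chain=input

# Checks after applying on both sides (same assumptions as above):
# 1. external-to-external reachability, sourced from this router's WAN address
/ping 192.168.101.172 src-address=192.168.101.171 count=3
# 2. IKE peer established, then phase 2 SAs installed in both directions
/ip ipsec remote-peers print
/ip ipsec installed-sa print
# 3. any remaining negotiation errors
/log print where topics~"ipsec"
```

The src-address and in-interface matchers are what keep this from opening IKE to the whole internet; without them, anyone can start phase 1 negotiations against the router. Separately, the posted peers negotiate with hash-algorithm=md5, enc-algorithm=3des and dh-group=modp1024, which are not settings to copy into a new deployment; the firewall rules above work unchanged with stronger proposals.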
 
brettg
just joined
Posts: 6
Joined: Mon Jun 17, 2013 9:46 pm

Re: IPSec Tunnel Creation

Tue Oct 04, 2016 7:26 pm

I had these symptoms, and my problem is now resolved. This post will hopefully benefit others:

After years of awesome stability, our Point-to-Point IPSEC VPN (mikrotik on both ends) suddenly would not connect and had this "phase 1 failed due to time up" error in the log. Internet was fine at both sites, and the ISP support INITIALLY indicated everything should be fine for communication between our sites. (our ISP provides the connection on both ends)

After a while, I realized that I was not able to ping from the external address of one site to the other, but I could ping from my home. With this information, the ISP finally realized that there was a problem in their hardware preventing traffic from flowing from one EXTERNAL address to the other (they even had to call their hardware vendor for the solution). Once the ISP resolved their problem, the VPN came right up.

I believe this may have been the same issue I saw someone else mention -- where they "switched their IP" to resolve the issue. Instead of switching IP's, our solution addressed the root cause which was an addressing/routing issue on the ISP's hardware.

One final note: REMEMBER TO BACK UP YOUR ROUTER CONFIGURATION before you start troubleshooting.
