IPsec Site-to-Site VPN, Mikrotik/Cisco

Posted: Thu Dec 20, 2012 2:11 pm
by georgechyo
Hello,
I'm new here and hope my topic is in the right place :)
Now about my problem: I have a working tunnel between a Cisco ASA and a Mikrotik. Everything's fine while the internet connection is stable, but when it's not, the tunnel hangs. I think that DPD (Dead Peer Detection) is not working.
When I disconnect the router from the internet, the remote peers and installed SAs are not deleted after the specified time (10 seconds, 2 failures).
I hope I can find a solution here :)

Re: IPsec Site-to-Site VPN, Mikrotik/Cisco

Posted: Sun Dec 23, 2012 9:28 am
by georgechyo
anybody? :(

Re: IPsec Site-to-Site VPN, Mikrotik/Cisco

Posted: Sun Dec 23, 2012 11:19 pm
by NicholasMag
Need a bit more detail about your network topology and the settings on the mikrotik.

To clarify, when Internet is stable, the vpn works great? But when internet is unstable you have connection errors?

Are these clients creating the vpn connection through the wan or lan side?

Re: IPsec Site-to-Site VPN, Mikrotik/Cisco

Posted: Tue Dec 25, 2012 10:05 am
by georgechyo
NicholasMag,
here is the configuration:
# dec/25/2012 11:44:25 by RouterOS 6.0rc5
# software id = 74EE-08TE
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=aes-128 lifetime=\
    1d pfs-group=none

/ip ipsec peer
add address=x.x.x.x/32 dpd-interval=10s dpd-maximum-failures=2 \
    enc-algorithm=aes-128 secret="#####"

/ip ipsec policy
add dst-address=192.168.0.0/16 level=unique sa-dst-address=x.x.x.x \
    sa-src-address=x.x.x.x src-address=192.168.254.2/32 tunnel=yes
The problem is in DPD (dead peer detection): when the internet goes off, the remote peer (Cisco site) removes the connection and deletes the installed SAs, but the Mikrotik side doesn't delete the connection and SAs; they still exist. So when the internet connection is restored, Mikrotik tries to use the old SAs, which no longer exist on the remote site.

I turned off keepalives on the Cisco, so the tunnel stays in the up state even when there is no internet connection, but that's not a solution.
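To make the expected DPD behaviour concrete, here is a small Python model of IKEv1 Dead Peer Detection timing (RFC 3706 style R-U-THERE / R-U-THERE-ACK exchange). It is an added example, not code from the thread, from MikroTik or from Cisco, and it does not reproduce RouterOS internals; it only shows when a peer configured with dpd-interval=10s and dpd-maximum-failures=2 should declare the other side dead and flush its SAs, which is the step the Mikrotik side is not performing in the post above. All event times and packet lists are constructed sample data.

```python
"""Added example (not from the forum thread): a small model of IKEv1 Dead Peer
Detection (RFC 3706) timing. A peer sends an R-U-THERE probe once the tunnel
has been idle for `interval` seconds and declares the other side dead after
`max_failures` consecutive unanswered probes, at which point its IKE SA and
installed ESP SAs should be deleted. All timings and events are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DpdPeer:
    interval: float              # idle seconds before an R-U-THERE probe is sent
    max_failures: int            # unanswered probes before the peer is declared dead
    last_rx: float = 0.0         # time of the last packet received from the peer
    next_probe_at: float = field(init=False)
    pending_since: Optional[float] = None   # send time of the last unanswered probe
    failures: int = 0
    dead_at: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.next_probe_at = self.last_rx + self.interval

    def on_receive(self, now: float, kind: str) -> None:
        """Any packet from the peer (ESP data or an R-U-THERE-ACK) proves liveness."""
        self.last_rx = now
        self.failures = 0
        self.pending_since = None
        self.next_probe_at = now + self.interval
        self.log.append(f"{now:5.1f}s rx {kind}: liveness confirmed, failure count reset")

    def tick(self, now: float) -> None:
        """Advance the clock to `now`, sending probes whenever the idle timer expires."""
        while self.dead_at is None and self.next_probe_at <= now:
            t = self.next_probe_at
            # The previous probe counts as a failure if nothing arrived since it was sent.
            if self.pending_since is not None and self.last_rx < self.pending_since:
                self.failures += 1
                self.log.append(f"{t:5.1f}s R-U-THERE unanswered ({self.failures}/{self.max_failures})")
                if self.failures >= self.max_failures:
                    self.dead_at = t
                    self.log.append(f"{t:5.1f}s peer declared dead: delete IKE SA and installed ESP SAs")
                    return
            self.log.append(f"{t:5.1f}s tx R-U-THERE")
            self.pending_since = t
            self.next_probe_at = t + self.interval


def simulate(interval: float, max_failures: int,
             rx_events: List[Tuple[float, str]], end: float) -> DpdPeer:
    """Run one peer from t=0 to `end` seconds against a list of (time, kind)
    packets received from the other side (constructed sample data)."""
    peer = DpdPeer(interval, max_failures)
    for now, kind in sorted(rx_events):
        if now > end:
            break
        peer.tick(now)
        peer.on_receive(now, kind)
    peer.tick(end)
    return peer


def worst_case_detection_time(interval: float, max_failures: int) -> float:
    """Seconds from the last received packet until the peer is declared dead in
    this model: one idle interval, then max_failures unanswered probes."""
    return interval * (max_failures + 1)


if __name__ == "__main__":
    # Healthy tunnel: steady ESP traffic keeps resetting the idle timer, so no probe goes out.
    healthy = simulate(10, 2, [(5, "ESP"), (12, "ESP"), (18, "ESP")], end=25)
    # Link loss after 5s: probes at 15s and 25s go unanswered, peer declared dead at 35s.
    lost = simulate(10, 2, [(5, "ESP")], end=60)
    # Probe answered: the ACK at 17s clears the pending probe and the failure count.
    acked = simulate(10, 2, [(5, "ESP"), (17, "R-U-THERE-ACK")], end=30)
    for name, p in (("healthy", healthy), ("link lost", lost), ("acked", acked)):
        print(f"--- {name}: dead_at={p.dead_at}")
        print("\n".join(p.log))
```

With the settings from the export above (10s interval, 2 failures) the model declares the peer dead about 30s after the last packet from it; if the Mikrotik still lists the remote peer and its installed SAs well beyond that after the link drops, DPD is either not running or its result is not being acted on, which is a useful thing to check in the IPsec log before changing other settings.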

Re: IPsec Site-to-Site VPN, Mikrotik/Cisco

Posted: Tue Dec 25, 2012 11:25 am
by tomaskir
Look at this topic, so I don't have to rewrite everything I wrote there :)
http://forum.mikrotik.com/viewtopic.php?f=2&t=66178

Re: IPsec Site-to-Site VPN, Mikrotik/Cisco

Posted: Tue Dec 25, 2012 6:58 pm
by georgechyo
Look at this topic, so I don't have to rewrite everything I wrote there :)
http://forum.mikrotik.com/viewtopic.php?f=2&t=66178
It didn't work :(
I have DPD on (interval 2, maximum failures 3) and IPsec policy level=unique, but when the internet connection goes off, the SA and remote peers are still there. Did I miss something?

Re: IPsec Site-to-Site VPN, Mikrotik/Cisco

Posted: Tue Dec 25, 2012 7:21 pm
by tomaskir
Might be something wrong in rc5. Have you tried with 5.22?

Re: IPsec Site-to-Site VPN, Mikrotik/Cisco

Posted: Wed Dec 26, 2012 9:51 am
by georgechyo
Might be something wrong in rc5. Have you tried with 5.22?
I tried many different versions: 5.11, 5.22, 6rc5, 6rc6; each of them does the same.