VPN
Sergey nix, 2021-03-02 08:22:17

How to stabilize IPsec?

The main device is a Kerio Control. Remote Mikrotiks (hAP lite) are connected to it via IPsec.
Sometimes the tunnels go down and come back up after 7-10 minutes (some take longer), which disrupts the operation of internal services, in particular 1C, which is connected via the internal domain.
Encryption uses sha1, 3des, sha-128-cbc, sha-256-cbc, modp-1536, modp-2048.
I'm considering two possibilities. My first suspicion is weak hardware in the Mikrotiks: maybe the RAM fills up and the tunnel drops. My second suspicion is the settings for lifetimes, TTL, etc. Maybe the default lifetime settings need to be configured in detail?
I'm not very good at this, please help.
Thank you for your attention.


2 answer(s)
CityCat4, 2021-03-02
@CityCat4

The first thing that comes to mind is DPD. If DPD is enabled, Kerio must handle it correctly and not drop the connection due to inactivity (this is a known racoon problem).
The second: when 75% of the lifetime has elapsed, phase 2 is re-run, a new SPI appears, the devices start to get confused about which SPI to use, and this continues until the old SPI dies (which can take just 7-10 minutes).
What can be done is to look at the timeouts per phase and the policy for assigning them, and, if you can move their assignment to the Mikrotik, perhaps increase the time and disable DPD (all of this, of course, only if it is possible to do so; otherwise there may be a fixed set of settings).
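
One way to check whether the flaps line up with the phase 2 rekey point, as the answer above suggests, is to pull tunnel up/down events out of the gateway log and measure how long after the last successful establishment each outage starts. The script below is an added example, not code from the thread or from Kerio or Mikrotik; the log lines are constructed, and the log format, the peer names and the 3600 s lifetime are assumptions (adjust the regex to whatever your IPsec daemon actually writes).

```python
"""Correlate IPsec tunnel outages with the SA rekey point (75% of lifetime).

Added example, not from the original thread. The log format below is
constructed to resemble a generic IPsec daemon log; peer names and the
lifetime value are assumptions.
"""
import re
from datetime import datetime

# Constructed sample log: two remote routers, phase 2 lifetime assumed 3600 s.
SAMPLE_LOG = """\
2021-03-02 08:00:00 ipsec: peer=hap-lite-1 tunnel up
2021-03-02 08:45:10 ipsec: peer=hap-lite-1 tunnel down
2021-03-02 08:53:40 ipsec: peer=hap-lite-1 tunnel up
2021-03-02 09:10:00 ipsec: peer=hap-lite-2 tunnel up
2021-03-02 09:20:00 ipsec: peer=hap-lite-2 tunnel down
2021-03-02 09:20:30 ipsec: peer=hap-lite-2 tunnel up
2021-03-02 09:38:40 ipsec: peer=hap-lite-1 tunnel down
2021-03-02 09:46:00 ipsec: peer=hap-lite-1 tunnel up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ipsec: "
    r"peer=(?P<peer>\S+) (?P<event>tunnel up|tunnel down)$"
)


def parse_events(text):
    """Return a list of (timestamp, peer, event) tuples; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["peer"], m["event"]))
    return events


def outages(events):
    """Pair each 'tunnel down' with the next 'tunnel up' for the same peer.

    Returns (peer, outage_start, duration_seconds) for every completed outage.
    """
    down_since = {}
    result = []
    for ts, peer, ev in events:
        if ev == "tunnel down":
            down_since.setdefault(peer, ts)   # keep the first 'down' of a run
        elif ev == "tunnel up" and peer in down_since:
            start = down_since.pop(peer)
            result.append((peer, start, (ts - start).total_seconds()))
    return result


def rekey_correlated(events, outage_list, lifetime_s, tolerance_s=120):
    """Flag outages that begin about 0.75 * lifetime after the previous 'tunnel up'.

    Returns (peer, outage_start, duration_seconds, seconds_since_last_up).
    """
    ups = {}
    for ts, peer, ev in events:
        if ev == "tunnel up":
            ups.setdefault(peer, []).append(ts)
    expected = 0.75 * lifetime_s
    flagged = []
    for peer, start, duration in outage_list:
        prev_ups = [u for u in ups.get(peer, []) if u < start]
        if not prev_ups:
            continue                           # no establishment seen before this outage
        since_up = (start - prev_ups[-1]).total_seconds()
        if abs(since_up - expected) <= tolerance_s:
            flagged.append((peer, start, duration, since_up))
    return flagged


def analyze(log_text, lifetime_s=3600):
    """Run the whole pipeline and return both the outage list and the rekey-correlated subset."""
    events = parse_events(log_text)
    found = outages(events)
    return {"outages": found, "rekey_correlated": rekey_correlated(events, found, lifetime_s)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for peer, start, duration in report["outages"]:
        print(f"{peer}: down at {start}, {duration:.0f}s outage")
    for peer, start, duration, since_up in report["rekey_correlated"]:
        print(f"{peer}: outage at {start} began {since_up:.0f}s after last up "
              f"(~75% of lifetime) and lasted {duration:.0f}s")
```

In the constructed sample, the two hap-lite-1 outages both start about 2700 s after the previous establishment and last 7-9 minutes, which is the pattern the answer describes; the short hap-lite-2 blip is not near the rekey point and is left alone. If real logs show the same alignment, the lifetime and which side initiates the rekey are the settings to look at; if the outages are spread at random, the rekey explanation is less likely and the hardware suspicion from the question deserves more weight.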

Nikadim Tsatskin, 2021-03-05
@BigDrive

Most likely it's not the RAM that fills up but the processor. Mikrotik has products in its line that can encrypt IPsec in hardware, so the processor is not loaded; see the hardware specification. Usually IPsec rarely "falls off" by itself; I have devices on which it has been working since the last restart.
