I just thought I would quickly point something out... In this line: /ip ipsec policy add dst-address=172.28.0.0/16 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes You list TWO subnets: 172.28.0.0/16 172.28.10.0/24 The first subnet is from IP 172.28.0.1 ...

Mikrotik only implements bare IPsec with policies and traffic selectors, so you must have a separate policy for each dst-address (192.168.50.0/24 and 172.28.0.0/16). Whether one or two pairs of SAs will actually be negotiated depends on the level parameter of the policy - if it is set to require , ...

I think you're looking for: /ip ipsec policy add action=none src-address=172.28.x.0/24 dst-address=172.28.x.0/24 And order of policies matters. Thank you very much! Now it works within the 172.28.0.0./16 net as I wanted it to :-) Now I have two tunnels instead of one for each spoke. But I will prob...

Anyone ?

Hello, I am configuring a VPN setup with a Fortigate firewall as the hub (With dynamic DNS) and several Mikrotik mAP's as spokes. (DialUp) Spokes are configured with subnet 172.28.10.0/24, 172.28.11.0/24 and so on. LAN on the Fortigate is 192.168.50.0/24 mAP's 172.28.x.1 VPN tunnels are up and runni...