I have a working IPSec site to site VPN and I now need to make a second subnet available behind one of the routers.

As far as I understand the IPSec Policy only maps 1:1 (ie one source to one destination subnet)

I have tried to duplicate the policy but although the new one would work this kills the old one - ie I can only reach one of the subnet at a given time.

What am I missing ?

As far as I understand the IPSec Policy only maps 1:1 (ie one source to one destination subnet)

Correct (except that it rather "links" then "maps" subnets).

I have tried to duplicate the policy but although the new one would work this kills the old one - ie I can only reach one of the subnet at a given time.

If you have "duplicated" it properly, in terms that you've changed the src-address at the peer with two subnets and dst-address at the peer with single subnet and left the rest unchanged, it should work normally.

So try changing level from the default required to unique - if both peers are Mikrotik ones, this should not be necessary, but it's worth trying.

If that doesn't help, try disabling and re-enabling the identity, as adding policies on the fly behaves funny in some RouterOS versions.

So try changing level from the default required to unique - if both peers are Mikrotik ones, this should not be necessary, but it's worth trying.

I just wanted to stop by and say thank you! Your solution fixed a problem I have been dealing with, since implementing Perimeter 81 and my MikroTik site to site tunnel. Changing from the each policy to "unique" immediately made them work.