leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Two IPSec tunnels from the same network

Mon Jul 02, 2012 2:35 pm

Hello,

I'm trying to configure these tunnels:

Tunnel1: 10.0.0.0/24 -> 10.20.0.0/24
Tunnel2: 10.0.0.0/24 -> 10.20.0.32/28

Tunnel1 always works, but I get no traffic through Tunnel2. The SA for Tunnel2 does get established, but the byte count stays at 0.

How should I set this up on Mikrotik?
Thanks!
 
stmx38
Long time Member
Posts: 650
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: Two IPSec tunnels from the same network

Mon Jul 02, 2012 3:04 pm

I had an issue with the same setup on RB1200 and Cisco ASA 5510.
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Two IPSec tunnels from the same network

Mon Jul 02, 2012 3:12 pm

Forgot to mention, I'm using Mikrotik on both ends, RB1000 and 450G.
For Cisco I've read that the policy has to be set as "unique" instead of "require".
 
psamsig
Member Candidate
Posts: 161
Joined: Sun Dec 06, 2009 1:36 pm
Location: Denmark

Re: Two IPSec tunnels from the same network

Mon Jul 02, 2012 9:24 pm

10.20.0.32/28 is covered by 10.20.0.0/24, so if you haven't added a priority, the first one created wins.
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Two IPSec tunnels from the same network

Mon Jul 02, 2012 10:25 pm

Hello!

I've tried using a higher priority (for example 100, 1000, 9999...) for 10.20.0.32/28 but it still doesn't work.

Thanks for the tip!
 
stmx38
Long time Member
Posts: 650
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: Two IPSec tunnels from the same network

Mon Jul 02, 2012 11:38 pm

Forgot to mention, I'm using Mikrotik on both ends, RB1000 and 450G.
For Cisco I've read that the policy has to be set as "unique" instead of "require".
Thank you for help. It works !
 
leonset
Member Candidate
Topic Author
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Two IPSec tunnels from the same network

Tue Jul 03, 2012 1:58 pm

Glad to hear that, slech :)

I've managed to get it done by:

- Defining two IPSec policies, one for each tunnel:
Tunnel1: 10.0.0.0/24 -> 10.20.0.0/24
Tunnel2: 10.0.0.0/24 -> 10.20.0.32/28

- Setting them as "unique" instead of "required".

- Setting the priority for Tunnel2: 10.0.0.0/24 -> 10.20.0.32/28 quite a bit higher than that for Tunnel1:
Tunnel1, priority 0
Tunnel2, priority 200

It hasn't worked for me using smaller priority differentials, say priorities 0 and 1.

- Lastly, changing that crappy DSL router for another model which allows IP protocol 50 (ESP) passthrough and not just UDP 500 DNAT'ing.

Hope this helps!
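The setup from the post above written out as a RouterOS command sequence. This is an added example, not the poster's own export. The public addresses (203.0.113.1 for this router, 198.51.100.1 and 198.51.100.2 for the two remote gateways), the pre-shared secrets and the srcnat bypass rule are assumptions about a typical deployment; the thread itself only gives the private subnets, the "unique" level and the priorities.

```routeros
# Added example (not from the thread). Placeholder addresses:
#   203.0.113.1  = this router's public address (sa-src-address)
#   198.51.100.1 = remote gateway for Tunnel1 (10.20.0.0/24)
#   198.51.100.2 = remote gateway for Tunnel2 (10.20.0.32/28)

/ip ipsec peer
add address=198.51.100.1/32 exchange-mode=main secret="PSK-TUNNEL1-PLACEHOLDER"
add address=198.51.100.2/32 exchange-mode=main secret="PSK-TUNNEL2-PLACEHOLDER"

/ip ipsec policy
# Tunnel1: the broad /24. priority=0 so the more specific policy below outranks it.
add src-address=10.0.0.0/24 dst-address=10.20.0.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 \
    tunnel=yes action=encrypt level=unique priority=0

# Tunnel2: the /28 inside the /24. level=unique gives this policy its own SA
# instead of reusing the one negotiated for the overlapping /24 policy, and
# priority=200 (well above 0, as the poster found necessary) makes it match first.
add src-address=10.0.0.0/24 dst-address=10.20.0.32/28 \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.2 \
    tunnel=yes action=encrypt level=unique priority=200

# Assumed: keep LAN-to-LAN traffic out of masquerading, otherwise the source
# address is rewritten before the policy selectors are checked and nothing matches.
/ip firewall nat
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.20.0.0/24 action=accept \
    place-before=0

# Accept IKE (UDP 500) and ESP (IP protocol 50) on this box; the device in front
# of it (the DSL router in the thread) must forward both, not just UDP 500.
/ip firewall filter
add chain=input protocol=udp dst-port=500 action=accept
add chain=input protocol=ipsec-esp action=accept
```

After the SAs come up, `/ip ipsec installed-sa print` should show two separate SAs (one per remote gateway), and the byte counters of the Tunnel2 policy in `/ip ipsec policy print stats` should start increasing for traffic to 10.20.0.32/28.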
