Hi all

manual (http://wiki.mikrotik.com/wiki/Manual:IP/IPsec) tell that a priority - Policy ordering classificator (signed integer). Larger number means higher priority.
Is it correct, considering than the general behaviour of priority is oppositely ?

And next question?

What kind a connection has a higher priority for a routing
IPSEC or IPIP ????

bump

about routing with ipsec trafic is routed toward wan

with ipip is routed as another interface

If I have one route using IPIP interface to 192.168.0.0/16 subnet and second route using IPSec to 192.168.0.0/16.

Which of route will be highest priority if metrics the same for both?

And in this case what should I do If general route has a metric : the least number - that the high priority on other hand an IPsec
policy route - the highest number - that the high priority. I see a paradox

Please help

It is not very clear to me what you want to ask and what problem you encounter.
But let me tell you that IPsec policies for tunnels cut in at a different place in the network than routing tables and relative priorities of routes.
So when you define an IPsec policy for those two subnets, that IPsec tunnel will be taken no matter what you do with routing.
The priorities of policies are only relative between IPsec policies, not relative to route priorities.

When you don't like that, setup an IP or GRE tunnel interface with IPsec secret, this will result in an IPsec policy for only GRE traffic between the external addresses of the routers. Then route the traffic for the subnets over that IP or GRE tunnel using normal routes or an autorouting protocol (like BGP).
Then, you can determine what to route using the normal route priorities.

Ok. This is what I want.

I have a HQ with two ISPs(public ip addresses ) and I have a branch with one ISP ( cable and a public ip address ) and second ISP ( 3g modem and a DYNAMIC ip assress ) for a reserve.

I want that the branch, if no connect via the main connection ( cable ) switch to 3g modem. Can I reach this without scripting?

AND main problem is that 3g modem ISP has dynamic IP and Nat Traversal obviously I can't create GRE,IPIP or EoIP

IPSec Polices give me a possibility use a dynamic source ip but I can't understand when go a traffic if in the same time will be work both ISPs ( cabel's ISP and 3G ISP )

Bump

Help! I need sombody
Help! Not just anybody
Help! You know I need someone
Heeelp

good song! but topic itself doesn't make any sense, at least to me.

Make a basic diagram of your network, explain the what would be ideal end result (what you are trying to achieve, and then describe the problem.

P.S. If you use latest version, IPIP tunnels now can have IPSec encryption on them, so maybe you can just use that)

[img]Problem.jpg[/img]

Scheme of networks

At the moment.

HQ
[ ISP1-HQ + ISP1-Branch ] - EoIP1-hq
[ ISP2-HQ + ISP1-Branch ] - EoIP2-hq
[ EoIP1-hq + EoIP2-hq ] - Bonding hq

Branch
[ ISP1-Branch + ISP1-HQ ] - EoIP1-branch
[ ISP1-Branch + ISP2-HQ ] - EoIP2-branch
[ EoIP1-branch + EoIP2-branch ] - Bonding branch


All works excelent !!!! BUT, if ISP1-Branch , what I should to do?

How to implement a failover using ISP2-Branch and do not use a scripts

Bonding? EoIP? IPIP? IPsec? - why each time you write there are new set of features mentioned?

What is your task? Ensure connectivity? load-balancing?.

I would personally use policy routing based load balancing on both devices:
http://wiki.mikrotik.com/wiki/Manual:PC ... _Balancing
For all traffic that is leaving devices to internet.

Or do you need direct communications between private network devices?

In this case I don't see a big difference between the ipip and the eoip connection.
Main question is if in the same time works bonding and ipsec ( in the shown case via 3g modem ) , what of these connections will get a highest priority ? On the branch side, obviously I have two routes (via bonding-branch and via ipsec throug 3g modem ) into the same network(192.168.0.0/24) but I don't understand where will flow the traffic, how mikrotik decides what of the connections use ? Because ipsec polices's routes not shown in a share routes table

And yes, I need a direct communication between private networks

How the RouterOS decides, where to forward a traffic if exists two connections into a one subnet via an ipip and via a ipsec. ?

Answer :

IPSEC has highest priority than any other tunnels, ignoring main routing table

Answer :

IPSEC has highest priority than any other tunnels, ignoring main routing table

That is what I wrote on October 21.
Maybe you should read more and post less!

Yes. I missed your post