wh1test
just joined
Topic Author
Posts: 12
Joined: Fri Sep 30, 2016 9:33 am

IPSec dual links

Fri Sep 30, 2016 10:10 am

Hello everyone! I have two ISPs.
ISP1 is connected to a Mikrotik CRS125 (ver. 6.37). It's my core switch/router and the internet link for users.
ISP2 is connected to a Cisco PIX515E. It's my edge firewall/router for servers and the IPSec termination point.

I have a branch office (Cisco 892) that was connected through the Cisco PIX515E via ISP2, but that ISP (2) is slow, so I decided to build IPSec to the branch office through ISP1 (fast internet) directly from the Mikrotik. I've done it, and IPSec between the Cisco 892 (branch) and the Mikrotik CRS125 (main office) works.

Now I'm trying to set up redundancy for the case where ISP1 fails. I configured route tracking on the Mikrotik, the Cisco PIX and the Cisco 892 (branch). When I disconnect ISP1, route tracking works fine, but traffic is unable to reach the branch office until I disable the IPSec policies on the Mikrotik =(
How can I disable the IPSec policies on the Mikrotik automatically when ISP1 has failed and route tracking to the branch is triggered?
 
ucs75
newbie
Posts: 32
Joined: Fri Sep 20, 2013 10:06 pm

Re: IPSec dual links

Sat Oct 01, 2016 5:26 pm

Is your IPSec setup at transport or tunnel mode?

I would venture to guess that it's setup in tunnel mode. If so, try changing the config to use gre/ipsec with transport mode (restricted to protocol 47). This will change your policy to only match the packets with source of MT Router and Destination of (external IP) of Branch office, and only for protocol 47. Now your router should stop swallowing traffic destined for the remote LAN, and properly send them along to the secondary route.
 
wh1test
just joined
Topic Author
Posts: 12
Joined: Fri Sep 30, 2016 9:33 am

Re: IPSec dual links

Sat Oct 01, 2016 9:09 pm

[quote]Is your IPSec setup at transport or tunnel mode?

I would venture to guess that it's setup in tunnel mode. If so, try changing the config to use gre/ipsec with transport mode (restricted to protocol 47). This will change your policy to only match the packets with source of MT Router and Destination of (external IP) of Branch office, and only for protocol 47. Now your router should stop swallowing traffic destined for the remote LAN, and properly send them along to the secondary route.[/quote]
Thank you very much for your response, ucs75!
Yes, you are right, I used Tunnel mode.
I configured an IPIP tunnel with transport mode and redid the route tracking. Now everything works fine.

One inconvenience exists. I cannot ping (access) WAN IP of branch Cisco892 and vice versa (From remote side I cannot ping WAN IP of Mikrotik). Is it fixable?
 
ucs75
newbie
Posts: 32
Joined: Fri Sep 20, 2013 10:06 pm

Re: IPSec dual links

Sun Oct 02, 2016 4:44 am

[quote]One inconvenience exists. I cannot ping (access) WAN IP of branch Cisco892 and vice versa (From remote side I cannot ping WAN IP of Mikrotik). Is it fixable?[/quote]

In your IPSec Policy, General Tab -- look for the Protocol Field. Set this to 4.
This will restrict the encryption policy to only match on this protocol (ignoring ICMP). From what I read the IPIP protocol is either 4 or 94. Try 4 first.
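For anyone following this thread later, here is what the two suggestions above (transport-mode IPsec carrying a tunnel, with the policy narrowed to the tunnel protocol) look like as a complete RouterOS 6.37 configuration for the Mikrotik side. This is an example added here, not the original poster's or ucs75's own config: the addresses are constructed from the RFC 5737 documentation ranges, the pre-shared key is a placeholder, and it uses IPIP (protocol 4, shown in RouterOS as `ipencap`) because that is what the poster ended up with; the Cisco 892 side is not covered by the thread and is not shown. Later RouterOS versions moved the peer secret and IKE algorithms into `/ip ipsec identity` and `/ip ipsec profile`, so the peer section below is 6.3x syntax.

```routeros
# Constructed example addresses (RFC 5737 ranges), not the poster's real IPs:
#   Mikrotik WAN on ISP1 ........ 203.0.113.10   LAN behind Mikrotik ...... 192.168.1.0/24
#   Cisco 892 WAN ............... 198.51.100.20  LAN behind Cisco 892 ..... 192.168.2.0/24
#   ISP1 default gateway ........ 203.0.113.1
#   PIX inside address (ISP2) ... 10.0.0.1       (backup path to the branch)

# 1. IPIP tunnel between the two public addresses. Branch traffic is routed into
#    this interface, so the only packets that leave the WAN for 198.51.100.20 on
#    the primary path are IP-in-IP (protocol 4) with these two outer addresses.
/interface ipip
add name=ipip-branch local-address=203.0.113.10 remote-address=198.51.100.20
/ip address
add address=172.16.0.1/30 interface=ipip-branch comment="tunnel inside address (assumed)"

# 2. IKE peer, 6.3x syntax (pre-shared key and phase-1 algorithms live on the peer entry).
/ip ipsec peer
add address=198.51.100.20/32 secret="CHANGE-ME-PLACEHOLDER" exchange-mode=main \
    hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024

# 3. Transport-mode policy (tunnel=no) that matches ONLY protocol 4 between the two
#    WAN addresses. protocol=ipencap is what WinBox shows as "4 (ip-encap)". With the
#    default protocol=all, ICMP or management traffic from this router to the peer's
#    WAN IP would also be pulled into the policy, which is the "cannot ping the
#    WAN IP" symptom; with a tunnel-mode LAN-to-LAN policy, branch traffic would be
#    matched regardless of which route is active, which is the failover symptom.
/ip ipsec policy
add src-address=203.0.113.10/32 dst-address=198.51.100.20/32 protocol=ipencap \
    tunnel=no action=encrypt level=require ipsec-protocols=esp \
    sa-src-address=203.0.113.10 sa-dst-address=198.51.100.20 proposal=default

# 4. Failover is done by routing, not by the policy. The tunnel's outer packets are
#    pinned to ISP1; the branch LAN is reached via the tunnel while its far end answers
#    pings, otherwise via the PIX/ISP2 path at a higher distance.
/ip route
add dst-address=198.51.100.20/32 gateway=203.0.113.1 comment="tunnel endpoint via ISP1 only"
add dst-address=192.168.2.0/24 gateway=172.16.0.2 distance=1 check-gateway=ping
add dst-address=192.168.2.0/24 gateway=10.0.0.1 distance=2 comment="backup via PIX / ISP2"
```

The point to check after applying something like this is `/ip ipsec policy print` (the policy should show protocol `ipencap`, not `all`) and `/ip ipsec installed-sa print` while a ping from the Mikrotik's WAN address to the branch WAN address runs: that ping should go out in the clear and be answered, while only the IPIP packets consume the SA. The host route for the tunnel endpoint is an assumption added so that the IPIP outer packets do not try to leave through the PIX when the default route tracking flips.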
 
jaytcsd
Member
Posts: 342
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: IPSec dual links

Sun Oct 02, 2016 8:26 am

[quote]In your IPSec Policy, General Tab -- look for the Protocol Field. [/quote]

Any idea if tunnel security or speed is increased by limiting to a specific protocol?
 
wh1test
just joined
Topic Author
Posts: 12
Joined: Fri Sep 30, 2016 9:33 am

Re: IPSec dual links

Sun Oct 02, 2016 9:59 am

[quote]One inconvenience exists. I cannot ping (access) WAN IP of branch Cisco892 and vice versa (From remote side I cannot ping WAN IP of Mikrotik). Is it fixable?

In your IPSec Policy, General Tab -- look for the Protocol Field. Set this to 4.
This will restrict the encryption policy to only match on this protocol (ignoring ICMP). From what I read the IPIP protocol is either 4 or 94. Try 4 first.[/quote]
Yeah! Setting Protocol to "4 (ip-encap)" instead of "255 (all)" fixed the trouble. Thank you, ucs75!
 
ucs75
newbie
Posts: 32
Joined: Fri Sep 20, 2013 10:06 pm

Re: IPSec dual links

Sun Oct 02, 2016 11:50 pm

jaytcsd,

Think of IP-->IPSEC-->Policy-->General as a matching filter. Only packets that match the Source Address, Destination Address, and Protocol will be matched and acted upon. Everything else will be processed as normal. If you leave this too broad, you can shoot yourself in the foot by blocking ICMP or Remote Management to the public IP of the remote endpoint.

It's really more of a functional issue.