Priority of connections
Posted: Wed Oct 28, 2015 9:02 am
by andrace
How does RouterOS decide where to forward traffic if there are two connections into one private subnet, one via IPIP and one via IPsec?
Re: Priority of connections
Posted: Sun Nov 01, 2015 7:26 pm
by andrace
What is happening? Nobody knows?!!
Re: Priority of connections
Posted: Sun Nov 01, 2015 7:59 pm
by chechito
Guessing, because of the little information provided:
I suppose your IPsec tunnel goes to the WAN interface.
I suppose your WAN interface has a default route.
Because of that, if the IPIP tunnel has a more specific route than the default, the traffic will go through it.
Re: Priority of connections
Posted: Tue Nov 03, 2015 1:13 pm
by andrace
I suppose your IPsec tunnel goes to the WAN interface - YES
I suppose your WAN interface has a default route - YES
Because of that, if the IPIP tunnel has a more specific route than the default, the traffic will go through it - BUT NO!!!
This is my headache: from time to time RouterOS forwards the traffic, choosing an interface at random. I don't see IPsec routes in the main routing table, and obviously I can't assign the right priority.
How and where can I see more information about routes via IPsec?
In the IPsec policy I can set the metric for the route, but the documentation says that a higher number is a higher priority, while on the other hand for IPIP routes a higher number is a lower priority.
Why don't I see IPsec routes in the main routing table?
Is the main routing table affected by the IPsec policy metric?
Re: Priority of connections
Posted: Tue Nov 03, 2015 3:04 pm
by andriys
IPsec does not use the routing table at all. Whatever traffic satisfies your IPsec policy will be encrypted and sent out the IPsec tunnel. You have to have a default route or a dummy specific route for your inner-tunnel IPsec traffic (if you fail to provide this, your inner-tunnel packets will be dropped before even reaching the IPsec processing stage), but otherwise routing table entries are completely ignored when it comes to the processing of outgoing IPsec-encrypted packets.
Re: Priority of connections
Posted: Tue Nov 03, 2015 5:22 pm
by andrace
......ok. If I understood correctly, it means that if I set a metric of 20 on the default route and a metric of 10 on the IPIP route, the traffic goes via IPIP, is that right?
Re: Priority of connections
Posted: Tue Nov 03, 2015 8:08 pm
by pe1chl
> ......ok. If I understood correctly, it means that if I set a metric of 20 on the default route and a metric of 10 on the IPIP route, the traffic goes via IPIP, is that right?
No. It is not possible to get traffic flowing another way when you have an IPsec policy. It will always take priority.
When you need to have different routes and IPsec is one of them, set up an IPIP or GRE tunnel with IPsec transport, and route the traffic over that tunnel.
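The decision order described by andriys and pe1chl above, as a simplified Python model added here (it is not RouterOS code and not from any poster). The addresses, interface names and the endpoint-only policy standing in for "IPIP with IPsec transport" are constructed assumptions.

```python
import ipaddress

def pick_route(routes, dst):
    """Routing table lookup: longest prefix wins, then the lowest distance."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), dist, gw)
            for net, dist, gw in routes
            if dst in ipaddress.ip_network(net)]
    if not hits:
        return None
    return min(hits, key=lambda h: (-h[0].prefixlen, h[1]))[2]

def forward(routes, policies, src, dst):
    """Model of the outgoing path: a route must exist, then policy matching decides."""
    gw = pick_route(routes, dst)
    if gw is None:
        return "drop (no route)"   # dropped before the IPsec stage is reached
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p_src, p_dst in policies:
        if s in ipaddress.ip_network(p_src) and d in ipaddress.ip_network(p_dst):
            return "ipsec"         # a policy match wins whatever route was picked
    return gw                      # no policy match: the routing table decides

# Constructed sample data (not taken from the thread)
LAN_A, LAN_B = "10.1.0.0/24", "10.2.0.0/24"
ROUTES = [("0.0.0.0/0", 20, "wan"), (LAN_B, 10, "ipip1")]
# Policy written on the private subnets: captures all LAN-to-LAN traffic.
SUBNET_POLICY = [(LAN_A, LAN_B)]
# Policy written only on the tunnel endpoints (IPsec protecting the IPIP packets).
ENDPOINT_POLICY = [("192.0.2.1/32", "198.51.100.1/32")]

if __name__ == "__main__":
    for name, pol in (("subnet policy", SUBNET_POLICY),
                      ("endpoint policy", ENDPOINT_POLICY)):
        print(name, "->", forward(ROUTES, pol, "10.1.0.5", "10.2.0.9"))
```

With the subnet policy the IPIP route's lower distance never matters; with the endpoint-only policy the routing table picks the path and the encapsulated packets are still protected.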
Re: Priority of connections
Posted: Tue Nov 03, 2015 8:21 pm
by andrace
Thanks for your help, it is clearer now. The main problem is a dynamic IP, and the one thing I can use now, from my point of view, is IPsec. Or can you advise something else?
Re: Priority of connections
Posted: Tue Nov 03, 2015 9:37 pm
by pe1chl
IPsec itself is not a problem but you must drop the requirement to use it in a priority scheme.
Re: Priority of connections
Posted: Tue Nov 03, 2015 10:15 pm
by andrace
Ok, thanks to all, and to pe1chl separately!!!
But as one of the great minds says, all genius is simple. And in my case I just should have used L2TP with IPsec instead of plain IPsec )))))