
IPSec Policy Invalid

Posted: Tue Jun 14, 2011 8:38 pm
by romulolimas
Hi,

I have a MikroTik (RouterOS V5.4) working with a Cisco router via an IPsec VPN (tunnel). As we need redundancy, we use two peers for the connection, but when I enable the peer policies, only one becomes active; the other becomes invalid. I really don't know what happened.
Another problem I've noted is that when I manually disable the active policy, the other remains invalid.
I would really appreciate help with this issue because without this I have no redundancy on my VPN.

Thanks a lot.

Best Regards,
Rômulo Lima

Re: IPSec Policy Invalid

Posted: Wed Jun 15, 2011 12:16 pm
by sergejs
Please post the /ip ipsec policy configuration. When a policy uses the same src/dst-address, it will become invalid.

Re: IPSec Policy Invalid

Posted: Wed Jun 15, 2011 3:48 pm
by romulolimas
Hi Sergejs,

In fact, the source and destination addresses are the same on both policies, but if the two peers serve the same networks, how could I use different addresses?
My idea is to work with two peers, where one is active and the other is in standby.

Do you understand?

The policy configuration follows:

/ip ipsec policy
add action=encrypt comment="Embratel Peer - 189.x.x.117" disabled=no dst-address=192.168.0.0/24 dst-port=any ipsec-protocols=esp level=require priority=10 \
proposal=proposal_killing protocol=all sa-dst-address=189.x.x.117 sa-src-address=201.x.x.114 src-address=192.168.4.0/24 src-port=any tunnel=yes
add action=encrypt comment="Embratel Peer - 189.X.x.141" disabled=no dst-address=192.168.0.0/24 dst-port=any ipsec-protocols=esp level=require priority=15 \
proposal=proposal_killing protocol=all sa-dst-address=189.x.x.141 sa-src-address=201.x.x.114 src-address=192.168.4.0/24 src-port=any tunnel=yes


Thank you.
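
A check for the condition sergejs describes (two enabled policies with the same src-address and dst-address), as an added example that is not part of the original thread or MikroTik's own code. It parses an /ip ipsec policy export and lists the policies that collide; the sample export is constructed with documentation addresses and the function names are hypothetical.

```python
import shlex
from collections import defaultdict

# Constructed sample in the shape of the export posted above (placeholder addresses).
SAMPLE_EXPORT = r'''/ip ipsec policy
add action=encrypt comment="Peer A" disabled=no dst-address=192.168.0.0/24 priority=10 \
    sa-dst-address=198.51.100.117 sa-src-address=203.0.113.114 src-address=192.168.4.0/24 tunnel=yes
add action=encrypt comment="Peer B" disabled=no dst-address=192.168.0.0/24 priority=15 \
    sa-dst-address=198.51.100.141 sa-src-address=203.0.113.114 src-address=192.168.4.0/24 tunnel=yes
add action=encrypt comment="Branch 2" disabled=yes dst-address=192.168.0.0/24 \
    sa-dst-address=198.51.100.141 sa-src-address=203.0.113.114 src-address=192.168.4.0/24 tunnel=yes
add action=encrypt comment="Other site" disabled=no dst-address=10.9.0.0/24 \
    sa-dst-address=198.51.100.141 sa-src-address=203.0.113.114 src-address=192.168.4.0/24 tunnel=yes
'''

def parse_policies(export_text):
    """Return one dict of key=value fields per 'add' line under /ip ipsec policy."""
    joined = export_text.replace("\\\n", " ")  # undo the export's line continuations
    policies, in_section = [], False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):               # a new menu path starts a new section
            in_section = (line == "/ip ipsec policy")
            continue
        if in_section and line.startswith("add "):
            tokens = shlex.split(line)[1:]     # shlex keeps quoted comments as one token
            policies.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return policies

def conflicting_policies(policies):
    """Group enabled policies sharing src-address and dst-address (the rule from the thread)."""
    groups = defaultdict(list)
    for p in policies:
        # Disabled entries are skipped: per the replies, disabling one frees the other.
        if p.get("disabled", "no") == "no":
            groups[(p.get("src-address"), p.get("dst-address"))].append(p)
    return {sel: ps for sel, ps in groups.items() if len(ps) > 1}

if __name__ == "__main__":
    found = conflicting_policies(parse_policies(SAMPLE_EXPORT))
    for (src, dst), group in found.items():
        print(f"{src} -> {dst}: only one of these policies can be active at a time")
        for p in group:
            print(f"  peer {p.get('sa-dst-address')} ({p.get('comment', '')})")
```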

Re: IPSec Policy Invalid

Posted: Wed Jun 15, 2011 4:01 pm
by sergejs
Yes, it was clear from your description in the original post. Currently there is no such option; the first policy should be disabled before the second will start to work without the "i" letters.

Re: IPSec Policy Invalid

Posted: Thu Jun 16, 2011 4:23 am
by romulolimas
Ok Sergejs,

Thank you for the explanation. I will try to make redundancy with scripts anyway.

Best Regards,

Rômulo Lima

Re: IPSec Policy Invalid

Posted: Thu Jun 16, 2011 8:17 am
by sergejs
Currently this is the only way. We are working on an option to change this behavior in the future.

Re: IPSec Policy Invalid

Posted: Sun Jun 26, 2011 7:08 pm
by pylon
Hi Rômulo Lima,

I'm also stuck with this problem.
Did you come up with a script-based solution in the meantime, and would you mind sharing it?

I'd highly appreciate it.

Thanks and best regards,
-pylon

Re: IPSec Policy Invalid

Posted: Fri Feb 20, 2015 2:58 am
by eganclose
I am also stuck with the exact same problem.
Can you please advise if you managed to get it resolved and if you can share your solution?
Regards

Re: IPSec Policy Invalid

Posted: Fri Feb 20, 2015 7:51 am
by eganclose
Hi, is this problem solved?
I am also stuck with the same issue.
Unfortunately, I cannot have redundancy because of this.

Re: IPSec Policy Invalid

Posted: Thu Jan 05, 2017 12:55 pm
by fl0pp
I have the same problem. What is the priority option for, if the policy is stuck in invalid?