Hi all,

I have quick question:
I am configuring s2s ipsec vpn to connect single local host(MK) to 6 remote hosts(asa).
So,
1. do i have to create 6 policies in MK?
2. Can I disable pfs in MK or is it enable by default?
3. and also how to configure nat bypass in MK.
For ex.

MK local host : a.a.a.a
asa remote hosts : b.b.b.b, c.c.c.c, d.d.d.d, e.e.e.e, f.f.f.f, g.g.g.g

So is this going to be right?:
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
src-address=a.a.a.a/32 dst-address=b.b.b.b/32
src-address=a.a.a.a/32 dst-address=c.c.c.c/32
src-address=a.a.a.a/32 dst-address=d.d.d.d/32
src-address=a.a.a.a/32 dst-address=e.e.e.e/32
src-address=a.a.a.a/32 dst-address=f.f.f.f/32
src-address=a.a.a.a/32 dst-address=g.g.g.g/32

OR

/ip firewall nat
add chain=srcnat action=accept place-before=0 \
src-address=a.a.a.a/32 dst-address=b.b.b.b/32

/ip firewall nat
add chain=srcnat action=accept place-before=0 \
src-address=a.a.a.a/32 dst-address=c.c.c.c/32
.
.
. and so on.
???????????????

I'll appreciate if anyone share similar working scenario or Example............Thanks.

What are those 6 hosts? What is asa and are there only 1 wrkstn or more and behind NAT?

1. do i have to create 6 policies in MK?
2. Can I disable pfs in MK or is it enable by default?
3. and also how to configure nat bypass in MK.

1. Yes
2. I don't know what the default is, but you would set "pfs-group=none" under "/ip ipsec proposals"
3. Your second example. One accept rule at the top of the srcnat chain for each VPN tunnel - unless you can summarize the space into fewer statements. If the hub is 172.16/16 and the spokes are each in 10/8 space with that space present nowhere at the hub you can just accept (NAT zero, or identity NAT) 172.16/16 to 10/8.