sylaan
just joined
Topic Author
Posts: 13
Joined: Fri Jun 15, 2012 10:17 pm

IPSec VPN when remote network is 0.0.0.0

Mon Aug 27, 2012 9:58 am

Hi All,

I am evaluating a RB411-3G as a possible replacement for a combination of Cisco router + external 3G modem for some remote locations. The router has to build an IPSec VPN connection to a central Cisco ASA and tunnel everything through, that is corporate traffic and internet access. In Cisco world, this is a normal Remote Access VPN connection where the local network is something like 10.106.200.0/24 and the remote network (i.e. on the ASA side) is "any", i.e. 0.0.0.0.

The problem I am having is that whenever the IPSec connection is online, I lose all access to the Mikrotik router itself over IP. Traffic *through* the router works fine, I can reach IPs across the VPN tunnel, no problem there. But the only way to access the Mikrotik is via the console cable. It's not even possible over the MAC address.

After some digging around I identified the problem as being the ipsec policy. Whenever I disable the policy, the IP connectivity to the router comes up and I can access it fine via SSH/Winbox. The policy looks like this:
[admin@murs411U-3G] /ip ipsec policy> print detail  value-list
      src-address: 10.106.200.0/24
         src-port: any
      dst-address: 0.0.0.0/0
         dst-port: any
         protocol: all
           action: encrypt
            level: unique
  ipsec-protocols: esp
           tunnel: yes
   sa-src-address: 0.0.0.0
   sa-dst-address: <Cisco ASA Public IP>
         proposal: default
         priority: 0
If I change dst-address from 0.0.0.0 to some other network (i.e. the corporate B-Class) then it works, VPN stays up and works fine, I can still access the router itself from the local network. Internet access through the tunnel does not work anymore, obviously, which means this is not an acceptable solution.

Why am I losing connection to the router when the dst-address is 0.0.0.0/0 ? And how can I prevent that while still tunneling everything through the VPN ?

Best regards,
Sylaan
 
becs
MikroTik Support
MikroTik Support
Posts: 499
Joined: Thu Jul 07, 2011 8:26 am

Re: IPSec VPN when remote network is 0.0.0.0

Mon Aug 27, 2012 11:39 am

You need another policy which does not encrypt traffic destined back to 10.106.200.0/24, thereby allowing access to the router.

Configuration with these two policies should work:
[admin@MikroTik] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive 
 0   src-address=10.106.200.0/24 src-port=any dst-address=0.0.0.0/0 dst-port=any 
     protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
     sa-src-address=0.0.0.0 sa-dst-address=<Cisco ASA Public IP> proposal=default 
     manual-sa=none priority=0 

 1   src-address=10.106.200.1/32 src-port=any dst-address=10.106.200.0/24 
     dst-port=any protocol=all action=none level=require ipsec-protocols=esp 
     tunnel=no sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default 
     manual-sa=none priority=1 
Note: Remember to set higher priority for the second policy. Higher number - higher priority.
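To see why the single 0.0.0.0/0 policy swallows the router's own replies to the LAN and why the second policy fixes it, here is a small model of the policy lookup (an added illustration, not RouterOS code or anything from the thread). It assumes the router's LAN address is 10.106.200.1 and uses constructed addresses for the admin PC and a corporate host; it mirrors only the rule stated above: match on src/dst prefix, higher priority number wins.

```python
"""Toy model of IPsec policy selection for the two configurations in this
thread. Added illustration only: it models the matching rule described
(prefix match on src/dst, higher priority number wins), not RouterOS itself."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    src: str        # src-address prefix
    dst: str        # dst-address prefix
    action: str     # "encrypt" or "none"
    priority: int   # higher number wins when several policies match


def select_policy(policies: List[Policy], src_ip: str, dst_ip: str) -> Optional[Policy]:
    """Return the matching policy with the highest priority, or None if no policy matches."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    matches = [p for p in policies
               if s in ip_network(p.src) and d in ip_network(p.dst)]
    return max(matches, key=lambda p: p.priority) if matches else None


def disposition(policies: List[Policy], src_ip: str, dst_ip: str) -> str:
    """What happens to a packet: 'encrypt' (into the tunnel), 'none' (sent in clear) or 'bypass'."""
    p = select_policy(policies, src_ip, dst_ip)
    return p.action if p else "bypass"


# Single policy from the original post: everything sourced from the LAN is encrypted,
# including the router's own replies to a LAN host, so management traffic never returns.
ORIGINAL = [Policy("10.106.200.0/24", "0.0.0.0/0", "encrypt", 0)]

# Two policies from the reply: traffic from the router's address (assumed 10.106.200.1)
# back into the LAN is exempted by a policy with a higher priority number.
FIXED = ORIGINAL + [Policy("10.106.200.1/32", "10.106.200.0/24", "none", 1)]

ROUTER_IP = "10.106.200.1"   # assumption: router's LAN address
ADMIN_PC = "10.106.200.50"   # constructed: LAN host running Winbox/SSH
CORP_HOST = "10.1.2.3"       # constructed: host reached through the ASA

if __name__ == "__main__":
    for name, pol in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, "router->admin:", disposition(pol, ROUTER_IP, ADMIN_PC),
              "| LAN->corp:", disposition(pol, ADMIN_PC, CORP_HOST))
```

With the original policy the router's reply to the admin PC is selected for encryption; with the second policy it is sent in the clear while LAN-to-corporate traffic still goes through the tunnel.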
 
sylaan
just joined
Topic Author
Posts: 13
Joined: Fri Jun 15, 2012 10:17 pm

Re: IPSec VPN when remote network is 0.0.0.0

Mon Aug 27, 2012 2:55 pm

Thanks! I thought the solution should be something along those lines but I was not really sure how it could be implemented. I will give it a try and let you know.
 
sylaan
just joined
Topic Author
Posts: 13
Joined: Fri Jun 15, 2012 10:17 pm

[SOLVED] Re: IPSec VPN when remote network is 0.0.0.0

Tue Aug 28, 2012 4:51 pm

Works fine, thanks again becs.
