andriss
just joined
Topic Author
Posts: 3
Joined: Wed Nov 07, 2012 3:48 pm

Site to Site IPSec with multiple policies (multiple LANs)

Wed Nov 07, 2012 4:29 pm

Hello all,

Tried to search the forum for this, but got no luck, so opening a new post; if someone can direct me to the right post about this, please do.

So, in a nutshell - I have to make a tunnel between two sites; the problem is that one site has two different subnets (both should go through the tunnel). On one site there is a Mikrotik router, on the other a different vendor. The problem is that I seem to fail at teaching Mikrotik to forward both subnets via the tunnel. If I make two policies, the first one works on the first ping, then if I ping from the other subnet (to the other subnet) it works, but afterwards the first subnet fails.

Configuration on Mikrotik is as follows:

/ip ipsec proposal
set default auth-algorithms=md5,sha1 disabled=no \
enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024

/ip ipsec peer
add address=10.0.98.1/32 auth-method=pre-shared-key \
dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
md5 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 \
proposal-check=obey secret=12345 send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=10.2.0.0/24 dst-port=any \
ipsec-protocols=esp level=require priority=1 proposal=default protocol=all \
sa-dst-address=10.0.98.1 sa-src-address=10.0.99.1 \
src-address=10.1.0.0/24 src-port=any tunnel=yes
add action=encrypt disabled=no dst-address=10.2.1.0/24 dst-port=any \
ipsec-protocols=esp level=require priority=1 proposal=default protocol=all \
sa-dst-address=10.0.98.1 sa-src-address=10.0.99.1 \
src-address=10.1.0.0/24 src-port=any tunnel=yes

Network 10.1.0.0/24 is behind Mikrotik, networks 10.2.0.0/24 and 10.2.1.0/24 are behind the other end (I know that they can be summarized; that is not an option in real life as those are not summarizable).
NAT rules:
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=10.2.0.0/24 src-address=10.1.0.0/24
add action=accept chain=srcnat disabled=no dst-address=10.2.1.0/24 src-address=10.1.0.0/24
add action=masquerade chain=srcnat disabled=no out-interface=ether2-master-local

When I flush all SAs and try to ping 10.2.0.2 from 10.1.0.2, the tunnel comes up and the ping is OK; afterwards, when I ping 10.2.1.2 from the same host, with one packet lost, it pings, but then the first ping never works (until flushing of SAs).

Maybe I'm trying to do things wrong, or it cannot be done on MT; any suggestion will do.
btw using: RB750G RouterOS v5.11 (I can upgrade to v6.x, but I really think this isn't a sw bug, it's more like MT works, or doesn't)


br
andriss
 
andriss
just joined
Topic Author
Posts: 3
Joined: Wed Nov 07, 2012 3:48 pm

Re: Site to Site IPSec with multiple policies (multiple LANs)

Mon Nov 12, 2012 3:10 pm

NVM, found solution:

http://forum.mikrotik.com/viewtopic.php?f=2&t=25302

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

Wasn't really straightforward, but in short - Level of every policy should be set to "unique" instead of "required"

br
andriss
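As an added example (not code from the original post, nor from MikroTik), the check below reads a RouterOS `/ip ipsec policy` export like the one posted above, embedded here as a constructed sample, and flags the situation this thread runs into: several tunnel policies that point at the same sa-src-address/sa-dst-address pair while keeping level at its default of require, so they compete for one SA instead of each acquiring its own. It then prints the same `add` lines with level=unique, which is the fix the solution post describes. The function names parse_policies, find_shared_sa_conflicts and with_unique_level are my own and not RouterOS commands.

```python
"""Lint a RouterOS '/ip ipsec policy' export for policies that share one SA pair.

Added example for this thread. Assumption (from the RouterOS manual): level=require
makes a policy acquire an SA it may share with other policies that have the same SA
endpoints, while level=unique makes it acquire an SA used only by that policy.
"""
import shlex
from collections import defaultdict

# Constructed sample: the two policies from the original post, both with level=require.
SAMPLE_EXPORT = """\
/ip ipsec policy
add action=encrypt disabled=no dst-address=10.2.0.0/24 dst-port=any \\
ipsec-protocols=esp level=require priority=1 proposal=default protocol=all \\
sa-dst-address=10.0.98.1 sa-src-address=10.0.99.1 \\
src-address=10.1.0.0/24 src-port=any tunnel=yes
add action=encrypt disabled=no dst-address=10.2.1.0/24 dst-port=any \\
ipsec-protocols=esp level=require priority=1 proposal=default protocol=all \\
sa-dst-address=10.0.98.1 sa-src-address=10.0.99.1 \\
src-address=10.1.0.0/24 src-port=any tunnel=yes
"""


def parse_policies(export_text):
    """Return one dict of key=value attributes per 'add' line under /ip ipsec policy.

    RouterOS exports wrap long lines with a trailing backslash; those continuations are
    joined first. Other sections of the export are ignored.
    """
    joined = export_text.replace("\\\n", " ")
    policies = []
    section = None
    for line in joined.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line
            continue
        if section != "/ip ipsec policy" or not line.startswith("add "):
            continue
        attrs = {}
        for token in shlex.split(line[4:]):  # shlex handles quoted values such as ""
            key, _, value = token.partition("=")
            attrs[key] = value
        policies.append(attrs)
    return policies


def find_shared_sa_conflicts(policies):
    """Group enabled tunnel policies by (sa-src-address, sa-dst-address).

    A group with more than one policy whose level is not 'unique' is reported: those
    policies will try to share a single SA even though their selectors differ.
    RouterOS defaults level to 'require' when it is omitted.
    """
    groups = defaultdict(list)
    for p in policies:
        if p.get("tunnel") != "yes" or p.get("disabled") == "yes":
            continue
        groups[(p.get("sa-src-address"), p.get("sa-dst-address"))].append(p)
    conflicts = []
    for endpoints, members in groups.items():
        sharing = [p for p in members if p.get("level", "require") != "unique"]
        if len(sharing) > 1:
            conflicts.append((endpoints, sharing))
    return conflicts


def with_unique_level(policies):
    """Render the policies back as RouterOS 'add' lines with level=unique."""
    fixed = []
    for p in policies:
        attrs = dict(p)
        attrs["level"] = "unique"
        parts = [f'{k}={v if v != "" else chr(34) * 2}' for k, v in attrs.items()]
        fixed.append("add " + " ".join(parts))
    return fixed


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_EXPORT)
    for (sa_src, sa_dst), members in find_shared_sa_conflicts(pols):
        print(f"{len(members)} policies share SA {sa_src} -> {sa_dst} without level=unique:")
        for p in members:
            print(f"  {p['src-address']} -> {p['dst-address']} (level={p.get('level', 'require')})")
        print("suggested /ip ipsec policy lines:")
        for line in with_unique_level(members):
            print("  " + line)
```

Run it against `/ip ipsec policy export` output from the router; the remote vendor's side still needs a matching pair of phase 2 selectors, one per subnet, for both tunnels to stay up at once.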
 
Jacka
Member Candidate
Posts: 125
Joined: Thu Jan 13, 2011 11:34 am

Re: Site to Site IPSec with multiple policies (multiple LANs)

Tue Nov 13, 2012 8:35 am

Same here. If someone could come with a solution we would really appreciate, thank you.
 
eXtremer
Frequent Visitor
Posts: 92
Joined: Fri Nov 26, 2010 10:33 am

Re: Site to Site IPSec with multiple policies (multiple LANs)

Tue Nov 13, 2012 9:39 am

NVM, found solution:
http://forum.mikrotik.com/viewtopic.php?f=2&t=25302
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
Wasn't really straightforward, but in short - Level of every policy should be set to "unique" instead of "required"

br
andriss

Have you tested it? In my case it didn't help.
