Hi All,
Hoping for some guidance and help here. We have a Mikrotik CCR1036 running v6.19.
We have two ADSL WAN connections (let’s call them ADSL#1 and ADSL#2) and wish to use the CCR1036 to be our IPSec gateway to our many remote offices (16 remote connections). We are not interested in load balancing the two ADSL connections nor do we want to set up failover. We only want to be able to specify which IPSec tunnel goes on which ADSL connection.
Following the various guides and the manual, we set up the IPSec Policies (IP - IPSec - Policies) and Peers (IP - IPSec - Peers) followed by the NAT (IP - Firewall - NAT) rules to allow traffic across the IPSec tunnels. When configuring the CCR1036 with only one ADSL connection (ADSL#1), the VPNs work just fine. A few remote offices have RB2011 routers but most have Billion VPN routers.
When we set up the CCR1036 with both ADSL connections, we had hoped to split our remote connections across the two ADSL connections by geographic regions (they quite neatly fall into 2 main regions - we’ll call them Region1 and Region2).
So, we modified the SA Src Address entry under Policies for Region2 offices and changed the address to the ADSL#2 WAN IP address. We made the required changes at the Region2 office routers to connect to the ADSL#2 WAN address. This allowed the VPNs to reconnect and we now have Region1 offices connecting to ADSL#1 and Region2 offices connecting to ADSL#2. This works but only sometimes. We appear to be missing some configuration as we have issues with this setup which I’ll try and summarise here :-
- At random times, some, not all VPNs stop passing traffic. The VPNs are still up based on the router status screens at both ends. Affected VPNs can be from either ADSL#1 or ADSL#2 connections (sometimes both). You cannot ping or do anything across the tunnel.
- Rebooting the remote end routers does not fix the problem. The VPNs re-establish easily enough but no traffic will pass through them. Rebooting the CCR1036 via Winbox or WebFig never fixes the problem - sometimes, this fixes some of the connections but causes formerly working tunnels to now exhibit the problem. A power cycle of the CCR1036 will often fix the issue for a while but not always.
- Can occur if the CCR1036 was initiator or responder for an affected tunnel.

Are there any configuration settings we need to put in to ensure the CCR1036 isn’t getting confused by the two ADSL connections? The VPNs work properly when the CCR has only one ADSL connection (can be either ADSL#1 or ADSL#2 as long as there is only one configured at a time). To reiterate, we don’t want load balancing or failover, just a clear cut separation of the remote connections between ADSL#1 and ADSL#2.
Any and all help, greatly appreciated. Please feel free to ask if you need any further details.
Thanks.
CK