Hi there, I have a problem configuring two IPsec tunnels from a dual-WAN MikroTik to another MikroTik acting as the “IPsec server”.
Schema:

The main goal of this configuration is VPN failover with minimal outage if one of the ISPs goes down on R2. The next problem is that R2 is behind double NAT, so I can't just make two EoIP or GRE tunnels. To solve this, I decided to make two IPsec IKEv2 tunnels from the different ISPs; inside these tunnels I can then build, for example, EoIP tunnels, aggregate them in a bonding interface and run it in active-backup mode. The main problem is that I can't establish two IPsec connections simultaneously from the different WANs. If one IPsec connection is established, everything works perfectly, but when the second one connects, the first connection is dropped after a minute or so. After another minute the first connection comes back up, but the second one is dropped. I'm building all of this in my test lab for now; here are my MikroTik configs:
R2:
# R2 base interfaces: LAN bridge, LTE/wireless defaults, the GRE tunnel and the WAN interface list.
/interface bridge
add name=bridge1
# Disabled bridge named "loopback"; the inner 172.16.100.x addresses bound to it under /ip address are disabled as well.
add disabled=yes name=loopback
/interface lte
# sim not present
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireless
# NOTE(review): no WPA/authentication settings are visible for these radios or for the
# default security profile further down, and wlan1/wlan2 are bridged into bridge1.
# Confirm the radios are disabled or secured before this leaves the lab.
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface gre
# GRE endpoints are the inner addresses 172.16.100.16 / 172.16.100.100, the same pair
# matched by the first static IPsec policy in this export. No ipsec-secret is set on the
# GRE interface itself, so its protection depends on that policy matching the traffic.
add local-address=172.16.100.16 name=gre-tunnel1 remote-address=\
172.16.100.100
/interface list
# WAN list; ether1 and ether2 are added to it under /interface list member.
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# R2 IKEv2 initiator settings: one mode-config, one policy group, one phase-1 profile,
# two peers (one per WAN) and one phase-2 proposal.
/ip ipsec mode-config
# responder=no: R2 acts as the mode-config client and requests its inner address from R1.
add name=CHR_Gigacloud responder=no use-responder-dns=no
/ip ipsec policy group
add name=CHR_gigacloud
/ip ipsec profile
# Phase 1 (IKE SA): DH group modp2048, AES-256, SHA-256. Matches R1's PTP_profile.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
CHR_gigacloud
/ip ipsec peer
# "R1 public_IP" is the poster's redaction placeholder, not a literal value.
# Both peers target the same remote address and differ only in local-address, so each
# IKE session has to leave through the WAN that owns that address; the /routing rule
# entries at the end of this export select the routing table by source address.
add address=R1 public_IP exchange-mode=ike2 local-address=192.168.10.160 \
name=CHR_Gigacloud_solver profile=CHR_gigacloud
add address=R1 public_IP exchange-mode=ike2 local-address=192.168.60.160 \
name=CHR_Gigacloud_vak profile=CHR_gigacloud
/ip ipsec proposal
# Phase 2 (child SA): AES-256-CBC with SHA-256.
# NOTE(review): pfs-group=none means child-SA rekeys do not perform a fresh
# Diffie-Hellman exchange. Consider enabling a PFS group, set identically on R1's
# PTP_proposal.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=CHR_gigacloud \
pfs-group=none
# R2 per-WAN routing tables, LAN bridge membership, WAN list members, addressing and DNS.
/ip vrf
# NOTE(review): rtab_vak and rtab_solver are declared here as VRFs (interfaces=none) and
# again below as FIB routing tables under the same names; confirm both declarations are
# intended, since the mangle rules and routing rules refer to these names.
add interfaces=none name=rtab_vak
add interfaces=none name=rtab_solver
/routing table
add disabled=no fib name=rtab_solver
add disabled=no fib name=rtab_vak
/interface bridge port
# LAN side: ether3-5 and both radios are members of bridge1.
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip address
# Both WAN addresses are RFC 1918 addresses, consistent with the upstream NAT described
# in the post.
add address=192.168.10.160/24 interface=ether1 network=192.168.10.0
add address=192.168.60.160/24 interface=ether2 network=192.168.60.0
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
# Inner tunnel endpoint addresses; both entries are disabled in this export, as is the
# loopback bridge they are bound to.
add address=172.16.100.15/24 disabled=yes interface=loopback network=\
172.16.100.0
add address=172.16.100.16/24 disabled=yes interface=loopback network=\
172.16.100.0
# Point-to-point /30 on the GRE tunnel (R1 holds 172.16.99.1).
add address=172.16.99.2/30 interface=gre-tunnel1 network=172.16.99.0
/ip dns
set servers=1.1.1.1,8.8.8.8
# R2 firewall: IPsec forward accepts, per-WAN connection/routing marks, and source NAT
# for traffic that is not handled by IPsec.
/ip firewall filter
# NOTE(review): these two accept rules are the only filter rules in the export. There is
# no input chain and no drop rule, so nothing here restricts access to the router itself
# or limits forwarding. Confirm that is acceptable on the WAN-facing interfaces, even in
# the lab, and add input/forward drop rules before production use.
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall mangle
# Mark unmarked connections by the WAN they arrive on. The mark names contain a space
# ("conn _solver", "conn _vak"); every rule below uses the identical string.
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether1 new-connection-mark="conn _solver" passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether2 new-connection-mark="conn _vak" passthrough=no
# Packets of a marked connection that do not arrive from a WAN interface are routed via
# the matching per-WAN table.
add action=mark-routing chain=prerouting connection-mark="conn _solver" \
in-interface-list=!WAN new-routing-mark=rtab_solver passthrough=no
add action=mark-routing chain=prerouting connection-mark="conn _vak" \
in-interface-list=!WAN new-routing-mark=rtab_vak passthrough=no
# Same for router-originated packets (output chain) that belong to a marked connection.
add action=mark-routing chain=output connection-mark="conn _solver" \
new-routing-mark=rtab_solver passthrough=no
add action=mark-routing chain=output connection-mark="conn _vak" \
new-routing-mark=rtab_vak passthrough=no
/ip firewall nat
# ipsec-policy=out,none limits masquerade to traffic that is not subject to an IPsec
# policy, so tunnelled traffic keeps the source address its policy selector expects.
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN
# R2 IKEv2 identities (one per peer, told apart by key-id) and the static tunnel policies.
/ip ipsec identity
# NOTE(review): no auth-method or secret appears on these lines; presumably the export
# hides sensitive values. Confirm each identity uses its own strong pre-shared key or a
# certificate, since a key-id is only a label and authenticates nothing by itself.
# NOTE(review): generate-policy and mode-config are set here while static policies for
# the same /32 pairs exist below; confirm which mechanism is meant to install the
# policies.
add generate-policy=port-override mode-config=CHR_Gigacloud my-id=\
key-id:ho_solver peer=CHR_Gigacloud_solver policy-template-group=\
CHR_gigacloud remote-id=key-id:ho_solver_1
add generate-policy=port-override mode-config=CHR_Gigacloud my-id=\
key-id:ho_vak peer=CHR_Gigacloud_vak policy-template-group=CHR_gigacloud \
remote-id=key-id:ho_vak_1
/ip ipsec policy
# One host-to-host (/32) tunnel policy per peer; level=unique asks for an SA dedicated
# to that policy. The source addresses (172.16.100.16 and .15) are the ones that are
# disabled under /ip address in this export.
add dst-address=172.16.100.100/32 level=unique peer=CHR_Gigacloud_solver \
proposal=CHR_gigacloud src-address=172.16.100.16/32 tunnel=yes
add dst-address=172.16.100.101/32 level=unique peer=CHR_Gigacloud_vak \
proposal=CHR_gigacloud src-address=172.16.100.15/32 tunnel=yes
# R2 routing: two default routes in main, one default route per WAN table, a route to
# R1's LAN through GRE, and source-based rules that pin each WAN address to its table.
/ip route
# main table: Solver (distance 249) is preferred over VAK (distance 251).
# NOTE(review): no check-gateway is set on any of these default routes; confirm how a
# failed upstream is meant to be detected for the failover described in the post.
add comment=VAK disabled=no distance=251 dst-address=0.0.0.0/0 gateway=\
192.168.60.25 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment=Solver disabled=no distance=249 dst-address=0.0.0.0/0 gateway=\
192.168.10.25 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
# Per-WAN tables: each has a single default route with pref-src set to that WAN's address.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.60.25 \
pref-src=192.168.60.160 routing-table=rtab_vak scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.25 \
pref-src=192.168.10.160 routing-table=rtab_solver scope=30 \
suppress-hw-offload=no target-scope=10
# R1's LAN (192.168.20.0/24) is reached through the GRE tunnel peer 172.16.99.1.
add disabled=no dst-address=192.168.20.0/24 gateway=172.16.99.1 \
routing-table=main suppress-hw-offload=no
/routing rule
# Traffic sourced from a WAN address is looked up only in that WAN's table, which is
# what keeps each IPsec peer's packets (bound by local-address) on its own uplink.
add action=lookup-only-in-table disabled=no src-address=192.168.10.160/32 \
table=rtab_solver
add action=lookup-only-in-table disabled=no src-address=192.168.60.160/32 \
table=rtab_vak
/system clock
set time-zone-name=Europe/Kyiv
R1:
# R1 base interfaces: loopback bridge for the inner tunnel addresses, L2TP server
# bindings, the GRE tunnel towards R2 and the VPN interface list.
/interface bridge
# Holds 172.16.100.100 and 172.16.100.101 (see /ip address).
add name=loopback
/interface ethernet
set [ find default-name=ether1 ] comment=Internet disable-running-check=no
set [ find default-name=ether2 ] comment=Local disable-running-check=no
/interface l2tp-server
# Static L2TP server bindings, one per PPP user; four of the five are later added to the
# VPN_tunnels list.
add name=CHR_Vodafone user=CHR_Vodafone
add name=Goronda_GW user=Goronda_GW
add name=Goronda_GW_starlink user=Goronda_GW_starlink
add name=HO_GW_solver user=HO_GW_solver
add name=HO_GW_vak user=HO_GW_vak
/interface gre
# Mirror of R2's gre-tunnel1: inner addresses 172.16.100.100 <-> 172.16.100.16.
add local-address=172.16.100.100 name=gre-tunnel1 remote-address=\
172.16.100.16
/interface list
add name=VPN_tunnels
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# R1 IKEv2 responder settings: per-client mode-config, phase-1 profile, a single passive
# peer, the phase-2 proposal and an address pool.
/ip ipsec mode-config
# Each mode-config hands one fixed inner address to a client and, through split-include,
# names the single remote /32 that client should send through the tunnel.
add address=172.16.100.16 name=HO_solver split-include=172.16.100.100/32 \
system-dns=no
add address=172.16.100.15 name=HO_vak split-include=172.16.100.101/32 \
system-dns=no
/ip ipsec policy group
add name=PTP
/ip ipsec profile
# Phase 1 (IKE SA): DH group modp2048, AES-256, SHA-256. Matches R2's CHR_gigacloud profile.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
PTP_profile
/ip ipsec peer
# One passive (responder-only) peer serves both R2 tunnels. No address= restriction is
# present on this line, so the two sessions are presumably told apart only by the
# identities defined under /ip ipsec identity.
add exchange-mode=ike2 name=CHR_Gigacloud passive=yes profile=PTP_profile
/ip ipsec proposal
# NOTE(review): pfs-group=none means child-SA rekeys do not perform a fresh
# Diffie-Hellman exchange. Consider enabling a PFS group, set identically on R2's
# CHR_gigacloud proposal.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=PTP_proposal \
pfs-group=none
/ip pool
# NOTE(review): ike2-pool is not referenced by either mode-config above (they use
# address=), and its range covers the fixed tunnel and L2TP addresses used elsewhere in
# this export. Confirm whether it is still needed.
add name=ike2-pool ranges=172.16.100.2-172.16.100.254
# R1 system services, L2TP server, VPN list membership, addressing, DNS and the
# address lists used by the firewall.
/port
set 0 name=serial0
set 1 name=serial1
/dude
# NOTE(review): The Dude server is enabled on this router; confirm it is needed, since
# it is one more service listening on the router.
set enabled=yes
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
# L2TP requires IPsec (use-ipsec=required) and MS-CHAPv2.
# NOTE(review): no ipsec-secret appears here, presumably hidden by the export, and the
# "managment" PPP profile is not included in this paste; confirm both before relying on
# this review.
set authentication=mschap2 default-profile=managment one-session-per-host=yes \
use-ipsec=required
/interface list member
# NOTE(review): Goronda_GW_starlink has an L2TP binding but is not a member of
# VPN_tunnels, so the "drop all from vpn interfaces" filter rules do not apply to it.
# Confirm this is intentional.
add interface=HO_GW_solver list=VPN_tunnels
add interface=HO_GW_vak list=VPN_tunnels
add interface=CHR_Vodafone list=VPN_tunnels
add interface=Goronda_GW list=VPN_tunnels
/ip address
# R1_public_IP and R1_public_network are the poster's redaction placeholders.
add address=R1_public_IP/24 interface=ether1 network=R1_public_network
add address=192.168.20.25/24 interface=ether2 network=192.168.20.0
# Inner IPsec endpoint for the "solver" tunnel, also the local GRE endpoint.
add address=172.16.100.100/24 interface=loopback network=172.16.100.0
add address=172.16.99.1/30 interface=gre-tunnel1 network=172.16.99.0
# Inner IPsec endpoint for the "vak" tunnel.
add address=172.16.100.101/24 interface=loopback network=172.16.100.0
/ip cloud
set ddns-enabled=yes update-time=yes
/ip dhcp-client
# NOTE(review): interface=*1 is how RouterOS exports a reference to an interface that no
# longer exists; this entry looks stale and can probably be removed.
add interface=*1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries; exposure
# is limited only by the input-chain filter rules, so keep those tight on ether1.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
# x.x.x.x entries are redacted management source addresses.
add address=x.x.x.x list=managment
add address=x.x.x.x list=managment
# Inner addresses of the L2TP clients (they match the /ppp secret remote-address values).
add address=172.16.100.10 list=mng_devices
add address=172.16.100.11 list=mng_devices
add address=172.16.100.13 list=mng_devices
add address=172.16.100.14 list=mng_devices
# R1 firewall: stateful accepts, management and VPN control-plane accepts, IPsec
# accepts, then drops for ether1 and for new connections from the VPN interfaces.
/ip firewall filter
add action=accept chain=forward comment=established/related connection-state=\
established,related,untracked
add action=accept chain=input comment=established/related connection-state=\
established,related,untracked
# Sources on the "managment" list may reach any router service through ether1.
add action=accept chain=input comment=Managment in-interface=ether1 \
src-address-list=managment
# NOTE(review): port= matches source OR destination port, and the rule has no interface
# or IPsec condition, so it is wider than "IKE, NAT-T and L2TP to this router".
# Consider dst-port=500,4500 for IKE/NAT-T and a separate dst-port=1701 rule with
# ipsec-policy=in,ipsec so L2TP is accepted only inside IPsec.
add action=accept chain=input comment=L2TP port=1701,500,4500 protocol=udp
add action=accept chain=input comment=Ipsec protocol=ipsec-esp
add action=accept chain=forward comment="IPSEC forward" ipsec-policy=in,ipsec
# NOTE(review): this is an input-chain rule despite its "IPSEC forward" comment; it
# accepts everything that arrives through any IPsec SA, including access to all router
# services. Narrow it to the protocols and ports the tunnels actually need.
add action=accept chain=input comment="IPSEC forward" ipsec-policy=in,ipsec
add action=accept chain=forward comment="IPSEC forward" ipsec-policy=\
out,ipsec
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid in-interface=ether1
# Everything else arriving on ether1 for the router itself is dropped.
add action=drop chain=input comment="drop input all" in-interface=ether1
# New connections initiated from the listed VPN interfaces are dropped in both chains.
# NOTE(review): the forward chain has no final drop; for ether1 only invalid packets are
# dropped. Confirm that new forwarded connections from ether1 are not meant to be blocked.
add action=drop chain=input comment="drop all from vpn interfaces" \
connection-state=new in-interface-list=VPN_tunnels
add action=drop chain=forward comment="drop all from vpn interfaces" \
connection-state=new in-interface-list=VPN_tunnels
/ip firewall nat
# ipsec-policy=out,none limits masquerade to traffic that is not subject to an IPsec policy.
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
# R1 IKEv2 identities for the two R2 tunnels, the static tunnel policies and global
# IPsec settings.
/ip ipsec identity
# Two identities share the one passive peer; each ties a remote key-id to its own
# mode-config, and so to the inner address that client receives.
# NOTE(review): no auth-method or secret appears on these lines; presumably the export
# hides sensitive values. Confirm each identity uses its own strong pre-shared key or a
# certificate, since a key-id is only a label and authenticates nothing by itself.
# NOTE(review): generate-policy=port-strict is set while static policies for the same
# /32 pairs exist below; confirm which mechanism is meant to install the policies.
add generate-policy=port-strict mode-config=HO_solver my-id=\
key-id:ho_solver_1 peer=CHR_Gigacloud remote-id=key-id:ho_solver
add generate-policy=port-strict mode-config=HO_vak my-id=key-id:ho_vak_1 \
peer=CHR_Gigacloud remote-id=key-id:ho_vak
/ip ipsec policy
# Mirror of R2's static policies; both reference the same peer and use level=unique.
add dst-address=172.16.100.15/32 level=unique peer=CHR_Gigacloud proposal=\
PTP_proposal src-address=172.16.100.101/32 tunnel=yes
add dst-address=172.16.100.16/32 level=unique peer=CHR_Gigacloud proposal=\
PTP_proposal src-address=172.16.100.100/32 tunnel=yes
/ip ipsec settings
set accounting=no interim-update=1m
# R1 routing: default route to the ISP, routes to remote LANs through the L2TP client
# addresses, and R2's LAN through the GRE tunnel.
/ip route
# R1_public_GW is the poster's redaction placeholder.
add disabled=no dst-address=0.0.0.0/0 gateway=R1_public_GW
# NOTE(review): pref-src=172.16.100.1 is not assigned under /ip address in this export;
# presumably it is the local address of the L2TP "managment" profile. Confirm.
# Two routes to 192.168.10.0/24: HO_GW_vak (distance 1) is preferred over HO_GW_solver
# (distance 2); both use check-gateway=ping.
add check-gateway=ping comment=HO_GW_solver disabled=no distance=2 \
dst-address=192.168.10.0/24 gateway=172.16.100.10 pref-src=172.16.100.1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=HO_GW_vak disabled=no distance=1 dst-address=\
192.168.10.0/24 gateway=172.16.100.11 pref-src=172.16.100.1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=CHR_Vodafone disabled=no distance=1 \
dst-address=192.168.23.0/24 gateway=172.16.100.13 pref-src=172.16.100.1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=CHR_Vodafone disabled=no distance=1 \
dst-address=192.168.21.0/24 gateway=172.16.100.13 pref-src=172.16.100.1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Goronda_GW disabled=no distance=1 dst-address=192.168.131.0/24 \
gateway=172.16.100.14 pref-src=172.16.100.1 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
# R2's LAN (192.168.88.0/24) is reached through the GRE tunnel peer 172.16.99.2.
add disabled=no dst-address=192.168.88.0/24 gateway=172.16.99.2 \
routing-table=main suppress-hw-offload=no
# R1 L2TP accounts, RADIUS stub, SNMP, clock and NTP.
/ppp secret
# One L2TP account per remote site, each pinned to a fixed remote address.
# NOTE(review): no passwords appear in this export, presumably hidden; confirm every
# account has its own strong password.
add name=HO_GW_solver profile=managment remote-address=172.16.100.10 service=\
l2tp
add name=HO_GW_vak profile=managment remote-address=172.16.100.11 service=\
l2tp
add name=CHR_Vodafone profile=managment remote-address=172.16.100.13 service=\
l2tp
add name=Goronda_GW profile=managment remote-address=172.16.100.14 service=\
l2tp
add name=Goronda_GW_starlink profile=managment remote-address=172.16.100.12 \
service=l2tp
/radius
# Disabled RADIUS entry for the ipsec service, pointing at localhost.
add address=127.0.0.1 disabled=yes service=ipsec
/snmp
# NOTE(review): SNMP is enabled and no /snmp community section is visible in this
# export; confirm the community is not left at a default value and is restricted to
# management sources.
set enabled=yes
/system clock
set time-zone-name=Europe/Kiev
/system ntp client
# Time sync from time.google.com; accurate time keeps R1 and R2 log timestamps comparable.
set enabled=yes
/system ntp client servers
add address=time.google.com
Also, here is what the log shows:
R2:


R1:

Thank you for any help!