Hello,
I am having a problem bridging a net over the Internet using 2 ADSL connections. Here’s my setup:
- Mikrotik RB450G, RouterOS 5.6
- Static IP on both ends. The DSL router does the NAT to the Internet. UDP/500 is DNATed to each Mikrotik's LAN IP for IPsec. No NAT or firewall on the MK routers.
- IPsec in transport mode (not tunnel):
  sa-src-address == src-address == 192.168.x.254
  sa-dst-address == dst-address == WAN IP of the remote site
  If I ping from within the routers to the remote WAN IP, the IPsec SA comes up and traffic flows OK.
- There is an EoIP iface with TunnelID=0 and RemoteIP=WAN IP of the remote site over that IPsec tunnel.
- Finally, that EoIP iface is bridged to the eth iface which links each Mikrotik to the local switch.
It works OK (great!!) until I restart any or both Mikrotiks (not so great… damn!)
When I restart any of the routers, I can see bytes on the outgoing IPsec SA, but the incoming SA remains at 0. Disabling and re-enabling the EoIP iface makes it work again (with the same IPsec SAs). The only workaround I've found is using a script at startup which waits some seconds and disables/enables the EoIP iface. I've tried using RSTP instead of none, but no difference.
Am I doing something wrong, or may this be a bug?
Thanks a lot!!
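Added example (editor's note, not part of the original post): the setup described above written out as RouterOS v5 terminal commands for one site, including the startup workaround the poster mentions. Addresses, interface names, the script name and the pre-shared key are placeholders I chose; 192.168.1.254 stands for the poster's 192.168.x.254 and 203.0.113.2 for the remote site's WAN IP. Because both peers sit behind NAT routers, nat-traversal is enabled, which assumes the DSL router forwards UDP/4500 to the Mikrotik as well as the UDP/500 the post mentions.

```routeros
# Added example, not the poster's configuration. Placeholder values:
#   local Mikrotik LAN IP : 192.168.1.254  (the post's 192.168.x.254)
#   remote site WAN IP    : 203.0.113.2    (assumed; documentation range)
#   LAN port to the switch: ether2         (assumed)

# IKE peer: the remote site's public address. NAT-T is enabled because
# both Mikrotiks are behind NATing DSL routers (assumes UDP/4500 is forwarded too).
/ip ipsec peer add address=203.0.113.2/32 auth-method=pre-shared-key \
    secret="CHANGEME" exchange-mode=main nat-traversal=yes

# Transport-mode policy. EoIP rides on GRE (IP protocol 47), so only GRE
# between the local LAN IP and the remote WAN IP is encrypted. The
# sa-src/sa-dst pair mirrors what the post shows; the default proposal is used.
/ip ipsec policy add src-address=192.168.1.254/32 dst-address=203.0.113.2/32 \
    protocol=gre action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=192.168.1.254 sa-dst-address=203.0.113.2 proposal=default

# EoIP tunnel to the remote WAN IP, matched by the policy above.
/interface eoip add name=eoip-site2 remote-address=203.0.113.2 tunnel-id=0

# Bridge the tunnel with the port facing the local switch (protocol-mode
# none, as in the post; the poster also tried rstp).
/interface bridge add name=bridge1 protocol-mode=none
/interface bridge port add bridge=bridge1 interface=eoip-site2
/interface bridge port add bridge=bridge1 interface=ether2

# The workaround from the post: after boot, wait, then bounce the EoIP
# interface so the inbound SA starts passing traffic.
/system script add name=eoip-kick \
    source=":delay 60s; /interface eoip disable eoip-site2; :delay 2s; /interface eoip enable eoip-site2"
/system scheduler add name=eoip-kick-on-boot start-time=startup interval=0 \
    on-event=eoip-kick
```

The other site is the mirror image: its own LAN IP as src-address/sa-src-address and this site's WAN IP as dst-address/sa-dst-address and EoIP remote-address, with the same tunnel-id and pre-shared key. Checking `/ip ipsec installed-sa print` after a reboot shows whether the inbound SA's byte counter is moving, which is the symptom the post describes.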