HowTo Use IPSec VPN as backup link

Hi Everybody

Consider the following Network Diagram (sorry I don’t respect conventional images and I don’t have Visio…)

I manage the ROS Board with IP : 172.17.10.254

I configured this as follows:

/interface bridge add name=bridge_lan arp=enabled

/interface bridge port add bridge=bridge_lan interface=ether4
/interface bridge port add bridge=bridge_lan interface=ether3
/interface bridge port add bridge=bridge_lan interface=ether2

/ip address add address=172.17.10.254/24 interface=bridge_lan


/interface bridge add name=bridge_net arp=enabled
/interface bridge port add bridge=bridge_net interface=ether1
/ip address add address=172.16.143.250/24 interface=bridge_net

/ip route add dst-address=0.0.0.0/0 gateway=172.16.143.254 type=unicast

I added some firewall rules

/ip firewall filter add chain=output src-address=172.17.10.0/24 dst-address=172.20.0.0/24 action=accept
/ip firewall filter add chain=input src-address=172.20.0.0/24 dst-address=172.17.10.0/24 action=accept

Created the IPSec Tunnel accordingly with the other side (that I don’t manage)

All works fine, but the speed is slow.
So another company added a WirelessLink between the Local and Remote Site.
The link is available directly via the “172.16.143.254” gateway when we try to reach the network 172.20.0.0/24


My wish is to have the IPSec to act as a backup link…

So :
I tried to add a static route

/ip route add dst-address=172.20.0.0/24 gateway=172.16.143.254

but no luck… the IPSec tunnel seems to catch all traffic prior to the basic route.
Is there a way to specify priority: so try to reach the remote address in the range 172.20.0.0/24 by 172.16.143.254 and if unreachable, try via the IPSec Tunnel…

Thanks for your answers…
And sorry if I made mistakes.. my English is not perfect
(attached image: IMG_20170206_0001.png, the network diagram)

If you disable your IPSec policy, the packets go over the primary link?

The IP Sec policy actually catches the packets after the basic route, but the packets still match the IPSec Policy so they’ll go over the IPSec connection.

Options:

  1. Remote site chooses a different VPN type, one that gives you an interface so you can route accordingly.

  2. 172.16 network handles the decision on link choice, you’d always use IPSec and the 172.16 network routes the entire IPSec connection over primary/backup.

  3. If you have no control at all over the others, disable IP Sec Policy and create a script that’ll ping the 172.20 network, if no response then enable the IP Sec policy. But then to ping the 172.20 network over primary link, you’d have to disable IP Sec Policy, ping, if it’s still not working, re-enable IPSec Policy. This script would not be too hard to create..

  4. Wait for someone else to reply with a better solution :smiley:
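The probe-and-toggle script from option 3, written out as an added example (this is not Van's script nor MikroTik's own code). It assumes the IPsec policy for the remote LAN was created with comment="backup-to-172.20" and that a host 172.20.0.10 on the remote side answers ping; both values are placeholders chosen for the example.

```routeros
# Added example, not from the thread. Assumptions (placeholders):
#   - the IPsec policy covering 172.20.0.0/24 has comment="backup-to-172.20"
#   - 172.20.0.10 is a remote host that answers ICMP echo
:local probeHost "172.20.0.10"
:local policyId [/ip ipsec policy find comment="backup-to-172.20"]
:if ([:len $policyId] = 0) do={
    :error "no IPsec policy with comment backup-to-172.20"
}

# Step 1: take the policy out of the way, so the probe follows the
# ordinary routing table (default gateway -> wireless link) and not
# the tunnel. This is the point Van makes: with the policy active the
# ping would be caught by IPsec and say nothing about the primary path.
/ip ipsec policy set $policyId disabled=yes
:delay 2s

# Step 2: probe the remote LAN over the primary path.
# /ping returns the number of replies received.
:local replies [/ping $probeHost count=3 interval=1s]

# Step 3: decide. No replies -> primary is down, fall back to IPsec.
:if ($replies = 0) do={
    /ip ipsec policy set $policyId disabled=no
    :log warning "primary path to 172.20.0.0/24 down, IPsec policy enabled"
} else={
    :log info ("primary path to 172.20.0.0/24 up, replies=" . $replies . ", IPsec policy stays disabled")
}
```

Save it with /system script add name=check-172.20 source=... and run it from /system scheduler at an interval of a minute or so. The cost is the one Van describes: every probe disables the policy for a couple of seconds, so while the wireless link is down the remote LAN is unreachable for that window on each run, and disabling the policy drops its security associations, so re-enabling it costs an IKE negotiation. The scheduler interval is the trade-off between detection time and how often that happens.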

Hi Van.
First of all, thanks for your answer.

You’re right, if I disable IPSec Policies, after a small amount of time, packets go through the defined route (primary access).
I don’t have any control on remote sites choices… otherwise, I would have proposed an IPIP tunnel to replace the IPSec tunnel…

you said :

The IP Sec policy actually catches the packets after the basic route, but the packets still match the IPSec Policy so they’ll go over the IPSec connection.

Is there a way (via mangle rules) to mark packets in order to tell the IPSec policy that these packets don’t match the policy route?

For the moment, I disabled the IPSec policies AND masquerading for subnet 172.17.10.0/24 when packets go to 172.20.0.0/24, otherwise the remote site (172.20.0.0) isn’t able to connect to local machines such as printers…

I looked for a way to use packet marks to route, but I don’t see any of those options in the IPSec policy.

You need an interface to route on, the only way I can think of how is to use another Mikrotik (a small cheap one) and offload the IPSec to it.

So in the diagram your Mikrotik would have two routes for packets destined to 172.20.0.0/24. The first route with distance=0 will route through 172.16.143.25. Your default route 0.0.0.0 would handle this so you don’t actually need to create this route.

The second route, the backup route with distance=1 would send 172.20 packets to 172.15.0.1. That second Mikrotik would then route back to 172.17.10.254 but these packets would be wrapped in the IPSec ESP packet destined to public IP of 172.20 network.

You’d have to port forward UDP 4500 and 500 on your first Mikrotik to 172.17.10.253.
(attached image: pic1.png, the diagram referred to above)
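The two-router layout from the last reply as RouterOS configuration for the first router (an added example, not Van's configuration or anything from MikroTik). It assumes 172.15.0.1 is a directly reachable address of the second, IPsec-only MikroTik, 172.17.10.253 is the address of that box the remote peer must reach, and bridge_net is the interface facing 172.16.143.254, as in the original post. It uses distance 1 and 2 rather than 0 and 1, and adds check-gateway=ping, because a higher-distance route only takes over once the lower-distance one is marked inactive.

```routeros
# Added example, not from the thread. Assumptions:
#   - 172.15.0.1  : directly reachable address of the second (IPsec) MikroTik
#   - 172.17.10.253 : that box's LAN address, target of the IKE port forward
#   - bridge_net : interface towards 172.16.143.254 (from the OP's config)

# Primary: 172.20.0.0/24 via the wireless-link gateway. check-gateway=ping
# marks the route inactive when the gateway stops answering, which is what
# lets the higher-distance route below become active.
/ip route add dst-address=172.20.0.0/24 gateway=172.16.143.254 distance=1 check-gateway=ping comment="primary-wireless"

# Backup: same prefix via the IPsec box; only used while the primary is inactive.
/ip route add dst-address=172.20.0.0/24 gateway=172.15.0.1 distance=2 comment="backup-ipsec"

# Let the remote peer reach IKE (500) and NAT-T (4500) on the IPsec box
# sitting behind this router.
/ip firewall nat add chain=dstnat in-interface=bridge_net protocol=udp dst-port=500,4500 action=dst-nat to-addresses=172.17.10.253 comment="ike-to-ipsec-box"
```

Two things to check after applying it. check-gateway=ping only tests 172.16.143.254 itself: if that gateway keeps answering while the wireless hop behind it is dead, the primary route stays active and no failover happens, so the probe has to go deeper (a gateway that is a host on the far side, resolved recursively, or the scripted probe from the earlier reply). And the port forward assumes the peers use NAT traversal, so ESP travels inside UDP 4500; if the remote side sends raw ESP (protocol 50), that protocol has to be forwarded to 172.17.10.253 as well.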