IPIP tunnel - Phase 2 issue

Hello,

I'm working on a lab for a customer. The idea is to have 2 ISPs:

  • The first one is directly connected to the datacenter (equivalent to MPLS/L2VPN)
  • The second one can be considered as a public ISP, and we need to create an IPSEC tunnel over it and bring it back to the datacenter.

The global objective is to have 2 default routes, with gateway check; preferring the first WAN, and as second the IPSEC tunnel.

I'm working on the IPSEC part, which has to be IPIP because we need to give an address to the tunnel to make it routable for the LAN.
I managed to make it run on IKEv2. Facing the Mikrotik, we have a Fortigate with SD-WAN handling both MPLS and IPSEC in the same Zone (but that's not the point here).

You'll find attached the config file.
The issue is the following:

  • Tunnel phase 1 → OK
  • Tunnel phase 2 → Not coming up unless I create an IPSEC policy using the concerned peer. In our case: 0.0.0.0/0 as source and destination.
    By doing so, a computer on the LAN cannot ping its gateway anymore. That forced me to create an IPSEC policy saying "LAN to LAN": do not encrypt & do not tunnel.
    When looking at this, I can't stop thinking that this policy section overrides every routing mechanism in the router.

Now, a computer still cannot reach a LAN behind the IPSEC tunnel; but when I'm using the "ping tool" directly on the router by specifying the source address AND the interface (lan for example), it works.
How is that even possible?
And how can I make it work for the computer to reach the LAN?

Thanks.
Attachments: ping-test.JPG, MKT-LAB.rsc (3.81 KB)
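For comparison with the 0.0.0.0/0 policy described above, here is an added RouterOS example (not the attached MKT-LAB.rsc and not from the original post) that scopes IPsec to the IPIP encapsulation only: a transport-mode policy matching protocol ipencap between the two public endpoints, so LAN traffic never matches an IPsec policy and no "LAN to LAN" bypass policy is needed. All addresses, names and the PSK are constructed placeholders, and the Fortigate side is assumed to present the same narrow selectors.

```routeros
# Constructed lab values: 192.0.2.1 = MPLS/first WAN gateway,
# 203.0.113.10/203.0.113.1 = our public address and its gateway,
# 198.51.100.20 = remote IPsec/IPIP endpoint, 10.255.0.0/30 = tunnel subnet.

# IPIP interface with a routable address so the LAN can route into it
/interface ipip
add name=ipip-dc local-address=203.0.113.10 remote-address=198.51.100.20
/ip address
add address=10.255.0.1/30 interface=ipip-dc

# IKEv2 peer (phase 1)
/ip ipsec profile
add name=dc-ike2 hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec peer
add name=dc-peer address=198.51.100.20/32 exchange-mode=ike2 profile=dc-ike2
/ip ipsec identity
add peer=dc-peer auth-method=pre-shared-key secret=CHANGE-ME-PLACEHOLDER

# Phase 2 proposal
/ip ipsec proposal
add name=dc-esp auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048

# Transport-mode policy: only IP-in-IP (protocol 4) between the two
# endpoints is encrypted. Plain LAN traffic matches no policy, so the
# policy table does not shadow normal routing.
/ip ipsec policy
add peer=dc-peer tunnel=no src-address=203.0.113.10/32 \
    dst-address=198.51.100.20/32 protocol=ipencap proposal=dc-esp \
    action=encrypt level=require

# Routing: reach the remote endpoint via the public ISP, then two
# gateway-checked defaults, MPLS first and the IPIP tunnel as backup.
/ip route
add dst-address=198.51.100.20/32 gateway=203.0.113.1
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.255.0.2 distance=2 check-gateway=ping
```

With this layout, `/ip ipsec installed-sa print` should show SAs only for the two endpoint addresses, and LAN hosts reach the remote LAN through the IPIP route rather than through an IPsec selector.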