IPSec at WAN2 VPN Multi WAN Routing Mark skips for WAN1

Hi everyone,

Thanks in advance for your help.

I have a setup as described below. The issue has been resolved by exempting packets that match `ipsec-policy=in,ipsec` in the prerouting chain (image attached), but I'm still unsure why it happened. I'd really appreciate it if someone could help clarify the reason behind it.

We have two WAN interfaces at both our regional office and head office:

WAN1 (VT)

WAN2 (TW)

Some users are policy-routed to access the internet via WAN1 (VT), while others use WAN2 (TW).

An IPSec VPN tunnel has been successfully established between WAN2 (TW) of the head office and WAN2 (TW) of the regional office.

The Issue:
Users routed through WAN1 (VT) can access internal servers at the head office over the VPN without any problems.

However, users routed through WAN2 (TW) (which is where the IPSec tunnel is actually established) cannot access internal servers at the head office.

We are using mangle rules based on source address lists to differentiate between traffic going out via VT and TW.

Interestingly, if a user from the TW group is switched to the VT address list, they are then able to access the head office internal server successfully.

There is no specific route in the routing table with a destination address matching the public IP of the head office’s WAN2, yet VT users can still reach the internal server.

The only way TW users can access the internal server is if I manually add a static route in the main routing table with:

Destination: Head office’s public TW IP

Gateway: Local TW interface

Finding:

It seems VT users' traffic is not being marked and therefore uses the main table,
while TW users' traffic is marked and, not finding a route in the to_TW table, the packets are dropped.

Questions:

Why do VT users not need a static route to access the internal head office server?

Why do TW users require a manual static route, even though the IPSec VPN is established on TW?
Capture.JPG

A full export is needed due to the multiple interconnections between the settings of the router:

/export file=anynameyouwish

(minus sensitive info like serial number, public IPs, passwords, etc.)

# by RouterOS 7.18
# software id = 
#
# model = RB5009UG+S+
# serial number = 

/interface ethernet
# Physical port roles. Note the numbering differs from the forum post: the post
# calls VT "WAN1" and TW "WAN2", while this export names them WAN2-VT and
# WAN3-TW (the PTCL DHCP uplink on ether2 is WAN1 here).
set [ find default-name=ether1 ] name=ether1-DMZ-102
set [ find default-name=ether2 ] name=ether2-WAN1-PTCL
set [ find default-name=ether3 ] name=ether3-WAN2-VT
set [ find default-name=ether4 ] name=ether4-WAN3-TW
set [ find default-name=ether5 ] name=ether5-MGMT
set [ find default-name=ether6 ] name=ether6-DHCP-G-100-104
set [ find default-name=ether7 ] name=ether7-CCTV-103
set [ find default-name=ether8 ] name=ether8-GRH-105
# Unused SFP+ port kept administratively down.
set [ find default-name=sfp-sfpplus1 ] disabled=yes

/interface list
# Interface lists referenced by the firewall (in-interface-list=WAN_List /
# LAN_List); membership is assigned under /interface list member.
add name=WAN_List
add name=LAN_List

/ip dhcp-server option
# DHCP option 43 (vendor-specific, raw hex) handed out on the 10.0.8.0/23
# network via dhcp-option=Unifi under /ip dhcp-server network.
add code=43 name=Unifi value=0x01040A000805

/ip hotspot profile
# Only the default profile's HTML directory is changed; no /ip hotspot server
# section is present in this export.
set [ find default=yes ] html-directory=hotspot

/ip ipsec profile
# IKE (phase 1) profile: DH group modp1536, AES-256, SHA-256, 8h SA lifetime,
# DPD every 2m with 5 failures allowed, NAT-T disabled. NOTE(review): modp1536
# (group 5) is the weakest group in common use today; moving to modp2048 or an
# ECP group is worth doing if the Fortigate side supports it.
add dh-group=modp1536 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
    aes-256 hash-algorithm=sha256 lifetime=8h name=fortigate-remote-profile nat-traversal=no

/ip ipsec peer
# IKEv2 peer (addresses redacted). local-address is the TW WAN address, i.e. the
# tunnel is bound to ether4-WAN3-TW regardless of which WAN the inner packet
# was routed towards.
add address=117.20.x.x/32 exchange-mode=ike2 local-address=110.93.x.x \
    name=fortigate-remote profile=fortigate-remote-profile

/ip ipsec proposal
# Default (phase 2) proposal disabled; the custom one uses AES-256-CBC/SHA-256
# with PFS modp1536. It shares the name "fortigate-remote-profile" with the IKE
# profile above but is a separate object; /ip ipsec policy references this one.
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=\
    fortigate-remote-profile pfs-group=modp1536

/ip kid-control
# Kid-control entry with no schedule or device attached in this export.
add name=kid1

/ip pool
# Lease pool for the main LAN (10.0.8.0/23); the first ~50 addresses are left
# for static assignments.
add name=dhcp_pool0 ranges=10.0.8.50-10.0.9.254

/ip dhcp-server
# DHCP only on the main LAN port; two-week leases.
add address-pool=dhcp_pool0 interface=ether6-DHCP-G-100-104 lease-time=2w \
    name=dhcp1

/queue simple


/routing table
# Custom FIB tables selected by the routing marks set under /ip firewall
# mangle. Routes for them are under /ip route; note that to_PTCL_Work has no
# routes in this export and ipsec_to_TW has exactly one.
add disabled=no fib name=to_PTCL
add disabled=no fib name=to_TW
add disabled=no fib name=to_VT
add disabled=no fib name=to_PTCL_Work
add disabled=no fib name=ipsec_to_TW

/ip neighbor discovery-settings
# MNDP/CDP/LLDP disabled on every interface.
set discover-interface-list=none

/ip settings
# SYN cookies on for the router's own TCP listeners.
set tcp-syncookies=yes

/ipv6 settings
# IPv6 fully disabled, so no IPv6 firewall is needed on this box.
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no

/interface list member
# All three uplinks are WAN_List; the five LAN-side ports (MGMT, main LAN,
# CCTV, guest house, DMZ) are LAN_List. The firewall's "not from LAN_List"
# input drop and "from WAN_List" forward drop key on these two lists.
add interface=ether2-WAN1-PTCL list=WAN_List
add interface=ether3-WAN2-VT list=WAN_List
add interface=ether4-WAN3-TW list=WAN_List
add interface=ether5-MGMT list=LAN_List
add interface=ether6-DHCP-G-100-104 list=LAN_List
add interface=ether7-CCTV-103 list=LAN_List
add interface=ether8-GRH-105 list=LAN_List
add interface=ether1-DMZ-102 list=LAN_List

/ip address
# MGMT is a /30 point-to-point; the main LAN is 10.0.8.0/23; CCTV and the guest
# house split 10.0.11.0/24 into a /25 and a /26. The DMZ address is redacted.
add address=172.16.4.1/30 interface=ether5-MGMT network=172.16.4.0
add address=10.0.8.1/23 interface=ether6-DHCP-G-100-104 network=10.0.8.0
add address=10.0.n.n/n interface=ether1-DMZ-102 network=10.0.n.n
add address=10.0.11.1/25 interface=ether7-CCTV-103 network=10.0.11.0
add address=10.0.11.193/26 interface=ether8-GRH-105 network=10.0.11.192
# Static WAN addresses (redacted). PTCL on ether2 has none here because it is a
# DHCP client. The TW address is the IPsec local-address. The missing space
# before "interface=" on the last line is a redaction/paste artifact; as written
# it would not parse as two parameters.
add address=162.12.x.x/x interface=ether3-WAN2-VT network=162.12.x.x
add address=110.93.x.x/xinterface=ether4-WAN3-TW network=110.93.x.x

/ip arp
# Static ARP pin for one host inside the DHCP range. NOTE(review): this is a
# real MAC address left in an otherwise redacted export.
add address=10.0.9.30 interface=ether6-DHCP-G-100-104 mac-address=\
    B0:54:76:C8:A3:EB

/ip cloud
# Cloud time sync off (see /system ntp client below for the alternative).
set update-time=no

/ip dhcp-client
# PTCL uplink is DHCP. add-default-route is not set, so the RouterOS default
# applies (yes in current versions): a dynamic default route via PTCL is
# installed in main and, being dynamic, does not appear in this export.
# Relevant to the route-selection question — verify with /ip route print.
add interface=ether2-WAN1-PTCL use-peer-dns=no

/ip dhcp-server lease

/ip dhcp-server network
# Router is gateway and DNS for the main LAN; option 43 pushed to all clients.
add address=10.0.8.0/23 dhcp-option=Unifi dns-server=10.0.8.1 gateway=\
    10.0.8.1

/ip dns
# Recursive resolver for the LAN, forwarding to public (OpenDNS) servers.
# allow-remote-requests=yes also listens on the WAN addresses; exposure is
# closed by the input-chain DNS drops and the final "not from LAN_List" drop.
set allow-remote-requests=yes cache-size=12000KiB max-concurrent-queries=6000 \
    max-concurrent-tcp-sessions=4000 servers=208.67.222.222,208.67.220.220

/ip firewall address-list
# Unroutable ranges used by the forward-chain "Drop bad forward IPs" rules.
add address=0.0.0.0/8 comment=" RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment=" RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment=" multicast" list=no_forward_ipv4
add address=255.255.255.255 comment=" RFC6890" list=no_forward_ipv4
# FQDN entry: the router resolves the name and keeps the resulting addresses,
# so the block only covers whatever this router's resolver returned.
add address=www.youtube.com list=Youtube
add address=10.0.8.20 list="Static IP Internet Access Devices"
add address=10.0.8.21 list="Static IP Internet Access Devices"
add address=10.0.8.16 list="Static IP Internet Access Devices"
add address=10.0.8.10 list="Static IP Internet Access Devices"
# Created empty; they would be filled by the detect-ddos chain under
# /ip firewall filter, but nothing in this export jumps to that chain.
add list=ddos-attackers
add list=ddos-targets
# Lists referenced by filter/mangle rules ("Manager Workstations",
# "GP CRM Users Workstations", "blacklist", "Inbound Port Forwarded Local
# Servers", ...) are not present in this export — presumably trimmed before
# posting. If they really are empty, every rule keyed on them never matches.

/ip firewall filter
# Forward chain. Rules are evaluated top-down, first match wins, and the chain
# ends with an unconditional drop, so anything not explicitly accepted is
# denied (positive security model).
#
# IPsec bookkeeping and accept, both directions. These sit ahead of the
# invalid/blacklist drops, so packets that matched an IPsec policy are never
# checked against those. Scope is bounded only by the traffic selectors under
# /ip ipsec policy (10.0.8.0/23 <-> remote LAN). The add-*-to-address-list
# rules are diagnostics; their entries do not expire
# (address-list-timeout=none-dynamic) until reboot.
add action=add-src-to-address-list address-list="IP Sec OUT Src Address List" \
    address-list-timeout=none-dynamic chain=forward comment=\
    "IP Sec OUT Src Address List" ipsec-policy=out,ipsec
add action=add-dst-to-address-list address-list="IP Sec OUT DstAddress List" \
    address-list-timeout=none-dynamic chain=forward comment=\
    "IP Sec OUT DstAddress List" ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    " accept all that matches IPSec Out policy" ipsec-policy=out,ipsec
add action=add-src-to-address-list address-list="IP Sec IN Src Address List" \
    address-list-timeout=none-dynamic chain=forward comment=\
    "IP Sec IN Src Address List" ipsec-policy=in,ipsec
add action=add-dst-to-address-list address-list="IP Sec IN Dst Address List" \
    address-list-timeout=none-dynamic chain=forward comment=\
    "IP Sec IN Dst Address List" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    " accept all that matches IPSec IN policy" ipsec-policy=in,ipsec
# NOTE(review): the same src/dst pairs are marked notrack under /ip firewall
# raw, so their connection-state is "untracked", not established/related. This
# rule therefore appears unable to match the traffic its comment describes; the
# IPsec-policy accepts above (or the untracked accept below) admit it instead.
add action=accept chain=forward comment="Accept Forward Remote LAN IPsec" \
    connection-state=established,related dst-address=192.0.0.0/x \
    src-address=10.0.8.0/23

# Per-group YouTube blocks. The comment text was copied from the rule above and
# does not describe these drops. The same combinations are already dropped in
# /ip firewall raw prerouting, which runs earlier, so these rules should never
# see a packet.
add action=drop chain=forward comment="Accept Forward Remote LAN IPsec" \
    dst-address-list=Youtube src-address-list="GP CRM Users Workstations"
add action=drop chain=forward comment="Accept Forward Remote LAN IPsec" \
    dst-address-list=Youtube src-address-list="GP CRM Workstations to VT"
add action=drop chain=forward comment="Accept Forward Remote LAN IPsec" \
    dst-address-list=Youtube src-address-list="Internet Only Workstations"
# Accepts "untracked" too, which is what admits notrack'ed tunnel traffic that
# reaches this point.
add action=accept chain=forward comment=\
    "Accept established,related, untracked" connection-state=\
    established,related,untracked
# Invalid-state diagnostics: every invalid packet adds an entry that never
# expires. NOTE(review): a stream of out-of-state packets from the WAN grows
# these lists without bound until reboot; a finite timeout would cap that.
add action=add-src-to-address-list address-list="Drop Invalid Chain Forward" \
    address-list-timeout=none-dynamic chain=forward comment=\
    " Drop invalid Forward Chain Address List" connection-state=invalid
add action=add-dst-to-address-list address-list=\
    "Drop Invalid Chain Forward dst address" address-list-timeout=\
    none-dynamic chain=forward comment=\
    " Drop invalid Forward Chain dst Address List" connection-state=invalid
add action=drop chain=forward comment="Drop Invalid on Forward Chain" \
    connection-state=invalid
# "blacklist" has no entries in this export, so this is a no-op as shown.
add action=drop chain=forward comment=\
    "Drop New Connections From Black List IP Addresses Chain Forward" \
    connection-state=new in-interface-list=WAN_List src-address-list=\
    blacklist
# detect-ddos chain: no rule in this export jumps to it, so it never runs and
# the ddos-targets/ddos-attackers lists it would populate stay empty.
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos
# Inbound port forwards are accepted only for destinations in this list, which
# is not defined in this export; without entries, dst-nat'ed connections from
# the WAN fall through to the final drop.
add action=accept chain=forward comment=\
    "Accept Forward Port Forwarding IP Devices List" connection-nat-state=\
    dstnat connection-state=new dst-address-list=\
    "Inbound Port Forwarded Local Servers" in-interface-list=WAN_List
# Management network is accepted unconditionally.
add action=accept chain=forward comment="Accept Forward Management IP" \
    in-interface=ether5-MGMT src-address=172.16.4.0/30

# Per-address-list accepts from the main LAN port. None of these lists appear
# under /ip firewall address-list in this export (possibly trimmed before
# posting); with empty lists, none of these rules match.
add action=accept chain=forward comment=\
    "Accept Forward Manager Workstations List" in-interface=\
    ether6-DHCP-G-100-104 src-address-list="Manager Workstations"
add action=accept chain=forward comment="Accept Forward Manager Mobiles List" \
    in-interface=ether6-DHCP-G-100-104 src-address-list="Manager Mobiles"
add action=accept chain=forward comment=\
    "Accept Forward GP CRM Users Workstations List" in-interface=\
    ether6-DHCP-G-100-104 src-address-list="GP CRM Users Workstations"
add action=accept chain=forward comment=\
    "Accept Forward GP CRM to VT Users Workstations List" in-interface=\
    ether6-DHCP-G-100-104 src-address-list="GP CRM Workstations to VT"
add action=accept chain=forward comment=\
    "Accept Forward Internet Only Workstations List" in-interface=\
    ether6-DHCP-G-100-104 src-address-list="Internet Only Workstations"
add action=accept chain=forward comment=\
    "Accept Forward Users Mobiles for Work List" in-interface=\
    ether6-DHCP-G-100-104 src-address-list="Users Mobiles for Work"
add action=accept chain=forward comment=\
    "Accept Forward Users Mobiles to PTCL List" in-interface=\
    ether6-DHCP-G-100-104 src-address-list="Users Mobiles to PTCL"
add action=accept chain=forward comment=\
    "Accept Forward Static IP Internet Access Devices List" in-interface=\
    ether6-DHCP-G-100-104 src-address-list=\
    "Static IP Internet Access Devices"
add action=accept chain=forward comment="Accept Forward Local Field Device" \
    in-interface=ether6-DHCP-G-100-104 src-address-list="Local Field Devices"
# Disabled test rule.
add action=accept chain=forward comment="Accept Forward Test Rule" disabled=\
    yes in-interface=ether6-DHCP-G-100-104 src-address-list=\
    "Public DNS Users"

# DMZ: everything from ether1 is accepted with no out-interface restriction, so
# DMZ hosts can reach the internal LANs as well as the WANs. NOTE(review):
# confirm this is intended; DMZ -> internal is normally restricted.
add action=accept chain=forward comment=\
    "Accept Forward Static DMZ IP Internet Access Devices List" in-interface=\
    ether1-DMZ-102
# Segmentation: CCTV and guest house may not reach the DMZ; guest house may not
# reach the main LAN or CCTV. CCTV -> main LAN/MGMT/guest house is not blocked
# here and is admitted by the CCTV accept below.
add action=drop chain=forward comment="Drop Forward CCTV Access to DMZ" \
    in-interface=ether7-CCTV-103 out-interface=ether1-DMZ-102
add action=drop chain=forward comment=\
    "Drop Forward Guest House Access to DMZ" in-interface=ether8-GRH-105 \
    out-interface=ether1-DMZ-102
add action=drop chain=forward comment=\
    "Drop Forward Guest House Access to Local LAN DHCP" in-interface=\
    ether8-GRH-105 out-interface=ether6-DHCP-G-100-104
add action=drop chain=forward comment=\
    "Drop Forward Guest House Access to CCTV" in-interface=ether8-GRH-105 \
    out-interface=ether7-CCTV-103
# Catch-all accepts for CCTV and guest house, after the drops above.
add action=accept chain=forward comment=\
    "Accept Forward Static CCTV IP Internet Access Devices List" \
    in-interface=ether7-CCTV-103
add action=accept chain=forward comment=\
    "Accept Forward Static GH Resthouse IP Internet Access Devices List" \
    in-interface=ether8-GRH-105
# Disabled LAN catch-all; the per-list accepts above are the intended path.
add action=accept chain=forward comment=\
    "Accept All Forward from LAN List to WAN List" disabled=yes in-interface=\
    ether6-DHCP-G-100-104
# WAN-initiated connections that were not dst-nat'ed are dropped.
add action=drop chain=forward comment="Drop all from WAN_LIST  not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=\
    WAN_List
# Bogon ranges in either direction; the add-src rule records internal sources
# that tried to reach such destinations.
add action=drop chain=forward comment="Drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=add-src-to-address-list address-list=\
    "Drop Bad Forward IP Src IP Addresses" address-list-timeout=none-dynamic \
    chain=forward comment="Add Scr IP to drop bad forward IPs Address List" \
    dst-address-list=no_forward_ipv4
add action=drop chain=forward comment="Drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
# Diagnostics for whatever reaches the end of the chain, then default deny.
add action=add-src-to-address-list address-list=\
    "All Forward Remaining Src. IP being Dropped." address-list-timeout=\
    none-dynamic chain=forward comment=\
    "Add to All Forward Remaining Src. IP being Dropped. List"
add action=add-dst-to-address-list address-list=\
    "All Forward Remaining Dst. IP being Dropped." address-list-timeout=\
    none-dynamic chain=forward comment=\
    "Add to All Forward Remaining Dst. IP being Dropped. List"
add action=drop chain=forward comment="Drop All Forward Remaining"
#
# Input chain (traffic addressed to the router itself); also default-deny.
add action=accept chain=input comment="Accept established,related, untracked" \
    connection-state=established,related,untracked
# Disabled: if enabled it would expose TCP/8088 from any interface.
add action=accept chain=input comment="Accept established,related, untracked" \
    disabled=yes dst-port=8088 protocol=tcp
# "blacklist" is empty in this export (see forward chain).
add action=drop chain=input comment=\
    "Drop New Connections From Black List IP Addresses Chain Input" \
    connection-state=new in-interface-list=WAN_List src-address-list=\
    blacklist
add action=drop chain=input comment="Drop Chain Input Invalid Packets" \
    connection-state=invalid
# IKE/ESP accepted from any source on any interface. The comment says
# "50, 4500" but the ports are 500 and 4500. NOTE(review): the peer is a single
# static address on the TW uplink, so these two rules could be narrowed with
# src-address of the peer and in-interface=ether4-WAN3-TW.
add action=accept chain=input comment="Accept Input IPSec ESP 50" protocol=\
    ipsec-esp
add action=accept chain=input comment="Accept Input 50, 4500 IPSec Udp" \
    dst-port=500,4500 protocol=udp
# SSH (2201) and Winbox (3163) on MGMT and the main LAN. The "Accept Traffic
# Input Chain LAN ..." rules further down accept those interfaces entirely, so
# as ordered these four port rules are redundant.
add action=accept chain=input comment="Allow SSH on MGMT Port" in-interface=\
    ether5-MGMT port=2201 protocol=tcp
add action=accept chain=input comment="Allow SSH on LAN Port" in-interface=\
    ether6-DHCP-G-100-104 port=2201 protocol=tcp
add action=accept chain=input comment="Allow Winbox on Mgmt Port" \
    in-interface=ether5-MGMT port=3163 protocol=tcp
add action=accept chain=input comment="Allow Winbox on Mgmt Port" \
    in-interface=ether6-DHCP-G-100-104 port=3163 protocol=tcp
# Source-tracking list for LAN input (entries never expire).
add action=add-src-to-address-list address-list=\
    "Accept All Chain Input Coming From LAN List" address-list-timeout=\
    none-dynamic chain=input comment=\
    "Add Src IP to List for Traffic Input Chain LAN DHCP" in-interface=\
    ether6-DHCP-G-100-104
# Everything from each LAN-side port is accepted into the router.
add action=accept chain=input comment="Accept Traffic Input Chain LAN DHCP" \
    in-interface=ether6-DHCP-G-100-104
add action=accept chain=input comment="Accept Traffic Input Chain LAN DMZ" \
    in-interface=ether1-DMZ-102
add action=accept chain=input comment="Accept Traffic Input Chain LAN MGMT" \
    in-interface=ether5-MGMT
add action=accept chain=input comment="Accept Traffic Input Chain LAN CCTV" \
    in-interface=ether7-CCTV-103
add action=accept chain=input comment=\
    "Accept Traffic Input Chain LAN Guest House" in-interface=ether8-GRH-105
# The recursive resolver (allow-remote-requests=yes) is shielded from the WAN.
add action=drop chain=input comment=\
    "Drop DNS Request on TCP53 from WAN Lists" dst-port=53 in-interface-list=\
    WAN_List protocol=tcp
add action=drop chain=input comment=\
    "Drop DNS Request on UDP 53 from WAN Lists" dst-port=53 \
    in-interface-list=WAN_List protocol=udp
# Everything not from LAN_List is recorded and dropped; final catch-all drop.
add action=add-src-to-address-list address-list=\
    "Drop Not Coming from Lan List input Chain" address-list-timeout=\
    none-dynamic chain=input comment="Drop all not coming from LAN_LIST" \
    in-interface-list=!LAN_List
add action=drop chain=input comment="Drop all not coming from LAN_LIST" \
    in-interface-list=!LAN_List
add action=add-src-to-address-list address-list="Drop all Input Src IP List" \
    address-list-timeout=none-dynamic chain=input comment=\
    "Drop all Input Chain"
add action=drop chain=input comment="Drop All Input Chain"
/ip firewall mangle
# Policy routing: mark-routing selects the table used for the route lookup.
# NOTE(review): this first rule does not set passthrough=no, so evaluation
# continues to the rules below, and any later mark-routing rule that also
# matches (a source in one of the per-group lists going to the remote LAN,
# which is neither local nor 10.0.10.128/25) overwrites ipsec_to_TW with
# to_VT/to_TW/to_PTCL. If ipsec_to_TW is meant to win for the remote LAN, add
# passthrough=no here.
add action=mark-routing chain=prerouting dst-address=192.0.0.0/x \
    new-routing-mark=ipsec_to_TW
# Per-group egress selection for the main LAN port, keyed on address lists that
# are not present in this export. dst-address-type=!local keeps traffic to the
# router itself unmarked. to_PTCL_Work has no routes under /ip route in this
# export, so traffic marked with it ("Users Mobiles for Work") has nothing to
# match in that table.
add action=mark-routing chain=prerouting dst-address-type=!local \
    in-interface=ether6-DHCP-G-100-104 new-routing-mark=to_PTCL \
    src-address-list="Users Mobiles to PTCL"
add action=mark-routing chain=prerouting dst-address-type=!local \
    in-interface=ether6-DHCP-G-100-104 new-routing-mark=to_PTCL_Work \
    src-address-list="Users Mobiles for Work"
add action=mark-routing chain=prerouting dst-address-type=!local \
    in-interface=ether6-DHCP-G-100-104 new-routing-mark=to_PTCL \
    src-address-list="Local Field Devices"
# The !10.0.10.128/25 exclusion presumably keeps the DMZ subnet reachable via
# main (10.0.10.133 appears as a DMZ host in the NAT rules) — confirm.
add action=mark-routing chain=prerouting dst-address=!10.0.10.128/25 \
    dst-address-type=!local in-interface=ether6-DHCP-G-100-104 \
    new-routing-mark=to_VT src-address-list="Manager Workstations"
add action=mark-routing chain=prerouting dst-address=!10.0.10.128/25 \
    dst-address-type=!local in-interface=ether6-DHCP-G-100-104 \
    new-routing-mark=to_VT src-address-list="GP CRM Workstations to VT"
add action=mark-routing chain=prerouting dst-address=!10.0.10.128/25 \
    dst-address-type=!local in-interface=ether6-DHCP-G-100-104 \
    new-routing-mark=to_TW src-address-list="GP CRM Users Workstations"
add action=mark-routing chain=prerouting dst-address=!10.0.10.128/25 \
    dst-address-type=!local in-interface=ether6-DHCP-G-100-104 \
    new-routing-mark=to_TW src-address-list="Manager Mobiles"
add action=mark-routing chain=prerouting dst-address=!10.0.10.128/25 \
    dst-address-type=!local in-interface=ether6-DHCP-G-100-104 \
    new-routing-mark=to_PTCL src-address-list="Internet Only Workstations"
# Guest house and the DMZ host get fixed uplinks.
add action=mark-routing chain=prerouting dst-address=!10.0.10.128/25 \
    dst-address-type=!local in-interface=ether8-GRH-105 new-routing-mark=\
    to_PTCL src-address=10.0.11.192/26
add action=mark-routing chain=prerouting dst-address=!10.0.8.0/23 \
    dst-address-type=!local in-interface=ether1-DMZ-102 new-routing-mark=\
    to_TW src-address=10.0.10.133
# Router-originated IKE (UDP 500/4500) and ESP to the peer are
# connection-marked in output and forced into to_TW (passthrough=no), so the
# encapsulated packets leave via the TW gateway whichever table the inner
# packet used. NOTE(review): dst-address here is a literal peer address while
# the same peer is masked under /ip ipsec peer — redact consistently before
# sharing an export.
add action=mark-connection chain=output connection-mark=no-mark dst-address=\
    117.20.17.20 dst-address-type=!local dst-port=500,4500 \
    new-connection-mark=ipsec_conn protocol=udp
add action=mark-connection chain=output connection-mark=no-mark dst-address=\
    117.20.17.20 dst-address-type=!local new-connection-mark=ipsec_conn \
    protocol=ipsec-esp
add action=mark-routing chain=output connection-mark=ipsec_conn \
    dst-address-type=!local new-routing-mark=to_TW passthrough=no
/ip firewall nat
# Disabled, logging test rule left over from troubleshooting.
add action=accept chain=srcnat comment="accept all that matches IPSec policy" \
    disabled=yes dst-address=10.0.10.128/25 log=yes src-address=10.0.8.0/23
# Per-WAN masquerade. ipsec-policy=out,none excludes packets that match an
# outbound IPsec policy, so tunnel traffic keeps its real source address (the
# reply's point: a srcnat'ed packet would no longer match the traffic
# selector).
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\
    ether4-WAN3-TW
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\
    ether3-WAN2-VT
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\
    ether2-WAN1-PTCL
# Port numbers below are redacted (cc/ccc/cccc). These two redirect LAN
# clients' port cc to the router's own LAN address — presumably a forced
# redirect of a service the router provides itself; verify.
add action=dst-nat chain=dstnat dst-port=cc in-interface-list=LAN_List \
    protocol=tcp to-addresses=10.0.8.1 to-ports=cc
add action=dst-nat chain=dstnat dst-port=cc in-interface-list=LAN_List \
    protocol=udp to-addresses=10.0.8.1 to-ports=cc
# Inbound port forwards (the two Hanvon ones disabled). The Domino host
# 10.0.10.133 is published only on the TW uplink. NOTE(review): forward-chain
# acceptance of these depends on the "Inbound Port Forwarded Local Servers"
# list, which is absent from this export.
add action=dst-nat chain=dstnat comment="Hanvon Reception" disabled=yes \
    dst-port=cccc in-interface=ether4-WAN3-TW protocol=tcp to-addresses=\
    10.0.8.20 to-ports=cccc
add action=dst-nat chain=dstnat comment="Hanvon Service" disabled=yes \
    dst-port=cccc in-interface=ether3-WAN2-VT protocol=tcp to-addresses=\
    10.0.8.21 to-ports=cccc
add action=dst-nat chain=dstnat comment="Domino ccc2" dst-port=ccc2 \
    in-interface=ether4-WAN3-TW protocol=tcp to-addresses=10.0.10.133 \
    to-ports=ccc2
add action=dst-nat chain=dstnat comment="Domino 80" dst-port=ccc in-interface=\
    ether4-WAN3-TW protocol=tcp to-addresses=10.0.10.133 to-ports=ccc
add action=dst-nat chain=dstnat comment="Domino ccc" dst-port=ccc \
    in-interface=ether4-WAN3-TW protocol=tcp to-addresses=10.0.10.133 \
    to-ports=ccc
add action=dst-nat chain=dstnat comment="Domino cc" dst-port=cc in-interface=\
    ether4-WAN3-TW protocol=tcp to-addresses=10.0.10.133 to-ports=cc
# Main LAN -> 10.0.11.2 (CCTV subnet) redirect for port ccc.
add action=dst-nat chain=dstnat dst-port=ccc in-interface=\
    ether6-DHCP-G-100-104 protocol=tcp to-addresses=10.0.11.2 to-ports=ccc
/ip firewall raw
# Raw prerouting runs before connection tracking and before mangle prerouting.
# The ddos lists are only filled by the detect-ddos chain, which nothing jumps
# to in this export, so this drop currently matches nothing.
add action=drop chain=prerouting dst-address-list=ddos-targets \
    src-address-list=ddos-attackers
# Tunnel traffic is excluded from connection tracking in both directions.
# Consequences: no NAT is applied to it, and its connection-state is
# "untracked", so filter rules requiring established/related cannot match it
# (the filter chain accepts untracked explicitly).
add action=notrack chain=prerouting dst-address=192.0.0.0/x src-address=\
    10.0.8.0/23
add action=notrack chain=prerouting dst-address=10.0.8.0/23 src-address=\
    192.0.0.0/x
# YouTube blocks per source list, dropped here so they never reach the filter
# chain. The logging list name carries a trailing space ("Youtube GP CRM
# Users "), which is easy to mistype when referencing it elsewhere.
add action=add-src-to-address-list address-list="Youtube GP CRM Users " \
    address-list-timeout=none-dynamic chain=prerouting dst-address-list=\
    Youtube src-address-list="GP CRM Workstations to VT"
add action=drop chain=prerouting dst-address-list=Youtube src-address-list=\
    "GP CRM Workstations to VT"
add action=add-src-to-address-list address-list="Youtube GP CRM Users " \
    address-list-timeout=none-dynamic chain=prerouting dst-address-list=\
    Youtube src-address-list="GP CRM Users Workstations"
add action=drop chain=prerouting dst-address-list=Youtube src-address-list=\
    "GP CRM Users Workstations"
add action=add-src-to-address-list address-list="Youtube GP CRM Users " \
    address-list-timeout=none-dynamic chain=prerouting dst-address-list=\
    Youtube src-address-list="Internet Only Workstations"
add action=drop chain=prerouting dst-address-list=Youtube src-address-list=\
    "Internet Only Workstations"
# Default-config bad_tcp rules, all disabled; no jump to bad_tcp exists in this
# export either, so the chain is inert.
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
    tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf disabled=yes protocol=tcp \
    tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" disabled=yes \
    port=0 protocol=tcp
/ip ipsec identity
# Identity for the peer with default settings; the auth method and secret are
# not shown (sensitive values are omitted from this export).
add peer=fortigate-remote
/ip ipsec policy
# Default template policy disabled.
set 0 disabled=yes
# Single tunnel-mode policy: only 10.0.8.0/23 <-> the remote LAN is carried.
# Other local subnets (DMZ, CCTV, guest house, MGMT) are not in the selector
# and are not protected by this tunnel. The proposal referenced here is the
# phase-2 "fortigate-remote-profile" under /ip ipsec proposal, not the IKE
# profile of the same name.
add dst-address=192.0.0.0/x peer=fortigate-remote proposal=fortigate-remote-profile \
    src-address=10.0.8.0/23 tunnel=yes
/ip route
# main: two default routes with equal distance (VT and TW gateways). In
# RouterOS v7 equal-distance routes to the same prefix become ECMP candidates,
# so unmarked traffic may be spread across both WANs — confirm with
# /ip route print. The DHCP client on ether2-WAN1-PTCL is also expected to add
# a dynamic default route to main; dynamic routes do not appear in an export.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    162.12.y.y pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    110.93.y.y pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=10
# to_PTCL: primary via the PTCL gateway; its two fallbacks (TW distance 2, VT
# distance 3) are listed at the end of this section.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 routing-table=to_PTCL scope=30 suppress-hw-offload=no \
    target-scope=10
# to_TW: three defaults (TW, then VT, then PTCL), so a to_TW lookup can only
# fail if all three gateways are unreachable — the reply's point.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    110.93.y.y routing-table=to_TW scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    162.12.y.y routing-table=to_TW scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 routing-table=to_TW scope=30 suppress-hw-offload=no \
    target-scope=10
# to_PTCL fallback via VT. NOTE(review): unlike the other routes this has no
# check-gateway, and the missing space before the continuation backslash
# looks like a paste artifact.
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=162.12.y.y\
    routing-table=to_PTCL scope=30 suppress-hw-offload=no target-scope=10
# to_VT: VT primary, PTCL (distance 2), TW (distance 3).
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    162.12.y.y routing-table=to_VT scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
    110.93.y.y routing-table=to_VT scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    192.168.1.1 routing-table=to_VT scope=30 suppress-hw-offload=no \
    target-scope=10
# ipsec_to_TW: a single route via TW with no fallback. Whether a failed lookup
# in this table falls through to main depends on /routing rule settings, none
# of which appear in this export.
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    110.93.y.y routing-table=ipsec_to_TW scope=30 suppress-hw-offload=no \
    target-scope=10
# to_PTCL fallback via TW (distance 2), again without check-gateway and with
# the same missing space before the backslash.
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=110.93.y.y\
    routing-table=to_PTCL scope=30 suppress-hw-offload=no target-scope=10
# The table to_PTCL_Work declared under /routing table has no routes here.
/ip service
# Management-plane hardening: telnet, ftp, api, api-ssl and www disabled; ssh
# and winbox restricted by source address and moved to non-default ports
# (values redacted; the input chain references 2201 and 3163).
set telnet disabled=yes
set ftp disabled=yes
set www address=x disabled=yes port=x
set ssh address=x port=x
set api disabled=yes
set winbox address=x port=x
set api-ssl disabled=yes
/ip smb shares
# Only the default share's directory is set; whether SMB itself is enabled is
# not shown in this export.
set [ find default=yes ] directory=pub
/ip ssh
# Restricts the SSH server to stronger ciphers and key-exchange algorithms.
set strong-crypto=yes
/ip traffic-flow
# Flow export enabled for the main LAN port; no /ip traffic-flow target appears
# in this export, so as shown the records are not sent anywhere.
set interfaces=ether6-DHCP-G-100-104
/ipv6 nd
# Moot while IPv6 is disabled under /ipv6 settings.
set [ find default=yes ] advertise-mac-address=no
/system clock
set time-zone-name=Asia/Karachi
/system identity
set name=AESL-LHR
/system note
set show-at-login=no
/system ntp client
# NTP client enabled but the servers list below is empty, so the clock is not
# being synchronised from here (cloud time sync is also off). Accurate time
# matters for log correlation across the two sites.
set enabled=yes
/system ntp client servers
/system scheduler
/tool bandwidth-server
# Bandwidth-test server, MAC-telnet, MAC-winbox and MAC-ping all disabled.
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool netwatch
/tool sniffer
# Leftover packet-sniffer filter from ESP troubleshooting; harmless.
set filter-ip-protocol=ipsec-esp

Your configuration export does not play well with your description - there are three default routes in table to_TW, so I don’t get how a packet could “not find a route” in that table except if all 3 of the gateways were down. Is that the case?

Other than that, matching packets to IPsec traffic selectors (in policies) does not substitute for the "normal" routing; it is a subsequent step that possibly overrides its result. Matching of outbound packets to traffic selectors takes place as the very last step of packet processing, after "normal" routing and all the firewall processing including srcnat, just before the packet would be sent out the interface chosen using the "normal" routing. If the normal routing or the firewall drops the packet for any reason, it never reaches the traffic selector matching stage. If srcnat changes the source address of the outbound packet so that it no longer matches the traffic selector it would have matched before, IPsec ignores that packet.