Hello everybody,
I'm trying to set up load balancing on a router at an office with two ISPs and an IPsec tunnel to a remote office. So far so good, but I want to have automatic failover for IPsec: in case one ISP is down, the IPsec goes over the other and vice versa. I tried to make a mangle connection mark with distance routing, but it didn't work.
Can somebody help?
Not enough information. If the "remote" office only has a single uplink (WAN) and you just fail over to another WAN in the "local" office using mangle rules, the "remote" router will ignore the packets, as they will arrive from the wrong IP address. The packets from the "remote" router will keep being sent to the dead WAN's address, so they won't get delivered. Mikrotik's IPsec implementation doesn't support MOBIKE yet, and I'm not even sure MOBIKE would work in this case.
So it will take the peers some time to detect the connection got broken (100 seconds by default), and then they may start establishing a new one. If the “remote” office acts as a responder, the initiator at the “local” office will re-establish the connection successfully from the backup WAN address; if the “remote” office acts as an initiator, it will keep trying to connect to the dead WAN’s IP and never succeed.
To get some useful advice, provide more information regarding the number of WANs in the "remote" office, which WANs have public IPs on them and which are behind some external NAT (for both routers), whether the public IPs are static or dynamic, and, where external NAT exists, whether you can configure port forwarding on it or not.
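The failure sequence the answer above walks through (source address mismatch after the route change, packets still sent to the dead WAN, dead-peer detection, and then re-establishment that only works when the dual-WAN side is the initiator) is easy to get wrong when reasoning by hand, so here is a small model of it. This is an added example, not code from the forum thread or from RouterOS: the addresses are constructed, the peer configured with `peer_address="any"` stands in for a responder that accepts IKE from any source address (an assumption about the remote peer's configuration), and dead-peer detection is reduced to the single 100-second timeout quoted in the answer.

```python
"""Model of IPsec tunnel failover between a dual-WAN "local" office and a
single-WAN "remote" office.  Constructed example; addresses are documentation
ranges and the behaviour modelled is the one described in the answer above."""
from dataclasses import dataclass, field
from typing import Optional

DPD_TIMEOUT = 100  # seconds until the peer is declared dead (value quoted in the answer)


@dataclass
class Router:
    name: str
    wans: list                      # public WAN addresses, preferred first (lowest route distance)
    role: str                       # "initiator" or "responder"
    peer_address: str               # address this router is configured to talk to; "any" = accept anyone
    down: set = field(default_factory=set)

    def active_wan(self) -> Optional[str]:
        """Distance-based failover: the first WAN whose route is still usable."""
        return next((w for w in self.wans if w not in self.down), None)


@dataclass
class Tunnel:
    endpoints: dict = field(default_factory=dict)   # router name -> address the SA is bound to
    established: bool = False


def accepts(dst: Router, src_ip: Optional[str], tunnel: Tunnel, src: Router) -> bool:
    """A packet counts as delivered only if it reaches a live WAN on dst and
    comes from the address the SA was negotiated with (otherwise: unknown SA, dropped)."""
    dst_ip = tunnel.endpoints.get(dst.name)
    if dst_ip is None or dst_ip in dst.down:
        return False                                   # sent to a dead WAN: never arrives
    return src_ip is not None and src_ip == tunnel.endpoints.get(src.name)


def negotiate(initiator: Router, responder: Router) -> Optional[Tunnel]:
    """IKE from the initiator's currently active WAN to its configured peer address."""
    src = initiator.active_wan()
    dst = initiator.peer_address
    if src is None or dst not in responder.wans or dst in responder.down:
        return None                                    # dialling a dead or unknown address
    if responder.peer_address not in ("any", src):
        return None                                    # responder only talks to the address it expects
    return Tunnel({initiator.name: src, responder.name: dst}, established=True)


def simulate(local: Router, remote: Router, failed_wan: str) -> dict:
    """Bring the tunnel up, fail one of local's WANs, and report what happens."""
    initiator, responder = (local, remote) if local.role == "initiator" else (remote, local)
    tunnel = negotiate(initiator, responder)
    if tunnel is None:
        raise RuntimeError("initial negotiation failed; check the scenario")
    local.down.add(failed_wan)                         # ISP outage on the preferred WAN
    # Mangle/route failover now sources local's packets from the backup WAN, while the
    # remote side keeps sending to the address the SA was bound to.
    local_to_remote = accepts(remote, local.active_wan(), tunnel, local)
    remote_to_local = accepts(local, remote.active_wan(), tunnel, remote)
    # After DPD_TIMEOUT both sides tear the SA down and the initiator tries again.
    new_tunnel = negotiate(initiator, responder)
    return {
        "traffic_after_failure": (local_to_remote, remote_to_local),
        "recovered_at": DPD_TIMEOUT if new_tunnel else None,
        "new_endpoints": new_tunnel.endpoints if new_tunnel else None,
    }


def scenario(remote_role: str) -> dict:
    """Dual-WAN local office, single-WAN remote office; remote_role picks who initiates."""
    local_wans = ["198.51.100.10", "203.0.113.20"]    # constructed addresses
    remote_wan = "192.0.2.5"
    if remote_role == "responder":
        local = Router("local", local_wans, "initiator", peer_address=remote_wan)
        remote = Router("remote", [remote_wan], "responder", peer_address="any")
    else:
        local = Router("local", local_wans, "responder", peer_address="any")
        remote = Router("remote", [remote_wan], "initiator", peer_address=local_wans[0])
    return simulate(local, remote, failed_wan=local_wans[0])


if __name__ == "__main__":
    for role in ("responder", "initiator"):
        print(f"remote office as {role}: {scenario(role)}")
```

Running it shows both directions dead immediately after the failover in either case; with the remote office as responder the tunnel comes back after the 100-second detection window bound to the backup WAN address, and with the remote office as initiator it never comes back because it keeps dialling the dead address.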