IPSEC from MT to Sophos UTM 2nd SA Kills 1st SA

Hello, I have configured an IPsec tunnel from MT to Sophos UTM.
1 tunnel works.
But if I activate a 2nd tunnel SA, the first SA no longer works.
Both connections are shown to me as established in MikroTik.
The same setup works fine with a Draytek router.

The local network on the Sophos side for the 1st SA is 128.39.0.0/16 and for the 2nd SA is 10.39.54.0/24.
The MikroTik network for the IPsec tunnel is VLAN 46 in a bridge with network address 10.43.46.0/24.

My second problem is that DHCP relay does not work either.
I checked on the Sophos with tcpdump and there is no DHCP packet arriving.
All other packets go through.
[attachment: MT2UTM.JPG]

No one here who builds more than one SA from MikroTik to another server?

Hi, support helped me.
The solution for the problem with more than 1 SA is to change, in the policy on the Action tab, the level from require to unique; see screenshot.
[attachment: MT_Action.png]
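
The same change expressed on the RouterOS command line, as an added example that is not from the thread: two policies, one per Sophos subnet, both pointing at the same peer, with level=unique so that each policy negotiates its own SA pair instead of sharing (and overwriting) one. The subnets are the ones quoted above; PEER_NAME, PROPOSAL_NAME and the peer=/comment= syntax (RouterOS 6.44 and later) are assumptions to replace with your own.

```routeros
# Added example, not from the thread. Placeholders: PEER_NAME = the entry in
# /ip ipsec peer for the Sophos UTM, PROPOSAL_NAME = the phase-2 proposal.
/ip ipsec policy
add src-address=10.43.46.0/24 dst-address=128.39.0.0/16 \
    peer=PEER_NAME tunnel=yes action=encrypt \
    ipsec-protocols=esp proposal=PROPOSAL_NAME \
    level=unique comment="SA1 to Sophos 128.39.0.0/16"
add src-address=10.43.46.0/24 dst-address=10.39.54.0/24 \
    peer=PEER_NAME tunnel=yes action=encrypt \
    ipsec-protocols=esp proposal=PROPOSAL_NAME \
    level=unique comment="SA2 to Sophos 10.39.54.0/24"

# If the policies already exist with level=require, change only that field:
/ip ipsec policy set [find comment~"to Sophos"] level=unique

# Verify: both policies should show as active, and the installed-SA list should
# contain a separate inbound/outbound pair for each policy rather than one pair.
/ip ipsec policy print detail
/ip ipsec installed-sa print
```

With level=require a second policy to the same peer may reuse the existing SA, which is the symptom described in the first post (the second SA coming up knocks out the first); level=unique forces a dedicated SA per policy.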

Hi,

I have the same problem. I cannot connect the 2nd IKEv2 VPN.

However, in IPsec Policy → Action tab, I do not have Level. Only 3 items: Action, IPsec Protocols & Proposal.

I’m on v6.45.6

Where it could be?

Hello Svenp, would you be so kind as to share your settings of UTM and MikroTik to get the IPsec tunnel working? I still have the issue that the tunnel does not come up and there is no phase 2; it sits in PH2 state, which later changes to 'ready to send'.