Hey
I have inherited a customer site, who has configured a number of branch offices connected to the head office in a hub/spoke configuration (all with Mikrotiks). All branches can see the head office. The requirement is to now change this to allow all branches to see each other. The head office has an IP range of 10.5.0.x/24, and the branches have 10.5.y.x/24 where y is a number of the branch (in this case 1-8). All seems to be OK, until I change the IPSEC Policy dst address to be a 16 bit subnet mask from a 24 bit subnet mask to force allow traffic to flow up to the head office for other branches. In the faulting state, on the customer site, only some traffic goes through the IPSEC tunnel (random stuff) although I can ping through to all branches.
I have set this all up in a virtual lab, and am getting something even more strange (which is what this post is about, but ultimately I am wanting to resolve the customer issue)…
In the lab environment, this is the configuration:
client side: 10.5.2.2/24 [Router OS] Internet Interface (192.168.250.187) ---------------------- (192.168.250.185) Internet Interface [Router OS] 10.5.0.0/24
If I have an IPSEC VPN policy on the client site of Src: 10.5.2.0/24, Dst. Address: 10.5.0.0/24, all works fine. That is, I can ping from a machine 10.5.2.10 to the client-side router and the other side.
If I change the IPSEC VPN policy on the client to be SRC: 10.5.2.0/24, DST Address: 10.5.0.0/16, I cannot ping the client-side router and get time outs etc. It also works if I set the DST ADDRESS to be 10.5.0.0/23 (i.e. the largest subnet mask I can have while excluding the local ethernet interface).
It would appear that any IPSEC Policies override any physical interface settings. Is this by design, or have I missed a configuration somewhere?
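As an added illustration (not part of the post or of RouterOS), the following models the IPsec policy selectors from the lab as an ordered first-match table and shows why the /16 destination catches traffic between 10.5.2.10 and its own router while /24 and /23 do not. First-match ordering, the router address 10.5.2.2 taken from the lab diagram, and the host addresses are assumptions made for the example.

```python
import ipaddress

# Ordered policy table: first matching (src, dst) selector pair wins.
# First-match order is an assumption made for this model; the point being
# shown is the selector overlap, which holds regardless of matching order.

def select_policy(policies, src_ip, dst_ip):
    """Return the action of the first policy whose selectors cover the flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for src_sel, dst_sel, action in policies:
        if src in ipaddress.ip_network(src_sel) and dst in ipaddress.ip_network(dst_sel):
            return action
    return "no-policy"  # nothing matched: packet follows normal routing

# Lab addressing from the post: branch LAN 10.5.2.0/24, hub LAN 10.5.0.0/24.
BRANCH_HOST = "10.5.2.10"           # test machine named in the post
BRANCH_ROUTER = "10.5.2.2"          # client-side router, per the lab diagram
HUB_HOST = "10.5.0.10"              # assumed host at head office
OTHER_BRANCH_HOST = "10.5.3.10"     # assumed host in branch 3

# 1. Original policy: /24 destination never overlaps the local LAN.
POLICY_24 = [("10.5.2.0/24", "10.5.0.0/24", "encrypt")]

# 2. Widened policy: 10.5.0.0/16 also contains 10.5.2.0/24 itself, so a
#    packet from a LAN host to its own router matches and is pulled into
#    the tunnel instead of being delivered locally.
POLICY_16 = [("10.5.2.0/24", "10.5.0.0/16", "encrypt")]

# 3. The /23 workaround: 10.5.0.0/23 spans 10.5.0.0-10.5.1.255 only, so it
#    cannot match 10.5.2.x, but it also stops short of branches 3-8.
POLICY_23 = [("10.5.2.0/24", "10.5.0.0/23", "encrypt")]

# 4. Fix: a bypass entry for LAN-to-LAN traffic placed ahead of the /16 entry.
POLICY_16_BYPASS = [
    ("10.5.2.0/24", "10.5.2.0/24", "bypass"),   # local LAN stays in the clear
    ("10.5.2.0/24", "10.5.0.0/16", "encrypt"),  # everything else in 10.5/16
]

def summarize(policies):
    """Decision for the three flows the post cares about."""
    return {
        "to_router": select_policy(policies, BRANCH_HOST, BRANCH_ROUTER),
        "to_hub": select_policy(policies, BRANCH_HOST, HUB_HOST),
        "to_other_branch": select_policy(policies, BRANCH_HOST, OTHER_BRANCH_HOST),
    }
```

On RouterOS the equivalent of the bypass entry is an IPsec policy with action=none for the local subnet, kept above the /16 encrypt policy so that it is evaluated first.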