Hi,
We’ve got a Mikrotik hosting a bunch of subnets, and a remote customer with a Cisco who already has an IPsec VPN to us for one subnet. We’re trying to add an additional subnet into this VPN but aren’t having any luck.
Mikrotik End

/ip ipsec proposal
# default proposal; the policies below do not set proposal=, so they use this one
set [ find default=yes ] enc-algorithms=3des,aes-256-cbc pfs-group=none
# additional proposal, not referenced by any policy below
add enc-algorithms=3des name=3des-sha1-modp1024
/ip ipsec peer
add address=xxx.xxx.xxx.113/32 comment="Remote Office" secret=xxx
/ip ipsec policy
# one tunnel-mode policy per local subnet, both towards the same remote subnet
add comment="Remote Office access to Network 1" dst-address=192.168.92.0/24 level=unique sa-dst-address=xxx.xxx.xxx.113 sa-src-address=xxx.xxx.xxx.3 src-address=xxx.xxx.xxx.32/27 tunnel=yes
add comment="Remote Office access to Network 2" dst-address=192.168.92.0/24 level=unique sa-dst-address=xxx.xxx.xxx.113 sa-src-address=xxx.xxx.xxx.3 src-address=xxx.xxx.xxx.128/26 tunnel=yes
Cisco End

! crypto map entry 11; interesting traffic is selected by the OFFICE-VPN ACL
crypto map IPSEC-TRAFFIC 11 ipsec-isakmp
 set peer xxx.xxx.xxx.3
 set transform-set AES-SHA 3DES-SHA
 set pfs group2
 match address OFFICE-VPN
! one entry per remote subnet, written from the Cisco side (local 192.168.92.0/24 first)
ip access-list extended OFFICE-VPN
 permit ip 192.168.92.0 0.0.0.255 xxx.xxx.xxx.32 0.0.0.31
 permit ip 192.168.92.0 0.0.0.255 xxx.xxx.xxx.128 0.0.0.63
I had read that setting the two policies on the Mikrotik to “level=unique” should let this work, but it doesn’t seem to be the case. Only the /27 network is coming up, as we can see from the Cisco:
Interface: Dialer0
Session status: UP-ACTIVE
Peer: xxx.xxx.xxx.3 port 500
  IKEv1 SA: local xxx.xxx.xxx.113/500 remote xxx.xxx.xxx.3/500 Active
  IPSEC FLOW: permit ip 192.168.92.0/255.255.255.0 xxx.xxx.xxx.128/255.255.255.192
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.92.0/255.255.255.0 xxx.xxx.xxx.32/255.255.255.224
        Active SAs: 2, origin: crypto map
Is there anything I’ve missed?
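The following is an added example, not part of the original post or either vendor's tooling: a small Python script that parses RouterOS `/ip ipsec policy` lines and a Cisco crypto-map ACL, converts the Cisco address/wildcard pairs to prefixes, mirrors them (the Cisco's local side is the Mikrotik's remote side) and reports which traffic selectors exist on both ends and which exist on only one. Because the post masks its public addresses as xxx.xxx.xxx.N, the embedded sample input is constructed with 203.0.113.0/24 (TEST-NET-3 documentation space) substituted for them; the subnet sizes are the ones from the post. Only the `permit ip A WA B WB` form of an ACE is handled.

```python
"""Cross-check Mikrotik IPsec policy selectors against a Cisco crypto-map ACL.

Added example (not from the original post or from MikroTik/Cisco). The post
masks its public addresses as xxx.xxx.xxx.N; the constructed input below uses
203.0.113.0/24 (TEST-NET-3 documentation space) in their place.
"""
import ipaddress
import re

# Constructed sample input, modelled on the two '/ip ipsec policy' lines in the post.
MIKROTIK_POLICIES = """\
add comment="Remote Office access to Network 1" dst-address=192.168.92.0/24 level=unique sa-dst-address=203.0.113.113 sa-src-address=203.0.113.3 src-address=203.0.113.32/27 tunnel=yes
add comment="Remote Office access to Network 2" dst-address=192.168.92.0/24 level=unique sa-dst-address=203.0.113.113 sa-src-address=203.0.113.3 src-address=203.0.113.128/26 tunnel=yes
"""

# Constructed sample input, modelled on the OFFICE-VPN access list in the post.
CISCO_ACL = """\
ip access-list extended OFFICE-VPN
 permit ip 192.168.92.0 0.0.0.255 203.0.113.32 0.0.0.31
 permit ip 192.168.92.0 0.0.0.255 203.0.113.128 0.0.0.63
"""


def parse_mikrotik_policies(text):
    """Return {(src_net, dst_net)} from RouterOS '/ip ipsec policy add ...' lines.

    src-address is the Mikrotik-local subnet, dst-address the remote one.
    """
    selectors = set()
    for line in text.splitlines():
        if not line.strip().startswith("add "):
            continue
        # key=value pairs; quoted values (comment="...") may contain spaces
        attrs = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line))
        selectors.add((ipaddress.ip_network(attrs["src-address"]),
                       ipaddress.ip_network(attrs["dst-address"])))
    return selectors


def wildcard_to_network(address, wildcard):
    """Convert a Cisco 'address wildcard' pair into an ip_network.

    The wildcard is an inverted mask. A non-contiguous wildcard, or host bits
    set in the address, has no single-prefix equivalent and makes ipaddress raise.
    """
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{address}/{ipaddress.IPv4Address(mask)}", strict=True)


def parse_cisco_acl(text):
    """Return {(local_net, remote_net)} from 'permit ip A WA B WB' entries.

    In a crypto-map ACL the first address/wildcard pair is the Cisco-local side.
    """
    selectors = set()
    for line in text.splitlines():
        m = re.match(r"\s*permit ip (\S+) (\S+) (\S+) (\S+)\s*$", line)
        if m:
            selectors.add((wildcard_to_network(m.group(1), m.group(2)),
                           wildcard_to_network(m.group(3), m.group(4))))
    return selectors


def compare_selectors(mikrotik_text, cisco_text):
    """Mirror the Cisco ACL and diff it against the Mikrotik policies.

    Each ACE / policy is one IKEv1 phase-2 selector, so a subnet that only one
    side knows about, or that is sized differently on the two sides, shows up
    in 'only_mikrotik' or 'only_cisco' rather than in 'matched'.
    """
    mikrotik = parse_mikrotik_policies(mikrotik_text)
    cisco = {(remote, local) for local, remote in parse_cisco_acl(cisco_text)}
    return {
        "matched": sorted(mikrotik & cisco, key=str),
        "only_mikrotik": sorted(mikrotik - cisco, key=str),
        "only_cisco": sorted(cisco - mikrotik, key=str),
    }


if __name__ == "__main__":
    report = compare_selectors(MIKROTIK_POLICIES, CISCO_ACL)
    for key, pairs in report.items():
        print(f"{key}:")
        for local, remote in pairs:
            print(f"  {local} <-> {remote}")
```

Run against the sample input both selectors land in `matched`, which is what you want to confirm before looking elsewhere (proposal/PFS settings, or whether any traffic has actually hit the second flow). Swapping the second ACE's wildcard to 0.0.0.127, for instance, moves the /26 pair out of `matched` into one entry under each of `only_mikrotik` and `only_cisco`.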