IPSec not working with multiple policies - same subnets

Hello!

I am trying to set up 3 RB750s like this:

  • one site A, as the L2TP/IPSec server
  • the other sites B1 and B2, as clients to A.

The network behind B1 and B2 is the same.
The problem I have is that when I set up the IPSec policies with the same subnets but different endpoints, it disables one of the rules, so all the traffic between the subnets is lost (it seems to prefer the one that I consider to be the main one, but that is not that important). If I disable the backup policy, it works perfectly.

Any solution for that? I don’t really want to disable/enable the policies manually, as the purpose of this setup is to automatically replace one of the B routers if it goes down.

Thanks!

I’ve found a link from a guy who experienced a similar problem: http://rant.gulbrandsen.priv.no/mikrotik/ipsec-policy-bugs

Anyone? :)

If two policies are the same (SRC- and DST-Address), it is not possible for ROS to distinguish which one is ‘main’ and which one is ‘backup’.
So one becomes ‘invalid’…
Use the netwatch tool to test endpoint availability and enable/disable the appropriate policies.

HTH,
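As an added illustration of the netwatch approach suggested in this reply (not configuration from the thread), the following keeps exactly one of the two identical policies enabled at any time. It assumes the commands run on site A, that the two policies already exist with the comments "to-B1" (preferred) and "to-B2" (backup), and that 192.0.2.11 is a placeholder for B1's public address.

```routeros
# Added example, not from the thread. Assumptions: run on site A (the
# L2TP/IPSec server); both policies already exist with identical subnets
# and carry the comments "to-B1" (preferred) and "to-B2" (backup);
# 192.0.2.11 is a placeholder for B1's public endpoint.

# Scripts that swap which of the two identical policies is enabled.
# Only one policy is ever enabled, so ROS never has to choose between them
# and never marks one of them invalid.
/system script add name=ipsec-use-B2 \
    source="/ip ipsec policy set [find comment=to-B1] disabled=yes; /ip ipsec policy set [find comment=to-B2] disabled=no; :log warning \"B1 unreachable, IPsec policy switched to B2\""
/system script add name=ipsec-use-B1 \
    source="/ip ipsec policy set [find comment=to-B2] disabled=yes; /ip ipsec policy set [find comment=to-B1] disabled=no; :log info \"B1 reachable, IPsec policy switched back to B1\""

# Start from the known-good state: preferred policy active, backup disabled.
/system script run ipsec-use-B1

# Probe B1's endpoint; on loss switch to B2, on recovery switch back.
# interval and timeout are placeholder values; tune them to the link.
/tool netwatch add host=192.0.2.11 interval=30s timeout=1s comment="watch-B1" \
    down-script="/system script run ipsec-use-B2" \
    up-script="/system script run ipsec-use-B1"
```

Because each script leaves exactly one policy enabled, a flapping B1 only toggles between the two valid states; raise interval if you see frequent switches in the log.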

Thanks!