IPsec Policies with multiple subnets

I have a working IPSec site to site VPN and I now need to make a second subnet available behind one of the routers.

As far as I understand, an IPSec Policy only maps 1:1 (i.e. one source subnet to one destination subnet).

I have tried to duplicate the policy, but although the new one works, this kills the old one, i.e. I can only reach one of the subnets at a given time.

What am I missing?

Correct (except that it rather “links” than “maps” subnets).

If you have “duplicated” it properly, in terms that you’ve changed the src-address at the peer with two subnets and dst-address at the peer with single subnet and left the rest unchanged, it should work normally.

So try changing the level from the default required to unique - if both peers are Mikrotik ones, this should not be necessary, but it’s worth trying.

If that doesn’t help, try disabling and re-enabling the identity, as adding policies on the fly behaves funny in some RouterOS versions.
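Added example (not from the thread) of what the answer above describes: one policy per subnet pair on each peer, with level=unique on every policy. All addresses are constructed, and the peer=/identity syntax assumes RouterOS 6.45 or newer; older 6.x releases use sa-src-address/sa-dst-address on the policy instead.

```routeros
# Site A: WAN 198.51.100.1, LANs 192.168.10.0/24 and 192.168.20.0/24 (constructed)
/ip ipsec peer add name=siteB address=203.0.113.1/32 exchange-mode=main
/ip ipsec identity add peer=siteB auth-method=pre-shared-key secret="REPLACE_WITH_PSK"
# One policy per local subnet; dst-address is the same remote subnet in both.
# level=unique gives each policy its own SA pair so the second policy
# does not displace the first one (the symptom in the question).
/ip ipsec policy add peer=siteB tunnel=yes action=encrypt proposal=default \
    level=unique src-address=192.168.10.0/24 dst-address=10.0.0.0/24
/ip ipsec policy add peer=siteB tunnel=yes action=encrypt proposal=default \
    level=unique src-address=192.168.20.0/24 dst-address=10.0.0.0/24

# Site B: WAN 203.0.113.1, LAN 10.0.0.0/24 (constructed). Mirror image:
# src-address stays the single local subnet, dst-address changes per policy.
/ip ipsec peer add name=siteA address=198.51.100.1/32 exchange-mode=main
/ip ipsec identity add peer=siteA auth-method=pre-shared-key secret="REPLACE_WITH_PSK"
/ip ipsec policy add peer=siteA tunnel=yes action=encrypt proposal=default \
    level=unique src-address=10.0.0.0/24 dst-address=192.168.10.0/24
/ip ipsec policy add peer=siteA tunnel=yes action=encrypt proposal=default \
    level=unique src-address=10.0.0.0/24 dst-address=192.168.20.0/24

# Check on either side: both policies should show the A (active) flag and
# two separate SA pairs should be listed, one per subnet pair.
/ip ipsec policy print
/ip ipsec installed-sa print
```

As the answer notes, if the new policies stay inactive after being added, disable and re-enable the identity so the peer renegotiates with the full policy set.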

I just wanted to stop by and say thank you! Your solution fixed a problem I have been dealing with since implementing Perimeter 81 and my MikroTik site to site tunnel. Changing each policy to “unique” immediately made them work.