IPsec Policy becomes inactive

Hi,

I have this network setup where I want to connect to a remote site using IPsec site-to-site VPN.

I want the head office server (172.16.2.1) to be able to access resources at the remote office server (172.16.1.1).
The Mikrotik Routerboard at the remote office has 2 uplinks to two different ISPs; each port has its own public IP address from each ISP.

I set up 2 IPsec policies like this:

/ip ipsec policy
add comment="PRIMARY LINK OF REMOTE OFFICE" dst-address=172.16.1.0/24 \
    proposal=default sa-dst-address="ISP1 address" sa-src-address="Head office Public IP" \
    src-address=172.16.2.0/24 tunnel=yes

add comment="BACKUP LINK OF REMOTE OFFICE" disabled=yes dst-address=172.25.0.0/24 priority=1 \
    proposal=default sa-dst-address="ISP2 address" sa-src-address="Head office Public IP" \
    src-address=172.16.2.0/24 tunnel=yes


So basically the 2 IPsec policies have the same src-address and dst-address; only the sa-dst-address is different.

The remote site only uses ISP1 as primary and ISP2 as backup.


My problem is that my first IPsec policy (Primary) becomes inactive if I don't disable the 2nd policy.


Any explanation?