IPSec Policy overlapping

Hello!
We have a Mikrotik CCR router. We have set up two IPsec tunnels between this router and two remote routers.

The thing is that we have two different policies where the dst-net of the first policy is overlapped by the dst-net of the second policy. To be clearer, the first policy has sa-dst-address=10.80.193.0/24 and the second policy has sa-dst-address=10.0.0.0/8. sa-src-address is the same for both tunnels - 10.100.0.0/24

We didn’t find how RouterOS deals with overlapping policies. Does it use general routing rules where more specific is better? Are we allowed to use configurations such as this? Should we split 10.0.0.0/8 into smaller nets to prevent it from including 10.80.193.0/24?

Thanks!

Use higher priority to prefer one policy above another.

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

Sub-menu: /ip ipsec policy
priority (integer:-2147483646..2147483647; Default: 0)
Policy ordering classificator (signed integer). Larger number means higher priority.

Also, sa-src/sa-dst are for source / destination (single) peer address. Do you mean overlapping src-address and/or dst-address ranges?

I mean the src-address range that forms the encryption domain. It’s what you configure in /ip ipsec policy> It’s not the peer’s outer IP.
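An added example, not part of the thread and not RouterOS code: a small audit that models only the rule quoted in the reply above ("larger number means higher priority") and flags overlapping policies that priority does not separate. The policy names, the priority value 10, and the assumption that both posted policies sit at the default priority 0 are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from itertools import combinations
from typing import NamedTuple

class Policy(NamedTuple):
    name: str          # hypothetical label, not a RouterOS field
    src: str           # src-address range of the policy
    dst: str           # dst-address range of the policy
    priority: int = 0  # default 0, per the manual excerpt quoted in the thread

def overlaps(a, b):
    """True when some packet could match both policies."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst)))

def ambiguous_pairs(policies):
    """Overlapping pairs with equal priority: priority alone does not pick one."""
    return [(a.name, b.name) for a, b in combinations(policies, 2)
            if overlaps(a, b) and a.priority == b.priority]

def select(policies, src, dst):
    """Name of the highest-priority matching policy, or None if nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    hits = [p for p in policies
            if s in ip_network(p.src) and d in ip_network(p.dst)]
    if not hits:
        return None
    top = max(p.priority for p in hits)
    winners = [p.name for p in hits if p.priority == top]
    if len(winners) > 1:
        # Tie-breaking is not described on this page, so refuse to guess.
        raise ValueError("priority tie between: " + ", ".join(winners))
    return winners[0]

# Constructed sample data using the ranges from the question.
AS_POSTED = [
    Policy("site-a", "10.100.0.0/24", "10.80.193.0/24"),
    Policy("site-b", "10.100.0.0/24", "10.0.0.0/8"),
]
PRIORITISED = [
    Policy("site-a", "10.100.0.0/24", "10.80.193.0/24", priority=10),
    Policy("site-b", "10.100.0.0/24", "10.0.0.0/8"),
]

if __name__ == "__main__":
    print("ambiguous as posted:", ambiguous_pairs(AS_POSTED))
    print("ambiguous with priority:", ambiguous_pairs(PRIORITISED))
    print("10.80.193.20 ->", select(PRIORITISED, "10.100.0.7", "10.80.193.20"))
    print("10.9.9.9     ->", select(PRIORITISED, "10.100.0.7", "10.9.9.9"))
```

Running the same audit over an exported policy list shows which traffic would leave through the broader /8 tunnel if the more specific policy were not given the larger priority.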