IPSEC same peer, two networks

Hello

I am trying to build an IPSEC IKE1 between two peers. One of the peers has two networks:

/ip ipsec policy
add src-address=192.168.1.0/24 src-port=any dst-address=192.168.0.0/24 \
    dst-port=any protocol=all action=encrypt level=require \
    ipsec-protocols=esp tunnel=yes sa-src-address=90.90.90.90 \
    sa-dst-address=91.91.91.91 proposal=whatever ph2-count=1
add src-address=192.168.1.0/24 src-port=any dst-address=10.10.0.0/16 \
    dst-port=any protocol=all action=encrypt level=require \
    ipsec-protocols=esp tunnel=yes sa-src-address=90.90.90.90 \
    sa-dst-address=91.91.91.91 proposal=whatever ph2-count=1

As long as I don't activate the second policy, communication between 192.168.1.0 and 192.168.0.0 is successful.
As soon as I activate the second policy, communication fails between 192.168.1.0 and 192.168.0.0, but is successful between 192.168.1.0 and 10.10.0.0.

Can someone help me find out what is going on?

What kind of device is on the other side? You can try setting level=unique for both these policies.

The other end is a watchguard firebox.
I cannot try this today unfortunately, only from Monday.
Will come back with results.

Hello emils,
I did try your suggestion without waiting for Monday to contact the other party and it worked :)
Thank you
Now back to wiki to understand better what level=unique means
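A simplified model of why both policies stop working together under level=require and work under level=unique, added here as an example and not taken from the thread or from RouterOS. It assumes that with level=require two policies to the same sa-src/sa-dst pair end up sharing one phase-2 SA whose traffic selectors come from the policy negotiated last (which reproduces the symptom reported above), while level=unique gives each policy its own SA; the Policy/SA classes and helper names are the example's own.

```python
# Added example, not from the thread: a simplified model of how the two
# policies above share or split phase-2 SAs depending on `level`.
# Assumption: with level=require, policies to the same sa-src/sa-dst pair
# reuse one SA, and the peer only accepts the traffic selectors of the
# policy that negotiated it last (the symptom described in the thread);
# with level=unique every policy negotiates an SA of its own.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    src: str       # local subnet, e.g. "192.168.1.0/24"
    dst: str       # remote subnet
    sa_src: str    # local peer address
    sa_dst: str    # remote peer address
    level: str = "require"


@dataclass
class SA:
    selectors: list = field(default_factory=list)  # (src_net, dst_net) pairs


def negotiate(policies):
    """Map each policy index to the SA it ends up using, in activation order."""
    sas, by_policy = {}, {}
    for i, p in enumerate(policies):
        # require: keyed by peer pair only, so both policies hit the same SA;
        # unique: the policy index is part of the key, so each gets its own.
        key = (p.sa_src, p.sa_dst) if p.level == "require" else (p.sa_src, p.sa_dst, i)
        sa = sas.setdefault(key, SA())
        sa.selectors = [(ip_network(p.src), ip_network(p.dst))]  # last negotiation wins
        by_policy[i] = sa
    return by_policy


def can_reach(policies, src_ip, dst_ip):
    """True if a packet src->dst matches a policy whose SA the peer accepts it on."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    by_policy = negotiate(policies)
    for i, p in enumerate(policies):
        if src in ip_network(p.src) and dst in ip_network(p.dst):
            return any(src in s and dst in d for s, d in by_policy[i].selectors)
    return False  # no encrypting policy matches; outside this model


def thread_scenario(level):
    """The two policies from the thread, with the given level on both."""
    return [
        Policy("192.168.1.0/24", "192.168.0.0/24", "90.90.90.90", "91.91.91.91", level),
        Policy("192.168.1.0/24", "10.10.0.0/16", "90.90.90.90", "91.91.91.91", level),
    ]
```

With level=require the first subnet pair is unreachable as soon as the second policy is active; with level=unique both pairs work, and with only the first policy active it works under either level.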