IPSEC SAME ROUTER DIFFERENT SOURCE IPS SAME ENDPOINT

Hi all,

It’s great to be here.

I am trying to set up 2 IPsec connections with a client which uses a Cisco ASA. The thing is that in our router we have 2 public IP addresses on the same WAN interface, with which we need to connect twice to the same endpoint and NAT different subnets on each peer. Here is my current IPsec setup:

# Phase 2 proposals (one per peer)
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add auth-algorithms=md5,sha1 enc-algorithms=3des lifetime=8h name=EncryptionProposal
add auth-algorithms=md5 enc-algorithms=3des lifetime=8h name=vpn_ab
add auth-algorithms=md5 enc-algorithms=3des lifetime=8h name=vpn_ae
# Both peers point at the same remote address; only local-address differs
/ip ipsec peer
add address=82.xxx.xxx.xx3/32 comment=IPSEC_AB enc-algorithm=3des hash-algorithm=md5 lifetime=8h local-address=77.xxx.xxx.xx1 nat-traversal=no secret=mysharedsecretforab
add address=82.xxx.xxx.xx3/32 comment=IPSEC_AE enc-algorithm=3des hash-algorithm=md5 lifetime=8h local-address=77.xxx.xxx.xx2 nat-traversal=no secret=mysharedsecretforae
/ip ipsec policy
add disabled=yes template=yes

#IPS_POLICIES WITH AB
add comment=IPS_POLICY_AB_36_65 dst-address=1xx.xxx.36.65/32 level=unique proposal=vpn_ab sa-dst-address=82.xxx.xxx.xx3 sa-src-address=77.xxx.xxx.xx1 src-address=1xx.xxx.1.0/24 tunnel=yes
add comment=IPS_POLICY_AB_37_65 dst-address=1xx.xxx.37.65/32 level=unique proposal=vpn_ab sa-dst-address=82.xxx.xxx.xx3 sa-src-address=77.xxx.xxx.xx1 src-address=1xx.xxx.1.0/24 tunnel=yes
add comment=IPS_POLICY_AB_38_65 dst-address=1xx.xxx.38.65/32 level=unique proposal=vpn_ab sa-dst-address=82.xxx.xxx.xx3 sa-src-address=77.xxx.xxx.xx1 src-address=1xx.xxx.1.0/24 tunnel=yes
add comment=IPS_POLICY_AB_39_65 dst-address=1xx.xxx.39.65/32 level=unique proposal=vpn_ab sa-dst-address=82.xxx.xxx.xx3 sa-src-address=77.xxx.xxx.xx1 src-address=1xx.xxx.1.0/24 tunnel=yes

#IPS_POLICIES WITH AE
add comment=IPS_POLICY_AE_36_36 dst-address=1xx.xxx.36.36/32 level=unique proposal=vpn_ae sa-dst-address=82.xxx.xxx.xx3 sa-src-address=77.xxx.xxx.xx2 src-address=1xx.xxx.0.0/24 tunnel=yes
add comment=IPS_POLICY_AE_37_36 dst-address=1xx.xxx.37.36/32 level=unique proposal=vpn_ae sa-dst-address=82.xxx.xxx.xx3 sa-src-address=77.xxx.xxx.xx2 src-address=1xx.xxx.0.0/24 tunnel=yes
add comment=IPS_POLICY_AE_38_36 dst-address=1xx.xxx.38.36/32 level=unique proposal=vpn_ae sa-dst-address=82.xxx.xxx.xx3 sa-src-address=77.xxx.xxx.xx2 src-address=1xx.xxx.0.0/24 tunnel=yes
add comment=IPS_POLICY_AE_39_36 dst-address=1xx.xxx.39.36/32 level=unique proposal=vpn_ae sa-dst-address=82.xxx.xxx.xx3 sa-src-address=77.xxx.xxx.xx2 src-address=1xx.xxx.0.0/24 tunnel=yes

The thing, from what I understand, is that MikroTik does not use the correct IP to reach the endpoint from each peer (peer src address not working?). I don't know why…

Anyone who can help?

Thanks.

Edit: One of the peers is working and the other only works if I disable the first one. Weird.

I eventually arranged with the client and created one peer but either way thanks everyone for “viewing”…

Please lock this topic.

Thanks
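As an added example (not part of the original thread), here is a small Python linter that reads an export in the same form as the one posted above and flags the three things worth checking before opening a ticket: two peers keyed on the same remote address, policies whose sa-src-address is not a configured peer local-address, and legacy 3DES/MD5 in the proposals. The sample export is constructed with RFC 5737 documentation addresses in place of the redacted public IPs.

```python
import shlex

WEAK = {"des", "3des", "md5"}  # legacy algorithms that should be retired

# Constructed sample mirroring the post's layout; RFC 5737 documentation
# addresses stand in for the redacted public IPs (not a real export).
SAMPLE = """/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=3des lifetime=8h name=vpn_ab
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=vpn_ae
/ip ipsec peer
add address=203.0.113.3/32 comment=IPSEC_AB local-address=198.51.100.1 secret=x
add address=203.0.113.3/32 comment=IPSEC_AE local-address=198.51.100.2 secret=y
/ip ipsec policy
add disabled=yes template=yes
add comment=POL_AB dst-address=10.0.36.65/32 sa-dst-address=203.0.113.3 sa-src-address=198.51.100.1 src-address=10.1.1.0/24 tunnel=yes
add comment=POL_AE dst-address=10.0.36.36/32 sa-dst-address=203.0.113.3 sa-src-address=198.51.100.9 src-address=10.1.0.0/24 tunnel=yes
"""

def parse_export(text):
    """Group the 'add' entries of a RouterOS export by their /path section."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            tokens = shlex.split(line)[1:]
            sections[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def lint(text):
    """Return sorted findings: peer overlap, SA source mismatch, weak algorithms."""
    cfg, findings = parse_export(text), []
    peers = cfg.get("/ip ipsec peer", [])
    by_remote = {}
    for p in peers:
        by_remote.setdefault(p["address"].split("/")[0], []).append(p["local-address"])
    for remote, locs in by_remote.items():
        if len(locs) > 1:  # one remote address configured twice with different local IPs
            findings.append(f"peer-overlap {remote} local={','.join(locs)}")
    local_set = {p["local-address"] for p in peers}
    for pol in cfg.get("/ip ipsec policy", []):
        if pol.get("template") != "yes" and pol.get("sa-src-address") not in local_set:
            findings.append(f"sa-src-mismatch {pol['comment']} {pol['sa-src-address']}")
    for e in cfg.get("/ip ipsec proposal", []):
        for k in ("enc-algorithms", "auth-algorithms"):
            weak = set(e.get(k, "").split(",")) & WEAK
            if weak:
                findings.append(f"weak-algo {e['name']} {k}={','.join(sorted(weak))}")
    return sorted(findings)
```

Run `lint(SAMPLE)` to see the findings; feed it the output of `/ip ipsec export` to check a real router.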