Hi all,
From my Mikrotik router (virtual appliance running 6.39.2) I have two IPSec tunnels to a Cisco router. I also have BGP configured. The reason for two tunnels to the Cisco router is redundancy, as they traverse different ISPs and terminate on different public IPs, BUT the destination network (172.30.0.0/16) for the policies is the same. I am aware that the policy destination network cannot be the same (as one of the policies will be marked as invalid), so for one tunnel I split the destination network into two (172.30.0.0/17 and 172.30.128.0/17), which addresses the invalid policy issue. I am also aware that for Mikrotik <> Cisco site-to-site tunnels the policy level needs to be set to unique, which I have configured on all policies. I have also set the policy priority of the tunnel to my "primary" ISP to 1 to avoid the other policies for the overlapping network intercepting the traffic.
The issue is that the individual tunnels function correctly on their own, but as soon as both are up, communications fail. I have seen articles with similar symptoms but none of the fixes I have tried have resolved my issue. I have also tried disabling "send initial contact" on the peer (hoping that initiating the traffic from the Cisco side might help) but it did not make any difference. Does anyone have any idea why this is happening and how to resolve this problem? I read somewhere about:
"IPSec policies are evaluated after post-routing, so you can use src-nat to NAT the two networks against each other and make the IP space unique, and then send the NAT'd traffic via IPSec"
But I'm not sure if this is an option in my use case or how it would be implemented. Configs below. Any help would be appreciated!
/ip ipsec peer
add address=21.193.219.24/32 comment="Primary" dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-128 lifetime=8h local-address=172.16.0.5 nat-traversal=no secret="secret"
add address=21.164.7.14/32 comment="Secondary" dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-128 lifetime=8h local-address=172.16.0.5 nat-traversal=no secret="secret"
/ip ipsec policy
add comment="Primary" dst-address=172.30.0.0/16 level=unique priority=1 proposal=cisco sa-dst-address=21.193.219.24 sa-src-address=172.16.0.5 src-address=0.0.0.0/0 tunnel=yes
add comment="Primary BGP" dst-address=169.254.0.10/32 level=unique priority=1 proposal=cisco sa-dst-address=21.193.219.24 sa-src-address=172.16.0.5 src-address=0.0.0.0/0 tunnel=yes
add comment="Secondary (1st half)" dst-address=172.30.0.0/17 level=unique proposal=cisco sa-dst-address=21.164.7.14 sa-src-address=172.16.0.5 src-address=0.0.0.0/0 tunnel=yes
add comment="Secondary (2nd half)" dst-address=172.30.128.0/17 level=unique proposal=cisco sa-dst-address=21.164.7.14 sa-src-address=172.16.0.5 src-address=0.0.0.0/0 tunnel=yes
add comment="Secondary BGP" dst-address=169.254.0.6/32 level=unique proposal=cisco sa-dst-address=21.164.7.14 sa-src-address=172.16.0.5 src-address=0.0.0.0/0 tunnel=yes
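Added example (not part of the post): a small checker that parses the `/ip ipsec policy` export above and lists every pair of policies whose src/dst selectors overlap while their SAs terminate on different peers, which is exactly the situation that has to be reasoned about before bringing both tunnels up. The sample export is the poster's own policy lines; the function names are mine.

```python
import ipaddress
import re
from itertools import combinations

# Sample input: the policy lines from the post above (copied, not invented).
POLICY_EXPORT = """
add comment="Primary" dst-address=172.30.0.0/16 level=unique priority=1 proposal=cisco sa-dst-address=21.193.219.24 sa-src-address=172.16.0.5 src-address=0.0.0.0/0 tunnel=yes
add comment="Primary BGP" dst-address=169.254.0.10/32 level=unique priority=1 proposal=cisco sa-dst-address=21.193.219.24 sa-src-address=172.16.0.5 src-address=0.0.0.0/0 tunnel=yes
add comment="Secondary (1st half)" dst-address=172.30.0.0/17 level=unique proposal=cisco sa-dst-address=21.164.7.14 sa-src-address=172.16.0.5 src-address=0.0.0.0/0 tunnel=yes
add comment="Secondary (2nd half)" dst-address=172.30.128.0/17 level=unique proposal=cisco sa-dst-address=21.164.7.14 sa-src-address=172.16.0.5 src-address=0.0.0.0/0 tunnel=yes
add comment="Secondary BGP" dst-address=169.254.0.6/32 level=unique proposal=cisco sa-dst-address=21.164.7.14 sa-src-address=172.16.0.5 src-address=0.0.0.0/0 tunnel=yes
"""

# key=value or key="quoted value with spaces"
ATTR_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_policies(export: str):
    """Turn RouterOS 'add ...' policy lines into dicts with parsed selectors."""
    policies = []
    for line in export.strip().splitlines():
        if not line.startswith("add "):
            continue
        attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(line)}
        policies.append({
            "comment": attrs.get("comment", ""),
            "src": ipaddress.ip_network(attrs["src-address"]),
            "dst": ipaddress.ip_network(attrs["dst-address"]),
            "peer": attrs["sa-dst-address"],
            "priority": int(attrs.get("priority", "0")),  # RouterOS default is 0
        })
    return policies


def overlapping_policies(policies):
    """Return (comment_a, comment_b, same_priority) for overlapping selectors on different peers."""
    findings = []
    for a, b in combinations(policies, 2):
        if a["peer"] == b["peer"]:
            continue  # same tunnel endpoint; not the cross-tunnel case
        if a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"]):
            findings.append((a["comment"], b["comment"], a["priority"] == b["priority"]))
    return findings


if __name__ == "__main__":
    for a, b, same_prio in overlapping_policies(parse_policies(POLICY_EXPORT)):
        print(f"overlap: {a!r} <-> {b!r}" + (" (equal priority)" if same_prio else ""))
```

On the posted config this reports the two 172.30.x halves of the secondary tunnel overlapping the primary /16; the BGP /32 policies do not overlap anything.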