IPSec Tunnel - office multiple WAN IPs

hey,

following Scenario:

RB2011 with ROS 6.41 connected via 1 WAN public IP to a Central Firewall Cluster (FortiGate 2x WAN, different ISP and WAN IPs) via IPSec.
So is it possible to make 2 IPSec connections from the RB2011 to both WAN IPs for failover reasons?

I’ve configured it, but in the IPsec policy list 1 of the 2 policies is always invalid, and also the invalid flag doesn’t change according to whether Phase 1 is established or not.
According to the new IPsec policy handling in 6.40 (https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Policy priority is removed and now top to bottom), when or how do the policies get invalid or not?

Both peers are configured and working, but only 1 at a time.

Above is the output from the policy:

[admin@fw01.1120] /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, 
* - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all 
       proposal=default template=yes 

 1  A  src-address=10.11.20.0/24 src-port=any dst-address=192.168.112.0/24 
       dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=80.121.23.1 
       sa-dst-address=213.143.1.8 proposal=proposal1 ph2-count=1 

 2  I  src-address=10.11.20.0/24 src-port=any dst-address=192.168.112.0/24 
       dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=80.121.23.1
       sa-dst-address=80.123.1.2 proposal=default ph2-count=0 
[admin@fw01.1120] /ip ipsec policy>

Does anybody have an idea?

Kind regards

There can only be one active policy with the same source and destination address. Currently, Netwatch is the best way to achieve failover by disabling and enabling required policies.
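One way to implement the Netwatch-driven failover the answer describes, as an added example that is not from this thread or from MikroTik. It assumes the two policies from the question have been tagged with the comments fgt-primary (sa-dst-address 213.143.1.8) and fgt-backup (sa-dst-address 80.123.1.2); the comment names and script names are constructed.

```routeros
# Added example (not from the thread). Policies are located by comment, so
# tag them first; the comment names are assumptions, the addresses are the
# ones printed in the question.
/ip ipsec policy
set [ find sa-dst-address=213.143.1.8 ] comment=fgt-primary disabled=no
set [ find sa-dst-address=80.123.1.2 ] comment=fgt-backup disabled=yes

# Two scripts that swap which of the two policies (identical src/dst
# selector) is enabled. Disable the old one before enabling the new one so
# that both are never enabled at the same moment.
/system script
add name=ipsec-use-primary policy=read,write,test source="/ip ipsec policy set [ find comment=fgt-backup ] disabled=yes; /ip ipsec policy set [ find comment=fgt-primary ] disabled=no; :log warning \"IPsec failover: primary peer reachable, primary policy enabled\""
add name=ipsec-use-backup policy=read,write,test source="/ip ipsec policy set [ find comment=fgt-primary ] disabled=yes; /ip ipsec policy set [ find comment=fgt-backup ] disabled=no; :log warning \"IPsec failover: primary peer unreachable, backup policy enabled\""

# Netwatch pings the primary FortiGate WAN address. When it stops answering
# the down-script runs (switch to backup); when it answers again the
# up-script runs (switch back). Note that ICMP reachability of the peer's
# WAN address only approximates tunnel health: the host can answer pings
# while the IPsec SA is broken, and a short interval with no hold-down
# means a flapping link toggles the policies on every probe.
/tool netwatch
add host=213.143.1.8 interval=10s timeout=2s \
    up-script="/system script run ipsec-use-primary" \
    down-script="/system script run ipsec-use-backup"
```

After adding this, `/ip ipsec policy print` should show exactly one of the two policies with the A flag and the other with the X flag, and `/log print` records each switch.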