IPsec tunnel wan failover

I want to know if it is possible to configure an IPsec tunnel in the following way:

In the office I have 2 WANs (main and backup failover) and I want to connect to Azure with IPsec. I have managed to establish IPsec without problem through the main WAN, but I do not know how to fail over when the main connection fails.

To test, I have mounted a virtualized environment with multiple CHR, simulating the connectivity to Azure in a very simple way:

………………..-ISP1-----
Local Router -|……………|- Azure_ISP – Azure_Gateway
………………..–ISP2-----

I can establish IPsec without problem through ISP1 or through ISP2, but not both at the same time.
When I create a second policy to establish IPsec through WAN2 (different SA src address), it stays in red and I have to manually enable or disable it.

The configuration is as follows:

#################
#
# Local Router Simulation:
#
#################
/ip ipsec peer profile
set [ find default=yes ] nat-traversal=no
/ip ipsec peer
add address=3.1.1.2/32 exchange-mode=ike2 local-address=1.1.1.2 port=500 secret=Test
add address=3.1.1.2/32 exchange-mode=ike2 local-address=2.1.1.2 port=500 secret=Test
/ip ipsec policy
add dst-address=172.16.0.0/24 sa-dst-address=3.1.1.2 sa-src-address=1.1.1.2 src-address=192.168.2.0/24 tunnel=yes
add dst-address=172.16.0.0/24 sa-dst-address=3.1.1.2 sa-src-address=2.1.1.2 src-address=192.168.2.0/24 tunnel=yes  #stays in red


#################
#
# Azure Gateway Simulation:
#
#################
/ip ipsec peer profile
set [ find default=yes ] nat-traversal=no
/ip ipsec peer
add address=1.1.1.2/32 exchange-mode=ike2 local-address=3.1.1.2 passive=yes secret=Test
add address=2.1.1.2/32 exchange-mode=ike2 local-address=3.1.1.2 passive=yes secret=Test
/ip ipsec policy
add dst-address=192.168.2.0/24 sa-dst-address=1.1.1.2 sa-src-address=3.1.1.2 src-address=172.16.0.0/24 tunnel=yes
add dst-address=192.168.2.0/24 sa-dst-address=2.1.1.2 sa-src-address=3.1.1.2 src-address=172.16.0.0/24 tunnel=yes  #stays in red

In Azure it is not possible to establish an IPIP / GRE tunnel and use IPsec in transport mode. You have to use a strict IPsec tunnel.

What is your ROS version?

Sorry for taking a long time to answer.
ROS version: 6.43.4
The problem is not the peer; it is established correctly. The problem is the duplicate policy with a different SA src address: one of them becomes invalid.

[admin@C1] /ip ipsec> remote-peers print detail
Flags: R - responder, N - natt-peer 
 0    id="3.1.1.2" local-address=1.1.1.2 remote-address=3.1.1.2 state=established side=initiator uptime=3h43m56s last-seen=1m20s 

 1    id="3.1.1.2" local-address=2.1.1.2 remote-address=3.1.1.2 state=established side=initiator uptime=3h43m54s last-seen=1m53s 
[admin@C1] /ip ipsec> policy print detail      
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 

 1  A  src-address=192.168.2.0/24 src-port=any dst-address=172.16.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.2 sa-dst-address=3.1.1.2 proposal=default ph2-count=1 

 2  I  src-address=192.168.2.0/24 src-port=any dst-address=172.16.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.1.1.2 sa-dst-address=3.1.1.2 proposal=default ph2-count=0 
[admin@C1] /ip ipsec>

I think the problem is that you are trying to have two policies between the same src and dst addresses - one of them will never be used.
Try to create one policy that will cover both links, without sa-src-address specified (sa-dst-address on the other end) and Level set to unique.
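
The check below is an added example, not part of the thread and not MikroTik code: it parses `/ip ipsec policy print detail` output and reports policies that share the same traffic selector, which is the condition behind the `I` (invalid) flag shown above. The sample text is copied from the listing quoted in the thread; the function names and the assumption of one policy entry per line with no quoted values containing spaces are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the policy listing quoted in the thread (one entry per line).
SAMPLE = """\
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

 1  A  src-address=192.168.2.0/24 src-port=any dst-address=172.16.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.2 sa-dst-address=3.1.1.2 proposal=default ph2-count=1

 2  I  src-address=192.168.2.0/24 src-port=any dst-address=172.16.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=2.1.1.2 sa-dst-address=3.1.1.2 proposal=default ph2-count=0
"""

# "<number> <flags...> key=value key=value ..."
ENTRY = re.compile(r"^\s*(\d+)\s+((?:[TXDIA*]\s+)*)(\S+=.*)$")
# Fields that make up the traffic selector of a policy.
SELECTOR = ("src-address", "src-port", "dst-address", "dst-port", "protocol")

def parse_policies(text):
    """Return a list of {"id", "flags", "props"} dicts, one per policy entry."""
    policies = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # flag legend, blank lines, prompts
        props = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        policies.append({"id": int(m.group(1)),
                         "flags": set(m.group(2).split()),
                         "props": props})
    return policies

def find_conflicts(policies):
    """Group enabled, non-template policies by selector; report shared ones."""
    groups = defaultdict(list)
    for p in policies:
        if p["flags"] & {"T", "X"}:  # templates and disabled entries never match traffic
            continue
        groups[tuple(p["props"].get(k, "any") for k in SELECTOR)].append(p)
    conflicts = []
    for sel, members in groups.items():
        if len(members) > 1:
            conflicts.append({
                "selector": dict(zip(SELECTOR, sel)),
                "active": [p["id"] for p in members if "A" in p["flags"]],
                "invalid": [p["id"] for p in members if "I" in p["flags"]],
                "sa_src": {p["id"]: p["props"].get("sa-src-address") for p in members},
            })
    return conflicts

if __name__ == "__main__":
    for conflict in find_conflicts(parse_policies(SAMPLE)):
        print(conflict)
```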