IPSEC with 2 WAN interfaces

Hello,

I have a router with 2 WAN interfaces (and many LAN interfaces…). WAN1 (1.1.1.2) → ISP1, WAN2 (2.2.2.2) → ISP2.
In the routing table, there are 2 default gateways:
0.0.0.0 Gw=1.1.1.1, 0.0.0.0 (routing-mark=to-ISP2) Gw=2.2.2.1

I have an IPSEC site-to-site tunnel between local address=2.2.2.2 and some remote address (e.g. 10.10.10.1) (the local address is set in the peer definition).
The ipsec tunnel does not come up. When I log the outgoing traffic, I find that the ipsec local address (2.2.2.2) is src-natted to 1.1.1.2, and the traffic goes out to ISP1…
I do not understand why this is so.
I tried to create an output mangle rule to mark routing for the traffic whose origin is 2.2.2.2, but no luck.
How can I force the ipsec tunnel to leave the router via ISP2?

Thank you for your help!

You can either set a routing mark using the firewall in output, or it should also work with a routing rule:

/ip route rule
add action=lookup src-address=2.2.2.2/32 table=to-ISP2
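
An added example (not from the thread) that writes the routing-rule approach out in full, together with the routes and NAT rules around it. It assumes the WAN interfaces are named WAN1 and WAN2, that a masquerade rule on WAN1 is what rewrites 2.2.2.2 to 1.1.1.2, and that the second routing table is called to-ISP2 as in the question:

```routeros
# Added example; interface names WAN1/WAN2 and the rule order are assumptions.
# 1. Policy route: anything sourced from the WAN2 address uses the ISP2 table.
#    Routing rules are evaluated before the main routing table, so this catches
#    router-originated IKE (UDP 500/4500) and ESP packets from 2.2.2.2.
/ip route rule
add action=lookup src-address=2.2.2.2/32 table=to-ISP2

# 2. The second default route for the to-ISP2 table, as in the question.
/ip route
add dst-address=0.0.0.0/0 gateway=2.2.2.1 routing-mark=to-ISP2

# 3. Keep source NAT away from the tunnel endpoint. Placed before the per-ISP
#    masquerade rules so 2.2.2.2 is never rewritten to 1.1.1.2.
/ip firewall nat
add chain=srcnat action=accept src-address=2.2.2.2 place-before=0
add chain=srcnat action=masquerade out-interface=WAN1
add chain=srcnat action=masquerade out-interface=WAN2

# 4. Verify: the rule should be active, and the counters on the accept rule
#    should increase while the peer retries IKE.
/ip route rule print
/ip firewall nat print stats
```

NAT is decided on the first packet of a connection and kept in connection tracking, so an IKE flow that was already translated to 1.1.1.2 keeps that mapping until the entry is removed (`/ip firewall connection remove`) or times out.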

I’ve tried both methods. Mangle->Output->if src-address=2.2.2.2 then mark routing to ISP2. No success.
Routing lookup (as you mentioned): no success.
Despite these settings, the router always wants to route the ipsec traffic to ISP1. Very strange…

It must be something else in your config interfering. I did a quick test with a routing rule and it works.

OK, I'll check it again; it is a quite complicated config. Thank you!