Hello!
I have router in datacenter with one public ip and branch office with router and two ISP.
First ISP directly connected from provider switch to router and second (backup) connected to another router (4g modem) with NAT. On backup ISP router I have redirected ports 500 and 4500 for ipsec.
There is two ip-ip tunnel with ipsec from branch office to dc, each for main and backup isp.
All works fine until I reboot the router. After it backup tunnel working, but main tunnel doesn’t and on the router in datacenter i’ve got error “parsing packet failed possible cause wrong password”.
Of course passwords didn’t changes. To resolve this I need to disable and then enable ip-ip tunnels on both sides and then it start working.
I wish to know what’s wrong with my routers/config.
datacenter router:
name="ipip-branch-main" mtu=auto actual-mtu=1426 local-address=dc_ip remote-address=branch_main_isp_ip dscp=inherit clamp-tcp-mss=yes dont-fragment=no ipsec-secret="password" allow-fast-path=no
name="ipip-branch-backup" mtu=auto actual-mtu=1418 local-address=dc_ip remote-address=branch_backup_ip dscp=inherit clamp-tcp-mss=yes dont-fragment=no ipsec-secret="password" allow-fast-path=no
branch router:
name="ipip-dc-main" mtu=auto actual-mtu=1426 local-address=main_isp_ip remote-address=dc_ip dscp=inherit clamp-tcp-mss=yes dont-fragment=no ipsec-secret="password" allow-fast-path=no
name="ipip-dc-backup" mtu=auto actual-mtu=1418 local-address=192.168.88.10 remote-address=dc_ip dscp=inherit clamp-tcp-mss=yes dont-fragment=no ipsec-secret="password" allow-fast-path=no
Also mangle for second ISP:
chain=input action=mark-connection new-connection-mark=cm_backup_isp passthrough=no in-interface=eth7-WAN2 log=no log-prefix=""
chain=output action=mark-routing new-routing-mark=rm_backup_isp passthrough=yes connection-mark=cm_backup_isp log=no log-prefix=""
and route
dst-address=dc_ip pref-src=192.168.88.10 gateway=192.168.88.1 distance=1 scope=30 target-scope=10 routing-mark=rm_backup_isp