In the meantime I configured load balancing with the PCC method, to make sure every packet is consistently sorted onto one outgoing interface. It seems to work fine.
If I traceroute 89.31.7.243 from the MikroTik, it shows that WAN1 is used, and the IPsec SAs seem to be installed.
After the tunnel is established, a traceroute from the MT device to 100.70.2.18 shows that it is sent via WAN2 instead of into the IPsec tunnel.
Below is the output while a ping from a network client to 100.70.2.18 is running:
/ip firewall connection print detail interval=1 where dst-address="100.70.2.18"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
1 C protocol=icmp src-address=192.168.42.42 dst-address=100.70.2.18 reply-src-address=100.70.2.18 reply-dst-address=192.168.42.42 icmp-type=8 icmp-code=0 icmp-id=18064
timeout=9s connection-mark="WAN2" orig-packets=2 532 orig-bytes=212 688 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0
repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=42.3kbps repl-rate=0bps
Complete config including load balancing
# --- Interfaces: LAN bridge, the two uplink ports, local radios, PPPoE client ---
/interface bridge
# LAN bridge with a pinned MAC (auto-mac=no). "XXX" is the poster's redaction throughout.
add admin-mac=C4:AD:34:5F:46:4D auto-mac=no comment="XXX Interne Bridge" name=bridge-XXX
/interface ethernet
# ether1 carries the PPPoE session (WAN1), ether2 the cable uplink (WAN2); see /interface list member below.
set [ find default-name=ether1 ] comment="VDSL uplink Port"
set [ find default-name=ether2 ] comment="Unitymendia uplink Port"
/interface wireless
# managed by CAPsMAN
# channel: 5260/20-Ceee/ac/DP(17dBm)+5210/80/P(20dBm), SSID: SSID, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany distance=indoors frequency=auto installation=indoor mode=ap-bridge secondary-channel=\
auto ssid=MikroTik-5F4657 wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(17dBm), SSID: SSID, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-BE98CD \
wireless-protocol=802.11
/interface pppoe-client
# WAN1. add-default-route / use-peer-dns are not set here (RouterOS defaults apply); the default route via this
# interface is added explicitly under /ip route instead.
add disabled=no interface=ether1 keepalive-timeout=5 name=TCom_pppoe user=XX@t-online.de
/caps-man security
# WPA2-PSK with AES-CCM only. No passphrase appears in this export (export hides sensitive values by default — confirm).
add authentication-types=wpa2-psk encryption=aes-ccm name=SSID
/caps-man configuration
add country=germany mode=ap name=SSID security=SSID ssid=SSID
/caps-man interface
# Four CAPsMAN-managed radios, all forwarded into bridge-XXX (datapath.bridge), i.e. the same L2 domain as the wired LAN.
add configuration=SSID datapath.bridge=bridge-XXX disabled=no l2mtu=1600 mac-address=C4:AD:34:12:B3:EE master-interface=none name=cap1 radio-mac=C4:AD:34:12:B3:EE \
radio-name=C4AD3412B3EE
add configuration=SSID datapath.bridge=bridge-XXX disabled=no l2mtu=1600 mac-address=C4:AD:34:12:B3:EF master-interface=none name=cap2 radio-mac=C4:AD:34:12:B3:EF \
radio-name=C4AD3412B3EF
add configuration=SSID datapath.bridge=bridge-XXX disabled=no l2mtu=1600 mac-address=C4:AD:34:5F:46:57 master-interface=none name=cap3 radio-mac=C4:AD:34:5F:46:57 \
radio-name=C4AD345F4657
add configuration=SSID datapath.bridge=bridge-XXX disabled=no l2mtu=1600 mac-address=74:4D:28:BE:98:CD master-interface=none name=cap4 radio-mac=74:4D:28:BE:98:CD \
radio-name=744D28BE98CD
/interface ethernet switch port
# All switch ports untagged (default-vlan-id=0): there is no VLAN separation between the LAN ports.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# WAN/LAN lists drive the firewall (in-interface-list matchers), neighbor discovery and the MAC server below.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# --- IPsec crypto parameters ---
/ip ipsec mode-config
set [ find default=yes ] connection-mark=no-mark
/ip ipsec peer
# Single IKEv2 peer; the policy under /ip ipsec policy pins sa-dst-address to this same host.
add address=89.31.7.243/32 exchange-mode=ike2 name=swyx port=500
/ip ipsec policy group
set [ find default=yes ] name=1
/ip ipsec profile
# Phase 1: AES-256 / SHA-256 / DPD every minute. dh-group=modp1536 is below the 2048-bit (modp2048) minimum that is
# generally recommended today; move to a stronger group if the remote side supports it.
# nat-traversal=no: UDP/4500 encapsulation is never negotiated, so ESP must pass the uplinks natively.
set [ find default=yes ] dh-group=modp1536 dpd-interval=1m enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h nat-traversal=no
/ip ipsec proposal
# Phase 2: AES-256-CBC with PFS (again modp1536). auth-algorithms is not set, so the RouterOS default applies
# (historically sha1) — NOTE(review): confirm, and prefer sha256 if the peer allows it.
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=1h pfs-group=modp1536
/ip pool
add name=dhcp ranges=192.168.42.10-192.168.42.254
/ip dhcp-server
# NOTE: the server name ends in a trailing space ("XXX-Intern_DHCPD "). The static lease further down references it
# with the same trailing space, so it works, but any hand-typed reference without the space will not match.
add address-pool=dhcp disabled=no interface=bridge-XXX lease-time=2w name="XXX-Intern_DHCPD "
/ppp profile
# Runs the "ddserver" script 180 s after the PPPoE session comes up (presumably a dynamic-DNS update).
# That script does not appear under /system script in this export (possibly left out of the paste).
set *0 on-up=":delay 180s\r\
\n/system script run ddserver"
/caps-man manager
set enabled=yes
/interface bridge port
# ether3-ether10 and sfp-sfpplus1 are LAN ports; ether1/ether2 are the two uplinks and stay out of the bridge.
add bridge=bridge-XXX comment=defconf interface=ether5
add bridge=bridge-XXX comment=defconf interface=ether6
add bridge=bridge-XXX comment=defconf interface=ether7
add bridge=bridge-XXX comment=defconf interface=ether8
add bridge=bridge-XXX comment=defconf interface=ether9
add bridge=bridge-XXX comment=defconf interface=ether10
add bridge=bridge-XXX comment=defconf interface=sfp-sfpplus1
add bridge=bridge-XXX interface=ether3
add bridge=bridge-XXX interface=ether4
/ip neighbor discovery-settings
# Neighbor discovery only towards the LAN, not on the uplinks.
set discover-interface-list=LAN
/interface list member
# WAN = both uplinks (ether2 and the PPPoE client). The firewall's "drop all from WAN" rules depend on this list
# being complete, so any new uplink must be added here too.
add interface=bridge-XXX list=LAN
add interface=ether2 list=WAN
add interface=TCom_pppoe list=WAN
/interface wireless cap
#
# Local radios register to the CAPsMAN running on this same box (127.0.0.1); the loopback CAPWAP ports are
# opened explicitly in the filter rules.
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
# ether2 (WAN2) has a static public /29; the PPPoE address for WAN1 is assigned dynamically and is not in the export.
add address=130.180.118.114/29 interface=ether2 network=130.180.118.112
add address=192.168.42.1/24 interface=bridge-XXX network=192.168.42.0
/ip dhcp-client
# NOTE(review): a DHCP client on the LAN bridge, where this router is itself the DHCP server with a static address.
# add-default-route and use-peer-dns are not set here, so the RouterOS defaults (both "yes") apply — confirm; if so,
# any DHCP server that shows up on the LAN could push a default route and DNS servers onto the router itself.
# Unless there is a reason for it, this client is safer removed.
add dhcp-options=hostname,clientid interface=bridge-XXX
/ip dhcp-server lease
add address=192.168.42.42 mac-address=00:01:2E:48:CB:30 server="XXX-Intern_DHCPD "
/ip dhcp-server network
add address=192.168.42.0/24 comment=XXXLAN gateway=192.168.42.1 netmask=24
/ip dns
# The router is the resolver for the LAN (allow-remote-requests=yes). Exposure on the uplinks is prevented by the
# input-chain rules below (explicit UDP/53 drops on both uplinks plus "drop all not coming from LAN").
set allow-remote-requests=yes servers=149.112.112.112,2620:fe::fe,9.9.9.9,2620:fe::9
/ip dns static
add address=192.168.42.1 name=router.lan
add address=100.70.2.18 name=swyx.XXX.local
/ip firewall address-list
# Defined but not referenced by any rule in this export. It would be the natural matcher for keeping tunnel
# traffic out of the PCC mangle marking.
add address=100.70.2.18 list=SWYX
/ip firewall filter
# Forward: traffic matched by an IPsec policy is accepted before the fasttrack rules (fasttracked packets bypass
# IPsec processing). These two are interface-specific duplicates of the defconf rules further down.
add action=accept chain=forward comment="accept in ipsec policy" in-interface=TCom_pppoe ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec out-interface=TCom_pppoe
# Block DNS queries arriving on the uplinks (the router is a LAN resolver). UDP only; TCP/53 and anything else
# ends up in the final "drop all not coming from LAN" input rule, which also makes these two explicit-but-redundant.
add action=drop chain=input dst-port=53 in-interface=TCom_pppoe protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether2 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# CAPWAP control/data (UDP 5246/5247) between the local CAPs and the local CAPsMAN over loopback.
add action=accept chain=output dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0.1
# passthrough only logs: inbound IKE (UDP 500/4500) is NOT accepted anywhere in the input chain. As long as this
# router initiates IKE towards the peer, the replies match the established/related rule above; IKE initiated by the
# remote side lands in "drop all not coming from LAN". Fine if intentional, but worth knowing when the tunnel
# has to be re-established from the far end.
add action=passthrough chain=input dst-port=500,4500 in-interface=TCom_pppoe log=yes protocol=udp
# ESP accepted from any source on both uplinks; could be narrowed with src-address=89.31.7.243 (the only peer).
add action=accept chain=input in-interface=TCom_pppoe protocol=ipsec-esp
add action=accept chain=input in-interface=ether2 protocol=ipsec-esp
add action=passthrough chain=input dst-port=500,4500 in-interface=ether2 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# ICMP is accepted from every interface, including both uplinks (defconf behaviour).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# connection-mark=!ipsec: no mangle rule in this export ever sets a mark named "ipsec", so this matches every
# established/related connection and the defconf fasttrack rule right after it is never reached.
add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=!ipsec connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Only NEW connections from the uplinks that were DST-NATed get through; everything else from WAN is dropped.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# Input-side marking: connections that arrive on an uplink are tied to that uplink, so the router's own replies
# (output chain, next two rules) leave the way they came in.
add action=mark-connection chain=input connection-mark=no-mark in-interface=TCom_pppoe new-connection-mark=WAN1 passthrough=no
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether2 new-connection-mark=WAN2 passthrough=no
add action=mark-routing chain=output connection-mark=WAN1 new-routing-mark=WAN1 out-interface=TCom_pppoe passthrough=no
add action=mark-routing chain=output connection-mark=WAN2 new-routing-mark=WAN2 out-interface=ether2 passthrough=no
# PCC: every new LAN connection to a non-local destination is hashed over both addresses into WAN1 or WAN2.
# Nothing here exempts the IPsec destination 100.70.2.18. The connection-tracking output at the top of this post
# shows the ICMP flow to it carrying connection-mark="WAN2"; the mark-routing rule below then sends it into the WAN2
# routing table, whose only route is the ether2 default. That is the most likely reason the traffic leaves via WAN2
# instead of towards the peer, which is reached over TCom_pppoe. The usual remedy is one rule ahead of these two,
# e.g. `add action=accept chain=prerouting dst-address-list=SWYX in-interface=bridge-XXX` (the SWYX list already
# exists but is unused), so that tunnel traffic stays unmarked and in the main table.
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-XXX new-connection-mark=WAN1 per-connection-classifier=\
both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-XXX new-connection-mark=WAN2 per-connection-classifier=\
both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=bridge-XXX new-routing-mark=WAN1 passthrough=no
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=bridge-XXX new-routing-mark=WAN2 passthrough=no
/ip firewall nat
# Tunnel traffic (LAN -> 100.70.2.18) is exempted from NAT first: if it were masqueraded, the IPsec policy selector
# (src 192.168.42.0/24) would no longer match. Note that the second TCom_pppoe rule below has no ipsec-policy
# exclusion, so this accept rule is the only thing keeping tunnel traffic out of NAT on that path.
add action=accept chain=srcnat dst-address=100.70.2.18 src-address=192.168.42.0/24
# Masquerade on both uplinks, skipping anything that matches an outbound IPsec policy.
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=TCom_pppoe
add action=masquerade chain=srcnat out-interface=TCom_pppoe packet-mark=no-mark
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether2
/ip ipsec identity
# auth-method is not shown, so the RouterOS default (pre-shared-key) applies and the secret is hidden by export — confirm.
# Both IDs are user-fqdn strings. notrack-chain=prerouting makes RouterOS add IPsec-specific notrack rules to the
# raw table; NOTE(review): the connection-tracking output above shows the LAN->100.70.2.18 ICMP flow is still
# tracked, so confirm what those generated rules actually cover before relying on them.
add my-id=user-fqdn:email@XXX.de notrack-chain=prerouting peer=swyx remote-id=user-fqdn:vpn@swyxon.com
/ip ipsec policy
# Default (template) policy disabled; the tunnel policy below is the only active one.
set 0 disabled=yes
# Selector: 192.168.42.0/24 -> 100.70.2.18/32 only. Consequence for troubleshooting: a ping/traceroute run on the
# router itself is normally sourced from an uplink address, does not match this selector, and is therefore routed in
# the clear — its path says nothing about the tunnel. Test from a LAN host, or from the router with
# src-address=192.168.42.1, instead.
# sa-src-address=0.0.0.0 lets RouterOS pick the local SA endpoint; the /32 routes for 89.31.7.243 under /ip route
# are what keep it on TCom_pppoe.
add dst-address=100.70.2.18/32 peer=swyx sa-dst-address=89.31.7.243 sa-src-address=0.0.0.0 src-address=192.168.42.0/24 tunnel=yes
/ip ipsec settings
set accounting=no
/ip route
# Per-mark tables: each holds only a default route, so a marked connection can only ever leave via its own uplink.
add check-gateway=ping distance=1 gateway=TCom_pppoe routing-mark=WAN1
add check-gateway=ping distance=1 gateway=130.180.118.113 routing-mark=WAN2
# Main table: WAN1 preferred, WAN2 as failover. NOTE(review): check-gateway=arp on a PPPoE (point-to-point)
# gateway — confirm with `/ip route print` that this route is actually active; if it is not, the main-table default
# falls through to ether2, which would also explain a router-originated traceroute leaving via WAN2.
add check-gateway=arp distance=1 gateway=TCom_pppoe
add check-gateway=ping distance=2 gateway=130.180.118.113
add check-gateway=ping distance=1 dst-address=79.133.49.101/32 gateway=TCom_pppoe
# Host routes pinning the remote sites and the IKE/ESP peer (89.31.7.243) to WAN1, with WAN2 as backup. They live
# in the main table only: packets carrying a WAN1/WAN2 routing mark already match the default route of their own
# table and never reach these.
add check-gateway=ping comment=swyxon.webconnect distance=1 dst-address=89.31.7.227/32 gateway=TCom_pppoe
add check-gateway=ping comment=swyxon.webconnect distance=2 dst-address=89.31.7.227/32 gateway=ether2
add check-gateway=ping comment="swyx VPN Endpunkt" distance=1 dst-address=89.31.7.243/32 gateway=TCom_pppoe
add check-gateway=ping comment="swyx VPN Endpunkt" distance=2 dst-address=89.31.7.243/32 gateway=ether2
/ipv6 address
# IPv6 only via the PPPoE uplink: a prefix is delegated by DHCPv6 and the LAN bridge takes an address from that pool.
add from-pool=TComIPv6 interface=bridge-XXX
/ipv6 dhcp-client
add add-default-route=yes interface=TCom_pppoe pool-name=TComIPv6 request=prefix use-peer-dns=no
/ipv6 firewall address-list
# defconf bogon list, used by the forward chain to drop packets with bad source/destination addresses.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Only the PPPoE uplink carries IPv6 (see /ipv6 dhcp-client), so the inbound DNS drop covers that interface alone;
# the final "drop everything else not coming from LAN" rule catches the rest.
add action=drop chain=input comment="incoming dns block" dst-port=53 in-interface=TCom_pppoe protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
# defconf accepts IKE/AH/ESP from any IPv6 source, here on input and again below on forward. The only IPsec peer in
# this config is IPv4 (89.31.7.243), so these rules expose the IKE daemon over IPv6 without being used; unless IPv6
# IPsec is planned, they can be disabled (in contrast, the IPv4 input chain accepts no inbound IKE at all).
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
# Same remark as for the input chain: IKE/AH/ESP forwarded from any source although no IPv6 IPsec is configured.
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=XXX_router
/system logging
# IPsec negotiation logging (minus per-packet noise) and firewall log entries (the IKE passthrough rules use log=yes).
add prefix="IPSEC: " topics=ipsec,!packet
add prefix=FIREWALL: topics=firewall
/system package update
set channel=long-term
/system script
# Empty in this export, although the /ppp profile on-up script calls "ddserver" — either left out of the paste or missing.
/tool mac-server
# MAC-telnet and MAC-WinBox are reachable only from interfaces in the LAN list, not from the uplinks.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# Sniffer settings only (PPPoE uplink, headers only); this does not start a capture.
set filter-interface=TCom_pppoe only-headers=yes