Hello,
we use MikroTik hEX S routers on multiple sites to connect the local network to a network in our datacenter via IPsec. This works fine. But now we need an LTE fallback on one of these sites. We plugged in a Huawei USB LTE adapter and internet access works. When the eth1 interface loses access to the network, it automatically creates a route for 0.0.0.0/0 via lte1, which seems fine to me. The IPsec tunnel has to be restarted because of the new IP address, but that is OK; I will find a way to do this via a script.

The only thing I haven't managed to get to work is the outbound IPsec routing. When the IPsec tunnel reconnects via LTE, I can ping the router from the remote network, so there is an active connection. But when I try to reach this network from a connected device, it times out. When I use the ping tool on the router, it reports a timeout twice and then the message "Host 192.168.8.100 host unreachable". 192.168.8.100 is the IP the router has on its lte1 interface; the LTE adapter is 192.168.8.1. When I first read this, I interpreted it as the router trying to reach the VPN network via lte1, which doesn't work. The VPN network is only accessible via the bridge. Using the "interface=bridge" option when pinging didn't help either.

I assume it is a routing problem. There is the dynamic route to 0.0.0.0/0 via lte1, which works for internet access, and then I created a static route to the VPN network via the bridge. My static route has distance 1, so I would assume it would use that route before the dynamic LTE route, which has a distance of 2. I searched the internet for tutorials on how to do this and everything seems right, but it doesn't work. I don't think there is an error in my IPsec configuration, since it works fine on eth1 and inbound traffic works through LTE.

I attached some screenshots of my config. I am thankful for every tip you might have.