I have one Mikrotik on DOM module version 2.9.51 and working IPSec configuration. Configuration consists of two IPSec policies. Policies differs only in destination addresses, that point to two remote subnets. Both policies create tunnels to one remote peer (Cisco) in order to gain access to two remote subnets. In 2.9.51 there are always 4 SA created (2 SA for one policy) and configuration is working without any problems.
Today I tried to use similar PC with Mikrotik 3.14 (upgraded from 2.9.51 with working IPSec configuration) with following results:
- Mikrotik correctly connects to remote Cisco BUT ONLY one set of SAs is created. This means that I am able to gain access only to one remote subnet instead of two. I use two remote subnets 192.XXX and 10.XXX.
- Mirotik establishes only one set of SAs, so when I reboot Mikrotik, try to ping subnet 192.XXX, SAs are correctly created, but there is problem to ping to subnet 10.XXX because SAs and tunnel to this subnet is not established. When I use “ip ipsec installed-sa flush” and try to ping subnet 10.XXX, again two SAs are created and I have access to subnet 10.XXX. When I try in this moment to ping 192.XXX subnet, no tunnel is established and ping fails. There are also no IKE and IPSEC log entries about establishing tunnel to second subnet (in 2.9.51 there are log entries for both attempts).
- I tried also to completely delete IPSec configuration and create it from the scratch but without success, so it seems to me like bug in Mikrotik 3.14 implementation of IPSec.
Does anybody have simillar problem?