Multiple gateways and IPSEC

Following https://wiki.mikrotik.com/wiki/Manual:PCC I have 3 gateways from 3 different ISPs for load balancing and failover. The mangle rules distribute the traffic.

Now I am adding an IPSEC tunnel to a client’s LAN. If it matters, I have a Mikrotik while the client has a Cisco (some model).

My question is: do I need to add mangle rules to direct packets going from 192.168.1.x (my LAN) to 10.0.0.x (client’s LAN)? Or, once the tunnel is up, would these get added dynamically?

Similarly, do I need to add IP Routes?

First of all, as you have a Cisco as the remote peer: Mikrotik only supports policy-based IPsec, not the Virtual Tunnel Interface approach.

On the Mikrotik side, the “traffic selectors” of IPsec policies match the packets after all the steps of routing and firewall handling, just before the packet would be sent out the chosen L3 interface. If the headers of a packet just about to be sent match one of the traffic selectors (source and destination IP address, protocol, and source and destination ports where applicable), such a packet gets encrypted and encapsulated and sent using the Security Association created by that policy. If using this method, it is enough that some route exists for packets which should actually be sent using the IPsec SA. A default route is often sufficient, but if your traffic selectors match on particular local subnets and you also want traffic sent by the router itself to be delivered via the SA, you need dedicated routes with a local address from one of these local subnets as pref-src.

Or you may use IPsec to encrypt an IPIP or GRE tunnel and use regular routing via this tunnel.
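To make the policy-based setup in the answer above concrete, here is an added RouterOS configuration example (not from either poster, and not tested against the Cisco side). It assumes the newer RouterOS 6.45+ command layout (peer + identity + profile), the LAN addresses from the question, a constructed remote peer address 203.0.113.1, a constructed WAN gateway 198.51.100.254 and a constructed LAN router address 192.168.1.1; the pre-shared key is a placeholder. The policy's src-address/dst-address are the traffic selectors, the srcnat accept rule keeps masquerade from rewriting the selector-matching source before the policy sees it, and the last route is the pref-src route the answer describes for router-originated traffic.

```routeros
# Phase 1 (IKE) parameters and the remote Cisco peer (address is constructed)
/ip ipsec profile add name=client-ike enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec peer add name=client-cisco address=203.0.113.1/32 exchange-mode=main profile=client-ike
/ip ipsec identity add peer=client-cisco auth-method=pre-shared-key secret="REPLACE_WITH_PSK"

# Phase 2 proposal and the policy; src/dst-address are the traffic selectors that
# are matched after routing and firewall handling, as the answer explains
/ip ipsec proposal add name=client-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec policy add peer=client-cisco tunnel=yes src-address=192.168.1.0/24 dst-address=10.0.0.0/24 \
    proposal=client-prop action=encrypt

# Masquerade bypass: without this, srcnat rewrites 192.168.1.x to the WAN address
# before the policy is evaluated and the selector never matches. place-before=0 puts it first.
/ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=10.0.0.0/24 \
    place-before=0 comment="no NAT for IPsec traffic to client LAN"

# Route for packets the router itself originates (ping, winbox, syslog to the client LAN):
# pref-src forces a LAN source address so the packet matches the selector. Gateway is constructed.
/ip route add dst-address=10.0.0.0/24 gateway=198.51.100.254 pref-src=192.168.1.1 \
    comment="router-originated traffic to client LAN via IPsec SA"
```

LAN-to-LAN traffic from 192.168.1.x hosts needs no extra route beyond the existing default routes; the route with pref-src only matters for traffic sourced by the router. Check that the policy shows as active in `/ip ipsec policy print` and that `/ip ipsec installed-sa print` lists an SA before blaming routing or mangle.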