RB750Gr3
FW 6.48.4
Hello, I’m trying to configure 2 IPsec tunnels on my router to have 2 VPN connections to 2 different countries. It works fine with Surfshark VPN but it doesn’t with Smart DNS Proxy VPN - I can only connect to one VPN server.
I followed this tutorial https://support.surfshark.com/hc/en-us/articles/360012906220-Mikrotik-router-tutorial-with-IKEv2, I just did everything twice, using different names and of course I used different peer and identity settings for the 2 providers.
The difference I notice is that when I connect to SmartDNSProxy VPN, no matter which server, I see in Policies tab that I’m getting Src.Address 10.0.12.2, for every connection, while with Surfshark, the IP address is different. With SmartDNSProxy VPN, only one Policy is generated and only one IPSec tunnel is connected (even though both peers show as active). So this looks like some kind of conflict, maybe bad configuration on the server side, but I can’t change it, so my question is whether there’s something I can do to establish 2 IPSec tunnels from one Mikrotik, even with this limitation.
Thanks
Unfortunately, since the SmartDNSProxy VPN assigns the same IP address to both connections, you cannot use both simultaneously. IPsec policy matching works with IP addresses, protocols and ports alone - no routing-mark, packet-mark or connection-mark values are taken into account. RB750Gr3 doesn’t support the metarouter functionality, so your only option is to use another router. Depending on the throughput you need, mAP lite or hAP mini may be sufficient, but if you need hardware-accelerated encryption, another hEX Gr3 or something arm-based is necessary.
You may try to create your own static policy with a different src-address instead of requesting one using mode-config. There is a slight chance that the server might accept that.
Thanks for your answer, good to know that this might be an issue. When I try static Src. Address, I get “no phase2” state, which might or might not mean that this won’t work - because I always get “no phase2” even when I try L2TP/IPSec with any VPN provider. But it works when I set the static source IP to 10.0.12.2, so more likely that’s the only IP allowed across all servers.
I also notice that with SmartDNSProxy, the Active Peer ID always says “*.serverlocation.co” but with Surfshark it is always unique because it’s the whole server address. So perhaps SmartDNSProxy VPN is not capable of working with multiple IPSec tunnels from the same router at all. Their VPN is generally more low cost, just an addon for the DNS Proxy service, so I can live with it, I just wanted to make sure I’m not configuring it all wrong.
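
Added example (not part of the thread and not RouterOS code): a simplified Python model of the selector-only policy matching described in the reply above, showing why two peers that both hand out 10.0.12.2 end up with one usable policy while peers with distinct addresses do not. The peer names, the 10.8.x.x addresses and the destination 203.0.113.10 are constructed for illustration; ports are left out of the selector to keep the model short.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Policy:
    peer: str                          # hypothetical peer name
    src: ipaddress.IPv4Network         # address assigned via mode-config
    dst: ipaddress.IPv4Network = ANY
    protocol: str = "all"

    @property
    def selector(self):
        # Only these fields identify a policy; no marks are part of it.
        return (self.src, self.dst, self.protocol)

    def matches(self, src_ip, dst_ip, protocol):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.protocol in ("all", protocol))

class PolicyTable:
    def __init__(self):
        self.policies = []

    def install(self, policy):
        # Assumption of this model: an identical selector cannot be installed twice.
        if any(p.selector == policy.selector for p in self.policies):
            return False
        self.policies.append(policy)
        return True

    def lookup(self, src_ip, dst_ip, protocol="tcp", routing_mark=None):
        # routing_mark is accepted but deliberately ignored, as in the reply above.
        for p in self.policies:
            if p.matches(src_ip, dst_ip, protocol):
                return p.peer
        return None

def run_model(addr_a, addr_b):
    """Install one policy per peer and see which peer each source address selects."""
    table = PolicyTable()
    ok_a = table.install(Policy("peer-country-a", ipaddress.ip_network(addr_a + "/32")))
    ok_b = table.install(Policy("peer-country-b", ipaddress.ip_network(addr_b + "/32")))
    via_a = table.lookup(addr_a, "203.0.113.10", routing_mark="to-a")
    via_b = table.lookup(addr_b, "203.0.113.10", routing_mark="to-b")
    return ok_a, ok_b, via_a, via_b

if __name__ == "__main__":
    print("same address:     ", run_model("10.0.12.2", "10.0.12.2"))
    print("distinct addresses:", run_model("10.8.8.5", "10.8.9.7"))
```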