One Mikrotik, 2 IPsec VPNs from same public IP (failover VPN)

Hi,
Apologies in case this has already been posted, the search in the forum is a bit complex.

We have one remote Mikrotik that successfully establishes a VPN to a central Cisco ASA. But when I try to add a second VPN on that same Mikrotik to another remote Mikrotik or to another interface on the Cisco, only the first VPN works; the second one fails to connect. Both VPNs are using the same public IP on the remote Mikrotik and NAT.

I think I’ve read in several posts that Mikrotik cannot establish 2 IPsec VPNs from the same public IP, but does this apply when the 2 VPNs point to two different sites?

Please, I would really appreciate some good advice here, I’m kind of lost. In case the Mikrotik cannot have 2 VPNs from the same public IP, what would be a possible workaround?

Thank you so much

P.S.: we attach the configs of the 2 Mikrotiks, which are the ones between which I want to establish the 2nd VPN; the second peer, identity and policy are disabled to prevent possible issues with the first VPN.
BrandonStevensHouse_20240305_2.txt.rsc (33.4 KB)
OwenHouse_20240305_2.txt.rsc (29.2 KB)

There is no issue having as many IPSEC tunnels as you want from the same public IP on the mikrotik, but I think where you are running into trouble is that both of your policies have the same destination address

add action=encrypt disabled=no dst-address=10.200.0.0/24 dst-port=any ipsec-protocols=esp level=require peer=peer1 proposal=default protocol=all sa-dst-address=184.181.11.141 sa-src-address=24.234.30.236 src-address=192.168.1.0/24 src-port=any tunnel=yes

add action=encrypt disabled=yes dst-address=10.200.0.0/24 dst-port=any ipsec-protocols=esp level=require peer=peer2 proposal=default protocol=all sa-dst-address=:: sa-src-address=:: src-address=192.168.1.0/24 src-port=any tunnel=yes

Now… I think I understand why you want to do this, which is (as per your title) presumably to have a failover VPN, but using a plain IPSEC tunnel with policies I don’t think is the best way to do this, because the policies are in conflict.

I would use some other VPN that you can route over

  • if you upgrade to v7 you can use Wireguard between the mikrotiks
  • if you want to stay on v6 then IP-IP secured by IPSEC or EoIP secured by IPSEC between the mikrotiks.
  • Then the connection to the ASA is a little more complex, maybe a GRE tunnel secured with IPSEC? That should be compatible between both the Mikrotik and the Cisco.

And then for the failover just use OSPF, as I see you already have that configured.

There may be a way to do it the way you are trying to do it, and someone smarter than I am might be able to help with that.
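The routed-tunnel approach from the reply above, written out as an added example (this is not the poster’s configuration and not taken from the attached exports). It assumes RouterOS v6 syntax, as in the second bullet, a remote router with the single public IP 198.51.100.10 and LAN 192.168.1.0/24, and two Mikrotik sites at 203.0.113.20 (primary) and 203.0.113.30 (backup); the addresses, interface names, transfer networks and pre-shared secrets are placeholders. The ASA leg is left out, since a GRE tunnel to a Cisco is configured on the Cisco side as well and the thread gives no details for it. Two IPIP tunnels are each secured with `ipsec-secret=` (RouterOS creates the dynamic peer and policy per remote address, so the two tunnels do not share a policy), and OSPF prefers the primary tunnel by cost so that the backup is only used when the primary adjacency drops.

```routeros
# --- Remote router: one public IP, two routed tunnels to two different sites (v6 syntax) ---
# Assumed addresses (placeholders): WAN 198.51.100.10, site A 203.0.113.20, site B 203.0.113.30

/interface ipip
add name=ipip-siteA local-address=198.51.100.10 remote-address=203.0.113.20 \
    ipsec-secret=ChangeMeSiteA comment="primary routed tunnel, IPsec-encrypted"
add name=ipip-siteB local-address=198.51.100.10 remote-address=203.0.113.30 \
    ipsec-secret=ChangeMeSiteB comment="backup routed tunnel, IPsec-encrypted"

# Point-to-point transfer networks inside the tunnels (one /30 per tunnel)
/ip address
add address=10.255.0.1/30 interface=ipip-siteA comment="transfer net to site A"
add address=10.255.0.5/30 interface=ipip-siteB comment="transfer net to site B"

# Let IKE/ESP in from the two peers; tunnel payload then arrives already authenticated by IPsec
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=203.0.113.20 comment="IKE from site A"
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=203.0.113.30 comment="IKE from site B"
add chain=input action=accept protocol=ipsec-esp comment="ESP"
add chain=input action=accept protocol=ipip ipsec-policy=in,ipsec comment="IPIP only if it came through IPsec"

# OSPF: advertise the LAN and both transfer networks; lower cost = preferred path
/routing ospf instance
set [ find default=yes ] router-id=10.255.0.1
/routing ospf network
add network=10.255.0.0/30 area=backbone
add network=10.255.0.4/30 area=backbone
add network=192.168.1.0/24 area=backbone
/routing ospf interface
add interface=ipip-siteA network-type=point-to-point cost=10 comment="primary"
add interface=ipip-siteB network-type=point-to-point cost=100 comment="failover"

# Checks: both IPsec peers up, two OSPF neighbours, and learned routes via ipip-siteA while it is healthy
/ip ipsec active-peers print
/routing ospf neighbor print
/ip route print where ospf
```

The mirror configuration on each site router uses the same `/interface ipip` line with the addresses swapped and the matching `ipsec-secret`. Keep the two secrets different; with a shared secret, a compromised backup site could impersonate the primary at the IKE level.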

Thank you so much aoakeley. :smiley:
I’ve been trying to use L2TP over IPsec for the failover VPN but so far no luck. I’m observing the same behavior, even with different destination subnets in the policies.

Mikrotik definitely can create two VPN sessions from one IP address. The key point in this case is “Send INITIAL_CONTACT” in the peer definition.
From documentation:

Specifies whether to send “initial contact” IKE packet or wait for remote side, this packet should trigger the removal of old peer SAs for current source address.

In other words, you should disable send initial contact in the peer’s definition from the side of the router which has one IP address.
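An added example of what that setting looks like in a full policy-based configuration, combining the two points made in this thread: the second policy gets a different destination subnet, and both peers on the single-IP router are defined with `send-initial-contact=no` so that bringing up one peer does not trigger deletion of the other peer’s SAs. This is not the poster’s export; it assumes RouterOS 6.43 or later or v7 (the `/ip ipsec peer` and `/ip ipsec identity` layout shown in the export above), a LAN of 192.168.1.0/24, the central ASA at 203.0.113.20 serving 10.200.0.0/24 and the second Mikrotik at 203.0.113.30 serving 10.201.0.0/24; all addresses, names and secrets are placeholders.

```routeros
# --- Single-public-IP router: two static IPsec peers, disjoint policies ---
# Assumed placeholders: ASA 203.0.113.20 (remote LAN 10.200.0.0/24),
#                       second Mikrotik 203.0.113.30 (remote LAN 10.201.0.0/24)

/ip ipsec profile
add name=prof-ike2 hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 \
    lifetime=8h nat-traversal=yes comment="IKEv2 phase 1, NAT-T on since the router sits behind NAT"
/ip ipsec proposal
add name=prop-esp auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h

# send-initial-contact=no on BOTH peers: the INITIAL_CONTACT notification tells the remote
# to drop existing SAs for this source address, which is exactly what must not happen here
/ip ipsec peer
add name=peer-asa  address=203.0.113.20/32 exchange-mode=ike2 profile=prof-ike2 send-initial-contact=no
add name=peer-owen address=203.0.113.30/32 exchange-mode=ike2 profile=prof-ike2 send-initial-contact=no

/ip ipsec identity
add peer=peer-asa  auth-method=pre-shared-key secret=ChangeMeASA
add peer=peer-owen auth-method=pre-shared-key secret=ChangeMeOwen

# One policy per peer with non-overlapping dst-address; overlapping selectors would leave the
# second policy unable to win traffic for the same destination
/ip ipsec policy
add peer=peer-asa  tunnel=yes src-address=192.168.1.0/24 dst-address=10.200.0.0/24 \
    proposal=prop-esp action=encrypt level=require comment="to ASA"
add peer=peer-owen tunnel=yes src-address=192.168.1.0/24 dst-address=10.201.0.0/24 \
    proposal=prop-esp action=encrypt level=require comment="to second Mikrotik"

# Do not masquerade traffic that is about to be encrypted, or the policy src-address never matches
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0 comment="bypass NAT for IPsec policies"

# Checks: both peers should be listed as established and each should have its own SA pair
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print where ph2-state=established
```

If only one peer ever reaches the established state, watch `/log print where topics~"ipsec"` while the second peer negotiates; a remote that still sends its own INITIAL_CONTACT toward the shared address will show up there as SAs being deleted on the first tunnel, in which case the setting has to be turned off on that side as well.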