Hello!
I’m puzzled by a scenario which in theory should work, but it doesn’t. In actuality it works, but only partially. The simplified network diagram is shown below:

There are three separate networks:
- Network A: server, two client groups, MT router
- Network B: bunch of servers, MT router
- Road Warriors: multiple users directly connected to the Internet
VPN tunnels:
- Both Network A & B routers are IPSec IKEv2 servers
- Clients behind the router in Network A connect to various IPSec IKEv2 servers (e.g. network B MT) as needed
- Road warriors connect to MT in Network A & B via IPSec IKEv2
- Router in Network A keeps persistent IPSec IKEv2 to router in Network B
What’s broken?
All road warriors & clients behind the router in Network A are able to connect without problems (green & yellow lines). I’m failing to find a way to add the permanent connection from the router in Network A to the router in Network B.
Current (working) IPSec configuration on the router in Net A (the router in Net B has almost the same config, just different hosts/certs):
/ip ipsec mode-config
add address-pool=vpn name=rw-vpn-modecfg static-dns=10.***.***.*** system-dns=no
/ip ipsec profile
add dh-group=modp8192,modp4096,modp2048,modp1024 enc-algorithm=aes-256 \
hash-algorithm=sha256 name=secure-compatibile
/ip ipsec peer
add exchange-mode=ike2 name=peer1 passive=yes profile=secure-compatibile \
send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=rw-proposal-noPFS \
pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=network_A_server_cert.pem_0 \
generate-policy=port-strict match-by=certificate mode-config=rw-vpn-modecfg \
my-id=fqdn:network-a.***.com peer=peer1 remote-certificate=User1.cer_0 \
remote-id=auto
I tried adding the following to the router in Net A, but the connection to Net B is never established:
/ip ipsec policy group
add name=net-B-client-grp
/ip ipsec peer
add address=network-b.***.com disabled=no exchange-mode=ike2 name=net-B-client \
profile=secure-compatibile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc \
name=rw-client-proposal-noPFS pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=netA-to-netB-autovpn-bundle.pem_0 \
disabled=no generate-policy=port-strict match-by=certificate \
mode-config=rw-client-vpn-modecfg my-id=key-id peer=net-B-client \
policy-template-group=net-B-client-grp \
remote-certificate=net-B-pub-cert.cer_0.crt_0
/ip ipsec policy
add disabled=no dst-address=0.0.0.0/0 group=net-B-client-grp \
proposal=rw-client-proposal-noPFS src-address=0.0.0.0/0 template=yes
Can anyone give me any hint if this is even possible and if so how to proceed?
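As an added illustration (not from the original post), this is the shape a static site-to-site IKEv2 configuration takes in RouterOS, as opposed to the mode-config/template-policy pattern used for road warriors. The LAN subnets 192.168.10.0/24 and 192.168.20.0/24 are constructed placeholders; the peer address, proposal and certificate names are taken from the post and the remote-id value is an assumption.

```routeros
# Added illustration, not the poster's configuration. Assumed values: the
# two LAN subnets 192.168.10.0/24 (Net A) and 192.168.20.0/24 (Net B) are
# constructed placeholders; certificate and proposal names come from the post.
# Apply on the router in Net A; Net B mirrors it with the subnets swapped and
# its peer left passive=yes (only the initiating side must be passive=no).

/ip ipsec peer
add address=network-b.***.com exchange-mode=ike2 name=net-B-s2s \
passive=no profile=secure-compatibile
# Caveat: the post's profile still offers modp1024 (1024-bit DH), which is
# considered weak; keep only the larger groups if both ends support them.

# Static identity: no mode-config and no generate-policy. Those two settings
# make the router behave like a road-warrior client that asks the remote
# side for an address and a generated policy; a site-to-site tunnel carries
# fixed subnets, so the policy is defined explicitly below instead.
/ip ipsec identity
add auth-method=digital-signature certificate=netA-to-netB-autovpn-bundle.pem_0 \
match-by=certificate my-id=fqdn:network-a.***.com peer=net-B-s2s \
remote-certificate=net-B-pub-cert.cer_0.crt_0 \
remote-id=fqdn:network-b.***.com

# Non-template policy bound to the peer: tunnel mode, encryption required,
# and only the two LAN subnets as selectors (not 0.0.0.0/0 on both sides).
/ip ipsec policy
add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 tunnel=yes \
action=encrypt level=require proposal=rw-client-proposal-noPFS peer=net-B-s2s

# Verification: the peer should appear as established and an SA pair should
# be installed for the two subnets.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
```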