Hello,
I want to configure 2 IPsec tunnel on the same Mikrotik CHR that it has one public IP address, with 2 VPN server that have 2 public Ip address. It should be like an active/ active scenario or active stanbdby scenario. Is that possible? It is like on Cisco ASA where you can configure two peer on the same Cisco ASA ( Cisco Asa has 1 public IP establishing 2 VPN tunnels , where just one is active and in case that one fails, it will come up the standby one).
Best Regards,
Sandro
Your picture suggests that the remote peers are Fortigate devices, so your choice of options may be restricted.
When using bare IPsec, only one policy may be active at a time for any given traffic selector (a combination of local and remote prefixes), so only an active+standby setup is possible in this case. On the CHR end, you configure a peer for each Fortigate, but only a single policy which has a list of both these peers as the peer parameter. On startup, the CHR establishes a security association linked to that policy with the first peer on the list. If the peer to which the security association is currently established stops working, the CHR establishes the security association with the other peer. There is no auto-revert mechanism, the CHR only re-establishes the SA if the currently active peer stops responding.
If the reponders would be Mikrotik routers too, either each of them would have to have a route to the CHR’s target subnet via the other one, or the one on which the SA would be established would have to advertise itself into the internal network as the gateway to that subnet using some dynamic routing protocol; the latter would require a periodically scheduled script. In the former case, the policy towards the CHR would have to be generated from a template dynamically so that a statically configured policy would not keep shadowing the route via the other one.
If you opt to only use IPsec to encrypt a traditional tunnel, you can use any redundancy setup, including active+active. However, Mikrotik does not support VTI - my personal guess is that it is because it breaks the philosophy of the IPsec security concept, but it has never been stated officially. So you are left with an IP over IP (or IPencap, or IPIP as Mikrotik calls it) tunnel encrypted using an IPsec security association in transport mode, which has the same overhead like a VTI or bare IPsec in tunnel mode, but is configured in a different way. If Fortigate supports that, OK; if it does not, you can use IP over GRE (called just GRE in the Mikrotik configuration), which has a bit more overhead. How you configure the redundancy atop the two encrypted tunnels is up to you.