VPN Tunnel

Hi guys,

I've configured a site-to-site VPN between a Cisco ASA and a MikroTik.
The VPN tunnel uses IKEv1 with SHA, DH group 5, AES-256 and a pre-shared key. Behind the MikroTik there are two VLANs under one interface.
One VLAN will be routed into the VPN tunnel, while the other one will not.
The tunnel comes up without problems, but my problem is this:

With the VPN tunnel up I can't ping the default gateway of the VLAN routed into the tunnel. I can ping all IPs in the same VLAN, and I can ping remote IPs behind the ASA, but from
the ASA I can't ping the network behind the MikroTik.

Any support? Any advice?

Thanks
Andrea

My telepath is not available right now, sorry. :)
Please post your current configuration (/ip ipsec export hide-sensitive), otherwise nobody will be able to help you.

Is the VLAN tagged or untagged?

I've attached the entire configuration.

Andrea

The source and destination networks in your IPsec policy overlap. That does not look good to me, and it also explains why you cannot ping the gateway. The easiest solution will be to exclude your local network from the tunnel with the following command (make sure this new policy is placed above your existing one):

/ip ipsec policy add action=none dst-address=172.31.85.0/24 src-address=172.31.85.0/24

I'm configuring a VPN tunnel from a warehouse to the corporate network. My entire corporate network is a /16 subnetted into many /24s.
This is the reason for configuring the policy this way.

Andriys, I've tried your advice but it doesn't do anything. I'm sharing my network design. Maybe it can be useful.

Thanks Andrea

Please confirm you placed your new policy before/above the old one. The order of policies is important.
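The ordering point made in the two answers above, as an added Python model that is not from the thread or from RouterOS itself: IPsec policies are evaluated top-down and the first match wins, so the action=none exclusion only helps if it sits above the tunnel policy. The corporate /16 range and the sample host addresses are assumptions; only 172.31.85.0/24 comes from the thread.

```python
# Added example: first-match model of an IPsec policy table, showing why the
# exclusion policy from the thread must be placed above the tunnel policy.
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    src: str     # source selector, CIDR
    dst: str     # destination selector, CIDR
    action: str  # "encrypt" (send through tunnel) or "none" (plain routing)


def match(policies, src_ip, dst_ip):
    """Return the action of the first policy whose selectors contain the packet.

    Policies are checked in table order, as RouterOS does; a later, more
    specific policy never gets a chance if an earlier one already matched.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return p.action
    return "bypass"  # no policy matched: ordinary routing


LOCAL = "172.31.85.0/24"  # VLAN routed into the tunnel (from the thread)
CORP = "172.31.0.0/16"    # assumed corporate /16 that also contains LOCAL

# Broken order: the encrypt policy also swallows LAN-to-LAN traffic,
# including pings between a host and its own default gateway.
BROKEN = [Policy(LOCAL, CORP, "encrypt"), Policy(LOCAL, LOCAL, "none")]

# Fixed order: the exclusion sits above the tunnel policy.
FIXED = [Policy(LOCAL, LOCAL, "none"), Policy(LOCAL, CORP, "encrypt")]


def classify(policies):
    """Classify two constructed flows: host -> local gateway, host -> remote site."""
    return {
        "host_to_gateway": match(policies, "172.31.85.10", "172.31.85.1"),
        "host_to_remote": match(policies, "172.31.85.10", "172.31.10.5"),
    }


if __name__ == "__main__":
    print("broken order:", classify(BROKEN))  # gateway traffic gets encrypted
    print("fixed order: ", classify(FIXED))   # gateway traffic stays local
```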

Hi Andriys,

I'm sorry, I've moved the policy entry and now it is OK.

Thank you so much!

For my next project with a MikroTik router I will keep this step in mind.

Andrea