icefred
just joined
Topic Author
Posts: 5
Joined: Tue Jul 13, 2010 3:12 pm
Location: Vienna/Austria

IPSec Tunnel - office multiple WAN IPs

Sun Jan 21, 2018 9:16 pm

Hey,

following scenario:

RB2011 with ROS 6.41 connected via 1 WAN public IP to a central firewall cluster (FortiGate, 2x WAN, different ISPs and WAN IPs) via IPsec.
So is it possible to make 2 IPsec connections from the RB2011 to both WAN IPs for failover reasons?

I've configured it, but in the IPsec policy list 1 of the 2 policies is always invalid, and the invalid flag also doesn't change according to whether Phase 1 is established or not.
According to the new IPsec policy handling in 6.40 (https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Policy priority is removed and now top to bottom), when or how do the policies become invalid or not?

Both peers are configured and working, but only 1 at a time.

Above, the output from the policy print:
[admin@fw01.1120] /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, 
* - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all 
       proposal=default template=yes 

 1  A  src-address=10.11.20.0/24 src-port=any dst-address=192.168.112.0/24 
       dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=80.121.23.1 
       sa-dst-address=213.143.1.8 proposal=proposal1 ph2-count=1 

 2  I  src-address=10.11.20.0/24 src-port=any dst-address=192.168.112.0/24 
       dst-port=any protocol=all action=encrypt level=require 
       ipsec-protocols=esp tunnel=yes sa-src-address=80.121.23.1
       sa-dst-address=80.123.1.2 proposal=default ph2-count=0 
[admin@fw01.1120] /ip ipsec policy> 
Does anybody have an idea?

Kind regards
 
emils
MikroTik Support
Posts: 574
Joined: Thu Dec 11, 2014 8:53 am

Re: IPSec Tunnel - office multiple WAN IPs

Mon Jan 22, 2018 9:02 am

There can only be one active policy with the same source and destination address. Currently, Netwatch is the best way to achieve failover by disabling and enabling required policies.
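One way to build the Netwatch-driven failover that emils describes, as an added example that is not part of the thread and not MikroTik's own configuration. It assumes the two policies from the original post are labelled with the comments "to-fgt-wan1" and "to-fgt-wan2" (the comment names are my choice), that 213.143.1.8 and 80.123.1.2 are the FortiGate WAN addresses as shown in the print output, and that the RB2011 can reach 213.143.1.8 with plain ICMP from its WAN address. Only one policy is ever enabled at a time, which is what makes the "one active policy per src/dst pair" rule work out.

```routeros
# Added example, not from the thread or from MikroTik.
# Assumptions: policy to 213.143.1.8 is the primary, policy to 80.123.1.2
# the backup; both already exist as in the poster's /ip ipsec policy print.

# 1) Label both policies so the scripts can find them by comment, and
#    start with only the primary enabled (the backup would otherwise be
#    flagged invalid, since both share the same src/dst subnets).
/ip ipsec policy
set [find sa-dst-address=213.143.1.8] comment="to-fgt-wan1" disabled=no
set [find sa-dst-address=80.123.1.2]  comment="to-fgt-wan2" disabled=yes

# 2) Netwatch pings the primary FortiGate WAN address. The probe goes to a
#    public IP, so it does not itself match the 192.168.112.0/24 policy and
#    is not affected by the tunnel state.
/tool netwatch
add host=213.143.1.8 interval=30s timeout=1s comment="fgt-wan1 monitor" \
    down-script="/ip ipsec policy set [find comment=\"to-fgt-wan1\"] disabled=yes; \
                 /ip ipsec policy set [find comment=\"to-fgt-wan2\"] disabled=no; \
                 /log warning \"IPsec failover: primary peer 213.143.1.8 down, switched to 80.123.1.2\"" \
    up-script="/ip ipsec policy set [find comment=\"to-fgt-wan2\"] disabled=yes; \
               /ip ipsec policy set [find comment=\"to-fgt-wan1\"] disabled=no; \
               /log info \"IPsec failover: primary peer 213.143.1.8 back, switched to 213.143.1.8\""
```

Two things to check before relying on this: the two policies in the print output use different proposals (proposal1 versus default), so make sure the proposal the backup policy ends up negotiating is one the FortiGate accepts, otherwise the failover flips to a policy that can never complete Phase 2; and the log lines the scripts write are the simplest way to see from the router side when and how often a switch happened, which is worth watching for flapping before lowering the Netwatch interval.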
