If we use the same certificate for different Internet links, then the router cannot establish an IPsec connection.
Code:
/ip ipsec proposal add name="phase2-proposal1" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024 disabled=no
/ip ipsec profile add name="phase1-profile1" hash-algorithm=sha256 prf-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d dpd-interval=1m nat-traversal=no
/ip ipsec peer add name="peer2-1" address=<peer2-ip1> local-address=<peer1-ip1> exchange-mode=ike2 profile="phase1-profile1" send-initial-contact=yes passive=no disabled=no
/ip ipsec peer add name="peer2-2" address=<peer2-ip2> local-address=<peer1-ip2> exchange-mode=ike2 profile="phase1-profile1" send-initial-contact=yes passive=no disabled=no
/ip ipsec identity add peer="peer2-1" auth-method=digital-signature certificate="PEER1" remote-certificate="PEER2" match-by=certificate generate-policy=no disabled=no
/ip ipsec identity add peer="peer2-2" auth-method=digital-signature certificate="PEER1" remote-certificate="PEER2" match-by=certificate generate-policy=no disabled=no