atakacs
Frequent Visitor
Topic Author
Posts: 91
Joined: Mon Mar 07, 2016 5:39 pm

IPsec Policies with multiple subnets

Sun May 16, 2021 5:34 pm

I have a working IPsec site-to-site VPN and I now need to make a second subnet available behind one of the routers.

As far as I understand, the IPsec policy only maps 1:1 (i.e. one source to one destination subnet).

I have tried to duplicate the policy, but although the new one would work, this kills the old one, i.e. I can only reach one of the subnets at a given time.

What am I missing?
 
sindy
Forum Guru
Posts: 7278
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec Policies with multiple subnets

Sun May 16, 2021 9:53 pm

As far as I understand, the IPsec policy only maps 1:1 (i.e. one source to one destination subnet).
Correct (except that it rather "links" than "maps" subnets).

I have tried to duplicate the policy, but although the new one would work, this kills the old one, i.e. I can only reach one of the subnets at a given time.
If you have "duplicated" it properly, in the sense that you've changed the src-address at the peer with two subnets and the dst-address at the peer with a single subnet and left the rest unchanged, it should work normally.

So try changing level from the default "required" to "unique" - if both peers are MikroTik ones, this should not be necessary, but it's worth trying.

If that doesn't help, try disabling and re-enabling the identity, as adding policies on the fly behaves funny in some RouterOS versions.
Instead of writing novels, post /export hide-sensitive. Use find & replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
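A worked configuration of what the reply above describes, added here as an example and not taken from the thread: the router with two subnets carries two policies that differ only in src-address, and the other end mirrors them with two policies that differ only in dst-address. The subnet addresses, the peer names siteA/siteB and the RouterOS 6.43+ policy syntax with peer= are my assumptions.

```routeros
# Added example, not from the thread. Assumed addressing:
#   Router A (two local subnets): 192.168.1.0/24 and 192.168.2.0/24
#   Router B (one local subnet):  192.168.10.0/24
# Assumes /ip ipsec peer and identity already exist on both routers
# (named siteB on A and siteA on B) and RouterOS 6.43+ policy syntax (peer=).

# --- Router A: two policies, identical except for src-address ---
/ip ipsec policy
add peer=siteB tunnel=yes action=encrypt proposal=default level=required \
    src-address=192.168.1.0/24 dst-address=192.168.10.0/24
add peer=siteB tunnel=yes action=encrypt proposal=default level=required \
    src-address=192.168.2.0/24 dst-address=192.168.10.0/24

# --- Router B: the mirror image, identical except for dst-address ---
/ip ipsec policy
add peer=siteA tunnel=yes action=encrypt proposal=default level=required \
    src-address=192.168.10.0/24 dst-address=192.168.1.0/24
add peer=siteA tunnel=yes action=encrypt proposal=default level=required \
    src-address=192.168.10.0/24 dst-address=192.168.2.0/24

# If only one policy at a time comes up, switch both routers to level=unique,
# which negotiates a separate SA for each policy instead of sharing one.
# (Run the equivalent with peer=siteA on Router B.)
/ip ipsec policy set [find peer=siteB] level=unique

# Check: both policies should carry the A (active) flag, and installed-sa
# should list one SA pair per policy rather than a single shared pair.
/ip ipsec policy print
/ip ipsec installed-sa print
```

If a policy stays inactive after this, disable and re-enable the identity as suggested above so the new policies are picked up.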
