As far as I understand the IPSec Policy only maps 1:1 (i.e. one source to one destination subnet)
Correct (except that it rather "links" than "maps" subnets).
I have tried to duplicate the policy but although the new one would work this kills the old one - i.e. I can only reach one of the subnets at a given time.
If you have "duplicated" it properly, in terms that you've changed the src-address at the peer with two subnets and dst-address at the peer with single subnet and left the rest unchanged, it should work normally.
So try changing level from the default required - if both peers are Mikrotik ones, this should not be necessary, but it's worth trying.
If that doesn't help, try disabling and re-enabling the identity, as adding policies on the fly behaves funny in some RouterOS versions.