Hello.

I would like to ask you a question about the Mikrotik CRS125, in that I have two IPSECS settings for the same SA Dst. Address. I can get only one of them established and the other one I can not.
Here you can see my config file:



The one which stabilishs is the 10.50




-----
;;;Rede 171 - OK
src-address=192.168.13.0/24 src-port=any dst-address=171.0.0.0/8 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=aaa.aaa.aaa.aaa sa-dst-address=yyy.yyy.yyy.yyy proposal=client - Phase2 priority=0

----
;;;Rede 10.50 - OK
src-address=192.168.12.0/24 src-port=any dst-address=10.52.0.0/16 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=bbb.bbb.bbb.bbb sa-dst-address=yyy.yyy.yyy.yyy proposal=client - Phase2 priority=0


-----
;;;IKE Phase 1
address=yyy.yyy.yyy.yyy local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="passwd" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=strict hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d8h lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

-----
name="client - Phase2" auth-algorithms=md5 enc-algorithms=3des lifetime=8h pfs-group=modp1024



Route

Rede 10.52 - Site-to-site
yyy.yyy.yyy.yyy/yy bbb.bbb.bbb.bb 1

Rede 171 - Site-to-site
yyy.yyy.yyy.yyy aaa.aaa.aaa.aaa 1

In such more complicated cases I recommend to make a IPIP or GRE tunnel with IPsec and route the traffic over that tunnel.

Hello, fandreus!

I'm not sure if I understand correctly your setup. May be you can post an simple plan?

We have done setup on RB1100AH with one LAN to another point where is Cisco ASA with two LANs.
Both IPSec VPN established and works simultaneously.

1. RB-LAN(192.168.0.0/24) - Cisco LAN(10.0.0.0/24).
2. RB-LAN(192.168.0.0/24) - Cisco DMZ(10.0.1.0/24).

Thank you!

In such more complicated cases I recommend to make a IPIP or GRE tunnel with IPsec and route the traffic over that tunnel.

Hello pelchl

I am going to look for the documentation to set this configuration, if you have it to provide to me i would be very grateful.
trank you

Hello, fandreus!

I'm not sure if I understand correctly your setup. May be you can post an simple plan?

We have done setup on RB1100AH with one LAN to another point where is Cisco ASA with two LANs.
Both IPSec VPN established and works simultaneously.

1. RB-LAN(192.168.0.0/24) - Cisco LAN(10.0.0.0/24).
2. RB-LAN(192.168.0.0/24) - Cisco DMZ(10.0.1.0/24).

Thank you!

Hello Slech

We can consider this way:
I have two Ipsecs for the same destination, but they are set for different networks, as you can see:


Ipsec 01
RB-LAN (192.168.12.0/24) Cisco LAN-1 (10.50.0.0/24)
RB-Source (200.200.2.2) Cisco Destination (200.200.1.1)

Ipsec02
RB-LAN (192.168.13.0/24) Cisco LAN-2 (171.0.0.0/24)
RB-Source (189.11.3.3) Cisco Destination (200.200.1.1)

The peer is the same for the two ipsec.

thank you