HQ router (CCR1009)
WAN IP: 1.1.1.1
LAN IP: 10.1.1.1/23
PTP-to-RT2: 10.255.255.1/30
Branch office router (RB3011)
WAN IP: 2.2.2.2
LAN IP: 10.2.1.1/23
HQ router is connected to another router (IP 10.255.255.2/30) from which I know the subnet 10.0.0.0/8 (with a static).
I have the same problem that you can find here: viewtopic.php?t=118224
I've seen that the priority field was removed from v6.40 (and I have v6.42 installed). I've tried creating a policy BEFORE the one that encrypts, but the effect is the same as seen in the other topic: I cannot reach the branch office subnet even locally (it gives me a TTL expired error if I ping a host directly connected to the LAN).
Here is the policy export of the branch office:
/ip ipsec policy
add action=none dst-address=10.2.0.0/23 src-address=10.2.0.0/23
add dst-address=10.0.0.0/8 sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=10.2.0.0/23 tunnel=yes
Could you please help me?
Thank you.
Beppe