The first IPSec connection is to my parents' house, and it's doing hideous NAT because the remote RouterOS is behind IPv4 NAT so I've built a GRE tunnel there to use for routing purposes. This appears to work satisfactorily, but I include it for context.
The second VPN connection also works, but I want to use it for routing only clients in a specific VLAN (i.e. if clients join my normal network, they're routed out normally, if they join the "other" network, they go via the VPN).
In order to route only specific clients, I thought I wanted to use ipsec policies, and matching source addresses. However, when I change the src-address to match the range of the clients, this prevents the IPSec connection from matching and then being created. If I use IPSec mode-config and address-lists to match the clients, then this fails because *every* client will get routed via the VPN when I bounce the PPP and VPN connections.
Any ideas what I've done wrong please?
RouterOS is 6.47.9, and below is the relevant looking config (I've disabled the VPN for now because I don't want PPP bouncing and then all connections going via the US!):
[admin@router] > /ip ipsec policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T 192.168.177.0/24 192.168.177.2/32 all
1 DA ike2 yes 192.168.177.0/24 192.168.177.2/32 all encrypt unique 1
2 T * ::/0 ::/0 all
3 T X 0.0.0.0/0 0.0.0.0/0 all
[admin@router] > /ip ipsec mode-config print
Flags: * - default, R - responder
0 * name="request-only" responder=no use-responder-dns=exclusively
1 R name="ike2-trusted" system-dns=no static-dns="" address=192.168.177.2 address-prefix-length=24 split-include=192.168.177.0/24 split-dns=""
2 R name="ike2" system-dns=no static-dns="" address-pool=dhcp-vpn-normal address-prefix-length=32 split-dns=""
3 name="surfshark-us-nyc" responder=no src-address-list=us-users use-responder-dns=exclusively
[admin@router] > /ip firewall address-list print where list="us-users"
Flags: X - disabled, D - dynamic
# LIST ADDRESS CREATION-TIME TIMEOUT
0 us-users 192.168.10.0/24 sep/08/2020 17:15:26
[admin@router] >
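A way to confirm the leak described above before touching the policy setup, as an added diagnostic that is not part of the original post: it assumes the address list "us-users" (192.168.10.0/24 in the output above) is the only range that should enter the Surfshark tunnel; the log prefix and rule comments are my own names.

```routeros
# Added diagnostic, not from the original post. Place these two rules above any
# drop rules in chain=forward; they only log and count, they never block.
# Log any forwarded packet that RouterOS is about to encrypt under an outbound
# IPsec policy although its source is NOT in us-users. If "ipsec-leak" lines
# appear right after the PPP/VPN bounce, clients outside the VLAN really are
# being steered into the tunnel.
/ip firewall filter add chain=forward ipsec-policy=out,ipsec \
    src-address-list=!us-users action=log log-prefix="ipsec-leak" \
    comment="detect non-VLAN clients entering the VPN"
# Counter for the intended path, so the two can be compared with
# /ip firewall filter print stats
/ip firewall filter add chain=forward ipsec-policy=out,ipsec \
    src-address-list=us-users action=passthrough \
    comment="count VLAN clients entering the VPN"
# Then check which policies are actually installed and how much each one
# has matched; a dynamic policy with src-address 0.0.0.0/0 instead of the
# VLAN range would explain every client going via the VPN.
/ip ipsec policy print stats
/log print where message~"ipsec-leak"
```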