atakacs
Member Candidate
Topic Author
Posts: 121
Joined: Mon Mar 07, 2016 5:39 pm

IPsec Policies with multiple subnets

Sun May 16, 2021 5:34 pm

I have a working IPsec site-to-site VPN and I now need to make a second subnet available behind one of the routers.

As far as I understand, the IPsec policy only maps 1:1 (i.e. one source to one destination subnet).

I have tried to duplicate the policy, but although the new one would work, this kills the old one, i.e. I can only reach one of the subnets at a given time.

What am I missing?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec Policies with multiple subnets

Sun May 16, 2021 9:53 pm

> As far as I understand, the IPsec policy only maps 1:1 (i.e. one source to one destination subnet).

Correct (except that it rather "links" than "maps" subnets).

> I have tried to duplicate the policy, but although the new one would work, this kills the old one, i.e. I can only reach one of the subnets at a given time.

If you have "duplicated" it properly, in the sense that you've changed the src-address at the peer with two subnets and the dst-address at the peer with a single subnet and left the rest unchanged, it should work normally.

So try changing level from the default "required" to "unique"; if both peers are MikroTik ones, this should not be necessary, but it's worth trying.

If that doesn't help, try disabling and re-enabling the identity, as adding policies on the fly behaves funny in some RouterOS versions.
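The policy pairs described above, written out for both peers with level=unique, as an added example that is not from the thread; the subnets, peer names and the identity lookup are constructed assumptions.

```routeros
# Added example, not from the thread. Constructed values:
#   Site A (two subnets): 10.1.0.0/24 and 10.2.0.0/24, peer object "siteB"
#   Site B (one subnet):  10.3.0.0/24,                 peer object "siteA"
# A policy links exactly one source subnet to one destination subnet,
# so a second subnet needs a second policy, mirrored on both peers.

# --- Site A router (two subnets behind it) ---
/ip ipsec policy
add peer=siteB tunnel=yes src-address=10.1.0.0/24 dst-address=10.3.0.0/24 \
    proposal=default level=unique
add peer=siteB tunnel=yes src-address=10.2.0.0/24 dst-address=10.3.0.0/24 \
    proposal=default level=unique

# --- Site B router (one subnet behind it) ---
/ip ipsec policy
add peer=siteA tunnel=yes src-address=10.3.0.0/24 dst-address=10.1.0.0/24 \
    proposal=default level=unique
add peer=siteA tunnel=yes src-address=10.3.0.0/24 dst-address=10.2.0.0/24 \
    proposal=default level=unique

# level=unique makes each policy negotiate its own SA pair instead of
# sharing SAs with the other policy (the default is "required").

# If the new policy still does not come up, disable and re-enable the
# identity that belongs to the peer (assumes one identity per peer):
/ip ipsec identity disable [find peer=siteB]
/ip ipsec identity enable  [find peer=siteB]

# Check that each policy has its own installed SA pair and is active:
/ip ipsec installed-sa print
/ip ipsec policy print detail
```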
 
bruins0437
newbie
Posts: 33
Joined: Thu Jul 13, 2017 4:30 am
Location: New Hampshire

Re: IPsec Policies with multiple subnets

Tue Feb 06, 2024 4:28 am

> So try changing level from the default "required" to "unique"; if both peers are MikroTik ones, this should not be necessary, but it's worth trying.

I just wanted to stop by and say thank you! Your solution fixed a problem I have been dealing with since implementing Perimeter 81 and my MikroTik site-to-site tunnel. Changing each policy to "unique" immediately made them work.
