Attempting to enable redundancy, or at least dynamic failover, with my limited infrastructure (lab mock-up of the actual environment in the pic below).
Goal:
I would like my single router at Site-A (4011) to form IPSec tunnels with my two routers at Site-B (R1 & R4) simultaneously.
I would also like to encrypt 2 of my networks at Site-A (192.168.3/24 & 10/22) when Site-B is the destination (172.16/23).
My Question:
Is this a valid implementation with MikroTik RouterOS? And if so, is there a solution?
Site-A (4011)
Single MikroTik router RB4011
LAN 192.168.3.0 /24
LAN 10.0.0.0 /22
WAN 192.168.1.0 /28
Site-B (R1 & R4)
2 MikroTik routers, both connected to and sharing the same LAN and WAN network segments; see pic.
Site-A (4011)
IPSec Policy
Peer R1 192.168.0.1
Policies
Src. Address 192.168.3.0/24 Dst. Address 172.16.0.0/23
Src. Address 10.0.0.0/24 Dst. Address 172.16.0.0/23
Peer R4 192.168.0.3
Policies
Src. Address 192.168.3.0/24 Dst. Address 172.16.0.0/23
Src. Address 10.0.0.0/24 Dst. Address 172.16.0.0/23
On Site-A (4011)
IPSec Policy for peer R1 192.168.0.1 becomes established and passes traffic.
IPSec Policy for peer R4 192.168.0.3 fails to become established.
If remote peer R1 goes offline, the 4011 peer R4 policy remains red and doesn't pass any traffic, although there are SAs for R4 but no SPI for this peer.
Flushing SAs multiple times doesn't help.
If I manually disable R1 policies on 4011, R4 and 4011 become established immediately and are able to pass traffic.
I can provide an /export if needed.
Thank you for any assistance.
Frank
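A quick way to see why the second peer's policies stay inactive is to check the selectors for overlap: in a first-match policy table, a later policy whose src/dst selectors are already covered by an earlier policy for a different peer never receives traffic until the earlier one is disabled. The script below is an added example, not code from the post or from RouterOS; the policy rows and LAN prefixes are constructed from the values listed above, and the peer names are used only as labels.

```python
"""Check IPsec policy selectors for shadowing across peers and for LAN gaps.

Added example: the policy rows are constructed from the selectors listed in
the post for Site-A (4011); the order is assumed to be the order in the SPD.
"""
from ipaddress import ip_network

# (peer, src selector, dst selector) in assumed SPD order
POLICIES = [
    ("R1 192.168.0.1", "192.168.3.0/24", "172.16.0.0/23"),
    ("R1 192.168.0.1", "10.0.0.0/24",    "172.16.0.0/23"),
    ("R4 192.168.0.3", "192.168.3.0/24", "172.16.0.0/23"),
    ("R4 192.168.0.3", "10.0.0.0/24",    "172.16.0.0/23"),
]

# Site-A LAN prefixes as listed in the post
SITE_A_LANS = ["192.168.3.0/24", "10.0.0.0/22"]


def shadowed_policies(policies):
    """Return (later, earlier) pairs where an earlier policy for a different
    peer already contains the later policy's src and dst selectors, so the
    later policy never matches traffic in a first-match lookup."""
    found = []
    for i, (peer, src, dst) in enumerate(policies):
        s, d = ip_network(src), ip_network(dst)
        for j in range(i):
            peer2, src2, dst2 = policies[j]
            if peer2 != peer and s.subnet_of(ip_network(src2)) \
                    and d.subnet_of(ip_network(dst2)):
                found.append((policies[i], policies[j]))
                break  # first shadowing policy is enough to report
    return found


def uncovered_lans(policies, lans):
    """Return LAN prefixes that no single policy src selector fully contains;
    traffic from the part outside the selector is not matched by any policy."""
    return [lan for lan in lans
            if not any(ip_network(lan).subnet_of(ip_network(src))
                       for _, src, _ in policies)]


if __name__ == "__main__":
    for later, earlier in shadowed_policies(POLICIES):
        print(f"shadowed: {later} is never reached; {earlier} matches first")
    for lan in uncovered_lans(POLICIES, SITE_A_LANS):
        print(f"LAN {lan} is not fully covered by any policy src selector")
```

Run as-is it reports both R4 policies as shadowed by the matching R1 policies, and flags 10.0.0.0/22 because the 10.0.0.0/24 selector covers only part of it.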