I have an IPSEC tunnel between 2 routers, and it works fine.
When I add another peer, for a connection to a different router, it kills the first IPSEC connection. What would cause this to happen?
/ip ipsec peer> print
1 address=xx.yy.35.93/32:500 auth-method=pre-shared-key secret="first-tunnel" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
2 X address=10.1.10.1/32:500 auth-method=pre-shared-key secret="dummy-peer" generate-policy=no exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=disable-dpd dpd-maximum-failures=1
/ip ipsec proposal> print
0 name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=1h pfs-group=none
/ip ipsec policy> print
1 src-address=192.168.1.0/24:any dst-address=192.168.0.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=xx.yy.231.12 sa-dst-address=qq.zz.35.93 proposal=default priority=0
/ip ipsec remote-peers> print
0 local-address=xx.yy.231.12 remote-address=qq.zz.35.93 state=established side=initiator established=25s
It doesn't matter what you use inside of the ipsec tunnel, if the ipsec tunnel ITSELF is the issue that we are talking about.

dsobin
Have you tried using IPIP tunnels like in this article http://wiki.mikrotik.com/wiki/IPSec_VPN ... _and_Cisco? Also, have you tried using something other than MD5/3DES? We experienced issues with MD5/3DES (300+ locations) and are testing SHA1/AES256 next week. Just a thought and good luck.
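As an added example for this thread (not code from any poster or from MikroTik), the script below parses the `/ip ipsec peer print` and `/ip ipsec proposal print` listings pasted above and flags the settings a reviewer would want changed before going further: MD5 integrity, 3DES encryption, the 1024-bit DH group, DPD disabled (which is why a stale SA needs a manual flush), no PFS in the phase-2 proposal, and pre-shared secrets left in the pasted output. The sample listings are constructed from the post, with the poster's masked addresses kept as they are; the entry/flag layout assumed is RouterOS's usual print format (index, optional `X` for disabled, then key=value pairs with wrapped continuation lines).

```python
"""Audit RouterOS IPsec peer/proposal 'print' output for weak settings.
Added example for the thread above; not RouterOS tooling."""
import re
from typing import Dict, List

# Constructed sample: the two listings from the original post, addresses masked as posted.
SAMPLE_PEERS = """\
 1   address=xx.yy.35.93/32:500 auth-method=pre-shared-key secret="first-tunnel" generate-policy=no exchange-mode=main
     send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
     lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
 2 X address=10.1.10.1/32:500 auth-method=pre-shared-key secret="dummy-peer" generate-policy=no exchange-mode=main send-initial-contact=yes
     nat-traversal=no proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0
     dpd-interval=disable-dpd dpd-maximum-failures=1
"""
SAMPLE_PROPOSALS = """\
 0   name="default" auth-algorithms=md5 enc-algorithms=3des lifetime=1h pfs-group=none
"""

# Assumed print layout: an entry starts with an index, optional one-letter flags
# (X = disabled), then key=value pairs; wrapped lines continue the same entry.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+((?:[A-Z]\s+)*)(?=\S+=)")
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_print(text: str) -> List[Dict[str, str]]:
    """Turn 'print' output into one dict per entry (_id and _flags are synthetic keys)."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"_id": m.group(1), "_flags": m.group(2).replace(" ", "")})
            body = line[m.end():]
        elif entries:
            body = line  # continuation of the previous entry
        else:
            continue
        for key, value in KV_RE.findall(body):
            entries[-1][key] = value.strip('"')
    return entries


WEAK_HASH = {"md5"}
WEAK_ENC = {"des", "3des", "null"}
WEAK_DH = {"modp768", "modp1024"}


def audit_peer(peer: Dict[str, str]) -> List[str]:
    f: List[str] = []
    if "X" in peer["_flags"]:
        f.append("disabled (X flag): inactive now, findings apply once enabled")
    if peer.get("hash-algorithm") in WEAK_HASH:
        f.append(f"hash-algorithm={peer['hash-algorithm']}: deprecated IKE integrity, use sha256 or better")
    if peer.get("enc-algorithm") in WEAK_ENC:
        f.append(f"enc-algorithm={peer['enc-algorithm']}: weak IKE cipher, use aes-256 or similar")
    if peer.get("dh-group") in WEAK_DH:
        f.append(f"dh-group={peer['dh-group']}: DH group too small, use modp2048 or an ECP group")
    if peer.get("dpd-interval") == "disable-dpd":
        f.append("dpd-interval=disable-dpd: dead peer detection off, stale SAs need a manual flush")
    if "secret" in peer:
        f.append("secret printed in clear text: redact before pasting output anywhere")
    return f


def audit_proposal(prop: Dict[str, str]) -> List[str]:
    f: List[str] = []
    for alg in prop.get("auth-algorithms", "").split(","):
        if alg in WEAK_HASH:
            f.append(f"auth-algorithms includes {alg}: deprecated ESP integrity")
    for alg in prop.get("enc-algorithms", "").split(","):
        if alg in WEAK_ENC:
            f.append(f"enc-algorithms includes {alg}: weak ESP cipher")
    if prop.get("pfs-group") == "none":
        f.append("pfs-group=none: no forward secrecy for phase-2 keys")
    return f


def audit(peers_text: str, proposals_text: str) -> Dict[str, List[str]]:
    report: Dict[str, List[str]] = {}
    for p in parse_print(peers_text):
        report[f"peer {p['_id']}"] = audit_peer(p)
    for pr in parse_print(proposals_text):
        report[f"proposal {pr['_id']}"] = audit_proposal(pr)
    return report


if __name__ == "__main__":
    for label, findings in audit(SAMPLE_PEERS, SAMPLE_PROPOSALS).items():
        print(label)
        for line in findings:
            print("  -", line)
```

Run it against your own `print` output by replacing the two sample strings; an empty findings list for an entry means none of the checks above fired, not that the configuration is correct.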
Please contact support [at] mikrotik.com. It looks like a different problem than we reproduced.

Thanks Sergejs. I hope you can also try this when the first tunnel is MT to Cisco. In my configuration, enabling a second
tunnel causes the first tunnel (MT to Cisco) to fail and require a flush SA to restore.

I'm unsure what you mean by "the peer". Do you mean the peer at the other end of the tunnel, or do you mean the second peer at my local end?

Do you have separate policy for the peer, or both peers share the same policy?

This problem will be fixed in the upcoming version of MikroTik RouterOS.

Are you referring to my configuration between MT and MT or MT and Cisco?
You wrote that you have reproduced the problem between MT and MT. Yes, I agree in that case the tunnel does not break, but the peer disappears
from the "Remote Peers" tab. I thought this was significant, since the same thing happens in the MT to Cisco case, but in that case, the tunnel
stops working.
I assume you are referring to my MT to Cisco configuration.
On the MT side, the configuration is the same as I posted in the MT to MT configuration.