I have the following setup:
Subnets - Router 1 - IPsec - Router2 - Subnets and Internet
The following subnets are directly connected to router 1
and the router routes between them. The subnet used for connecting routers 1 and 2 is
Behind router 2 are the following subnets
0.0.0.0/0 for the Internet
For security reasons it is necessary to encrypt the traffic between the routers. Basically, the default route on router 1 should go through the IPsec tunnel, but the local traffic should not.
My problem now is that I don't know how to make the IPsec policy entries, as it is not possible to exclude subnets from IPsec, only to include them. If I make the following policy
/ip ipsec policy
add src-address=10.1.99.0/24 src-port=any dst-address=0.0.0.0/0 dst-port=any \
sa-src-address=10.4.254.10 sa-dst-address=10.4.254.1 \
tunnel=yes action=encrypt proposal=default
it would also encrypt the traffic from the local subnet to another local subnet, or is there some implicit configuration so that local subnets are not passed to IPsec?
PS: It would be nice if the 10.4.254.10/24 IP address of router 1 were reachable from the networks behind router 2 even if the IPsec tunnel is not up, just for monitoring (link down vs. tunnel down) and administration of the router.
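The configuration below is an added example, not part of the original post, showing how the exclusion the asker is looking for is normally done on RouterOS: a policy with action=none matches the traffic that must stay in cleartext, and because policies are evaluated top-down with the first match winning, those exceptions are placed above the catch-all action=encrypt policy. The 10.1.98.0/24 subnet and router 2's remote subnet 10.5.0.0/16 are placeholders (the post does not list the subnets), and the comments and level= parameter are assumptions added here. The sa-src-address/sa-dst-address form matches the syntax used in the post (pre-6.43 RouterOS); newer releases reference a peer entry with peer= instead.

```routeros
# --- Router 1 ---------------------------------------------------------------
/ip ipsec policy
# Exceptions first: inter-subnet traffic behind router 1 is matched here and
# never handed to IPsec. One entry per direction; 10.1.98.0/24 is a placeholder
# for a second local subnet.
add src-address=10.1.99.0/24 dst-address=10.1.98.0/24 action=none \
    comment="local to local, no IPsec"
add src-address=10.1.98.0/24 dst-address=10.1.99.0/24 action=none \
    comment="local to local, no IPsec"
# Keep the inter-router transit subnet out of the tunnel, so the local subnet can
# still reach router 2's outer address (and vice versa) when the tunnel is down.
add src-address=10.1.99.0/24 dst-address=10.4.254.0/24 action=none \
    comment="transit net, no IPsec"
# Catch-all last: everything else from the local subnet goes through the tunnel.
# level=require makes RouterOS drop matching traffic that cannot be encrypted
# instead of sending it in cleartext while the tunnel is down.
add src-address=10.1.99.0/24 src-port=any dst-address=0.0.0.0/0 dst-port=any \
    sa-src-address=10.4.254.10 sa-dst-address=10.4.254.1 \
    tunnel=yes action=encrypt proposal=default level=require \
    comment="default route via IPsec"

# --- Router 2 ---------------------------------------------------------------
# The PS (reaching 10.4.254.10 from behind router 2 without the tunnel) is decided
# on router 2's side: its encrypt policy must not cover router 1's outer address.
# Placeholder remote subnet 10.5.0.0/16; mirror of router 1's catch-all.
/ip ipsec policy
add src-address=10.5.0.0/16 dst-address=10.4.254.10/32 action=none \
    comment="router 1 management address, cleartext"
add src-address=10.5.0.0/16 dst-address=10.1.99.0/24 \
    sa-src-address=10.4.254.1 sa-dst-address=10.4.254.10 \
    tunnel=yes action=encrypt proposal=default level=require

# --- Checks (either router) -----------------------------------------------------
# Order matters: the action=none entries must print above the encrypt entry.
/ip ipsec policy print
# If an exception ended up below the catch-all, move it by its list number:
# /ip ipsec policy move 3 0
# Confirm SAs actually exist for the encrypt policy before trusting the tunnel.
/ip ipsec installed-sa print
```

Traffic that router 1 itself originates from 10.4.254.10 is not matched by the catch-all policy anyway, since its source is not in 10.1.99.0/24, so the router's own monitoring replies and management sessions stay in cleartext regardless of tunnel state; the action=none entry on router 2 is what keeps the other direction open.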