ArShuRaZ
newbie
Topic Author
Posts: 27
Joined: Sat Apr 14, 2018 12:37 pm

Can MikroTik set route metrics for IPSec (Same subnet with multiple peers)

Wed Jun 22, 2022 11:05 am

I've tried to connect an IPsec VPN with a customer that has multiple WANs, and their device is a FortiGate.
They set up 3 (phase 1) peers, and each peer has 3 policies running active-active.
But in MikroTik I don't know how to set metrics so they can all be active at the same time.
(Because if only 1 peer can be active at a time, there will be a lot of error logs all the time.)
[attachment: 1655883350598.jpg]
My device is a MikroTik CHR with ROS 7.1.3
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can MikroTik set route metrics for IPSec (Same subnet with multiple peers)

Wed Jun 22, 2022 4:54 pm

Currently not. The maximum you can do (as of 7.3) is to set two peers for a policy; RouterOS then establishes an SA with only one of them at a time.
Or you can use IPsec-encrypted IPIP or GRE tunnels and standard routing.
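
The two options above written out for the branch (CHR) side, as an added example that is not configuration from this thread or from MikroTik: part A is the two-peer failover policy, part B is GRE over IPsec with ordinary routes, which is where the "metrics" the question asks for actually live. Names, addresses and the secret are placeholders; the comma-separated peer list in part A follows the thread's description, so confirm it on your own version with `/ip ipsec policy print`.

```routeros
# Added example, branch-office CHR, RouterOS 7.x. Not from the thread or MikroTik docs.
# Placeholders: BO WAN 192.0.2.5, BO LAN 10.20.0.0/24, HQ LAN 10.10.0.0/24,
# HQ WAN1 203.0.113.10, HQ WAN2 198.51.100.10, secret CHANGE-ME.

# --- Part A: one policy, two peers (failover, one SA at a time) ---
# DPD is what makes the switch to the second peer happen in finite time.
/ip ipsec profile add name=hq-prof hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 \
    dpd-interval=30s dpd-maximum-failures=3
/ip ipsec proposal add name=hq-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer add name=hq1 address=203.0.113.10/32 exchange-mode=ike2 profile=hq-prof
/ip ipsec peer add name=hq2 address=198.51.100.10/32 exchange-mode=ike2 profile=hq-prof
/ip ipsec identity add peer=hq1 auth-method=pre-shared-key secret="CHANGE-ME"
/ip ipsec identity add peer=hq2 auth-method=pre-shared-key secret="CHANGE-ME"
# Peer list syntax as described in the thread (assumed); only one of the two
# peers holds an SA for this policy at any moment.
/ip ipsec policy add peer=hq1,hq2 tunnel=yes src-address=10.20.0.0/24 dst-address=10.10.0.0/24 \
    proposal=hq-prop

# --- Part B: GRE over IPsec, one tunnel per HQ WAN, metrics in the routing table ---
# ipsec-secret makes RouterOS create a dynamic transport-mode peer/identity/policy
# per tunnel, so both tunnels are encrypted and up at the same time. Those dynamic
# objects use the *default* profile and proposal, so tighten those first:
/ip ipsec profile set default hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 \
    dpd-interval=30s dpd-maximum-failures=3
/ip ipsec proposal set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

/interface gre add name=gre-hq1 local-address=192.0.2.5 remote-address=203.0.113.10 \
    ipsec-secret="CHANGE-ME" keepalive=10s,10 mtu=1400
/interface gre add name=gre-hq2 local-address=192.0.2.5 remote-address=198.51.100.10 \
    ipsec-secret="CHANGE-ME" keepalive=10s,10 mtu=1400
/ip address add address=10.255.1.1/30 interface=gre-hq1
/ip address add address=10.255.2.1/30 interface=gre-hq2

# Active/standby: lower distance wins; check-gateway withdraws the route when the
# far end of a tunnel stops answering, so failover is a routing event, not IKE.
/ip route add dst-address=10.10.0.0/24 gateway=10.255.1.2 distance=1 check-gateway=ping comment="HQ via WAN1"
/ip route add dst-address=10.10.0.0/24 gateway=10.255.2.2 distance=2 check-gateway=ping comment="HQ via WAN2"
# Active/active instead: in 7.x give both routes the same distance and they form ECMP.

# Input chain, if the CHR drops unsolicited input (place before the drop rule).
# Accept GRE only when it arrived inside IPsec, never in the clear.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 src-address=203.0.113.10 action=accept
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 src-address=198.51.100.10 action=accept
/ip firewall filter add chain=input protocol=ipsec-esp src-address=203.0.113.10 action=accept
/ip firewall filter add chain=input protocol=ipsec-esp src-address=198.51.100.10 action=accept
/ip firewall filter add chain=input protocol=gre ipsec-policy=in,ipsec action=accept
/ip firewall filter add chain=input protocol=gre action=drop comment="GRE outside IPsec"
```

Part B only works if the customer terminates the tunnels the same way (GRE inside an interface-mode IPsec tunnel on the FortiGate), which is the point made later in the thread: whichever approach is chosen has to be the same at both ends, otherwise one side tries to deliver traffic over a policy the other side has no SA for.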
 
ArShuRaZ
newbie
Topic Author
Posts: 27
Joined: Sat Apr 14, 2018 12:37 pm

Re: Can MikroTik set route metrics for IPSec (Same subnet with multiple peers)

Thu Jun 23, 2022 5:35 pm

Thank you.

So I have to ask my customer to enable only 2 WANs at a time to avoid a lot of error logs.
 
ArShuRaZ
newbie
Topic Author
Posts: 27
Joined: Sat Apr 14, 2018 12:37 pm

Re: Can MikroTik set route metrics for IPSec (Same subnet with multiple peers)

Sun Jun 26, 2022 6:57 am

I've put 2 peers in the same policy, and the status was established, but I still get a lot of error messages. (Peer xxx_HQ_2's IP is ***.***.***.214)
[attachment: 1656215215143.jpg]
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can MikroTik set route metrics for IPSec (Same subnet with multiple peers)

Sun Jun 26, 2022 6:55 pm

The approach has to be the same at both "ends": MikroTik does not support more than one SA for any given policy at a time, so HQ2 must send packets for the MikroTik subnets via HQ1 in order to ever deliver them.

With an "all MikroTik" solution, both HQ1 and HQ2 must have routes to the MikroTik subnets via each other, and create IPsec policies dynamically upon request from the BO side. So when the BO MikroTik asks HQ1 for the policies, HQ1 creates them and these dynamically created policies override the routes; if the connection to HQ1 fails and BO asks HQ2 for the policies, HQ2 starts sending packets for the MikroTik subnets directly via its dynamically created policies, and once the IKE connection between BO and HQ1 times out at HQ1, HQ1 removes the policies and the routes via HQ2 "start working again" (actually, the traffic stops being intercepted by the policies).

In other words, in the current configuration the errors are just a symptom of a worse problem, i.e. that HQ2 wants to establish a policy to deliver packets to MikroTik rather than forwarding them to HQ1, so the packets get lost.
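
The HQ side of the "all MikroTik" scheme sketched above, written out for HQ1 as an added example (HQ2 is the same with the HQ1/HQ2 addresses swapped). This is not configuration from the thread; names, addresses and the secret are placeholders, and the branch side is assumed to be an initiator with a static policy whose peer list contains both HQs.

```routeros
# Added example, HQ1, RouterOS 7.x. Not from the thread or MikroTik docs.
# Placeholders: BO WAN 192.0.2.5, BO LAN 10.20.0.0/24, HQ LAN 10.10.0.0/16,
# HQ1 inter-HQ link 10.10.255.1/30, HQ2 inter-HQ link 10.10.255.2/30, secret CHANGE-ME.

# DPD is the mechanism by which HQ1 "times out" a dead BO connection and removes
# the dynamic policies; until it fires, the policies keep intercepting the traffic.
/ip ipsec profile add name=bo-prof hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 \
    dpd-interval=30s dpd-maximum-failures=3
/ip ipsec proposal add name=bo-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# Responder only: BO initiates, HQ1 never tries to bring the SA up itself, so HQ1
# does not fight HQ2 for a policy the way the FortiGate in the thread does.
/ip ipsec peer add name=bo address=192.0.2.5/32 passive=yes exchange-mode=ike2 profile=bo-prof

# A policy template bounds what BO may ask for; the real policy is generated per SA
# from the traffic selectors BO proposes (port-strict: only what was negotiated).
/ip ipsec policy group add name=bo
/ip ipsec policy add template=yes group=bo src-address=10.10.0.0/16 dst-address=10.20.0.0/24 \
    proposal=bo-prop
/ip ipsec identity add peer=bo auth-method=pre-shared-key secret="CHANGE-ME" \
    generate-policy=port-strict policy-template-group=bo

# Static route toward BO via HQ2. When HQ1 holds no SA to BO, this carries the
# traffic to HQ2; while HQ1 holds the dynamic policy, the policy grabs the packets
# after the routing decision and this route is effectively unused.
/ip route add dst-address=10.20.0.0/24 gateway=10.10.255.2 \
    comment="BO via HQ2, used only while HQ1 has no SA to BO"

# Inter-HQ link: only take BO-bound traffic from the other HQ, not from anywhere.
/ip firewall filter add chain=forward in-interface=ether-hq2 dst-address=10.20.0.0/24 \
    src-address=10.10.0.0/16 action=accept comment="BO traffic relayed from HQ2"
```

Two things to check after deploying it: `/ip ipsec policy print` on both HQs should show a dynamic (D-flagged) policy on exactly one of them at a time, and while neither HQ holds an SA the two mutual routes bounce BO-bound packets between HQ1 and HQ2 until their TTL expires, which is inherent in the scheme and is why the DPD interval above should be short.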
