I have a problem as described below:
- I have two regions in gcloud with two different addresses (192.xx.xx.0/24 and 192.yy.yy.0/24)
- a tunnel (IKE2) is created for each of these addresses
- each of the tunnels works on my router, however, when I want to run two at the same time, traffic stops going through one of them
- in the /ipsec/policy tab all tunnels have the status "established"
- this is likely not a problem on the gcloud side, as I have the same tunnels set up on a Fortigate in another location
- it is also not a RouterOS version problem (originally 6.47.x, then 6.49.x, now 7.6)
Code:
# nov/10/2022 12:02:22 by RouterOS 7.6
# software id = QCX6-3PXK
#
# model = RB750Gr3
# serial number = xxxxxxxxxxxx
/ip firewall nat
add action=accept chain=srcnat comment="Accept traffic to Gcloud tunnel" dst-address-list=GCLOUD-LAN \
src-address-list="LAN NETWORKS"
add action=accept chain=srcnat comment="Accept traffic from Gcloud tunnel" dst-address-list="LAN NETWORKS" \
src-address-list=GCLOUD-LAN
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=\
aes-256,aes-192,aes-128,3des
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
gcloud_profile
/ip ipsec peer
add address=xx.xx.xx.xx/xx exchange-mode=ike2 local-address=ll.ll.ll.ll/ll \
name=gcloud_peer_fra profile=gcloud_profile send-initial-contact=no
add address=yy.yy.yy.yy/yy exchange-mode=ike2 local-address=ll.ll.ll.ll/ll \
name=gcloud_peer profile=gcloud_profile send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=\
gcloud_proposal pfs-group=modp2048
/ip ipsec identity
add peer=gcloud_peer auth-method=pre-shared-key generate-policy=no #commented
add peer=gcloud_peer_fra auth-method=pre-shared-key generate-policy=no #commented
/ip ipsec policy
add dst-address=192.xx.xx.0/24 peer=\
gcloud_peer proposal=gcloud_proposal src-address=192.ll.ll.ll/24 tunnel=\
yes
add dst-address=192.yy.yy.0/24 peer=\
gcloud_peer_fra proposal=gcloud_proposal src-address=192.ll.ll.ll/24 \
tunnel=yes
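As an added troubleshooting aid (this is not part of the post, and not MikroTik's or Google's code): the script below parses a RouterOS export in the shape shown above, checks whether any two /ip ipsec policy entries have overlapping src/dst selectors (the first thing to rule out when a second tunnel silently swallows traffic), and flags legacy algorithms such as the modp1024 and 3des left in the posted default profile. Since the posted addresses are redacted, CONFIG is a constructed sample using documentation and private ranges; a third policy is deliberately included so the overlap check has something to report. The function names parse_export, policy_overlaps and weak_algorithms are mine.

```python
"""Sanity-check a RouterOS IPsec export for overlapping policies and weak algorithms.

Added example, not code from the forum post. CONFIG is a constructed sample that
mirrors the shape of the posted export with documentation/private addresses in
place of the redacted ones; the third policy is added on purpose to show a hit.
"""
import ipaddress
import shlex
from itertools import combinations

# Algorithms a current IPsec deployment should not negotiate (assumed list).
WEAK = {"modp1024", "3des", "des", "md5"}

# Constructed sample export. RouterOS continues a line with a trailing backslash.
CONFIG = r"""
# constructed sample, modelled on the posted export
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=\
aes-256,aes-192,aes-128,3des
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
gcloud_profile
/ip ipsec peer
add address=203.0.113.10/32 exchange-mode=ike2 local-address=198.51.100.5/32 \
name=gcloud_peer_fra profile=gcloud_profile send-initial-contact=no
add address=203.0.113.20/32 exchange-mode=ike2 local-address=198.51.100.5/32 \
name=gcloud_peer profile=gcloud_profile send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=\
gcloud_proposal pfs-group=modp2048
/ip ipsec identity
add peer=gcloud_peer auth-method=pre-shared-key generate-policy=no #secret removed
/ip ipsec policy
add dst-address=192.168.10.0/24 peer=\
gcloud_peer proposal=gcloud_proposal src-address=192.168.1.0/24 tunnel=\
yes
add dst-address=192.168.20.0/24 peer=\
gcloud_peer_fra proposal=gcloud_proposal src-address=192.168.1.0/24 \
tunnel=yes
add dst-address=192.168.20.128/25 peer=\
gcloud_peer proposal=gcloud_proposal src-address=192.168.1.0/24 tunnel=yes
"""


def parse_export(text):
    """Parse an export into {"/section": [ {key: value, ...}, ... ]}.

    Handles backslash continuations, '#' comments and quoted values; only
    'add' and 'set' commands are kept, and each key=value token becomes a dict entry.
    """
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        # A continued line is joined directly to the previous fragment (no space),
        # which is how 'enc-algorithm=\' + 'aes-256,...' must be read.
        line = pending + raw.lstrip() if pending else raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line:
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        tokens = shlex.split(line, comments=True)
        if section is None or not tokens or tokens[0] not in ("add", "set"):
            continue
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[section].append(entry)
    return sections


def policy_overlaps(sections):
    """Return (i, j, peer_i, peer_j) for policy pairs whose src AND dst selectors overlap."""
    hits = []
    pols = sections.get("/ip ipsec policy", [])
    for (i, a), (j, b) in combinations(enumerate(pols), 2):
        sa = ipaddress.ip_network(a.get("src-address", "0.0.0.0/0"), strict=False)
        da = ipaddress.ip_network(a.get("dst-address", "0.0.0.0/0"), strict=False)
        sb = ipaddress.ip_network(b.get("src-address", "0.0.0.0/0"), strict=False)
        db = ipaddress.ip_network(b.get("dst-address", "0.0.0.0/0"), strict=False)
        if sa.overlaps(sb) and da.overlaps(db):
            hits.append((i, j, a.get("peer", "?"), b.get("peer", "?")))
    return hits


def weak_algorithms(sections):
    """Return (section, name, key, algorithm) for every legacy algorithm in profiles/proposals."""
    findings = []
    for sec in ("/ip ipsec profile", "/ip ipsec proposal"):
        for entry in sections.get(sec, []):
            name = entry.get("name", "default")
            for key, value in entry.items():
                for alg in value.split(","):
                    if alg in WEAK:
                        findings.append((sec, name, key, alg))
    return findings


if __name__ == "__main__":
    parsed = parse_export(CONFIG)
    for i, j, pa, pb in policy_overlaps(parsed):
        print(f"policies #{i} ({pa}) and #{j} ({pb}) have overlapping selectors")
    for sec, name, key, alg in weak_algorithms(parsed):
        print(f"{sec} '{name}': {key} allows legacy algorithm {alg}")
```

On the sample it reports the overlap between policies #1 and #2 and the two legacy entries in the default profile; run against a real `/export` (with secrets stripped), an empty overlap list means the two policies are not competing for the same traffic and the search moves on to routing and NAT.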