what do you mean by first type?
There was a numbered list of destination subnet groups/types/categories right above that. So "first type" means "the ones local to the GCP site".
I would be very grateful if you could show examples
There is a simplified example in this post
. If it still doesn't explain the idea:
Imagine you have two subnets, 172.16.3.0/24 and 172.16.8.0/24, at the GCP end, and your local subnets are 172.16.5.0/24 and 172.16.71.0/24, and that you don't care about internet destinations at all.
There are 256 /24 subnets within 172.16.0.0/16, and you need to prevent just two of them from being matched only by the "any=>any" policy, because those which are neither local to the Mikrotik nor local to the GCP end will never be used (unless you have a more complex topology of your internal network). So for this case, leaving internet aside, the following "exception policies" are sufficient:
/ip ipsec policy
add action=none dst-address=172.16.5.0/24 src-address=0.0.0.0/0
add action=none dst-address=172.16.71.0/24 src-address=0.0.0.0/0
add action=encrypt dst-address=0.0.0.0/0 src-address=0.0.0.0/0
But if you need that hosts in the two local subnets can access internet, you need additional policies with action=none
, covering all the public address ranges, as follows:
dst-address=0.0.0.0/1 (0.0.0.0-127.255.255.255) (actually, this includes also 0.0.0.0/8, 10.0.0.0/8 and 127.0.0.0/8, which are not public address ranges, but it doesn't matter as we do not want the "any=>any" IPsec policy to match these anyway),
<--- here is the gap for the private address range 172.16.0.0/12 (172.16.0.0 - 172.31.255.255) --->
dst-address=192.0.0.0/2 (192.0.0.0-255.255.255.255) (like above, it doesn't matter that 192.168.0.0/16 is not a public address range, as it doesn't matter that we protect it from IPsec as well)
If it is not clear why the above looks the way it looks, you may be missing the concept how subnet mask works. Say, we have a range from 188.8.131.52 to 184.108.40.206. This can be expressed as 220.127.116.11/2, because this means "the most important three bits of the most important byte must be 10, the rest can be anything". So the most important byte may be anything from 1000 0000 (0x80, 128) to 1011 1111 (0xbf, 191). If you want 18.104.22.168/5 (22.214.171.124-126.96.36.199) not to be included, you have to split the above into several ranges. But instead of 8 individual /5 subranges within that /2 range, you can group them where possible:
> 128/4 \
136/5 / \
144/5 \ /
> 144/4 /
So you end up with 128/3, 160/5, and 176/4 as exceptions from the complete 128/2, and only 168/5 is not covered by any of those.