timofey
just joined
Topic Author
Posts: 8
Joined: Mon Jun 21, 2021 11:10 am

One ipsec policy and two peers

Mon Jun 21, 2021 11:19 am

Hi!

What happens if I set two peers for ipsec policy? Does it try to connect second peer if first unavailable (I have two ISP on remote end)?

example:
 /ip ipsec policy add peer=peer_main,peer_backup tunnel=yes src-address=192.168.1.0/24 src-port=any dst-address=192.168.2.0/24 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp sa-dst-address=1.1.1.1
 
nagylzs
Member
Posts: 353
Joined: Sun May 26, 2019 2:08 pm

Re: One ipsec policy and two peers

Mon Jun 21, 2021 7:21 pm

I might be wrong, but I think policies are not connecting to anything. Peers are. You can set up the initiator / responder side in the peer configuration; that decides who connects to whom.

But I don't know what happens when a policy (not a policy template!) is assigned to two peers and a connection is established with both of them. I have never done such a thing.
 
timofey
just joined
Topic Author
Posts: 8
Joined: Mon Jun 21, 2021 11:10 am

Re: One ipsec policy and two peers

Tue Jun 22, 2021 10:22 am

I did some tests.
When two peers are set for a policy, the router tries to connect to both. The second peer (backup ISP on the remote side) is inactive while the main ISP works, and the router can't connect to it ("phase 1 negotiation failed due to time up" in the log). When the remote side switches to the backup ISP, the router establishes a connection with the second peer and the policy works. There is an interruption of about 2-3 min, but it works!
 
presianbg
just joined
Posts: 10
Joined: Mon Jun 02, 2014 7:38 am

Re: One ipsec policy and two peers

Wed Apr 27, 2022 5:47 pm

Can we have official documentation or a statement from MikroTik staff on how this configuration actually works?
Cheers,
PY
 
adjd8t
just joined
Posts: 7
Joined: Sun Feb 12, 2023 5:30 pm

Re: One ipsec policy and two peers

Thu Nov 16, 2023 1:08 pm

Hi

bumping up an old post, but can anybody shed some light on the significance of this...
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: One ipsec policy and two peers

Fri Nov 17, 2023 1:17 am

can anybody shed some light on the significance of this...
I cannot provide an official documentation, only practical experience.

The use case is that the router with the dual-peer policy (typically acting as an initiator) establishes an IKE/IKEv2 SA with both peers (typically acting as responders) but only asks the first one to establish a data SA according to the policy. If it loses the IKE/IKEv2 SA with the first peer, it establishes the data SA to the second one. Once the IKE/IKEv2 SA with the first peer re-establishes, it does NOT move the data SA back to the first peer; that only happens if the IKE/IKEv2 SA with the second peer gets lost. If you want the data SA to return to the first peer when it recovers, you have to use a script for that.

If the remote peers are also Mikrotiks, they have to either create the corresponding policy dynamically and have static routes via each other to the subnet reachable using the traffic selector of that policy, or have the policy configured statically but only advertise themselves to the adjacent routers as the gateway to that subnet if the policy is active.

In the first case (dynamically generated policies), the dynamically generated policy overrides any "normal" routes, so if the router where the policy has been generated receives a packet for the remote subnet, it forwards it using the SA; if the policy is not generated, it forwards such a packet to the other responder as the static route says. In the second case, a periodically scheduled script is necessary to translate the activity of the policy into advertising of the subnet via OSPF or BGP or into raising a priority of a VRRP interface. A mix of both approaches is possible.
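The "second case" above (static policy on each responder, with a scheduled script that turns the policy's activity into a VRRP priority) as an added example; this is not code from the thread or from MikroTik, and the policy comment "to-remote-lan", the VRRP interface name "vrrp-lan" and the priorities 200/100 are assumed names and values.

```routeros
# Added example (not from the thread). Responder-side failover glue:
# while the static IPsec policy has an active data SA, this router
# advertises itself as the gateway by holding the higher VRRP priority;
# when the SA is gone, the priority drops and the other responder wins.
# Assumed names: policy comment "to-remote-lan", VRRP interface "vrrp-lan".
# Install as a script and run it from the scheduler, e.g.:
#   /system script add name=ipsec-failover source=[...this body...]
#   /system scheduler add name=ipsec-failover interval=10s on-event=ipsec-failover

:local polId [/ip ipsec policy find comment="to-remote-lan"]
:if ([:len $polId] = 0) do={
    :log warning "ipsec-failover: policy 'to-remote-lan' not found"
    :error "policy not found"
}
# "active" is the read-only A flag of the policy: true only while a data SA exists
:local isActive [/ip ipsec policy get $polId active]

:local vrrpId [/interface vrrp find name="vrrp-lan"]
:if ([:len $vrrpId] = 0) do={
    :log warning "ipsec-failover: VRRP interface 'vrrp-lan' not found"
    :error "vrrp interface not found"
}
:local current [/interface vrrp get $vrrpId priority]

# assumed priorities: 200 while the tunnel is up, 100 otherwise
:local wanted 100
:if ($isActive = true) do={ :set wanted 200 }

# only touch VRRP when the state actually changed, to avoid needless re-elections
:if ($current != $wanted) do={
    /interface vrrp set $vrrpId priority=$wanted
    :log info ("ipsec-failover: policy active=" . $isActive . \
        ", VRRP priority " . $current . " -> " . $wanted)
}
```

Because the priority is only raised while the SA exists, a responder whose IKE/IKEv2 SA is up but whose data SA was never requested (the second peer in the description above) keeps the low priority and does not attract traffic for the remote subnet.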
