I am out of ideas regarding this issue. Router01 has 2 internet connections and Router02 only has one.
ipsec0 is working fine via Router01's main internet connection (eth2).
ipsec1 will not connect properly (the idea is to have the second tunnel formed over the second internet connection, eth3).
I know that in RouterOS v6 services are not VRF-aware (including IPsec), but even with mangle rules or a route rule it does not work.
Torch on Router01's eth3 will sometimes show me Tx packets carrying the IP address of eth2.
If on a router I use the same pre-shared key in the identities of both peers (ipsec0 and ipsec1), phase 1 connects (even without VRF rules).
But in phase 2 of IPsec, the policies are reported as invalid for the second peer (ipsec1).
I guess it is a peer identity issue before it is a VRF one. I even tried setting "My ID Type" and/or "Remote ID Type", but without success (invalid credentials or unknown peer errors).
Does anyone have other ideas?
# Example mangle rule on Router01
# Marks locally generated traffic (chain=output) from 192.168.150.254 to 192.168.200.254
# with routing-mark=Backup. Exported in its disabled state (disabled=yes).
/ip firewall mangle add action=mark-routing chain=output disabled=yes dst-address=192.168.200.254 new-routing-mark=Backup passthrough=yes src-address=192.168.150.254
# Example route rule on Router01
# Same src/dst pair, forced to resolve only in routing table "Backup". Also exported disabled.
# NOTE(review): both rules key purely on the two IKE endpoint addresses; whether locally
# originated IKE/ESP packets are evaluated by them on v6 is exactly what is in question here.
/ip route rule add action=lookup-only-in-table disabled=yes dst-address=192.168.200.254/32 src-address=192.168.150.254/32 table=Backup
# Router01 config
# may/29/2022 07:35:34 by RouterOS 6.48.6
# software id =
#
#
#
# Loopback bridge that carries the 192.168.28.1 endpoint address assigned below.
/interface bridge
add arp=disabled name=loopback protocol-mode=none
# One policy template group per tunnel; the identities below reference them via policy-template-group.
/ip ipsec policy group
add name=ipsec0
add name=ipsec1
# Phase 1 profiles: same DH group and hash, but ipsec0 uses AES-256 and ipsec1 AES-128.
# The corresponding profile on Router02 uses the same values (see Router02's export).
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=ipsec0
add dh-group=ecp256 enc-algorithm=aes-128 hash-algorithm=sha256 name=ipsec1
# Both peers target Router02's single address 192.168.200.254 and differ only in local-address:
# ipsec1 binds to 192.168.150.254 (intended eth3 path), ipsec0 to 192.168.100.254 (eth2 path).
# NOTE(review): local-address fixes the IKE source address, not the egress interface; which
# interface actually carries the packets is decided by the routing table — confirm with /ip route print.
/ip ipsec peer
add address=192.168.200.254/32 exchange-mode=ike2 local-address=192.168.150.254 name=ipsec1 profile=ipsec1
add address=192.168.200.254/32 exchange-mode=ike2 local-address=192.168.100.254 name=ipsec0 profile=ipsec0
# Loopback address without a prefix length (host address); network= points at Router02's loopback 192.168.28.2.
/ip address
add address=192.168.28.1 interface=loopback network=192.168.28.2
# ether1 gets an address but no default route; ether2 and ether3 keep add-default-route at its
# default, so presumably two default routes end up in the main table — if so, that would be one
# explanation for eth3 occasionally transmitting packets sourced from the eth2 address; verify with /ip route print.
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1
add disabled=no interface=ether2
add disabled=no interface=ether3
# PSK identities, one per peer, each announcing its own local address as my-id.
# secret= is the IKE pre-shared key (the values here look like placeholders).
/ip ipsec identity
add my-id=address:192.168.100.254 peer=ipsec0 policy-template-group=ipsec0 secret=tunnel01
add my-id=address:192.168.150.254 peer=ipsec1 policy-template-group=ipsec1 secret=tunnel02
# ether3 is placed in VRF "Backup" (routing-mark=Backup); this is the table the example
# mangle/route rules in this post refer to.
/ip route vrf
add interfaces=ether3 routing-mark=Backup
/system identity
set name=Router01
# Router02 config
# may/29/2022 07:32:35 by RouterOS 6.48.6
# software id =
#
#
#
# Loopback bridge that carries the 192.168.28.2 endpoint address assigned below.
/interface bridge
add arp=disabled name=loopback protocol-mode=none
# One policy template group per tunnel, mirroring Router01.
/ip ipsec policy group
add name=ipsec0
add name=ipsec1
# Phase 1 profiles mirror Router01's: ipsec0 AES-256, ipsec1 AES-128, both ecp256/sha256.
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=ipsec0
add dh-group=ecp256 enc-algorithm=aes-128 hash-algorithm=sha256 name=ipsec1
# ipsec0: pinned to Router01's eth2 address 192.168.100.254/32.
# ipsec1: no address=, passive=yes, send-initial-contact=no — a responder-only entry that does not
# restrict the initiator's address, so it answers whatever source address Router01's second path uses.
# NOTE(review): any initiator that does not match ipsec0's /32 lands on ipsec1 (and therefore on the
# tunnel02 identity); the "invalid credentials / unknown peer" errors reported in the post presumably
# come from whichever peer/identity is actually selected — check /ip ipsec active-peers and the log.
/ip ipsec peer
add address=192.168.100.254/32 exchange-mode=ike2 local-address=192.168.200.254 name=ipsec0 profile=ipsec0
add exchange-mode=ike2 local-address=192.168.200.254 name=ipsec1 passive=yes profile=ipsec1 send-initial-contact=no
# Loopback host address mirroring Router01's; network= points at 192.168.28.1.
/ip address
add address=192.168.28.2 interface=loopback network=192.168.28.1
# Single uplink: ether1 gets an address only, ether2 keeps add-default-route at its default
# (presumably the one default route on this router).
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1
add disabled=no interface=ether2
# Identities carry only the PSK; unlike Router01, no my-id/remote-id is set, so Router01's
# my-id=address:... values are matched against the defaults here.
# NOTE(review): if the initiator's ID should be pinned per tunnel, remote-id= on these entries is
# where it would go — not verified against the observed errors.
/ip ipsec identity
add peer=ipsec0 policy-template-group=ipsec0 secret=tunnel01
add peer=ipsec1 policy-template-group=ipsec1 secret=tunnel02
/system identity
set name=Router02