just joined
Topic Author
Posts: 22
Joined: Tue Jul 02, 2013 5:05 pm

IPsec failover

Mon May 19, 2014 11:30 am

Hello, I'm a newbie with Mikrotik devices and have a question about IPsec with Cisco.

When I set up an IPsec site-to-site tunnel between two Cisco devices, I can use two tunnel endpoints, which will work as failover, i.e.:
crypto map blabla 1 set peer
crypto map blabla 1 set peer
How can I set up the same rules between Cisco and Mikrotik? Do I need to create an additional IPsec policy with a different tunnel endpoint IP and add an additional peer? Will it work as failover?
Member Candidate
Posts: 230
Joined: Fri Feb 22, 2013 7:16 pm
Location: Jackson, MS

Re: IPsec failover

Mon May 19, 2014 10:44 pm

It is just as simple in RouterOS to peer to two external devices: just go to IP - IPSEC - Peers and create two instances. As far as failover is concerned, that may look a little different depending on how you are setting this up and how you want it to fail over. If you can do it with route distance, that will work great. Sometimes, we will pass an EOIP tunnel through an IPSEC tunnel and then use the routing to handle the failover piece.
Posts: 28
Joined: Fri Jan 04, 2013 5:46 am
Location: Portland, OR USA

Re: IPsec failover

Sun Nov 06, 2016 12:27 am

Does anyone have a better answer for the original poster's question? Specifically in a Cisco to MikroTik tunnel with redundant WAN links. Simply adding a second peer with a different local address doesn't do anything; it's the /ipsec policy entry that needs to have the backup SA Src address.

The only solution I can think of is having two copies of the policies and using a netwatch script to disable/enable them, but I'm hoping there is a better way.
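
The netwatch approach described in the last post, written out as an added example (it is not part of the thread and not any poster's configuration): two policies with identical traffic selectors but different SA source addresses, toggled by `/tool netwatch`. It assumes RouterOS v6 syntax, that the IPsec peers already exist, and that the Cisco side accepts both MikroTik addresses; all addresses and comment names are constructed.

```routeros
# Constructed values (documentation ranges), replace with your own:
#   local LAN 10.1.0.0/24, remote LAN 10.2.0.0/24
#   WAN1 address 192.0.2.2 (gateway 192.0.2.1), WAN2 address 198.51.100.2
#   Cisco tunnel endpoint 203.0.113.1

/ip ipsec policy
# Primary policy: SA sourced from the WAN1 address.
add comment=vpn-wan1 src-address=10.1.0.0/24 dst-address=10.2.0.0/24 \
    tunnel=yes sa-src-address=192.0.2.2 sa-dst-address=203.0.113.1
# Backup policy: same selectors, SA sourced from the WAN2 address.
# Kept disabled so only one policy matches the traffic at a time.
add comment=vpn-wan2 disabled=yes src-address=10.1.0.0/24 dst-address=10.2.0.0/24 \
    tunnel=yes sa-src-address=198.51.100.2 sa-dst-address=203.0.113.1

/tool netwatch
# Probe the WAN1 gateway. When it stops answering, swap the policies and
# flush installed SAs so the tunnel renegotiates from the other address.
add host=192.0.2.1 interval=10s timeout=2s \
    down-script="/ip ipsec policy disable [find comment=vpn-wan1]; /ip ipsec policy enable [find comment=vpn-wan2]; /ip ipsec installed-sa flush" \
    up-script="/ip ipsec policy disable [find comment=vpn-wan2]; /ip ipsec policy enable [find comment=vpn-wan1]; /ip ipsec installed-sa flush"
```

The gateway probe only detects loss of the first hop; pointing netwatch at a host that is reachable only through WAN1 catches upstream failures as well.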
