Hi!
MikroTik could help by permitting multiple IPsec policies to cover the same ranges, but apparently that's remained a bug (or a limitation at best) since at least 2011 :-(
Not sure I would agree with the characterisation of this as a 'bug' - I'd call it more of a 'limitation', since support of multiple tunnels between the same two endpoint addresses is probably more of an /extension/ to base IPSEC functionality than an explicit part of the protocol itself :-}
I'm trying to use a MikroTik as the local end of an AWS Hardware VPN: See this link for what I'm talking about:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
So I looked at the docs, and the issue is different than what I initially understood - I thought that you needed to make two tunnels between the same peer endpoints, but really it's two remote peers, but you need the same /policy/ on each. So the RouterOS 'priority' attribute is supposed to be the way to support that, and YES, it doesn't seem to work as expected ;)

However, I think I found a work-around. When I made the policies slightly different, they appeared to both come up OK. I did it by making two minor changes to the 'duplicate' policy:

1. made the source subnet on one policy larger (i.e. instead of just 192.168.0.0/24, I made it 192.168.0.0/23), and
2. made the IPSEC protocols on one of them 'esp' and 'ah&esp' on the other.

Both peers came online, and SAs all set up OK. I could ping between the subnets, and when I killed one of them, the 'backup' seemed to carry on the VPN. Needs some further testing, but initial checks came up OK.

Have you raised this question with MT direct yet? If not, I'm going to ask them about it myself, as I'm interested to know whether they consider it expected behaviour! ;)

Cheers! Mike.
Basically you can extend your network directly into AWS - in my case into a VPC that has no public IP addresses at all (except on the outside of a VPG of course). And no NAT.
I'll go cogitate on the rest of your answer (re routes) now.
Regards, K.
-- 
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160

GPG fingerprint: 6D59 8AE6 810D 44E3 7626 7040 4DD6 F89F 3053 4774
Old fingerprint: 9DCA 0903 BCBD 0647 BCCC 2FA7 A35C 57A1 ACF9 00BB

Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
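The two-policy workaround Mike describes in the thread, written out as RouterOS 6 policy entries; this is an added example, not a configuration anyone posted. The public addresses, the VPC CIDR, the proposal name and the comma form of ipsec-protocols are assumptions, and the AWS-specific peer and proposal settings (not covered by the thread) are assumed to exist already.

```routeros
# Added example (not from the thread): Mike's workaround as two RouterOS 6 policies.
# Placeholders: 203.0.113.1 = MikroTik public address, 198.51.100.10 / .20 = the two
# AWS tunnel outside addresses, 10.10.0.0/16 = VPC CIDR, aws-proposal = an existing
# /ip ipsec proposal. Assumed syntax: ipsec-protocols accepts a comma-separated list.

# Tunnel 1: the exact local subnet, ESP only, listed first so it is the policy
# normally matched for 192.168.0.0/24 -> VPC traffic.
/ip ipsec policy add src-address=192.168.0.0/24 dst-address=10.10.0.0/16 \
    protocol=all sa-src-address=203.0.113.1 sa-dst-address=198.51.100.10 \
    tunnel=yes action=encrypt level=require ipsec-protocols=esp \
    proposal=aws-proposal comment="AWS tunnel 1"

# Tunnel 2: the 'duplicate' policy made slightly different, as in the thread:
# a wider source subnet (/23 instead of /24) and AH together with ESP.
# Caveat: the /23 also covers 192.168.1.0/24, so that range must not be in use
# locally for anything that should stay off the tunnel. AH does not survive NAT,
# which is fine here because the thread's setup has none.
/ip ipsec policy add src-address=192.168.0.0/23 dst-address=10.10.0.0/16 \
    protocol=all sa-src-address=203.0.113.1 sa-dst-address=198.51.100.20 \
    tunnel=yes action=encrypt level=require ipsec-protocols=ah,esp \
    proposal=aws-proposal comment="AWS tunnel 2 (backup)"

# Checks: both policies should be active, with one installed SA pair per remote
# address. To test failover, disable tunnel 1's policy and confirm pings to the
# VPC still go, now via the /23 policy's SA.
/ip ipsec policy print detail
/ip ipsec installed-sa print
```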