It works perfectly fine the first network I communicate across. The second network doesn't work until I disable and enable the policy. But then the first policy quits working. It shows active but quits passing traffic. It seems only one policy is operational at a time. I've even ripped out the firewall config to try to eliminate as much extraneous config as possible.
This is on a CCR1036-12G-4S running 7.14.3
Code: Select all
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128 name=XXXX-Profile
/ip ipsec peer
add address=xx.xx.xx.xx/32 local-address=xx.xx.xx.xx name=XXXX-Peer profile=XXXX-Profile
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add lifetime=1h name=XXXX-Proposal pfs-group=none
/ip firewall raw
add action=notrack chain=prerouting ipsec-policy=in,ipsec
add action=notrack chain=output ipsec-policy=out,ipsec
/ip ipsec identity
add peer=XXXX-Peer
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.185.3.0/27 peer=XXXX-Peer proposal=XXXX-Proposal src-address=10.128.51.8/30 tunnel=yes
add dst-address=10.185.4.0/27 peer=XXXX-Peer proposal=XXXX-Proposal src-address=10.128.51.8/30 tunnel=yes
add dst-address=10.128.10.0/25 peer=XXXX-Peer proposal=XXXX-Proposal src-address=10.128.61.8/30 tunnel=yes
add dst-address=10.185.3.0/27 peer=XXXX-Peer proposal=XXXX-Proposal src-address=10.128.51.12/30 tunnel=yes
add dst-address=10.185.4.0/27 peer=XXXX-Peer proposal=XXXX-Proposal src-address=10.128.51.12/30 tunnel=yes
add dst-address=10.128.10.0/25 peer=XXXX-Peer proposal=XXXX-Proposal src-address=10.128.61.12/30 tunnel=yes
add dst-address=10.185.3.0/27 peer=XXXX-Peer proposal=XXXX-Proposal src-address=10.128.51.20/30 tunnel=yes
add dst-address=10.185.4.0/27 peer=XXXX-Peer proposal=XXXX-Proposal src-address=10.128.51.20/30 tunnel=yes
add dst-address=10.128.10.0/25 peer=XXXX-Peer proposal=XXXX-Proposal src-address=10.128.61.20/30 tunnel=yes
add dst-address=10.185.3.0/27 peer=XXXX-Peer proposal=XXXX-Proposal src-address=10.128.51.24/30 tunnel=yes
add dst-address=10.185.4.0/27 peer=XXXX-Peer proposal=XXXX-Proposal src-address=10.128.51.24/30 tunnel=yes
add dst-address=10.128.10.0/25 peer=XXXX-Peer proposal=XXXX-Proposal src-address=10.128.61.24/30 tunnel=yes
... (57 policies in total)
