Hi Muhammad

I do consider the ipsec implementation on mikrotik to be broken.

Most other firewalls do implement ipsec on interface level. So all
traffic out that specific interface you define is being encrypted.

Not so Mikrotik. There ipsec is defined on routing level. This
works fine as long as you have one site to site ipsec connection with
one defined route.

But it breaks your local routing, if you want to be able to use a
default route via ipsec.

Here is an example:

Mtik 1:
192.168.1.1/24 Lan1
192.168.2.1/24 Lan2
default route via ipsec Lan5 (also matches 192.168.3.0/24)

Packets to be encrypted match policy routes:
192.168.3.0/24 (obsoleted by route below)
0.0.0.0/0

Mtik 2:
193.168.3.1/24 Lan1
Internet: NAT via Lan5

Packets to be encrypted match policy routes:
192.168.1.1/24
192.168.2.1/24

Now the problem is on the Mikrotik 1:

A Packet from 192.168.1.27 to 192.168.2.54 matches the ipsec policy
route 0.0.0.0/0. It is being ipsec encrypted and sent out the interface
Lan2, where the destination is unable to decrypt as this is an
unencrypted lan.

192.168.3.77 on the other hand, can reach any of your local lan
segments. Only local routing is broken and you don't want to route your
two local LANs via that slow ipsec link remotely.

I have asked the Mikrotik Support for a solution. The only solution
would be to not use a default route, but specify hundreds of specific
routes omitting the routes to your local lan networks.

Now this starts getting a real pain if you use this setup with a dozen
VLAN networks or so (VoIP, IpTV, various DMZ Ranges etc.).

If the packet encryption engine would be bound to Lan5 instead of the
route, this would not be any problem at all.

-Benoit-
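
The workaround described above (replacing the 0.0.0.0/0 policy with specific prefixes that omit the local LANs) can be computed rather than typed by hand. The following Python sketch is an added example, not part of the original post; it takes Mtik 1's local networks as 192.168.1.0/24 and 192.168.2.0/24, and the function names are hypothetical.

```python
import ipaddress

# Constructed from the example in the post: the two local LANs on Mtik 1.
LOCAL_LANS = ["192.168.1.0/24", "192.168.2.0/24"]


def policy_matches(dst, policy_dsts):
    """Return the first policy destination prefix containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    for prefix in policy_dsts:
        if addr in ipaddress.ip_network(prefix):
            return prefix
    return None


def default_minus_local(local_lans):
    """Split 0.0.0.0/0 into prefixes covering everything except local_lans."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for lan in map(ipaddress.ip_network, local_lans):
        kept = []
        for net in remaining:
            if lan.subnet_of(net):
                # Carve the LAN out of this prefix; yields the sibling blocks.
                kept.extend(net.address_exclude(lan))
            elif net.subnet_of(lan):
                # Prefix lies entirely inside an excluded LAN: drop it.
                continue
            else:
                kept.append(net)
        remaining = kept
    return [str(n) for n in sorted(remaining)]


if __name__ == "__main__":
    # With the single 0.0.0.0/0 policy, LAN1 -> LAN2 traffic is selected
    # for encryption, which is the breakage described in the post.
    print("192.168.2.54 vs default policy:",
          policy_matches("192.168.2.54", ["0.0.0.0/0"]))

    specific = default_minus_local(LOCAL_LANS)
    print(len(specific), "prefixes replace 0.0.0.0/0:")
    for prefix in specific:
        print(" ", prefix)

    # Local traffic no longer matches; remote LAN and Internet still do.
    for dst in ("192.168.2.54", "192.168.3.77", "8.8.8.8"):
        print(dst, "->", policy_matches(dst, specific))
```

Each additional local network or VLAN carved out of the default adds more prefixes to the list, so the output should be regenerated whenever the local addressing changes.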