Scenario:

- IPsec is established between a MikroTik and a non-MikroTik device (in this case a Cisco ASA 55xx series).

- But only 1 src network behind the MikroTik is able to communicate with 1 dst network.

- The MikroTik can communicate with another network, but only after killing the remote peer or flushing the SAs, and even then still with only 1 dst network.


To solve this issue:

- Change the level in the MikroTik IPsec policy. The MikroTik default is 'require'.


Here is the explanation from the Wiki:


level (require | unique | use; Default: require)


Specifies what to do if some of the SAs for this policy cannot be found:

use - skip this transform, do not drop packet and do not acquire SA from IKE daemon

require - drop packet and acquire SA

unique - drop packet and acquire a unique SA that is only used with this particular policy
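
Applied on the router, the change looks like the following added example (not part of the original post or the MikroTik wiki). It assumes `unique` is the level to switch to, based on the definition quoted above, and the subnets are constructed placeholders for two policies that share the same remote peer.

```routeros
# Constructed example: 192.168.10.0/24 is the local (src) network,
# 10.20.0.0/24 and 10.30.0.0/24 are two remote (dst) networks behind the ASA.

# 1. Inspect the existing policies; "level" shows require unless it was changed.
/ip ipsec policy print detail

# 2. Set every policy towards that peer to level=unique, so each
#    src/dst network pair negotiates its own SA instead of sharing one.
/ip ipsec policy set [find src-address="192.168.10.0/24" dst-address="10.20.0.0/24"] level=unique
/ip ipsec policy set [find src-address="192.168.10.0/24" dst-address="10.30.0.0/24"] level=unique

# 3. Drop the SAs that were installed under the old level so that
#    fresh ones are negotiated on the next matching packet.
/ip ipsec installed-sa flush

# 4. After sending traffic to both dst networks, confirm that a separate
#    pair of SAs (one per direction) exists for each policy.
/ip ipsec installed-sa print
```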