- IPsec is established between a MikroTik and a non-MikroTik device (in this case a Cisco ASA 55xx series).
- But only one source network on the MikroTik is able to communicate with one destination network.
- The MikroTik can communicate with another network, but only after killing the remote peer or flushing the SAs, and still with only one destination network.
To solve this issue:
- Change the level in the MikroTik IPsec policy; the MikroTik default is 'require'.
Here is the explanation from the Wiki:
level (require | unique | use; Default: require)
Specifies what to do if some of the SAs for this policy cannot be found:
- use - skip this transform, do not drop packet and do not acquire SA from IKE daemon
- require - drop packet and acquire SA
- unique - drop packet and acquire a unique SA that is only used with this particular policy
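
The change described above as RouterOS commands, assuming the intended new value is `unique` (the page does not name it). This is an added example, not configuration from the original post; the subnets are constructed placeholders.

```routeros
# Constructed example: 10.20.1.0/24 and 10.20.2.0/24 stand in for the
# destination networks behind the Cisco ASA. Replace them with your own.

# 1. Show the existing policies. A policy created without an explicit
#    level shows level=require, the default quoted above.
/ip ipsec policy print detail

# 2. Set level=unique on every policy that points at the ASA, so each
#    src/dst network pair acquires an SA used only by that policy.
/ip ipsec policy set [find dst-address=10.20.1.0/24] level=unique
/ip ipsec policy set [find dst-address=10.20.2.0/24] level=unique

# 3. Flush the SAs negotiated under the old level so that new ones are
#    acquired under the changed policies.
/ip ipsec installed-sa flush

# 4. Send traffic to each destination network, then confirm that one
#    SA pair is installed per policy instead of a single shared pair.
/ip ipsec installed-sa print
/ip ipsec policy print detail
```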