Mikrotik ipsec SPI mismatch with multiple subnets
When you have multiple subnets in one IPsec tunnel and you see a bad SPI for a given subnet, like this (pinging the 10.49.41.0/24 subnet, which has eroute #97, but the incoming ESP carries the SPI of SA #96):
[root@router.ista.cz ipsec.d]# ip xfrm monitor | grep 109.238
src 109.238.209.50 dst 178.17.0.241 reqid 0x4095 protocol esp SPI 0x3d282872
src 109.238.209.50 dst 178.17.0.241 reqid 0x4095 protocol esp SPI 0x3d282872
[root@router.ista.cz ipsec.d]# ipsec auto --status | grep praha | grep 3d282872
000 #96: "praha/2x0" esp.a9f0ce2@109.238.209.50 esp.3d282872@178.17.0.241 tun.0@109.238.209.50 tun.0@178.17.0.241 ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=4KB! ESPmax=4194303B
[root@router.ista.cz ipsec.d]# ipsec auto --status | grep praha
000 "praha/1x0": 10.49.41.0/24===178.17.0.241<178.17.0.241>...109.238.209.50<109.238.209.50>===10.49.224.40/29; erouted; eroute owner: #97
You have to set the policy level to "unique" instead of the default "require", see screenshot.
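As an added example (not part of the original post), here is a small POSIX shell script that automates the check above: it takes the SPI from an `ip xfrm monitor` line, finds which SA in `ipsec auto --status` output carries that SPI, and compares it with the eroute owner of the subnet being tested. The `ip xfrm` line and the `#96` / policy lines are the ones shown above; the `#97` SA line and its SPI values are constructed placeholders, because the post does not show that line.

```shell
#!/bin/sh
# Added example, not code from the original post: cross-check the SPI seen
# on incoming ESP packets against the SA that owns the eroute for the subnet
# you are pinging. A mismatch is exactly the symptom described above.

# Constructed sample input. The xfrm line, the "#96" SA line and the policy
# line are copied from the post; the "#97" SA line is constructed and its
# SPI values (11111111 / 22222222) are placeholders.
XFRM_SAMPLE='src 109.238.209.50 dst 178.17.0.241 reqid 0x4095 protocol esp SPI 0x3d282872'

STATUS_SAMPLE='000 #96: "praha/2x0" esp.a9f0ce2@109.238.209.50 esp.3d282872@178.17.0.241 tun.0@109.238.209.50 tun.0@178.17.0.241 ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=4KB! ESPmax=4194303B
000 #97: "praha/1x0" esp.11111111@109.238.209.50 esp.22222222@178.17.0.241 tun.0@109.238.209.50 tun.0@178.17.0.241 ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000 "praha/1x0": 10.49.41.0/24===178.17.0.241<178.17.0.241>...109.238.209.50<109.238.209.50>===10.49.224.40/29; erouted; eroute owner: #97'

# Pull the SPI out of one "ip xfrm monitor" line (prints e.g. 0x3d282872).
spi_from_xfrm() {
    printf '%s\n' "$1" | sed -n 's/.*protocol esp SPI \(0x[0-9a-fA-F]*\).*/\1/p'
}

# "ipsec auto --status" prints SPIs without the 0x prefix and without
# leading zeros (esp.a9f0ce2@...), so normalise before matching.
normalise_spi() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | sed 's/^0x//; s/^0*//'
}

# Which SA (#NN) carries the given SPI? Reads the status text on stdin.
sa_for_spi() {
    norm=$(normalise_spi "$1")
    grep -E "(^| )esp\.${norm}@" | sed -n 's/^000 \(#[0-9]*\):.*/\1/p'
}

# Which SA owns the eroute for a subnet? Reads the status text on stdin.
eroute_owner_for_subnet() {
    grep -F "$1===" | grep -F 'eroute owner:' \
        | sed -n 's/.*eroute owner: \(#[0-9]*\).*/\1/p'
}

# Verdict: returns 0 if the incoming SPI belongs to the SA that owns the
# eroute for the subnet, 1 otherwise. In real use, replace $STATUS_SAMPLE
# with the live output of "ipsec auto --status".
check_spi() {
    in_spi="$1"; subnet="$2"
    sa=$(printf '%s\n' "$STATUS_SAMPLE" | sa_for_spi "$in_spi")
    owner=$(printf '%s\n' "$STATUS_SAMPLE" | eroute_owner_for_subnet "$subnet")
    if [ -n "$sa" ] && [ "$sa" = "$owner" ]; then
        echo "ok: incoming SPI $in_spi belongs to $sa, which owns the eroute for $subnet"
        return 0
    fi
    echo "MISMATCH: incoming SPI $in_spi belongs to SA ${sa:-<unknown>}, but the eroute for $subnet is owned by ${owner:-<none>}"
    return 1
}

# Demo on the sample: reports the mismatch from the post (SPI of #96 arriving
# for a subnet whose eroute is owned by #97).
check_spi "$(spi_from_xfrm "$XFRM_SAMPLE")" 10.49.41.0/24 || :
```

Run it with `ip xfrm monitor` and `ipsec auto --status` feeding the two inputs instead of the embedded samples; a MISMATCH verdict means the peer is encrypting traffic for this subnet into an SA negotiated for another subnet pair. On the MikroTik side the knob is the `level` property of the IPsec policy (`/ip ipsec policy`): with `unique`, each policy gets an SA used only for that policy, instead of sharing one under `require`.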