IPsec VPN STS routing to extra remote subnets

[AndreKeen]

Hi everybody.

I'm trying to setup Site-to-Site Ipsec vpn between Keenetic Hopper SE (KN-3812) and Juniper SRX device. Same location working well Draytek Vigor dual wan. Now it changes to Keenetic.

Setup has done and tunnel is online. The problem is routing from Keenetic side (branch) to SRX (center point). There are extra network to be routed, but something is going not well.

What I've found.

No matter what remote lan will be first or second or third.

Routing performs only for one subnets fixed in association (center)

Examples:

When tunnel is offline route for 172.21.0.0/24 going to ISP. 

This issue is similar to this topic.  So I'm not lonely.

Firewall rules have nothing about vpn tunnels. How-tos not mentioned about several subnets vpn.
Other types of vpn not suitable solution. Draytek performs very well for years same configuration with extra subnets.

Maybe it could be solved  by Static Route Parameters, but what gateway ip and interface must be used?

I hope for a clue and thank you in advance.

 

[SySOPik]

Hello. I also configured it this way and there is a problem with additional subnets in IP-sec.
Just like the problem with wireguard endpoints, when there are 2 providers on the main router, and when switching them, the tunnel remains on the secondary provider.
Just like the additional WiSP does not always connect to the mobile access point on the phone,  if the access point is turned on after some time.

I think that developers pay more attention to drawing the interface than to fixing bugs.