skibi82
newbie
Topic Author
Posts: 43
Joined: Fri Mar 22, 2013 7:09 pm

The proposal to improve the VPN possibilities.

Thu Jan 30, 2014 8:05 pm

My suggestion is to finally add the src ip for:
- SSTP Client
- PPTP Client
- L2TP Client
- OVPN Client
- IPSEC PHASE 1

After adding the src ip option, VPN clients could finally establish two simultaneous connections to a VPN concentrator.
It would balance the links, and not only use the second link as a spare.
 
nz_monkey
Forum Guru
Posts: 2104
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: The proposal to improve the VPN possibilities.

Fri Jan 31, 2014 12:05 am

+1

On FortiGate you can specify "local-gw" and "remote-gw" for the IPSEC phase1; this gives you quite a bit of flexibility on devices with multiple IP addresses, allowing you to terminate/originate a tunnel to a specific IP but not others.

Example config from FortiGate:

    config vpn ipsec phase1
        edit "P1-SupplierVPN"
            set interface "port1"
            set local-gw 10.98.50.1
            set dhgrp 2
            set keylife 86400
            set proposal 3des-sha1
            set remote-gw 26.43.2.70
            set psksecret ENC #######
        next

Also, I know the Mikrotik guys laugh about how many times I have requested this, but PLEASE add Virtual Tunnel Interfaces to IPSEC, and finish off xauth-RADIUS support so it's actually useful ;)
 
i4jordan
Frequent Visitor
Posts: 77
Joined: Mon Sep 02, 2013 1:42 am

Re: The proposal to improve the VPN possibilities.

Fri Jan 31, 2014 12:28 am

+1 for Virtual IPsec Tunnel interfaces.

I implement IPsec tunnel interfaces in SonicWall SRA solutions and those tunnels work superbly with a load of (OSPF) routing options.

It would be perfect if RouterOS would support a kind of IPsec virtual interface, just like IPIP and GRE tunnels but with IPsec security as standard, with the performance of IPIP+IPsec and the nice MTU-independent usage of GRE+IPsec.

Also, source IP for any kind of tunnel is very important, especially if you have multiple WANs and, per WAN, a load of usable IP addresses.
 
i4jordan
Frequent Visitor
Posts: 77
Joined: Mon Sep 02, 2013 1:42 am

Re: The proposal to improve the VPN possibilities.

Fri Jan 31, 2014 12:30 am

Also, support for IPsec IKEv2 would be very nice.
 
andriys
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: The proposal to improve the VPN possibilities.

Fri Jan 31, 2014 9:10 am

"finish off xauth-RADIUS support so it's actually useful ;)"
+1

And also make NAT-T do its primary job: allow multiple clients behind the same NAT device to connect concurrently to the same VPN concentrator.
 
nz_monkey
Forum Guru
Posts: 2104
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: The proposal to improve the VPN possibilities.

Fri Jan 31, 2014 10:59 am

I think a big part of the problem with IPSEC on RouterOS is that Mikrotik are still using Racoon for IPSEC; to support most of the requested features they will need to move to StrongSwan.

Not a huge undertaking, but not a small one either.
 
i4jordan
Frequent Visitor
Posts: 77
Joined: Mon Sep 02, 2013 1:42 am

Re: The proposal to improve the VPN possibilities.

Fri Jan 31, 2014 12:27 pm

StrongSwan looks OK. They implemented IKEv2 and a load of other usable features.

http://www.strongswan.org

Mikrotik R&D please take a look at this.
 
i4jordan
Frequent Visitor
Posts: 77
Joined: Mon Sep 02, 2013 1:42 am

Re: The proposal to improve the VPN possibilities.

Mon Mar 24, 2014 4:37 pm

"StrongSwan looks OK. They implemented IKEv2 and a load of other usable features.

http://www.strongswan.org

Mikrotik R&D please take a look at this."

No response on this subject from Mikrotik development?

In short, it would be nice to have an IKEv2 implementation in RouterOS.
Is this planned for RouterOS v7?
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: The proposal to improve the VPN possibilities.

Mon Mar 24, 2014 4:43 pm

Yes, there are plans to add IKEv2, most likely in v7.
 
i4jordan
Frequent Visitor
Posts: 77
Joined: Mon Sep 02, 2013 1:42 am

Re: The proposal to improve the VPN possibilities.

Mon Mar 24, 2014 5:24 pm

@mrz, thank you for your quick answer.

I will be patiently waiting for v7.
