The current IPSEC implementation in RouterOS is very basic, to the point that for us it is unusable. Instead of selling a Mikrotik device or licence we sell a Juniper, Cisco or Fortinet device to terminate IPSEC.
The features I see as missing, and would like Mikrotik to implement, are:
XAuth - Extended Authentication
Allows for user/pass style authentication of IPSEC connections. This would allow RouterOS to be used as an access concentrator for “Road Warriors”.
Mode-cfg
Allows the access concentrator to specify various parameters for “Road Warrior” clients, e.g. DNS and routes.
VTI - Virtual Tunnel Interfaces
This has now been added to Linux, so it should be trivial for Mikrotik to support; see http://www.spinics.net/lists/netdev/msg200673.html
Description: Virtual tunnel interface is a way to represent policy based IPsec tunnels as virtual interfaces in Linux. This is similar to Cisco’s VTI (virtual tunnel interface) and Juniper’s representation of secure tunnel (st.xx). The advantage of representing an IPsec tunnel as an interface is that it is possible to plug IPsec tunnels into the routing protocol infrastructure of a router. Therefore it becomes possible to influence the packet path by toggling the link state of the tunnel or based on routing metrics.
I have seen all of these requested on the forums and wiki in the past, but IPSEC in RouterOS has changed very little in the past 3-4 years. It seems like Mikrotik has forgotten about IPSEC.
What are your thoughts on the RouterOS IPSEC implementation, and what would you like to see changed?
Would you buy more RouterOS devices/licences if these features were added?
I will occasionally have a customer do an IPSec tunnel using a Mikrotik if it is the remote device, but seldom if it is the hub.
I’ve hit oddities that despite every effort I can’t troubleshoot. Even the debugging messages aren’t always enough… they can be somewhat lacking.
Cisco has always been my go-to due to stability and debug output. They have a vast array of features, but it really comes down to reliability.
I would LOVE to see some xauth come in also. The virtual tunnels are a welcome addition too.
I was under the impression that MTK sudo wrote their own IPSec implementation… have the packages out there not caught up yet?
With more stability I would run MTKs for tunneling all day, just not at this time.
Ouch. That is sad to hear. We have had generally very good experiences with RouterOS; certainly we find no more bugs than we find on other vendors’ platforms.
It is mainly the poor IPSEC support that causes us to use other products, and I still hold hope that one day soon Mikrotik will improve it.
We do A LOT of IPSec site-to-site tunneling on Mikrotik, and I must say that I am happy. IPSec in Mikrotik just requires you to learn it and to do it by its rules.
That said, Road Warrior has a lot of problems, and the features above would help out a lot. VTI would be awesome.
I know you guys are super busy, but any idea when this feature will be implemented?
We will do some testing on the current implementation, but I would say xauth → RADIUS is pretty important to anyone wanting to deploy RouterOS as an IPSEC concentrator.