I need to create an IPIP tunnel to Azure with their VPN connector in routed mode. However, the default Profile and Proposal are used for my other IPIP tunnels. Is there a way to get an IPIP tunnel to use a different profile and proposal than default?
If not, is there a way to create an IP tunnel that is simply a routing interface like IPIP to work with third party routers that create routing interfaces over IPSEC (not policy based)?
Sure you can. It is just a convenience that when you set a non-empty value of ipsec-secret parameter of the /interface ipip, an IPsec configuration necessary to transport the IPIP tunnel is dynamically generated, but you can as well configure it manually with parameters of your choice.
To make the process as easy as possible, I’d recommend you to create the /interface ipip with the ipsec-secret parameter set at first, and then create the peer, identity, and policy as modified copies of those which RouterOS auto-creates for you:
create the /ip ipsec profile and /ip ipsec proposal you want to use for the Azure connection; in this example, I’ve called them azure-profile and azure-proposal
in the output of /ip ipsec peer print,
find the row index of the auto-created peer for Azure and use it instead of X in the following command,
find the auto-generated peer name and use it instead of PEER_NAME in the subsequent commands used to copy the identity and policy.
Once the above steps are done, you can remove the auto-generated items by removing the ipsec-secret value from the IPIP interface configuration: /interface ipip unset ipip-tunnel1 ipsec-secret
As the dynamically created peer now doesn’t collide with the manually created one any more, you can enable the latter and set its address parameter to the actual IP address (or fqdn?) of the Azure peer which you had to substitute with void.com when copying it in order to avoid the collision: /ip ipsec peer set azure-ipip disabled=no address=ip.of.azure.peer
If the profile and proposal are correct, in a few seconds you should see a row representing the Azure peer in the output of /ip ipsec active-peer, the policy active, and IPIP tunnel up as well.
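For reference, the end state the procedure above aims at, written out as a fully manual configuration. This is an added example, not part of the original post. The names azure-profile, azure-proposal, azure-ipip and ipip-tunnel1 come from the thread; the addresses, the algorithm choices, the secret placeholder and the transport-mode policy for IP protocol 4 are assumptions to adapt.

```routeros
# Constructed values: 198.51.100.5 = this router's public address,
# 203.0.113.10 = remote peer. Replace both with the real endpoints.
# Algorithm choices below are placeholders; use what the remote gateway accepts.

# Phase 1 parameters, kept separate from the "default" profile used by other tunnels
/ip ipsec profile
add name=azure-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048

# Phase 2 parameters, kept separate from the "default" proposal
/ip ipsec proposal
add name=azure-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=none

# IPIP interface with no ipsec-secret, so RouterOS creates no dynamic IPsec items
/interface ipip
add name=ipip-tunnel1 local-address=198.51.100.5 remote-address=203.0.113.10

# Static peer bound to the custom profile
/ip ipsec peer
add name=azure-ipip address=203.0.113.10/32 local-address=198.51.100.5 profile=azure-profile

# Pre-shared key for that peer (placeholder value)
/ip ipsec identity
add peer=azure-ipip auth-method=pre-shared-key secret="REPLACE_WITH_SHARED_SECRET"

# Transport-mode policy that protects only the IPIP payload (IP protocol 4)
# between the two tunnel endpoints, using the custom proposal
/ip ipsec policy
add peer=azure-ipip src-address=198.51.100.5/32 dst-address=203.0.113.10/32 \
    protocol=ipencap tunnel=no proposal=azure-proposal

# Checks: the peer should be listed as established and SAs should exist in both directions
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

Keeping the profile and proposal as separate named objects means the stronger settings apply only to this peer and leave the existing tunnels on the default ones untouched.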
I will give it a try soon. In the meantime, I just used a policy VPN gateway in Azure and used the standard IPSEC policy based setup in Mikrotik (with my custom profile and policy settings), which worked perfectly.