IPSec ID & tunnel initiation

We are looking to replace or supplement our current IPSec hub-and-spoke infrastructure with Mikrotik routers. The “Hub” device is a Snapgear VPN router and we want to use the RB750G at the hub locations.

Is there any way to set the IPSec initiator ID in Mikrotik OS? A large number of our hub sites have dynamic IP addresses, so we can’t use the IP as the identifier (which it looks like the Mikrotik does by default).

It looks like there are several posts on this topic but no resolution.
http://forum.mikrotik.com/t/ipsec-using-preshared-key-without-ip-pairing-email-address/35589/1
http://forum.mikrotik.com/t/dynamic-ipsec-interoperability/31108/1
http://forum.mikrotik.com/t/can-i-specify-an-ipsec-initiator-id/26814/1

All other IPSec solutions I have worked with allow you to set the IPSec ID; that way, if the initiator is connecting from a dynamic IP, it uses the ID to figure out which tunnel it is trying to connect to.

It looks like certificate-based IPSec might work, but with the certificates I can only use Main Mode and not Aggressive Mode IKE (maybe a Snapgear limitation).

Also, is it possible for the MikroTik to automatically bring up the IPSec tunnel? Since the MikroTik has a dynamic IP it has to initiate the IPSec connection, but the traffic inside the tunnel is initiated from the hub site, so there isn’t traffic on the spoke site towards the hub that would start the IPSec tunnel.

RouterOS allows you to use a feature called Netwatch. It will ping the remote LAN connections to bring up the tunnel without the need of apps (you can set the frequency of the pings). This is similar to keepalive features in other routers but with more control.

As far as your question on the identifiers, I would also like to see a method or have them add a feature to allow this to happen. For now my sites are working fine with Main Mode and using the remote IPs in my policies. I also have a couple of dynamic IPs on remote sites and that adds a little more complexity, but I was able to do it with the help of Greg (Kudos to you Greg!).

http://gregsowell.com/?p=1290

Hope this answers some of your questions.

AFAIK you cannot set the ID, unfortunately.
However, if you do use Netwatch as suggested to initiate traffic from the spoke to the hub initially, that’ll also have the side effect of keeping the tunnel up. Since aggressive vs. main mode only comes into play during phase 1, and since the tunnels will be always up, there shouldn’t be much drawback to using main mode, and you can use certificates.
Do you have any specific reason for strongly preferring aggressive mode?