Exactly my idea, and that’s what I did: opened a ticket via email with the following subject: Resource request - Tunnel Interface (VTI)
I explained my motivations. I hope that community demand changes Mikrotik’s stance on the feature.
One of the main reasons is cloud providers too: we cannot use, for example, BGP with them, plus other small reasons.
Our case is the same, solving it palliatively with Linux; in my case I use strongSwan. But I would love to see it directly on RouterOS, as it takes away one more point in my infrastructure to monitor and manage.
Yes, they told me it is not planned: “At the moment, there is no plan to add this functionality, but we will see if it can be supported in the future.”
That was in June 2024.
And that has been the status for at least 10 years now.
There is IMHO a good reason Mikrotik should reconsider priority of adding VTI interfaces.
When considering HA interlinks of various public cloud services with on-premise components, it’s mandatory (mandated by the cloud providers) that you use dynamic routing in the form of BGP, and that implies using route-based IPsec tunnels, implemented most often as VTIs.
For example, on AWS the template config for MikroTik uses a scary 0.0.0.0/0<=>0.0.0.0/0 policy due to the missing VTI, and AWS in their own words describe this solution as a “workaround”. And this workaround allows only one (1!) such connection per device. See the AWS re:Post article about BGP and MikroTik.
Please note I do not endorse any vendor, just showing the one I had the most experience with. I also had the same problems with Azure and GCP.
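For readers landing on the Linux/strongSwan workaround mentioned earlier in the thread, the following is an added example (not from any post above or from MikroTik/AWS material) of a route-based IPsec child: the same 0.0.0.0/0 traffic selectors the AWS template needs, but bound to a VTI by a mark so that several such tunnels can coexist on one host and BGP can run across the interface. All addresses, marks and the PSK are assumed placeholders.

```conf
# swanctl.conf fragment (assumed layout; adjust names/addresses to your peer)
connections {
    cloud-peer-1 {
        version = 2
        local_addrs  = 203.0.113.10      # assumed on-prem public IP
        remote_addrs = 198.51.100.1      # assumed cloud VPN endpoint
        proposals = aes256-sha256-modp2048
        local  { auth = psk  id = 203.0.113.10 }
        remote { auth = psk  id = 198.51.100.1 }
        children {
            vti1 {
                # Route-based: wildcard selectors, routing decides what enters the tunnel.
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                # The mark ties this SA pair to the vti1 interface created below;
                # a second peer gets its own child with a different mark and VTI.
                mark_in  = 101
                mark_out = 101
                esp_proposals = aes256-sha256-modp2048
                start_action = start
            }
        }
    }
}
secrets {
    ike-cloud-peer-1 {
        id-1   = 198.51.100.1
        secret = "PLACEHOLDER-CHANGE-ME"   # assumed; use a real PSK from the provider
    }
}

# Companion host setup, run once as root (comments only, not part of swanctl.conf):
#   ip link add vti1 type vti local 203.0.113.10 remote 198.51.100.1 key 101
#   ip addr add 169.254.10.2/30 remote 169.254.10.1 dev vti1   # assumed inside-tunnel /30
#   ip link set vti1 up
#   sysctl -w net.ipv4.conf.vti1.disable_policy=1
# and in strongswan.conf: charon { install_routes = no }
# so charon does not install a 0.0.0.0/0 route; FRR/bird then peers BGP with 169.254.10.1 over vti1.
```

Each additional cloud peer repeats the pattern with its own mark and vtiN interface, which is what the policy-only configuration on RouterOS cannot express.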
It’s crazy to me that MikroTik has had VTI as a feature request for over a decade without any kind of official stance being posted about it. Something as simple as “this is impossible due to architectural limitations of RouterOS” would be better than prolonged silence.
That said, I couldn’t tell you the last time I built an IPsec tunnel. It’s been at least five years, if not longer. I’ve long since stopped using any products or services that don’t support WireGuard.
IPSec is still usable enough if you ask me. However without VTI? Not so much.
With acceleration the CPU gets offloaded, leaving high throughput and not so much strain on the CPU.
So why ditch IPsec? I only use WireGuard for my site-to-site because... yes, you guessed it: lack of VTI.
In many cases, WireGuard outperforms or at least matches IPsec in throughput and latency even without the benefit of the hardware optimizations that IPsec enjoys, simply because WireGuard is a more lightweight protocol. I also like that it's less easily detected vs IPsec, which you know is a tunnel as soon as you sniff traffic.
If it seems like I'm trying to dissuade you from using IPsec, I'm not. I say use whatever works best for your particular situation. I just find that for my own use cases, WireGuard checks all the boxes and I love how easy it is to set up. We're in agreement that VTI would be a welcome addition to RouterOS's bag of tricks though.
Sure, whatever makes your heart beat. Heavy user of Wireguard here too. Very much like the protocol.
Especially for RoadWarrior applications I just love it because of its non-chatty and stateless nature.
Like a lot of people here, I have hoped for years that VTI will be implemented. However, given the years-long wish, I doubt MikroTik will implement it. Seems like a matter of principle that they don’t.
It depends on your work field if that is an option.
As a hobbyist, sure you can do that. In an environment where you decide what everyone has to conform to, you can as well.
But when you operate in a “professional” environment where other people pull the strings, and e.g. decide to use Azure cloud, or Cisco and similar network equipment, you will be laughed away with your Wireguard requirement.
Please grant this feature request. It’s been a long 10 years since this request and we can’t peer to the cloud without doing extra work; our stack has changed significantly but is still haunted by some MT gear deployed in various spots in our network, and I’m sick and tired of deploying additional resources just to make this happen. I’m losing hope honestly, but I can’t sigh…
I would like to note that only yesterday, within a support ticket opened with MikroTik, I was informed about plans to implement VTI IPsec. As confirmation, I am attaching a screenshot of the communication with support.