Please add the ability to choose Proposal

Hello,

Please add the ability to choose Proposal (in L2tp with “Use IPsec”)

Please explain why. L2TP always uses the default IPsec proposal, you can adjust security parameters for it if necessary. Additionally, you can create separate proposals for other IPsec tunnels.

I already have a configuration with a very large number of IPsec policies (all these policies use proposal=default).

Now I created an L2TP connection with “Use IPsec”, and I need another custom proposal for this.

I still do not see any real benefit of your request. It literally takes 2 seconds to change proposal value for your policies to a different one.

/ip ipsec proposal add name=newproposal copy-from=default
/ip ipsec policy set [find proposal=default] proposal=newproposal

I was just posting this exact same thing. Beat me to it :slight_smile:

For example: if I fill in IPsec Secret in an IPIP or EoIP tunnel, it uses the default policies and proposal too. If I want to have a different IPsec proposal (auth. or enc.) for L2TP and IP tunnels, I can’t. For now, I’m not using the quick L2TP or IPoIP (EoIP) IPsec solution, but I’m creating IPsec policies, peers and proposals for them the old way.

It would be better if it were possible to choose an IPsec Group for L2TP, IPoIP, EoIP etc.

Absolutely pointless thing.
Currently all tunnels with IPsec Secret enabled (l2tp/gre/…) create dynamic policies with the default proposal. Your “newproposal” will not be used.

What was suggested was to move all explicit IPSec config to a new proposal called “newproposal”.
You can then adjust the default one, and your dynamic IPSec things (tunnels with “use-ipsec=yes”) will use the default.

Anyway, if you are doing any in-depth IPSec config, you should NOT use the automagical “use-ipsec=yes”.
Configure IPSec for yourself for all the services, and you have full control over what is being done and how.

All my tunnels are configured with IPsec Secret enabled, and I will not change it.

We simply need the ability to choose Proposal for each tunnel.

Why is the use-ipsec=yes a bad thing?

It is not a bad thing if you just want to protect a connection.

What tomaskir said is that if you want to do an “in-depth IPSec config” it is better not to use these parameters and to create the policies for the tunnels yourself.

The solution proposed by emils and intrusdave to control the dynamic IPsec proposals for all tunnels using use-ipsec=true, i.e. to add a new proposal for whatever static configuration you have, while changing the default used by use-ipsec=true, is one I have used myself, and I think a good balance between a simple IPsec config using “use-ipsec” and a full proposal-policies configuration.
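The workaround described in the post above, written out as an added example (it is not a command sequence from the thread; the proposal name "static-proposal" and the algorithm values are assumed choices):

```routeros
# Added example, not from the thread. Goal: keep the hand-made policies on
# their current settings, and free up "default" for the dynamic policies that
# use-ipsec=yes / ipsec-secret tunnels create.

# 1. Clone the current default proposal under a new name for the static policies.
/ip ipsec proposal add name=static-proposal copy-from=default

# 2. Re-point every static (non-dynamic) policy that still references "default".
#    Dynamic policies are excluded; they keep following "default".
/ip ipsec policy set [find proposal=default !dynamic] proposal=static-proposal

# 3. "default" now only serves the dynamic policies, so tune it for them.
#    Algorithm choice below is an assumption; pick what your peers support.
/ip ipsec proposal set default enc-algorithms=aes-256-cbc \
    auth-algorithms=sha256 pfs-group=modp2048

# 4. Verify the split: static policies should show static-proposal,
#    dynamic ones (the D flag) should show default, and the installed SAs
#    should reflect the algorithms set in step 3.
/ip ipsec proposal print
/ip ipsec policy print detail where !dynamic
/ip ipsec policy print detail where dynamic
/ip ipsec installed-sa print
```

Re-establish a tunnel after step 3 if its installed SAs still show the old algorithms, since existing SAs are not renegotiated just because the proposal changed.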

I just messed up with the l2tp server and found the proposal for l2tp is not selectable.

Maybe it’s a “nice to have” feature.

Yes, we can create a proposal for every tunnel, but it’s a bit complex when the destination endpoint uses DDNS.

For someone from a search engine with the same scenario.

Now using a more complex IKEv2 setup (for IPIP, GRE, etc.), it works.

If both sites are using dynamic IPs, we have to use a script to update local-ip in the tunnel interface anyway; just add a few more lines to update the peer. 🤣