Pure IPSEC with ECMP

Is it possible to have two pure IPsec tunnels via different ISPs and make ECMP using both tunnels?
For instance, my branch network is 10.10.10.0/24 and I want to encrypt everything from 10.10.10.0/24 to 0.0.0.0/0 using both IPsec tunnels via different ISPs.
It seems that it is not possible, because when I create two equal IPsec policies, only one becomes active. Do you know some solutions (for pure IPsec)?

/ip ipsec policy
add dst-address=0.0.0.0/0 peer=peer2-1 sa-dst-address=172.17.150.2 sa-src-address=172.17.150.1 src-address=10.10.10.0/24 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2-2 sa-dst-address=172.17.150.130 sa-src-address=172.17.150.129 src-address=10.10.10.0/24 tunnel=yes

Hi Eric,
I was looking at this briefly. You can define multiple peers for a policy; I’m not sure if this will do ECMP, but it might be worth trying in a lab.
You could set up some CHR instances to test. If I get a chance to test this I will, and share the results.
I’ve often found policy based IPSec generally isn’t too great when it comes to doing things like ECMP.
If you control both ends of the IPSec tunnel you could use IPIP or GRE tunnels with IPSec and do ECMP over these.
Hope this helps
Cheers
Mark

I have an installation where I do similar thing, except I have three ISP connections on both sides, not two. It is easy in my case because I have 4 routers on each side. And I am not sure you can do that with just one.

Hey Andriys,
Since you have 3 routers on each side how do you manage routing between the subnets on each side.
Do they all aggregate into a LAN router which has 3 static routes for the same remote subnet, one for each IPsec router?
I’m just curious how you’re managing the load sharing.
Cheers
Mark

Yes. On each side I have a dedicated edge device for each ISP line (those are three ASA boxes on one side and three RB4011 on the other). An IPsec tunnel is built between each pair of edge devices, three tunnels in total. All these tunnels share exactly the same policies (i.e. bridge exactly the same networks on each side). And then I have a CCR1009 on each side that does the routing.

(And then for one internal network I also have three LACP-aggregated EoIP tunnels each routed over a specific IPsec tunnel).

hi Mark!
Could you give me example or link please?

Hi Eric,
When defining the traffic policy in box you can select 2 peers from the drop down list.
In the general tab of New IPSec Policy you can see little arrows to the right of the dropdown list to allow you select a second peer.
From the CLI it would be:

/ip ipsec policy> add peer=peer1,peer2 src-address=192.168.1.0/24 dst-address=192.168.2.0/24 protocol=all tunnel=yes action=encrypt level=require ipsec-protocols=esp proposal=default

Please note you’ll need to change the source and destination addresses, proposal, etc. according to your setup.

Cheers
Mark

Hey andriys
Thanks for the clarification. I was just wondering if I had missed a useful trick somewhere when you mentioned your setup the first time.
Cheers
Mark

Hi Eric,
So I’ve just tested setting 2 peers in the lab for the same policy; it didn’t do load sharing as hoped.
At this stage I’d suggest using an IPIP tunnel (a tiny bit less overhead than GRE) with IPsec; that way you can put /30s on the tunnel interfaces and do ECMP over them.
Cheers
Mark
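The IPIP-over-IPsec design Mark suggests, written out as an added RouterOS configuration example for the branch side (this is not from the original thread or from MikroTik's documentation). The outer endpoint addresses are reused from Eric's two policies; the ISP gateway addresses (172.17.150.254 and 172.17.150.253), the tunnel /30 subnets (10.255.0.0/30 and 10.255.1.0/30), the interface names and the shared secrets are assumptions and must be replaced.

```routeros
# Branch router. ISP1 uplink holds 172.17.150.1, ISP2 uplink holds 172.17.150.129
# (endpoint addresses taken from the policies above). The ISP gateways,
# tunnel /30s, interface names and secrets below are assumed placeholders.

# Pin each tunnel's outer packets to its own ISP so the two tunnels really take
# different paths. Without these /32 routes the default route added at the end
# would try to send the tunnel endpoints through the tunnels themselves.
/ip route
add dst-address=172.17.150.2/32 gateway=172.17.150.254 comment="hub endpoint 1 via ISP1"
add dst-address=172.17.150.130/32 gateway=172.17.150.253 comment="hub endpoint 2 via ISP2"

# One IPIP tunnel per ISP. Setting ipsec-secret makes RouterOS create a dynamic
# IPsec peer and policy for that tunnel's outer packets, so there is no manual
# policy and no second policy competing for the same selector.
/interface ipip
add name=ipip-isp1 local-address=172.17.150.1 remote-address=172.17.150.2 ipsec-secret=CHANGEME-isp1
add name=ipip-isp2 local-address=172.17.150.129 remote-address=172.17.150.130 ipsec-secret=CHANGEME-isp2

# A routed /30 on each tunnel interface; the hub gets the .2 side of each.
/ip address
add address=10.255.0.1/30 interface=ipip-isp1
add address=10.255.1.1/30 interface=ipip-isp2

# ECMP: a single default route with two gateways. RouterOS balances per flow
# (a source/destination address pair sticks to one gateway), so a connection is
# not split across tunnels and IPsec anti-replay windows are not upset.
# check-gateway=ping removes a dead tunnel's gateway from the route.
/ip route
add dst-address=0.0.0.0/0 gateway=10.255.0.2,10.255.1.2 check-gateway=ping
```

The hub side mirrors this with the addresses swapped and a route for 10.10.10.0/24 via 10.255.0.1,10.255.1.1. Remove the two manual policies from the original question first, otherwise they still claim the 10.10.10.0/24 to 0.0.0.0/0 selector, and make sure the input firewall on both uplinks accepts UDP 500/4500 and ESP from the hub endpoints. To confirm both paths are actually in use, check that `/ip ipsec active-peers print` lists both hub endpoints and that `/ip route print where dst-address=0.0.0.0/0` shows both gateways reachable; if only one gateway is reachable, traffic is failing over rather than being shared.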

Could you tell me when it is useful to set 2 peers for the same policy?

It may be useful for failover.