Question: Can I specify Proposal/Profile for EOIP/IPSEC?

Dear Mikrotik friends,

is there a way to define the Proposal and Profile when using EOIP with IPSEC?
My understanding is that the EOIP/IPSEC initiator automatically uses the setting based on the responder’s default settings.

Thanks for your input
dksoft

If you just specify the ipsec-secret value on the /interface eoip configuration row, RouterOS dynamically generates the IPsec configuration (peer, identity, policy) using the peer profile called default and the proposal called default.

So if you don’t plan to use this profile and proposal for other purposes, you can accommodate them to your needs. If you want to keep them unchanged, the simplest approach is to

  • create your own profile and proposal (let’s say my-profile and my-proposal)
  • set the ipsec-secret value on the /interface eoip configuration row so that RouterOS generates the IPsec objects
  • create static copies of those objects with modified parameters:
    /ip ipsec peer add copy-from=[find where dynamic] profile=my-profile name=my-eoip address=127.0.0.127
    /ip ipsec identity add copy-from=[find where dynamic] peer=my-eoip
    /ip ipsec policy add copy-from=[find where dynamic] proposal=my-proposal peer=my-eoip
  • unset the ipsec-secret on the /interface eoip configuration row
  • set the actual peer address on the static peer:
    /ip ipsec peer set my-eoip address=the.actual.peer.address
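As an added worked example (not taken from the posts above), here is the fully static configuration that the copy-from procedure ends up with, written out for one end of the tunnel so that the copied objects can be checked against it. The reason to bother is that the default profile and proposal are shared with every other IPsec peer on the router, so giving the EoIP tunnel its own objects lets you pin the IKE and ESP algorithms for this link without touching anything else. Everything concrete here is an assumption: WAN addresses 203.0.113.1 (this router) and 198.51.100.2 (the remote router), the interface and object names, IKEv2 as the exchange mode, and the algorithm choices. The remote router gets the mirror image with the addresses swapped. One caveat on the copy-from steps themselves: copy-from takes a single item, so run them while only one EoIP interface on the router carries an ipsec-secret, otherwise [find where dynamic] matches more than one object.

```routeros
# Added example: static EoIP-over-IPsec for one end of the tunnel.
# All addresses, names and algorithms are assumed values, not values from the
# thread. The other router gets the same config with the addresses swapped.

# Phase 1 (IKE) settings that would otherwise come from the "default" profile
/ip ipsec profile add name=my-profile \
    hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 \
    lifetime=1d nat-traversal=yes proposal-check=obey

# Phase 2 (ESP) settings that would otherwise come from the "default" proposal
/ip ipsec proposal add name=my-proposal \
    auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 \
    lifetime=30m

# Static peer: the object that "copy-from=[find where dynamic]" produces, with
# the real remote WAN address instead of the 127.0.0.127 placeholder.
# exchange-mode=ike2 is a choice made here, not something the thread states.
/ip ipsec peer add name=my-eoip address=198.51.100.2/32 \
    exchange-mode=ike2 profile=my-profile

# Static identity: the same pre-shared key must be set on both routers
/ip ipsec identity add peer=my-eoip auth-method=pre-shared-key \
    secret="use-a-long-random-psk-here"

# Static policy: EoIP rides inside GRE (IP protocol 47) between the two WAN
# addresses, so the policy protects exactly that traffic in transport mode
/ip ipsec policy add peer=my-eoip proposal=my-proposal \
    src-address=203.0.113.1/32 dst-address=198.51.100.2/32 protocol=gre \
    tunnel=no action=encrypt level=require ipsec-protocols=esp

# The EoIP interface itself WITHOUT ipsec-secret, so RouterOS does not add a
# second, dynamic set of peer/identity/policy next to the static ones
/interface eoip add name=eoip-site-b local-address=203.0.113.1 \
    remote-address=198.51.100.2 tunnel-id=10

# Checks once the remote side is configured: the policy should be active, an
# SA should be installed, and the peer should appear as established
/ip ipsec policy print detail where peer=my-eoip
/ip ipsec installed-sa print
/ip ipsec active-peers print
```

Because level=require is set on the policy, GRE between the two WAN addresses is dropped rather than sent in clear while no SA exists; that is the behaviour you want for a tunnel whose only purpose is to be encrypted.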

Dear Sindy,

thanks, it worked right away and is exactly what I was looking for!

Do I understand correctly that this solution does not support road warriors unless I find a method to set the actual peer address before the client connects?

For road warriors, you get less of a headache if you use tunnel mode of the SA and create an individual identity referring to an individual policy template group for each road warrior. That way, you can use static private addresses at both ends for the EoIP tunnel although the WAN addresses of the road warriors are unknown in advance. It will cost you one more IP header in each packet.

But to use EoIP on a road warrior is kind of an act of desperation, L2 protocols are quite unhappy with long round-trip delays.
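The road-warrior layout described in the last answer, written out as an added example (not configuration from the thread). The idea is that the EoIP endpoints are fixed private addresses that live on a port-less bridge at each end, and a tunnel-mode IPsec policy carries the GRE traffic between those private addresses to whatever WAN address the road warrior currently has. Assumptions: the hub's WAN address is 203.0.113.1, the inner addresses are taken from 10.9.0.0/24 with the hub at 10.9.0.1 and the first road warrior at 10.9.0.2, the road warrior identifies itself with the IKEv2 identity fqdn:rw1, and a profile my-profile plus a proposal my-proposal already exist (nat-traversal must be enabled in the profile, since road warriors are usually behind NAT). Putting the whole /24 on the bridge is what makes the remote inner address routable before the policy lookup; that is a design choice made here, not something the thread states.

```routeros
# Added example: one road warrior (rw1) connecting to a hub over EoIP in a
# tunnel-mode IPsec SA. Addresses, names and identities are assumed values.

# ---------- hub side ----------
# Port-less bridge holding the hub's fixed inner address; the /24 makes every
# road warrior's inner address a connected route, so packets to 10.9.0.x reach
# the IPsec policy lookup instead of being dropped for lack of a route
/interface bridge add name=lo-ipsec
/ip address add address=10.9.0.1/24 interface=lo-ipsec

# Responder-only peer without an address: road warriors may come from anywhere
/ip ipsec peer add name=rw-peer passive=yes exchange-mode=ike2 profile=my-profile

# One policy group and one template per road warrior: the template fixes which
# inner addresses this identity is allowed to negotiate (tunnel mode, GRE only)
/ip ipsec policy group add name=rw1
/ip ipsec policy add template=yes group=rw1 tunnel=yes protocol=gre \
    src-address=10.9.0.1/32 dst-address=10.9.0.2/32 proposal=my-proposal

# One identity per road warrior, matched by the ID it sends, with its own PSK
# and its own template group, so rw1's key cannot negotiate rw2's addresses
/ip ipsec identity add peer=rw-peer auth-method=pre-shared-key \
    secret="rw1-long-random-psk" match-by=remote-id remote-id=fqdn:rw1 \
    generate-policy=port-strict policy-template-group=rw1

# EoIP between the fixed inner addresses; the WAN address never appears here
/interface eoip add name=eoip-rw1 local-address=10.9.0.1 \
    remote-address=10.9.0.2 tunnel-id=21

# ---------- road warrior rw1 ----------
/interface bridge add name=lo-ipsec
/ip address add address=10.9.0.2/24 interface=lo-ipsec

/ip ipsec peer add name=hub address=203.0.113.1/32 exchange-mode=ike2 \
    profile=my-profile
/ip ipsec identity add peer=hub auth-method=pre-shared-key \
    secret="rw1-long-random-psk" my-id=fqdn:rw1

# Static tunnel-mode policy for GRE between the inner addresses; the hub's
# matching policy is generated from the template when this SA comes up
/ip ipsec policy add peer=hub tunnel=yes protocol=gre \
    src-address=10.9.0.2/32 dst-address=10.9.0.1/32 \
    proposal=my-proposal action=encrypt level=require

/interface eoip add name=eoip-hub local-address=10.9.0.2 \
    remote-address=10.9.0.1 tunnel-id=21

# Checks on the hub: a dynamic policy derived from the rw1 template should
# appear, and the EoIP interface should report running once GRE flows
/ip ipsec policy print detail where dynamic
/ip ipsec active-peers print
/interface eoip print
```

Each additional road warrior gets its own inner address, template group, identity, PSK and EoIP interface on the hub; sharing one PSK and one template across all of them would let any one key negotiate any other one's inner address.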