For those who have, I’d like to ask about the advantages and disadvantages of using it (the upsides and downsides). Also, which is better: IPsec or WireGuard?
Lastly, do I need a public IP address on both sides to use it?
If hardware acceleration is available on both sides, go with IPsec; otherwise use WireGuard. You’ll need at least one public IP on either side; if one is not available, use ZeroTier.
For RouterOS ↔ RouterOS? I don’t think it matters. Otherwise you’re probably better off with WireGuard, as RouterOS’s implementation of IPsec (especially “modern” IKEv2) is incomplete.
As a responder it still requires deprecated mode-config where more appropriate IKEv2 attributes exist. IIRC split-include can only be used via mode-config, IKEv2 traffic selectors are not supported.
I’m not quite sure which specific mode config you’re referring to that’s deprecated. As for split-include, you can do it, but why would you want unencrypted traffic routed outside of the tunnel at all, where it could be exploited by attackers? So it’s pretty important to be aware of the security risks involved in using it. Like the docs say, “Split networking isn’t a security measure. The client (initiator) can still request a different Phase 2 traffic selector.” And about traffic selectors, are we discussing v6 or v7, as mentioned in the IPsec documentation “https://help.mikrotik.com/docs/display/ROS/IPsec”? Besides, with ROS you can filter or select any egress traffic type for use by an encrypted tunnel.
IKEv1 and IKEv2 differ in how configuration can be supplied with IKEv2 being backward compatible. RouterOS only supports backward compatible configuration, “new” configuration payload is not (fully?) supported.
What a user may or may not want is orthogonal to what the implementation must support. And the implementation of IKEv2 must support the RFC in its entirety. The inability of RouterOS to configure IKEv2 clients per the standard makes its implementation of the protocol incomplete.
Unless we are talking enterprise, WireGuard is relatively easy. It is designed for:
A. Road warriors reaching:
a. the internet via the connection point
b. LAN devices
c. the router config for admin.
B. Connecting two or more routers/road warriors to:
a. use the internet at another site
b. reach the LANs of any router
c. allow the admin to configure any router
Caveat: The best scenario is that you have at least ONE router with a public-facing IP address (static or dynamic) OR an upstream ISP router with a public IP, which can forward the WireGuard port to your router.
Alternative: Find a friend who has a MT router with a public IP to host the WireGuard connection point.
Alternative: Use IPv6
Alternative: What I would do is rent a server ($7 US) and put a CHR on it as my connection point with a public IP.
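To make the "only one router has a public IP" scenario concrete, here is an added RouterOS v7 site-to-site WireGuard configuration (my example, not from any post in this thread). The addresses (203.0.113.10 for the public side, 192.168.1.0/24 and 192.168.2.0/24 LANs, 10.0.0.0/24 tunnel), interface name wg0, port 13231 and the key placeholders are all assumptions; only the public-IP side listens, and the NAT side initiates and keeps the mapping alive.

```routeros
# ---- Site A: the router WITH a public IP (203.0.113.10) ----
# Listener side: fixed UDP port that must be reachable (or port-forwarded by the ISP router).
/interface/wireguard add name=wg0 listen-port=13231 private-key="<SITE_A_PRIVATE_KEY placeholder>"
/ip/address add address=10.0.0.1/24 interface=wg0
# Only site B's tunnel IP and its LAN are allowed in; no endpoint needed, site B will connect to us.
/interface/wireguard/peers add interface=wg0 public-key="<SITE_B_PUBLIC_KEY placeholder>" \
    allowed-address=10.0.0.2/32,192.168.2.0/24 comment="site-b"
# RouterOS does not create routes from allowed-address (unlike wg-quick), so add one explicitly.
/ip/route add dst-address=192.168.2.0/24 gateway=wg0
# Accept the handshake on the WAN. Move this rule above the default "drop all from !LAN" input rule.
/ip/firewall/filter add chain=input in-interface-list=WAN protocol=udp dst-port=13231 \
    action=accept comment="wireguard handshake"
# Treat the tunnel as an internal interface so the default forward rules let LAN<->LAN traffic through.
/interface/list/member add list=LAN interface=wg0

# ---- Site B: the router BEHIND NAT (no public IP) ----
# No listen-port required; this side only dials out.
/interface/wireguard add name=wg0 private-key="<SITE_B_PRIVATE_KEY placeholder>"
/ip/address add address=10.0.0.2/24 interface=wg0
# endpoint-address points at site A's public IP; persistent-keepalive keeps the NAT mapping open
# so site A can still reach site B when no user traffic is flowing.
/interface/wireguard/peers add interface=wg0 public-key="<SITE_A_PUBLIC_KEY placeholder>" \
    endpoint-address=203.0.113.10 endpoint-port=13231 \
    allowed-address=10.0.0.1/32,192.168.1.0/24 persistent-keepalive=25s comment="site-a"
/ip/route add dst-address=192.168.1.0/24 gateway=wg0
/interface/list/member add list=LAN interface=wg0

# Check on either side: last-handshake must be recent, rx/tx must both be non-zero.
/interface/wireguard/peers print detail
```

Leave the private key out of the `add` command if you want RouterOS to generate it; then read the public key from `/interface/wireguard print` and paste it into the other side's peer entry.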