Routing over ipsec

Hello,

@Home I have a Juniper SRX, on the go a MAP2nd, and life was good.
However, there are multiple connections to the Juniper@home.

Normally I would set up OSPF for this. However, I found out that this isn't possible for a MikroTik with IPsec (since there is no tunnel interface on the MikroTik to bind the OSPF to).
Since there are only 3 networks, any form of manually configuring routes is perfectly fine.

Any chance to get this working without changing to a different type of tunnel?

Kind regards
Mark

GRE over IPsec.

Isn't that unnecessarily complicated?
We have IKE with IPsec, and on top of that we make another tunnel…

Is there a solution without a second tunnel?

No, you should make the IPsec profile only for transport mode (between the public IP addresses) and put GRE inside that as a tunnel.

I have done what pe1chl has described in a system in New Jersey for a customer. They had 6 sites with public IPs; it works pretty well. You can configure the GRE tunnels to utilize IPsec. Then assign the GREs to OSPF.

GRE over IPsec is fine. In the (hopefully near) future, probably IPsec VTI will be an option in RouterOS v7.

I really hope VTI is introduced in RouterOS v7. I want this feature so bad.

Hi koos147,
The correct solution for this problem is for ROS to implement VTI, or even better XFRM interfaces. But until such time comes, what I normally do, which does not require double tunneling, is to use IPsec in transport mode with an IPIP tunnel; then you can put whatever routing protocol you need on top. It does have a BIG drawback: you can't be behind a NAT. If any of the endpoints are behind NAT, you need an IPsec tunnel and some other tunnel inside, e.g. GRE.

Yes, that is the recurring problem. Whenever some solution has been implemented after years of requests, the whole thing will start again with the next “better solution”.