I know this question seems to have been asked many times, but it seems that no one has actually answered or looked into the issue (would love some MikroTik input here).
The issue seems to be that there is NO way (that I can find) to monitor a site-to-site IPsec connection. With other VPNs we can monitor traffic between the sites, but NOT IPsec.
Also I have a further issue: because you cannot ping from router to router (through the IPsec) without setting the source interface of the ping, it seems you also cannot monitor to ensure the VPN is actually functioning as it should.
Has someone found a workaround for this? A really big shortcoming of The Dude if this is actually the case.
You can solve problems like this by using IPIP/IPsec tunnel instead of a direct IPsec tunnel.
Put a /30 network on the tunnel endpoints and (auto)route the traffic across it.
Much more convenient for lots of purposes.
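A concrete RouterOS configuration for the IPIP-over-IPsec arrangement suggested above, added here as an illustration; it is not taken from the post or from MikroTik's documentation. The public addresses (198.51.100.1 and 203.0.113.2), the /30 on the tunnel (10.255.0.0/30), the LAN prefixes, the interface name and the pre-shared key are all assumed placeholders, and the syntax is RouterOS 6 style.

```routeros
# Site A (public 198.51.100.1, LAN 192.168.1.0/24). Mirror this on site B
# with the addresses swapped. All addresses are assumed placeholders.
# ipsec-secret makes RouterOS create the IPsec peer and policy for the
# IPIP traffic automatically (ESP), so no separate /ip ipsec config is needed.
/interface ipip
add name=ipip-siteB local-address=198.51.100.1 remote-address=203.0.113.2 \
    ipsec-secret=CHANGE-ME-long-random-psk

# /30 on the tunnel: the far end (10.255.0.2) is now an ordinary routed
# neighbour, so a plain ping from the router goes through the tunnel
# without having to set src-address.
/ip address
add address=10.255.0.1/30 interface=ipip-siteB

# Send the remote LAN across the tunnel.
/ip route
add dst-address=192.168.2.0/24 gateway=10.255.0.2

# Liveness check: Netwatch pings the far /30 endpoint every 30 s and logs
# state changes (the scripts could also disable a backup route, etc.).
/tool netwatch
add host=10.255.0.2 interval=30s timeout=2s \
    down-script=":log warning \"ipip-siteB tunnel DOWN\"" \
    up-script=":log info \"ipip-siteB tunnel UP\""

# Manual check from the CLI (no src-address needed):
/ping 10.255.0.2 count=5
```

Once this is in place, The Dude can simply probe 10.255.0.2 from site A (and graph the traffic counters of ipip-siteB) like any other interface. Both routers still need firewall rules accepting UDP 500/4500 and ESP from the other public address, and the IPIP plus ESP overhead means the tunnel MTU should be lowered or TCP MSS clamped to avoid fragmentation.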
Yes, I did think of this; the only issue we have seen doing this is that using IPIP over IPsec significantly reduces your throughput. We have seen as much as 50% less doing this.
We have also looked at EoIP just for the monitoring and management interface. While it kind of works, it is very unreliable and not a good solution.
IPsec has been the corporate standard for many years; it's a little sad that we seem unable to perform basic monitoring on this platform…
I agree, I think it has something to do with IPsec offload (built into most MikroTik products). If you add another tunnel protocol like ISIS then the CPU load increases dramatically and affects throughput.
Our testing was carried out with 2 x 2011s, running pure IPsec and then introducing another tunnel.
The long and short of it is that this needs to be fixed properly; we can do all kinds of things to get around the issue, but it really needs to be fixed…
But did you just add an IPIP interface over an already working IPsec tunnel?
Or did you remove the IPsec tunnel and then create an IPIP tunnel with IPsec transport, by setting the IPsec option in the IPIP tunnel interface and entering a secret?
Because I think that works well. Of course on the 2011 it will never really scream, but I don’t think there is a difference between those two options.
When you have 2011s and want a tunnel that is secure against external attacks (ingress of unwanted traffic) but do not really need privacy, you can set up IPsec in AH transport mode between the sites and then configure an IPIP tunnel on top of that.
This has to be done manually as the IPsec autoconfiguration does not support that.
In this mode you will have much improved performance but anyone listening in on your communication could see your payload packets.
However, when using tunnels between company branches and operating on a single ISP with reasonably secure access (DSL, FTTH), this could be acceptable. The ISP would not be monitoring your packets and external attackers don't have access to that.
When using different ISPs, wireless, mobile, etc it of course is different.
I have some tunnels like that for private purposes and my 2011 can easily saturate my 50/20 Mbps VDSL2 with that, and it cannot do that in ESP mode.
When this is not an acceptable solution, toss your 2011’s and use RB750Gr3 which has hardware accelerated ESP.
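The manual AH-transport-plus-IPIP setup described in the post above, written out as an added RouterOS example (it is not the poster's own configuration). As the post notes, the IPIP interface's built-in IPsec option only generates ESP policies, so the peer, proposal and policy are created by hand. Public addresses 198.51.100.1/203.0.113.2, the 10.255.0.0/30 tunnel net, the LAN prefixes, names and the pre-shared key are assumed placeholders; the syntax is RouterOS 6 (in 6.43 and later the peer's `secret=` moves to `/ip ipsec identity`).

```routeros
# Site A. AH-only IPsec in transport mode underneath a plain IPIP tunnel:
# every IPIP packet is integrity-protected and authenticated, but NOT
# encrypted, so anyone on the path can read the payload.
# All addresses below are assumed placeholders; mirror on site B.

# Proposal with an authentication algorithm only (no cipher is used by AH).
/ip ipsec proposal
add name=ah-only auth-algorithms=sha256 enc-algorithms=null pfs-group=modp2048

# IKE peer to the remote public address (secret= is RouterOS <= 6.42 syntax).
/ip ipsec peer
add address=203.0.113.2/32 exchange-mode=main secret=CHANGE-ME-long-random-psk

# Transport-mode policy that matches only IPIP (IP protocol 4, called
# "ipencap" in RouterOS) between the two public addresses and uses AH.
/ip ipsec policy
add src-address=198.51.100.1/32 dst-address=203.0.113.2/32 protocol=ipencap \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.2 tunnel=no \
    action=encrypt level=require ipsec-protocols=ah proposal=ah-only

# Plain IPIP on top. No ipsec-secret here: the policy above protects it.
/interface ipip
add name=ipip-siteB local-address=198.51.100.1 remote-address=203.0.113.2
/ip address
add address=10.255.0.1/30 interface=ipip-siteB
/ip route
add dst-address=192.168.2.0/24 gateway=10.255.0.2

# Verify: the installed SA should show AH, and the far /30 end should answer.
/ip ipsec installed-sa print
/ping 10.255.0.2 count=5
/interface monitor-traffic interface=ipip-siteB once
```

Two caveats a practitioner should keep in mind with this variant: AH authenticates the outer IP header, so it will not work if either router sits behind NAT (use ESP there), and because the payload is in the clear the only thing AH buys you is that forged or injected IPIP packets are dropped, which is exactly the "ingress of unwanted traffic" protection the post is after.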