The proposal to improve the VPN possibilities.

My suggestion is to finally add the src ip for:

  • SSTP Client
  • PPTP Client
  • L2TP Client
  • OVPN Client
  • IPSEC PHASE 1

After adding the src IP option, VPN clients could finally establish two simultaneous connections to a VPN concentrator.
That would balance the links, and not only use the second link as a spare.

+1

On FortiGate you can specify “local-gw” and “remote-gw” for the IPSEC phase1; this gives you quite a bit of flexibility on devices with multiple IP addresses, allowing you to terminate/originate a tunnel to a specific IP but not others.

Example config from FortiGate:

    config vpn ipsec phase1
        edit "P1-SupplierVPN"
            set interface "port1"
            set local-gw 10.98.50.1
            set dhgrp 2
            set keylife 86400
            set proposal 3des-sha1
            set remote-gw 26.43.2.70
            set psksecret ENC #######
        next
    end

Also, I know the Mikrotik guys laugh about how many times I have requested this, but PLEASE add Virtual Tunnel Interfaces to IPSEC, and finish off xauth-RADIUS support so it's actually useful :wink:

+1 for Virtual IPsec Tunnel interfaces.

I implement IPsec tunnel interfaces in SonicWall SRA solutions, and those tunnels work superbly with a load of (OSPF) routing options.

It would be perfect if RouterOS would support a kind of IPsec virtual interface just like IPIP and GRE tunnels, but then standard with IPsec security, with the performance of IPIP+IPsec and the nice MTU-independent usage of GRE+IPsec.

Also, source IP for any kind of tunnel is very important, especially if you have multiple WANs and, per WAN, a load of usable IP addresses.

Also, support for IPsec IKEv2 would be very nice.

+1

And also make NAT-T do its primary job: allow multiple clients from behind the same NAT device to connect concurrently to the same VPN concentrator.

I think a big part of the problem with IPSEC on RouterOS is that Mikrotik are still using Racoon for IPSEC; to support most of the requested features they will need to move to StrongSwan.

Not a huge undertaking, but not a small one either.

StrongSwan looks OK. They implemented IKEv2 and a load of other usable features.

http://www.strongswan.org

Mikrotik R&D please take a look at this.

No response on this subject from Mikrotik development?

In short, it would be nice to have an IKEv2 implementation in RouterOS.
Is this planned for RouterOS v7?

Yes, there are plans to add IKEv2, most likely in v7.

@mrz, thank you for your quick answer.

I will be patiently waiting for v7.