Hello.
I have to setup a site-2-site IPsec from MikroTIK device with VRRP configuration. Is it possible to bind IPsec service to VRRP virtual IP? Could you give some configuration examples?
Best Regards
Daniel
I didn’t try it, but it’s possible to specify a local address for the peer, and it doesn’t have to be an address currently assigned to the router, so it’s possible to set the same config even on the backup router. I think it will work. You’ll probably want to enable/disable the IPsec config using on-master/on-backup scripts.
Yes, IPsec can work on top of the VRRP interface. I’ve been using this scenario for years.
Simply use the virtual IP as the local address in the IPsec peer definition and as the src. address in the policies. I use this for GRE/IPsec tunnels where both ends are VRRP virtual addresses. If the VRRP interface is in backup state, then IPsec connections with the virtual IP do not work.
As a small enhancement you can use the VRRP on-master/on-backup scripts to switch these IPsec definitions between normal and passive state, so when VRRP is in backup state IPsec does not try to set up these tunnels and does not fill the log with messages “ipsec,error phase1 negotiation failed due to send error.”.
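Putting the two answers above together, here is a RouterOS configuration written as an added example for this thread; it is not any poster's configuration. Every address, interface name, VRID and profile name below is an assumption I constructed for illustration, and the pre-shared key is a placeholder. The peer is bound to the VRRP virtual IP via local-address, the policy's sa-src-address is the same virtual IP so the SA follows whichever router is master, and the on-master/on-backup scripts flip the peer between active and passive so the backup router never attempts phase 1.

```routeros
# Added example, not the forum posters' config. Constructed values:
#   192.0.2.10   = VRRP virtual IP shared by the two local routers
#   192.0.2.11   = this router's own address on ether1
#   198.51.100.1 = remote site's IPsec endpoint
#   10.1.0.0/24  = local LAN, 10.2.0.0/24 = remote LAN

# VRRP: on-master/on-backup toggle the peer's passive flag so only the
# router that currently owns the virtual IP initiates IKE.
/interface vrrp
add name=vrrp1 interface=ether1 vrid=1 version=3 priority=254 \
    on-master="/ip ipsec peer set [find name=site-b] passive=no" \
    on-backup="/ip ipsec peer set [find name=site-b] passive=yes"

/ip address
add address=192.0.2.11/24 interface=ether1
add address=192.0.2.10/32 interface=vrrp1

# Phase 1: local-address is the virtual IP, not an address that has to be
# active on this router, so the same lines can be loaded on the backup.
/ip ipsec profile
add name=site-b-p1 hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec peer
add name=site-b address=198.51.100.1/32 local-address=192.0.2.10 \
    exchange-mode=ike2 profile=site-b-p1 passive=yes
/ip ipsec identity
add peer=site-b auth-method=pre-shared-key secret="CHANGE-ME-placeholder"

# Phase 2: sa-src-address is again the virtual IP, so the tunnel SA is
# built from whichever router holds the VRRP master role.
/ip ipsec proposal
add name=site-b-p2 auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec policy
add peer=site-b tunnel=yes src-address=10.1.0.0/24 dst-address=10.2.0.0/24 \
    sa-src-address=192.0.2.10 sa-dst-address=198.51.100.1 proposal=site-b-p2
```

Load the identical IPsec section on the backup router with a lower VRRP priority. The peer starts as passive=yes on purpose: a router that boots straight into backup state then sits quietly instead of logging the phase 1 send errors mentioned above, and the on-master script clears the flag only when it actually owns 192.0.2.10. Verify with /ip ipsec active-peers print on the master and confirm the backup shows no negotiation attempts in /log print where topics~"ipsec".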