 
koos147
just joined
Topic Author
Posts: 14
Joined: Fri Sep 25, 2020 8:42 pm

Routing over ipsec

Sat Mar 20, 2021 4:26 pm

Hello,

@Home I have a Juniper SRX.
On the go a MAP2nd, and life was good.
However there are multiple connections to the Juniper@home.

Normally I will set up OSPF for this; however, I found out that this isn't possible for a MikroTik with IPsec (since there is no tunnel interface on the MikroTik to bind the OSPF to).
Since there are only 3 networks any form of manually configuring routes is perfectly fine.

Any chance to get this working without changing to a different type of tunnel?

Kind regards
Mark
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Routing over ipsec

Sat Mar 20, 2021 6:15 pm

GRE over IPsec.
 
koos147
just joined
Topic Author
Posts: 14
Joined: Fri Sep 25, 2020 8:42 pm

Re: Routing over ipsec

Fri Apr 02, 2021 3:31 pm

Isn’t that unnecessarily complicated?
We have an IKE with IPsec and on top of that we make another tunnel....

Is there a solution without a second tunnel?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Routing over ipsec

Fri Apr 02, 2021 4:09 pm

No, you should make the IPsec profile only for transport mode (between the public IP addresses) and put GRE inside that as a tunnel.
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Routing over ipsec

Thu Apr 15, 2021 2:33 pm

I have done what pe1chl has described in a system in New Jersey for a customer. They had 6 sites with public IPs; it works pretty well. You can configure the GRE tunnels to utilize IPsec. Then assign the GREs to OSPF.
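
The setup pe1chl and mikeeg02 describe (IPsec in transport mode between the public addresses, GRE inside it, routes on the GRE interface), as an added example that is not part of any post in this thread. It assumes RouterOS v6 syntax and two endpoints with public addresses; every address, name and the secret below is a constructed placeholder, and the remote side must be configured to match.

```routeros
# Added example (RouterOS v6 syntax). Placeholders from documentation ranges:
#   203.0.113.2  = this MikroTik's public address
#   198.51.100.1 = remote peer's public address
#   10.255.0.0/30 = transfer network inside GRE, 192.168.10.0/24 = remote LAN

# Phase 1 / phase 2 parameters, set explicitly instead of relying on the
# defaults. They must match what the remote gateway is configured to accept.
/ip ipsec profile add name=gre-prof hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal add name=gre-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

/ip ipsec peer add name=home address=198.51.100.1/32 exchange-mode=ike2 profile=gre-prof
/ip ipsec identity add peer=home auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-PSK"

# Transport mode (tunnel=no): the policy covers only GRE between the two
# public addresses, so IPsec protects the GRE packets and nothing else.
/ip ipsec policy add peer=home tunnel=no protocol=gre action=encrypt proposal=gre-prop \
    src-address=203.0.113.2/32 dst-address=198.51.100.1/32

# The GRE interface is what routes (or a routing protocol) attach to.
/interface gre add name=gre-home local-address=203.0.113.2 remote-address=198.51.100.1 allow-fast-path=no
/ip address add address=10.255.0.2/30 interface=gre-home

# Static route to one remote network via the tunnel interface; repeat per
# network, or run OSPF on gre-home instead.
/ip route add dst-address=192.168.10.0/24 gateway=gre-home

# Defence in depth: drop GRE that did not arrive through IPsec. Place this
# above any rule in the input chain that would accept the packet.
/ip firewall filter add chain=input protocol=gre ipsec-policy=in,none action=drop \
    comment="drop GRE not protected by IPsec"
```

After the peer connects, `/ip ipsec active-peers print` and `/ip ipsec installed-sa print` show whether the security associations are established and carrying traffic.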
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Routing over ipsec

Thu Apr 15, 2021 8:20 pm

GRE over IPsec is fine. In the (hopefully near) future, probably IPsec VTI will be an option in RouterOS v7.
 
nakimble
just joined
Posts: 4
Joined: Sat Mar 06, 2021 11:40 pm

Re: Routing over ipsec

Sun Apr 25, 2021 6:41 am

I really hope VTI is introduced in RouterOS v7. I want this feature so bad.
 
carragom
just joined
Posts: 9
Joined: Mon Feb 14, 2011 3:51 am

Re: Routing over ipsec

Sun Apr 25, 2021 11:57 pm

Hi koos147,
The correct solution for this problem is for ROS to implement VTI, or even better XFRM interfaces. But until such time comes, what I normally do, which does not require double tunneling, is to use IPSec in transport mode with an IPIP tunnel; then you can put whatever routing protocol you need on top. It does have a BIG drawback: you can't be behind a NAT. If any of the endpoints are behind NAT you need an IPSec tunnel and some other tunnel inside, i.e. GRE.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Routing over ipsec

Mon Apr 26, 2021 10:48 am

"The correct solution for this problem is for ROS to implement VTI, or even better XFRM interfaces."

Yes, that is the recurring problem. Whenever some solution has been implemented after years of requests, the whole thing will start again with the next "better solution".
