ulysses
Frequent Visitor
Topic Author
Posts: 95
Joined: Fri Sep 25, 2015 1:26 pm

IPsec enhancements

Sun Sep 27, 2015 3:58 pm

Hi all,

I would like to ask whether anyone would agree that the current policy-based IPsec management is disabling a number of setups.

One with a long history is a 4-year-old bug (http://rant.gulbrandsen.priv.no/amazon/ ... -aws-ipsec, http://forum.mikrotik.com/viewtopic.php ... 81#p441037): two IPsec policies in tunnel mode with the same src and dst addresses but different sa-src and sa-dst addresses (effectively, two or more different tunnels to the same remote network) are not allowed.
Another impossible use case I just encountered is when I wanted to create policy-based routing with an IPsec tunnel as one of the optional default routes. This setup would require creating a policy that would intercept all traffic from my local network, disregarding my routing rules.

I think that the biggest issue here is the fact that IPsec tunnel mode is not treated as a real tunnel. Transport mode is OK with policies, but why is tunnel mode so limited?

Imagine if in tunnel IPsec mode we would be able to actually see that virtual interface in the interfaces list:
  • first, we would be able to apply common interface settings, like MTU or ARP modes.
  • second, and this would be a killer feature, we would be able to use that interface in the routing, and that would apply IPsec encryption to the traffic even if the destination address of packets is not within the other end of the IPsec tunnel
This would solve my use case of policy based routing, as well as the AWS problem above, since the encryption would be applied to both virtual tunnels, and the decision of which tunnel to use will be purely routing.

What is Mikrotik's team opinion on this?

P.S. I have just come up with a potential solution to my default route problem by using transport mode and a simple IPIP tunnel. I will create an IPIP tunnel as usual and use it in my routing, and then simply create one IPsec transport-mode policy for the two ends of the IPIP tunnel. Still, the AWS problem is unsolved.
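The P.S. approach written out as an added RouterOS configuration example (editor's example, not code from the original post or from MikroTik documentation): an IPIP tunnel that is a real interface and therefore carries routes, protected by a single transport-mode IPsec policy that matches only the IPIP encapsulation (IP protocol 4, named `ipencap` in RouterOS) between the two public endpoints. Routing, not the IPsec policy, decides what enters the tunnel, which is the point of the post. Public and tunnel addresses, interface and object names, the LAN prefixes and the pre-shared key are placeholders; the syntax assumes RouterOS 6.45 or later (the profile/peer/identity split) but pre-7 routing (`routing-mark`). Only site A is shown; site B mirrors it with local/remote swapped.

```routeros
# Added example, not from the original post. Site A: public 203.0.113.1, LAN 192.168.88.0/24.
# Site B: public 198.51.100.1, LAN 192.168.99.0/24. All addresses and the PSK are placeholders.

# 1. IPIP tunnel. It is an interface, so it takes an address, an MTU and routes like any other.
/interface ipip add name=ipip-siteB local-address=203.0.113.1 remote-address=198.51.100.1 \
    mtu=1400 clamp-tcp-mss=yes
/ip address add address=10.255.0.1/30 interface=ipip-siteB comment="p2p /30 across the tunnel"

# 2. IKEv2 and ESP parameters. Explicit profile/proposal so the defaults are not relied on.
/ip ipsec profile add name=prof-siteB hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal add name=prop-siteB auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer add name=peer-siteB address=198.51.100.1/32 exchange-mode=ike2 profile=prof-siteB
/ip ipsec identity add peer=peer-siteB auth-method=pre-shared-key secret="CHANGE-ME-long-random-psk"

# 3. One transport-mode policy (tunnel=no) that matches only protocol 4 between the two
#    public addresses. LAN prefixes never appear here; two such tunnels to different
#    endpoints are two distinct endpoint pairs, so they do not collide.
/ip ipsec policy add peer=peer-siteB tunnel=no src-address=203.0.113.1/32 dst-address=198.51.100.1/32 \
    protocol=ipencap action=encrypt level=require proposal=prop-siteB

# 4. Routing chooses the tunnel: the remote LAN always, plus a policy-routed default for
#    the local LAN via a routing mark (pre-7 syntax; v7 uses routing-table instead).
/ip route add dst-address=192.168.99.0/24 gateway=10.255.0.2
/ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=via-siteB passthrough=no
/ip route add dst-address=0.0.0.0/0 gateway=10.255.0.2 routing-mark=via-siteB distance=1

# 5. WAN input rules. IPIP has no port; it is IP protocol 4, and once the policy is up it
#    only ever arrives inside ESP, so accept it only when it was decapsulated from IPsec.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 \
    src-address=198.51.100.1 action=accept comment="IKE and NAT-T"
/ip firewall filter add chain=input in-interface=ether1 protocol=ipsec-esp \
    src-address=198.51.100.1 action=accept comment="ESP"
/ip firewall filter add chain=input in-interface=ether1 protocol=ipencap \
    src-address=198.51.100.1 ipsec-policy=in,ipsec action=accept comment="IPIP only from inside IPsec"
```

The `ipsec-policy=in,ipsec` matcher in the last rule is the check worth keeping: it refuses clear-text IPIP from anyone who spoofs the remote public address, which a plain `protocol=ipencap` accept would not. The same layout works with two IPIP tunnels to two remote endpoints covering the same remote prefix, each with its own policy keyed on its own endpoint pair, leaving the choice between them to route distance or marks.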
 
avdvyver01
newbie
Posts: 38
Joined: Mon Jul 03, 2017 2:51 pm

Re: IPsec enhancements

Tue Jul 11, 2017 9:07 am

It would be great if these feature requests can be reconsidered!
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: IPsec enhancements

Tue Jul 11, 2017 10:24 am

IPSec doesn't use ports like UDP and TCP do. So a connection is only defined by src-ip and dst-ip. The security associations are applied to a connection, which are used to decrypt the payload. This means there is no option for Mikrotik to create a connection identifier.

However, if the IPSec connection is made between both Mikrotiks, then you can use other tunnels to create interfaces. EoIP for Layer 2, IPIP or GRE for Layer 3.

Creating an IPSec tunnel can be overwhelming for some users. So Mikrotik offers a very easy way to create a GRE/IPSec tunnel. Go to interfaces, add a GRE interface. In there you'll see an option for a passphrase (or pre-shared key). Setting a passphrase enables IPSec; the configuration is pre-set for you.
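The shortcut described in the post, as an added CLI example (editor's example, not the poster's or MikroTik's own configuration). On the GRE interface the passphrase field is the `ipsec-secret` parameter; setting it makes RouterOS generate the IPsec peer, identity and a transport-mode policy for GRE (IP protocol 47) between the two endpoint addresses as dynamic entries. Addresses, names and the secret are placeholders; syntax assumes RouterOS 6.45 or later. The `print` commands at the end are how to see what was generated, which is the check a practitioner wants before trusting it.

```routeros
# Added example, not from the original post. Site A shown; site B swaps local/remote
# and uses the other /30 address. Addresses and the secret are placeholders.

# One line turns on IPsec for the tunnel: the secret creates peer, identity and a
# dynamic transport-mode policy for protocol gre between 203.0.113.1 and 198.51.100.1.
/interface gre add name=gre-siteB local-address=203.0.113.1 remote-address=198.51.100.1 \
    ipsec-secret="CHANGE-ME-long-random-psk" keepalive=10s,10 mtu=1400 clamp-tcp-mss=yes
/ip address add address=10.255.1.1/30 interface=gre-siteB
/ip route add dst-address=192.168.99.0/24 gateway=10.255.1.2

# Inspect the auto-generated objects (flagged D = dynamic) and the negotiated SA.
/ip ipsec policy print where dynamic=yes
/ip ipsec peer print where dynamic=yes
/ip ipsec active-peers print
/ip ipsec installed-sa print

# The dynamic entries use the "default" profile and proposal. Review them and tighten
# anything weak (older defaults still offer sha1 and modp1024); this edits the defaults,
# which every other dynamic tunnel on the box also inherits.
/ip ipsec profile print
/ip ipsec proposal print
/ip ipsec profile set default hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
```

The same `ipsec-secret` parameter exists on `/interface ipip` and `/interface eoip`, so the Layer 2 (EoIP) and Layer 3 (IPIP, GRE) tunnels the post lists can all be protected the same way. The trade-off against writing the policy by hand is control: the generated policy is tied to the `default` profile and proposal, and both routers must be RouterOS for the shortcut to line up.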
 
predescum
just joined
Posts: 3
Joined: Sun Mar 28, 2021 11:34 am

Re: IPsec enhancements

Sun Mar 28, 2021 11:41 am

Hello, I am trying to make an IPIP tunnel behind a router. Which is the IPIP port for the firewall?
