I would like to ask whether anyone would agree that the current policy-based IPsec management is disabling a number of setups.
One with a long history is a 4-year-old bug (http://rant.gulbrandsen.priv.no/amazon/ ... -aws-ipsec, http://forum.mikrotik.com/viewtopic.php ... 81#p441037), where two IPsec policies in tunnel mode with the same src and dst addresses, but different sa-src and sa-dst addresses (effectively, two or more different tunnels to the same remote network), are not allowed.
Another impossible use case I just encountered is when I wanted to create policy-based routing with an IPsec tunnel as one of the optional default routes. This setup would require creating a policy that would intercept all traffic from my local network, disregarding my routing rules.
I think that the biggest issue here is the fact that IPsec tunnel mode is not treated as a real tunnel. Transport mode is OK with policies, but why is tunnel mode so limited?
Imagine if in tunnel IPsec mode we would be able to actually see that virtual interface in the interfaces list:
- first, we would be able to apply common interface settings, like MTU or ARP modes.
- second, and this would be a killer feature, we would be able to use that interface in the routing, and that would apply IPsec encryption to the traffic even if the destination address of the packets is not within the other end of the IPsec tunnel.
What is Mikrotik's team opinion on this?
P.S. I have just come up with a potential solution to my default route problem by using transport mode and a simple IPIP tunnel. I will create an IPIP tunnel as usual and use it in my routing, and then simply create one IPsec transport mode policy for the two ends of the IPIP tunnel. Still, the AWS problem is unsolved.
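The workaround sketched in the P.S. (a routable IPIP interface whose endpoint-to-endpoint traffic is protected by a single IPsec transport-mode policy), written out as a RouterOS configuration. This is an added example, not the poster's own configuration and not official MikroTik material: the addresses (203.0.113.1 as the local public address, 198.51.100.1 as the remote one, 10.255.0.0/30 for the tunnel, 192.168.1.0/24 for the LAN), the object names, the pre-shared key placeholder and the RouterOS 6.43+ peer/identity/profile syntax are all assumptions; the remote router needs the mirror-image configuration.

```routeros
# --- 1. Plain IPIP tunnel: this is the interface that routing will use ---
# MTU is lowered because the IPIP header (20 bytes) plus ESP overhead must
# fit inside the 1500-byte path MTU of the public link (assumed value).
/interface ipip add name=ipip-siteb \
    local-address=203.0.113.1 remote-address=198.51.100.1 mtu=1400
/ip address add address=10.255.0.1/30 interface=ipip-siteb

# --- 2. IKE/IPsec settings for the peer (names are assumptions) ---
/ip ipsec profile add name=prof-siteb \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal add name=prop-siteb \
    enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
/ip ipsec peer add name=peer-siteb address=198.51.100.1/32 \
    exchange-mode=ike2 profile=prof-siteb
/ip ipsec identity add peer=peer-siteb auth-method=pre-shared-key \
    secret="REPLACE-WITH-A-LONG-RANDOM-PSK"

# --- 3. One transport-mode policy covering only the IPIP endpoints ---
# Matching on protocol 4 (ipencap) means every packet that enters the
# IPIP interface is encrypted, whatever its inner destination, so the
# policy never has to enumerate remote networks and normal routing decides
# what goes through the tunnel. level=require refuses to send it in clear
# if no SA exists.
/ip ipsec policy add peer=peer-siteb tunnel=no \
    src-address=203.0.113.1/32 dst-address=198.51.100.1/32 \
    protocol=ipencap action=encrypt level=require proposal=prop-siteb

# --- 4. Routing: the tunnel is now an ordinary next hop ---
# A normal route for the remote network ...
/ip route add dst-address=172.16.0.0/16 gateway=ipip-siteb
# ... and an optional default route selected per source network with a
# routing mark, which is the policy-based-routing case from the post.
/ip firewall mangle add chain=prerouting src-address=192.168.1.0/24 \
    action=mark-routing new-routing-mark=via-siteb passthrough=no
/ip route add dst-address=0.0.0.0/0 gateway=ipip-siteb \
    routing-mark=via-siteb distance=1

# --- 5. Checks ---
# Phase 2 SAs must exist for 203.0.113.1 <-> 198.51.100.1 before the
# tunnel carries anything; a sniff on the public interface should show
# only ESP (protocol 50), never bare IPIP (protocol 4).
/ip ipsec active-peers print
/ip ipsec installed-sa print
/tool sniffer quick interface=ether1 ip-protocol=ipencap
```

Two caveats worth keeping in mind with this pattern. First, because the policy selector is the endpoint pair plus protocol 4, each additional tunnel to the same remote network gets its own endpoint pair and therefore its own policy, which is exactly why it sidesteps the routing limitation but does nothing for the AWS case with duplicate src/dst selectors. Second, with `level=require` a missing SA blackholes the tunnel rather than leaking cleartext; the `sniffer` line above is the quick way to confirm that no unencrypted IPIP ever leaves the public interface.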