mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Please add the ability to choose Proposal

Wed Aug 08, 2018 12:12 pm

Hello,

Please add the ability to choose the Proposal (in L2TP with "Use IPsec").
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: Please add the ability to choose Proposal

Wed Aug 08, 2018 2:04 pm

Please explain why. L2TP always uses the default IPsec proposal, you can adjust security parameters for it if necessary. Additionally, you can create separate proposals for other IPsec tunnels.
 
mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: Please add the ability to choose Proposal

Wed Aug 08, 2018 4:50 pm

I already have a configuration with a very large number of IPsec policies (all of these policies use proposal=default).

Now I have created an L2TP connection with "Use IPsec", and I need a different custom proposal for it.
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: Please add the ability to choose Proposal

Wed Aug 08, 2018 4:57 pm

I still do not see any real benefit of your request. It literally takes 2 seconds to change proposal value for your policies to a different one.
/ip ipsec proposal add name=newproposal copy-from=default
/ip ipsec policy set [find proposal=default] proposal=newproposal
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Please add the ability to choose Proposal

Wed Aug 08, 2018 4:59 pm

I still do not see any real benefit of your request. It literally takes 2 seconds to change proposal value for your policies to a different one.
/ip ipsec proposal add name=newproposal copy-from=default
/ip ipsec policy set [find proposal=default] proposal=newproposal
I was just posting this exact same thing.. Beat me to it :)
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Please add the ability to choose Proposal

Thu Aug 09, 2018 11:58 am

Please explain why. L2TP always uses the default IPsec proposal, you can adjust security parameters for it if necessary. Additionally, you can create separate proposals for other IPsec tunnels.
For example: if I fill in the IPsec Secret on an IPIP or EoIP tunnel, it uses the default policies and proposal too. If I want to have a different IPsec proposal (auth. or enc.) for L2TP and for the IP tunnels, I can't. For now, I'm not using the quick L2TP or IPoIP (EoIP) IPsec solution; I'm creating IPsec policies, peers and proposals for them the old way.
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Please add the ability to choose Proposal

Thu Aug 09, 2018 12:13 pm

Please add the ability to choose Proposal (in L2tp with "Use IPsec")
It would be better if it were possible to choose the IPsec group for L2TP, IPoIP, EoIP, etc.
 
mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: Please add the ability to choose Proposal

Mon Mar 18, 2019 4:45 pm

I still do not see any real benefit of your request. It literally takes 2 seconds to change proposal value for your policies to a different one.
/ip ipsec proposal add name=newproposal copy-from=default
/ip ipsec policy set [find proposal=default] proposal=newproposal
I was just posting this exact same thing.. Beat me to it :)
Absolutely pointless.
Currently, all tunnels with IPsec Secret enabled (L2TP/GRE/...) create dynamic policies with the default proposal. Your "newproposal" will not be used.
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Please add the ability to choose Proposal

Mon Mar 18, 2019 5:37 pm

What was suggested was to move all explicit IPSec config to a new proposal called "newproposal".
You can then adjust the default one, and your dynamic IPSec things (tunnels with "use-ipsec=yes") will use the default.

Anyway, if you are doing any in-depth IPSec config, you should NOT use the automagical "use-ipsec=yes".
Configure IPSec for yourself for all the services, and you have full control over what is being done and how.
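The two routes tomaskir describes above, and the two commands emils posted earlier in the thread, written out as an added RouterOS CLI example. This is not code from any poster in this thread; the interface name, addresses, peer/proposal/profile names and the pre-shared secret are placeholders I chose, and the second part uses the 6.43+ syntax with /ip ipsec profile and /ip ipsec identity. Part 1 keeps use-ipsec=yes and relies on the behaviour the thread establishes, that the dynamic policies created by L2TP/IPIP/EoIP/GRE always reference the proposal named default: the static policies are moved onto a copy and default itself is then tightened. Part 2 drops use-ipsec for one IPIP tunnel and builds the IPsec side by hand so that tunnel gets its own proposal.

```routeros
# --- Part 1: keep use-ipsec=yes, but control what the dynamic policies get ---
# Move every *static* policy off "default" onto a copy of it. The dynamic=no
# filter matters: dynamic policies (created by use-ipsec / ipsec-secret) are
# read-only, and without the filter the set command would fail on them.
/ip ipsec proposal add name=newproposal copy-from=default
/ip ipsec policy set [find proposal=default dynamic=no] proposal=newproposal

# "default" is now referenced only by the dynamic policies, so its parameters
# apply exclusively to the L2TP / IPIP / EoIP / GRE tunnels that use a secret.
/ip ipsec proposal set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=30m

# Check: dynamic policies still reference proposal=default, and the installed
# SAs show the new algorithms once the tunnels have re-keyed.
/ip ipsec policy print where dynamic=yes
/ip ipsec installed-sa print

# --- Part 2: one IPIP tunnel with its own proposal, no use-ipsec / ipsec-secret ---
# Placeholder addresses: local 198.51.100.5, remote 203.0.113.10 (assumed).
/ip ipsec proposal add name=prop-ipip-b auth-algorithms=sha256 \
    enc-algorithms=aes-256-gcm pfs-group=ecp256 lifetime=30m
/ip ipsec profile add name=prof-ipip-b dh-group=ecp256 enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=1d
/ip ipsec peer add name=peer-b address=203.0.113.10/32 exchange-mode=ike2 \
    profile=prof-ipip-b
/ip ipsec identity add peer=peer-b auth-method=pre-shared-key secret="CHANGE-ME"
# Transport-mode policy for IP-in-IP (IP protocol 4), which is what use-ipsec
# would have generated dynamically, but now pointing at our own proposal.
/ip ipsec policy add peer=peer-b tunnel=no protocol=ipencap action=encrypt \
    level=require src-address=198.51.100.5/32 dst-address=203.0.113.10/32 \
    proposal=prop-ipip-b comment="ipip-b"
# The tunnel itself is created without ipsec-secret, so no dynamic policy appears.
/interface ipip add name=ipip-b local-address=198.51.100.5 \
    remote-address=203.0.113.10
```

Part 1 answers emils's point (the dynamic tunnels do end up on the parameters you want) but not mikruser's: every tunnel that uses a secret still shares the one proposal called default. If two such tunnels need different algorithms, Part 2 is the only option the thread offers, repeated once per tunnel with its own proposal and policy. After either change, let the SAs expire or flush them and confirm with /ip ipsec installed-sa print that the negotiated algorithms match the proposal you intended.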
 
mikruser
Long time Member
Topic Author
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: Please add the ability to choose Proposal

Mon Mar 18, 2019 5:53 pm

All my tunnels are configured with IPsec Secret enabled, and I will not change it.

We simply need the ability to choose Proposal for each tunnel.
 
dave864
Frequent Visitor
Posts: 75
Joined: Fri Mar 11, 2016 2:37 pm

Re: Please add the ability to choose Proposal

Sat Jun 01, 2019 9:24 am

Why is the use-ipsec=yes a bad thing?
 
nostromog
Member Candidate
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: Please add the ability to choose Proposal

Sat Jun 01, 2019 2:57 pm

Why is the use-ipsec=yes a bad thing?
It is not a bad thing if you just want to protect a connection.

What tomaskir said is that if you want to do an "in-depth IPSec config" it is better not to use these parameters and to create the policies for the tunnels yourself.

The solution proposed by emils and IntrusDave to control the dynamic IPsec proposals for all tunnels using use-ipsec=true, i.e. to add a new proposal for whatever static configuration you have while changing the default used by use-ipsec=true, is one I have used myself, and I think it is a good balance between a simple IPsec config using "use-ipsec" and a full proposal/policies configuration.
 
tutugreen
just joined
Posts: 13
Joined: Fri Oct 06, 2017 3:14 pm

Re: Please add the ability to choose Proposal

Mon Jul 26, 2021 5:17 am

I just messed with the L2TP server and found that the proposal for L2TP is not selectable.

Maybe it's a "nice to have" feature.

Yes, we can create a proposal for every tunnel, but it's a bit complex when the destination endpoint uses DDNS.

For someone coming from a search engine with the same scenario:

Now using a more complex IKEv2 setup (for IPIP, GRE, etc.), it works.

If both sites are using dynamic IPs, we have to use a script to update the local IP in the tunnel interface anyway; just add a few more lines to update the peer 🤣.
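The "few more lines to update the peer" that tutugreen alludes to, as an added RouterOS script that is not tutugreen's own. It assumes a manually configured IPIP tunnel of the kind discussed in this thread (no ipsec-secret, a static /ip ipsec peer and policy) at a site where both ends sit behind dynamic addresses published through DDNS. The tunnel name ipip-b, peer name peer-b, policy comment ipip-b, WAN interface ether1 and the DDNS name site-b.example.com are placeholders I chose. The script re-resolves the remote name, reads the current WAN address, and rewrites the tunnel endpoints, the peer address and the policy selectors only when something has actually changed.

```routeros
# Added example, not from the thread. Placeholders: adjust to your setup.
:local tunnel "ipip-b"
:local peer   "peer-b"
:local wan    "ether1"
:local ddns   "site-b.example.com"

# Remote side: :resolve raises an error when the lookup fails, so guard it and
# fall back to leaving the current address alone (an empty string below).
:local remote ""
:do { :set remote [:tostr [:resolve $ddns]] } on-error={
    :log warning "$tunnel: DNS lookup of $ddns failed, keeping current remote"
}

# Local side: first address on the WAN interface, prefix length stripped
# ("198.51.100.5/24" -> "198.51.100.5").
:local localcidr [/ip address get [:pick [find interface=$wan] 0] address]
:local localip [:pick $localcidr 0 [:find $localcidr "/"]]

# Current values, as strings, so the comparisons below are type-safe.
:local curRemote [:tostr [/interface ipip get [find name=$tunnel] remote-address]]
:local curLocal  [:tostr [/interface ipip get [find name=$tunnel] local-address]]

# Only rewrite when changed: touching the peer address tears down the SA and
# forces a re-key, which you do not want every five minutes.
:if (($remote != "") && ($remote != $curRemote)) do={
    /interface ipip set [find name=$tunnel] remote-address=$remote
    /ip ipsec peer set [find name=$peer] address="$remote/32"
    /ip ipsec policy set [find comment=$tunnel] dst-address="$remote/32"
    :log info "$tunnel: remote changed $curRemote -> $remote"
}
:if ($localip != $curLocal) do={
    /interface ipip set [find name=$tunnel] local-address=$localip
    /ip ipsec policy set [find comment=$tunnel] src-address="$localip/32"
    :log info "$tunnel: local changed $curLocal -> $localip"
}

# Install as a script and run it periodically (done once from the terminal):
# /system script add name=sync-ipip-b source=<the script above>
# /system scheduler add name=sync-ipip-b interval=5m \
#     on-event="/system script run sync-ipip-b"
```

The policy is looked up by its comment rather than by address, because the addresses are exactly what the script changes. The script is what use-ipsec=yes would otherwise have done for you, so this is the price of the manual configuration tomaskir recommends: you gain a per-tunnel proposal, and in return you own the endpoint bookkeeping.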
