Page 1 of 1

IPSec and ppp tunnel precedence

Posted: Fri Aug 02, 2019 12:15 am
by lapsio

I just bought NordVPN VPN and they prefer using IPSec. I'd also like to use PIA and daisy chain those 2 VPNs. At first I didn't like IPSec option since I have in general trust issues with IPSec and since OpenVPN client implementation has been fixed in last RouterOS update it sounds like viable option. However using OpenVPN for both PIA and NordVPN would require ppp in ppp which may be troublesome.

So I started to wonder - hey what if I use IPSec for one VPN provider and OpenVPN for another one? Technically it should work right? Since IPSec policy is basically determined by source and destination, it should also apply to any ppp tunnels. So it would make OpenVPN tunnel be established IPSec tunnel right? Am I missing anything here? Or would it actually work the other way around - making traffic inside OpenVPN tunnel be encrypted with IPSec policy?

Re: IPSec and ppp tunnel precedence

Posted: Fri Aug 02, 2019 11:50 am
by sindy
Both ways are possible, the only exception is that you cannot directly tunnel one IPsec SA through another IPsec SA, which is clearly not your intention. The precedence is determined by the fact that IPsec policy match always wins - first all the routing and firewalling, including NAT, is done, and then, on its way to the out-interface, each packet is inspected by all IPsec policies; if one of them likes it, it steals it and sends it through its SA. In incoming direction, packets matching any of the IPsec policies with action=encrypt are silently dropped if they didn't arrive via that policy's SA (which kind of extends the information given by @Sob in your other today's topic).