markdutton
newbie
Topic Author
Posts: 36
Joined: Fri Sep 24, 2010 4:59 am

IPIP over IPSEC using different profile and policy templates

Fri Nov 08, 2019 10:16 am

I need to create an IPIP tunnel to Azure with their VPN connector in routed mode. However, the default Profile and Proposal are used for my other IPIP tunnels. Is there a way to get an IPIP tunnel to use a different profile and proposal than default?

If not is there a way to create an IP tunnel that is simply a routing interface like IPIP to work with third party routers that create routing interfaces over IPSEC (not policy based)?
 
sindy
Forum Guru
Posts: 3904
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPIP over IPSEC using different profile and policy templates

Sat Nov 09, 2019 3:44 pm

I need to create an IPIP tunnel to Azure with their VPN connector in routed mode. However, the default Profile and Proposal are used for my other IPIP tunnels. Is there a way to get an IPIP tunnel to use a different profile and proposal than default?
Sure you can. It is just a convenience that when you set a non-empty value of the ipsec-secret parameter of the /interface ipip, an IPsec configuration necessary to transport the IPIP tunnel is dynamically generated, but you can as well configure it manually with parameters of your choice.

To make the process as easy as possible, I'd recommend you to create the /interface ipip with the ipsec-secret parameter set at first, and then create the peer, identity, and policy as modified copies of those which RouterOS auto-creates for you:
  • create the /ip ipsec profile and /ip ipsec proposal you want to use for the Azure connection; in this example, I've called them azure-profile and azure-proposal
  • in the output of /ip ipsec peer print,
    • find the row index of the auto-created peer for Azure and use it instead of X in the following command,
    • find the auto-generated peer name and use it instead of PEER_NAME in the subsequent commands used to copy the identity and policy.
  • /ip ipsec peer add copy-from=X name=azure-ipip profile=azure-profile disabled=yes address=void.com
  • /ip ipsec identity add copy-from=[find peer=PEER_NAME] peer=azure-ipip
  • /ip ipsec policy add copy-from=[find peer=PEER_NAME] proposal=azure-proposal peer=azure-ipip

Once the above steps are done, you can remove the auto-generated items by removing the ipsec-secret value from the IPIP interface configuration:
/interface ipip unset ipip-tunnel1 ipsec-secret

Now that the dynamically created peer doesn't collide with the manually created one any more, you can enable the latter and set its address parameter to the actual IP address (or fqdn?) of the Azure peer, which you had to substitute with void.com when copying it in order to avoid the collision:
/ip ipsec peer set azure-ipip disabled=no address=ip.of.azure.peer

If the profile and proposal are correct, in a few seconds you should see a row representing the Azure peer in the output of /ip ipsec active-peer, the policy active, and the IPIP tunnel up as well.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
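The same outcome configured entirely by hand, as an added example that is not from this thread or from MikroTik's documentation: instead of copying the auto-generated peer, identity and policy, every object is created explicitly so nothing depends on the default profile and proposal. Interface and object names, addresses, the pre-shared key, the IKEv2 exchange mode and the algorithm choices are assumed placeholders; the transport-mode policy matching only protocol ipencap between the two tunnel endpoints is assumed to correspond to what ipsec-secret would have generated.

```routeros
# Added example, not from the thread: manual IPsec transport for an IPIP tunnel
# with its own profile and proposal. All names, addresses, the secret and the
# algorithm choices are placeholders; replace them with your own values.

# 1. The IPIP tunnel itself, deliberately WITHOUT ipsec-secret, so RouterOS does
#    not auto-generate a peer/identity/policy that collides with the manual ones.
/interface ipip
add name=ipip-azure local-address=my.public.ip.1 remote-address=ip.of.azure.peer \
    clamp-tcp-mss=yes comment="IPIP to Azure, IPsec configured manually"

# 2. Phase 1 (IKE) parameters used only by this connection; the default profile
#    stays untouched for the other IPIP tunnels. Algorithms are an assumption,
#    match them to what the Azure gateway is configured for.
/ip ipsec profile
add name=azure-profile hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 lifetime=8h

# 3. Phase 2 (ESP) parameters, again separate from the default proposal.
/ip ipsec proposal
add name=azure-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=1h

# 4. Peer: the remote IKE endpoint and the profile to negotiate with it.
/ip ipsec peer
add name=azure-ipip address=ip.of.azure.peer exchange-mode=ike2 \
    profile=azure-profile

# 5. Identity: how we authenticate to that peer (pre-shared key, placeholder).
/ip ipsec identity
add peer=azure-ipip auth-method=pre-shared-key secret="REPLACE_WITH_STRONG_PSK"

# 6. Policy: protect only the IP-in-IP packets (protocol 4, "ipencap") between
#    the two tunnel endpoints, in transport mode, using the Azure proposal.
#    level=require means IPIP traffic is dropped rather than sent in clear
#    while no SA exists.
/ip ipsec policy
add peer=azure-ipip tunnel=no protocol=ipencap \
    src-address=my.public.ip.1/32 dst-address=ip.of.azure.peer/32 \
    proposal=azure-proposal action=encrypt level=require comment="IPIP to Azure"

# 7. Verify: the peer should be established, the policy active, SAs installed.
/ip ipsec active-peers print
/ip ipsec policy print where peer=azure-ipip
/ip ipsec installed-sa print
```

If the policy shows as inactive, compare the profile and proposal against the Azure side first; a mismatch in either is the usual reason the peer never reaches the established state.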
 
markdutton
newbie
Topic Author
Posts: 36
Joined: Fri Sep 24, 2010 4:59 am

Re: IPIP over IPSEC using different profile and policy templates

Tue Nov 12, 2019 4:17 am

Thanks Sindy. That looks great.

I will give it a try soon. In the meantime, I just used a policy VPN gateway in Azure and used the standard IPSEC policy based setup in Mikrotik (with my custom profile and policy settings), which worked perfectly.

Mark
