I need to create and IPIP tunnel to Azure with their VPN connector in routed mode. However, the default Profile and Proposal are used for my other IPIP tunnels. Is there a way to get an IPIP tunnel to use a different profile and proposal than default?
Sure you can. It is just a convenience that when you set a non-empty value of the ipsec-secret parameter of the /interface ipip, an IPsec configuration necessary to transport the IPIP tunnel is dynamically generated, but you can as well configure it manually with parameters of your choice.
To make the process as easy as possible, I'd recommend that you first create the /interface ipip with the ipsec-secret parameter set, and then create the peer, identity, and policy as modified copies of those which RouterOS auto-creates for you:
- create the /ip ipsec profile and /ip ipsec proposal you want to use for the Azure connection; in this example, I've called them azure-profile and azure-proposal
- in the output of /ip ipsec peer print,
  - find the row index of the auto-created peer for Azure and use it instead of X in the following command,
  - find the auto-generated peer name and use it instead of PEER_NAME in the subsequent commands used to copy the identity and policy.
- /ip ipsec peer add copy-from=X name=azure-ipip profile=azure-profile disabled=yes address=void.com
- /ip ipsec identity add copy-from=[find peer=PEER_NAME] peer=azure-ipip
- /ip ipsec policy add copy-from=[find peer=PEER_NAME] proposal=azure-proposal peer=azure-ipip
Once the above steps are done, you can remove the auto-generated items by removing the ipsec-secret value from the IPIP interface configuration:
/interface ipip unset ipip-tunnel1 ipsec-secret
As the dynamically created peer no longer collides with the manually created one, you can enable the latter and set its address parameter to the actual IP address (or fqdn?) of the Azure peer, which you had to substitute with void.com when copying it in order to avoid the collision:
/ip ipsec peer set azure-ipip disabled=no address=ip.of.azure.peer
If the profile and proposal are correct, in a few seconds you should see a row representing the Azure peer in the output of /ip ipsec active-peer, the policy active, and the IPIP tunnel up as well.
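For reference, the same end state written out as a complete manual configuration rather than as copies of the auto-generated entries. This is an added example, not the poster's commands or MikroTik documentation; the interface and peer names, the addresses (documentation ranges: 203.0.113.10 as the router's public IP, 198.51.100.20 as the Azure gateway), the MTU and the algorithm choices are all assumptions, and the placeholder PSK must be replaced. The policy mirrors the shape of the one RouterOS auto-generates for an IPIP tunnel with ipsec-secret set: transport mode (tunnel=no), protocol ipencap (IP protocol 4), host-to-host between the two tunnel endpoints.

```routeros
# Added example, not from the original post. All names, addresses and
# algorithm choices below are assumptions for illustration only.
# Azure VPN Gateway talks IKEv2, hence exchange-mode=ike2.

# 1. Phase 1 (IKE SA) settings in a dedicated profile instead of "default"
/ip ipsec profile add name=azure-profile hash-algorithm=sha256 \
    enc-algorithm=aes-256 dh-group=modp2048 lifetime=8h

# 2. Phase 2 (child SA) settings in a dedicated proposal instead of "default"
/ip ipsec proposal add name=azure-proposal auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h

# 3. The peer, bound to the non-default profile
/ip ipsec peer add name=azure-ipip address=198.51.100.20 \
    exchange-mode=ike2 profile=azure-profile

# 4. Identity with a pre-shared key (placeholder; use a long random secret)
/ip ipsec identity add peer=azure-ipip auth-method=pre-shared-key \
    secret="replace-with-a-long-random-psk"

# 5. Transport-mode policy covering only the IPIP (protocol 4, "ipencap")
#    traffic between the two endpoints; level=require refuses to pass the
#    matching traffic in clear if no SA is installed
/ip ipsec policy add peer=azure-ipip proposal=azure-proposal tunnel=no \
    src-address=203.0.113.10/32 dst-address=198.51.100.20/32 \
    protocol=ipencap action=encrypt level=require

# 6. The IPIP tunnel itself, deliberately WITHOUT ipsec-secret so that no
#    second, colliding peer/identity/policy set is generated dynamically
/interface ipip add name=ipip-azure local-address=203.0.113.10 \
    remote-address=198.51.100.20 mtu=1400

# Verification: one active peer, the policy flagged active, SAs installed,
# and the IPIP interface running (R flag)
/ip ipsec active-peers print
/ip ipsec policy print where peer=azure-ipip
/ip ipsec installed-sa print
/interface print where name=ipip-azure
```

If the router sits behind NAT, local-address and the policy's src-address are its private address, not the public one, and the Azure side must be configured with the NAT's public IP; the IKE profile's nat-traversal setting then matters. Keep the policy scoped to protocol=ipencap and the two /32 endpoints as above, otherwise a broader policy on the same peer can swallow unrelated traffic between those hosts.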
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.