dksoft
Frequent Visitor
Topic Author
Posts: 61
Joined: Thu Dec 06, 2012 8:56 am
Location: Germany

Question: Can I specify Proposal/Profile for EOIP/IPSEC?

Mon Feb 22, 2021 10:08 am

Dear Mikrotik friends,

is there a way to define the Proposal and Profile when using EOIP with IPSEC?
My understanding is that the EOIP/IPSEC initiator automatically uses the setting based on the responder's default settings.

Thanks for your input
dksoft
Setup: Dt. Telekom FTTH with GPON SFP MA5671A, CHR on Proxmox, CRS328-24P-4S+RM, multiple WAP AC via CAPsMAN. MCTNA
 
sindy
Forum Guru
Posts: 6844
Joined: Mon Dec 04, 2017 9:19 pm

Re: Question: Can I specify Proposal/Profile for EOIP/IPSEC?

Mon Feb 22, 2021 12:17 pm

If you just specify the ipsec-secret value on the /interface eoip configuration row, RouterOS dynamically generates the IPsec configuration (peer, identity, policy) using the peer profile called default and the proposal called default.

So if you don't plan to use this profile and proposal for other purposes, you can accommodate them to your needs. If you want to keep them unchanged, the simplest approach is to
  • create your own profile and proposal (let's say my-profile and my-proposal)
  • set the ipsec-secret value on the /interface eoip configuration row so that RouterOS generates the IPsec objects
  • create static copies of those objects with modified parameters:
    /ip ipsec peer add copy-from=[find where dynamic] profile=my-profile name=my-eoip address=127.0.0.127
    /ip ipsec identity add copy-from=[find where dynamic] peer=my-eoip
    /ip ipsec policy add copy-from=[find where dynamic] proposal=my-proposal peer=my-eoip
  • unset the ipsec-secret on the /interface eoip configuration row
  • set the actual peer address on the static peer:
    /ip ipsec peer set my-eoip address=the.actual.peer.address
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
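The procedure from the answer above, put together as one RouterOS script that can be pasted into a terminal. This is an added example, not sindy's or MikroTik's own configuration: the algorithms, the remote address 203.0.113.1 (a documentation range), tunnel-id 10, the interface name eoip-site-b and the object names my-profile, my-proposal and my-eoip are assumptions chosen for illustration, and the secret is a placeholder. The same script, with the remote address swapped, goes on the other end.

```routeros
# Added example, not from the original post. Assumptions: remote public
# address 203.0.113.1 (documentation range), tunnel-id 10, interface name
# eoip-site-b, placeholder secret. Apply the mirror image on the other end.

# 1. Custom phase-1 profile and phase-2 proposal, so the built-in objects
#    named "default" stay untouched. proposal-check=strict rejects SAs whose
#    lifetime differs from what is configured here.
/ip ipsec profile add name=my-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=ecp256 proposal-check=strict lifetime=8h
/ip ipsec proposal add name=my-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=ecp256 lifetime=1h

# 2. Set ipsec-secret so RouterOS generates the dynamic peer, identity and
#    policy (these use the "default" profile and proposal).
/interface eoip add name=eoip-site-b tunnel-id=10 remote-address=203.0.113.1 ipsec-secret="REPLACE_WITH_LONG_RANDOM_SECRET"

# 3. Static copies of the dynamic objects, pointing at the custom profile
#    and proposal. The static peer gets a placeholder address first, because
#    a second peer for 203.0.113.1 would clash with the dynamic one.
/ip ipsec peer add copy-from=[find where dynamic] name=my-eoip profile=my-profile address=127.0.0.127
/ip ipsec identity add copy-from=[find where dynamic] peer=my-eoip
/ip ipsec policy add copy-from=[find where dynamic] peer=my-eoip proposal=my-proposal

# 4. Remove the secret from the EoIP interface; the dynamic objects vanish.
/interface eoip set eoip-site-b !ipsec-secret

# 5. Point the static peer at the real address.
/ip ipsec peer set my-eoip address=203.0.113.1/32

# 6. Check: no dynamic entries should be left, and once the tunnel is up the
#    installed SA should list the custom algorithms, not the "default" ones.
/ip ipsec peer print where dynamic
/ip ipsec policy print where dynamic
/ip ipsec installed-sa print
```

Run step 3 only while exactly one set of dynamic objects exists; if other EoIP interfaces with ipsec-secret are present, `[find where dynamic]` matches all of them and the copy-from becomes ambiguous, so narrow the filter (for example `[find where dynamic and address=203.0.113.1/32]` in the peer menu). After step 5, both ends must agree on the profile and proposal parameters, otherwise phase 1 or phase 2 negotiation fails; `/ip ipsec installed-sa print` on both routers is the quickest confirmation.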
 
dksoft
Frequent Visitor
Topic Author
Posts: 61
Joined: Thu Dec 06, 2012 8:56 am
Location: Germany

Re: Question: Can I specify Proposal/Profile for EOIP/IPSEC?

Mon Feb 22, 2021 1:31 pm

Dear Sindy,

thanks, it worked right away and is exactly what I was looking for!

Do I understand correctly that this solution does not support road warriors unless I find a method to set the actual peer address before the client connects?
 
sindy
Forum Guru
Posts: 6844
Joined: Mon Dec 04, 2017 9:19 pm

Re: Question: Can I specify Proposal/Profile for EOIP/IPSEC?

Mon Feb 22, 2021 2:05 pm

For road warriors, you get less of a headache if you use tunnel mode of the SA and create an individual identity referring to an individual policy template group for each road warrior. That way, you can use static private addresses at both ends for the EoIP tunnel although the WAN addresses of the road warriors are unknown in advance. It will cost you one more IP header in each packet.

But to use EoIP on a road warrior is kind of an act of desperation; L2 protocols are quite unhappy with long round-trip delays.
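The road-warrior variant sketched above (tunnel-mode SA, one identity and one policy template group per road warrior, fixed private addresses for the EoIP endpoints), written out for both sides. This is an added example, not sindy's or MikroTik's configuration. Assumptions: the hub's public address is 198.51.100.1 (documentation range), the private tunnel endpoints are 10.255.0.1 (hub) and 10.255.0.11 (road warrior "rw1") on a dummy bridge, authentication is IKEv2 with a pre-shared key, and the identities are matched by FQDN IDs so the road warrior's changing WAN address appears nowhere in the configuration.

```routeros
# Added example, not from the original post. Assumptions: hub public address
# 198.51.100.1, private tunnel endpoints 10.255.0.1 (hub) and 10.255.0.11
# (road warrior rw1), IKEv2 with a pre-shared key, FQDN identities.

#### hub (responder) ####
/ip ipsec profile add name=rw-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=ecp256
/ip ipsec proposal add name=rw-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=ecp256
# Passive peer without an address: accepts IKE from anywhere, never initiates.
/ip ipsec peer add name=rw-hub passive=yes exchange-mode=ike2 profile=rw-profile
# One policy template group and one identity per road warrior; the identity
# is selected by the ID the initiator presents, not by its source address.
/ip ipsec policy group add name=rw1
/ip ipsec identity add peer=rw-hub auth-method=pre-shared-key secret="REPLACE_RW1_SECRET" my-id=fqdn:hub remote-id=fqdn:rw1 match-by=remote-id policy-template-group=rw1 generate-policy=port-strict
# Template: only GRE between the two fixed private endpoints can be negotiated
# for this road warrior; the dynamic policy is generated from it on connect.
/ip ipsec policy add template=yes group=rw1 src-address=10.255.0.1/32 dst-address=10.255.0.11/32 protocol=gre proposal=rw-proposal
# Private endpoint address and the EoIP tunnel; no ipsec-secret on the interface.
/interface bridge add name=lo-ipsec
/ip address add address=10.255.0.1/32 interface=lo-ipsec
/interface eoip add name=eoip-rw1 tunnel-id=11 local-address=10.255.0.1 remote-address=10.255.0.11

#### road warrior rw1 (initiator) ####
/ip ipsec profile add name=rw-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=ecp256
/ip ipsec proposal add name=rw-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=ecp256
/ip ipsec peer add name=hub address=198.51.100.1/32 exchange-mode=ike2 profile=rw-profile
/ip ipsec identity add peer=hub auth-method=pre-shared-key secret="REPLACE_RW1_SECRET" my-id=fqdn:rw1 remote-id=fqdn:hub
# Tunnel-mode policy between the private endpoints; sa-src-address is left at
# its default so the current WAN address is used whatever it happens to be.
/ip ipsec policy add peer=hub tunnel=yes src-address=10.255.0.11/32 dst-address=10.255.0.1/32 protocol=gre sa-dst-address=198.51.100.1 proposal=rw-proposal
/interface bridge add name=lo-ipsec
/ip address add address=10.255.0.11/32 interface=lo-ipsec
/interface eoip add name=eoip-hub tunnel-id=11 local-address=10.255.0.11 remote-address=10.255.0.1

# Check on either side once the road warrior is online.
/ip ipsec active-peers print
/ip ipsec policy print
```

Each additional road warrior gets its own group, identity (with its own secret and remote-id), template and EoIP interface with a distinct private endpoint and tunnel-id; the hub's peer object is shared. The hub's input firewall must accept UDP 500 and 4500 and protocol ipsec-esp, and because the GRE packets are routed before the policy matches them, a default route on both sides is enough; no route to the road warrior's WAN address is ever configured. The extra outer IP header sindy mentions is the price of tunnel mode here, so lower the MTU on the bridged segment accordingly.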
