Dear Mikrotik friends,
is there a way to define the Proposal and Profile when using EOIP with IPSEC?
My understanding is that the EOIP/IPSEC initiator automatically uses the setting based on the responder's default settings.
Thanks for your input
dksoft
Question: Can I specify Proposal/Profile for EOIP/ISPEC?
Setup: Dt. Telekom FTTH with GPON SFP MA5671A, CHR on Promox, CRS328-24P-4S+RM, multiple WAP AC via CAPsMAN. MCTNA
Re: Question: Can I specify Proposal/Profile for EOIP/ISPEC?
If you just specify the ipsec-secret value on the /interface eoip configuration row, RouterOS dynamically generates the IPsec configuration (peer, identity, policy) using the peer profile called default and the proposal called default.
So if you don't plan to use this profile and proposal for other purposes, you can accommodate them to your needs. If you want to keep them unchanged, the simplest approach is to
So if you don't plan to use this profile and proposal for other purposes, you can accommodate them to your needs. If you want to keep them unchanged, the simplest approach is to
- create your own profile and proposal (let's say my-profile and my-proposal)
- set the ipsec-secret value on the /interface eoip configuration row so that RouterOS generated the IPsec objects
- create static copies of those objects with modified parameters:
/ip ipsec peer add copy-from=[find where dynamic] profile=my-profile name=my-eoip address=127.0.0.127
/ip ipsec identity add copy-from=[find where dynamic] peer=my-eoip
/ip ipsec policy add copy-from=[find where dynamic] proposal=my-proposal peer=my-eoip - unset the ipsec-secret on the /interface eoip configuration row
- set the actual peer address on the static peer:
/ip ipsec peer set my-eoip address=the.actual.peer.address
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
Re: Question: Can I specify Proposal/Profile for EOIP/ISPEC?
Dear Sindy,
thanks, it worked right away and is exactly what I was looking for!
Do I understand correctly that this solution does not support road warriors unless I find a method to set the actual peer address before the client connects?
thanks, it worked right away and is exactly what I was looking for!
Do I understand correctly that this solution does not support road warriors unless I find a method to set the actual peer address before the client connects?
Setup: Dt. Telekom FTTH with GPON SFP MA5671A, CHR on Promox, CRS328-24P-4S+RM, multiple WAP AC via CAPsMAN. MCTNA
Re: Question: Can I specify Proposal/Profile for EOIP/ISPEC?
For road warriors, you get less headache if you use tunnel mode of the SA and create an individual identity referring to an individual policy template group for each road warrior. That way, you can use static private addresses at both ends for the EoIP tunnel although the WAN addresses of the road warriors are unknown in advance. It will cost you one more IP header in each packet.
But to use EoIP on a road warrior is kind of an act of desperation, L2 protocols are quite unhappy with long round-trip delays.
But to use EoIP on a road warrior is kind of an act of desperation, L2 protocols are quite unhappy with long round-trip delays.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.