ericdriver
just joined
Topic Author
Posts: 15
Joined: Thu Aug 20, 2020 8:03 am

Pure IPSEC with ECMP

Tue Jul 20, 2021 8:26 am

Is it possible to have two pure IPsec tunnels via different ISPs and make ECMP using both tunnels?
For instance, my branch network is 10.10.10.0/24 and I want to encrypt everything from 10.10.10.0/24 to 0.0.0.0/0 using both IPsec tunnels via different ISPs.
It seems that it is not possible, because when I create two equal IPsec policies, only one becomes active. Do you know some solutions (for pure IPsec)?

/ip ipsec policy
add dst-address=0.0.0.0/0 peer=peer2-1 sa-dst-address=172.17.150.2 sa-src-address=172.17.150.1 src-address=10.10.10.0/24 tunnel=yes
add dst-address=0.0.0.0/0 peer=peer2-2 sa-dst-address=172.17.150.130 sa-src-address=172.17.150.129 src-address=10.10.10.0/24 tunnel=yes
 
markmcn
Member Candidate
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Re: Pure IPSEC with ECMP

Tue Jul 20, 2021 1:20 pm

Hi Eric,
I was looking at this briefly. You can define multiple peers for a policy; I'm not sure if this will do ECMP, but it might be worth trying in a lab.
You could set up some CHR instances to test. If I get a chance to test this I will, and I'll share the results.
I've often found policy-based IPsec generally isn't too great when it comes to doing things like ECMP.
If you control both ends of the IPsec tunnel you could use IPIP or GRE tunnels with IPsec and do ECMP over these.
Hope this helps.
Cheers,
Mark
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Pure IPSEC with ECMP

Tue Jul 20, 2021 1:31 pm

I have an installation where I do a similar thing, except I have three ISP connections on both sides, not two. It is easy in my case because I have 4 routers on each side. And I am not sure you can do that with just one.
 
markmcn
Member Candidate
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Re: Pure IPSEC with ECMP

Tue Jul 20, 2021 2:01 pm

Hey Andriys,
Since you have 3 routers on each side, how do you manage routing between the subnets on each side?
Do they all aggregate into a LAN router which has 3 static routes for the same remote subnet, one for each IPsec router?
I'm just curious how you're managing the load sharing.
Cheers,
Mark
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Pure IPSEC with ECMP

Tue Jul 20, 2021 2:33 pm

Yes. On each side I have a dedicated edge device for each ISP line (those are three ASA boxes on one side and three RB4011 on the other). An IPsec tunnel is built between each pair of edge devices, three tunnels in total. All these tunnels share exactly the same policies (i.e. bridge exactly the same networks on each side). And then I have a CCR1009 on each side that does the routing.

(And then for one internal network I also have three LACP-aggregated EoIP tunnels, each routed over a specific IPsec tunnel.)
 
ericdriver
just joined
Topic Author
Posts: 15
Joined: Thu Aug 20, 2020 8:03 am

Re: Pure IPSEC with ECMP

Tue Jul 20, 2021 3:12 pm

> You can define multiple peers for a policy, I'm not sure if this will do ECMP but might be worth trying in a lab.

Hi Mark!
Could you give me an example or a link, please?
 
markmcn
Member Candidate
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Re: Pure IPSEC with ECMP

Tue Jul 20, 2021 5:01 pm

Hi Eric,
When defining the traffic policy in WinBox you can select 2 peers from the drop-down list.
In the General tab of New IPsec Policy you can see little arrows to the right of the drop-down list that allow you to select a second peer.
From the CLI it would be:
/ip ipsec policy> add peer=peer1,peer2 src-address=192.168.1.0/24 dst-address=192.168.2.0/24 protocol=all tunnel=yes action=encrypt level=require ipsec-protocols=esp proposal=default
Please note you'll need to change the source and destination address, proposal, etc. according to your setup.

Cheers,
Mark
 
markmcn
Member Candidate
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Re: Pure IPSEC with ECMP

Tue Jul 20, 2021 5:04 pm

Hey andriys,
Thanks for the clarification. I was just wondering if I had missed a useful trick somewhere when you mentioned your setup the first time.
Cheers,
Mark
 
markmcn
Member Candidate
Posts: 121
Joined: Wed Mar 03, 2010 2:15 am

Re: Pure IPSEC with ECMP

Wed Jul 21, 2021 12:54 am

Hi Eric,
So I've just tested setting 2 peers in the lab for the same policy; it didn't do load sharing as hoped.
At this stage I'd suggest using an IPIP tunnel (a tiny bit less overhead than GRE) with IPsec. That way you can put /30s on the tunnel interfaces and do ECMP that way.
Cheers,
Mark
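The approach Mark describes above (two IPIP tunnels, one per ISP, each protected by IPsec, with /30 addresses on the tunnels and an ECMP route over them), written out as an added example for the branch router. This is not configuration from the thread; all addresses, interface names and the pre-shared key placeholders are constructed, and the HQ side is assumed to mirror it with the local/remote addresses swapped. It uses the ipsec-secret parameter of /interface ipip, which makes RouterOS create the IPsec peer and policy for each tunnel automatically.

```routeros
# Added example (constructed addresses), not part of the original thread.
# Branch WAN addresses:  ISP1 198.51.100.10 (gw 198.51.100.1), ISP2 203.0.113.10 (gw 203.0.113.1)
# HQ WAN addresses:      ISP1 198.51.100.20,                  ISP2 203.0.113.20
# Branch LAN 10.10.10.0/24 (from the thread); tunnel /30s 10.255.0.0/30 and 10.255.0.4/30 are constructed.

# One IPIP tunnel per ISP. ipsec-secret makes RouterOS build the IPsec peer/policy
# for the tunnel endpoints, so the ESP protection is per-tunnel, not per-destination.
/interface ipip
add name=ipip-isp1 local-address=198.51.100.10 remote-address=198.51.100.20 \
    ipsec-secret=REPLACE_WITH_STRONG_PSK_ISP1 comment="IPIP over IPsec via ISP1"
add name=ipip-isp2 local-address=203.0.113.10 remote-address=203.0.113.20 \
    ipsec-secret=REPLACE_WITH_STRONG_PSK_ISP2 comment="IPIP over IPsec via ISP2"

# /30 on each tunnel; HQ uses .2 and .6 (assumption).
/ip address
add address=10.255.0.1/30 interface=ipip-isp1 comment="tunnel 1 p2p"
add address=10.255.0.5/30 interface=ipip-isp2 comment="tunnel 2 p2p"

# Host routes so each IPsec/IPIP endpoint is reached through its own ISP.
# These must be more specific than the default route that goes through the tunnels.
/ip route
add dst-address=198.51.100.20/32 gateway=198.51.100.1 comment="HQ endpoint via ISP1"
add dst-address=203.0.113.20/32 gateway=203.0.113.1 comment="HQ endpoint via ISP2"

# ECMP: one route with two gateways. check-gateway=ping drops a gateway from the
# ECMP set when the far side of that tunnel stops answering, giving failover as well.
add dst-address=0.0.0.0/0 gateway=10.255.0.2,10.255.0.6 check-gateway=ping \
    comment="everything from the branch goes over the two encrypted tunnels"

# Verification (run after both sides are configured):
#   /ip ipsec active-peers print        - one established peer per ISP
#   /ip ipsec installed-sa print        - ESP SAs for both tunnel endpoint pairs
#   /ip route print where dst-address=0.0.0.0/0   - the route shows both gateways as active
```

Two caveats worth keeping in mind with this design. First, RouterOS v6 ECMP spreads traffic per source/destination address pair (the routing cache is rebuilt periodically), so a single large flow is never split across both ISPs; the split is only roughly equal across many flows. Second, because the default route points into the tunnels, the only plaintext traffic leaving the WAN interfaces is the IKE/ESP exchange to the two HQ endpoints, which is what the original question asked for; make sure the /32 host routes exist before the default route is installed, otherwise the tunnels cannot establish.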
 
ericdriver
just joined
Topic Author
Posts: 15
Joined: Thu Aug 20, 2020 8:03 am

Re: Pure IPSEC with ECMP

Thu Jul 22, 2021 4:20 pm

> Hi Eric,
> So I've just tested setting 2 peers in the lab for the same policy it didn't do load sharing as hoped.
> At this stage I'd suggest using an IPIP tunnel (a tiny bit less overhead than GRE) with IPSec and that way you can put /30's on the tunnel interfaces and do ecmp that way
> Cheers
> Mark

Could you tell me when it is useful to set 2 peers for the same policy?
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Pure IPSEC with ECMP

Sat Jul 24, 2021 11:13 pm

> could you tell me when it is usefull to setting 2 peers for the same policy?

It may be useful for failover.
