nz_monkey
Forum Guru
Topic Author
Posts: 1821
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Feature Request: IPSEC Improvements

Thu Sep 20, 2012 4:21 am

Hi All,

The current IPSEC implementation in RouterOS is very basic, to the point that for us it is unusable. Instead of selling a Mikrotik device or licence we sell a Juniper, Cisco or Fortinet device to terminate IPSEC.

The features I see that are missing, and would like Mikrotik to implement are:

XAuth - Extended Authentication
Allows for user/pass style authentication of IPSEC connections. This would allow RouterOS to be used as an access concentrator for "Road Warriors"

Mode-cfg
Allows access concentrator to specify various parameters for "Road Warrior" clients e.g. DNS and routes

VTI - Virtual Tunnel Interfaces
This has now been added to Linux so should be trivial for Mikrotik to support see http://www.spinics.net/lists/netdev/msg200673.html
Description: Virtual tunnel interface is a way to represent policy based IPsec tunnels as virtual interfaces in Linux. This is similar to Cisco's VTI (virtual tunnel interface) and Juniper's representation of secure tunnel (st.xx). The advantage of representing an IPsec tunnel as an interface is that it is possible to plug IPsec tunnels into the routing protocol infrastructure of a router. Therefore it becomes possible to influence the packet path by toggling the link state of the tunnel or based on routing metrics.

I have seen all of these requested on the forums and wiki in the past, but IPSEC in RouterOS has changed very little in the past 3-4 years. It seems like Mikrotik has forgotten about IPSEC.

What are your thoughts on the RouterOS IPSEC implementation and what would you like to see changed ?

Would you buy more RouterOS devices/licences if these features were added ?
http://thebrotherswisp.com/ | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA
 
gregsowell
Member Candidate
Posts: 127
Joined: Tue Aug 28, 2007 1:24 am

Re: Feature Request: IPSEC Improvements

Thu Sep 20, 2012 4:47 am

Senior NZ has hit the nail on the head.

I will occasionally have a customer do an IPSec tunnel using a Mikrotik if it is the remote device, but seldom if it is the hub.
I've hit oddities that despite every effort I can't troubleshoot. Even the debugging messages aren't always enough... they can be somewhat lacking.

Cisco has always been my go-to due to stability and debug output. They have a vast array of features, but it really comes down to reliability.

I would LOVE to see some xauth come in also. The virtual tunnels are a welcome addition too.

I was under the impression that MTK sudo wrote their own IPSec implementation...have the packages out there not caught up yet?

With more stability I would run MTKs for tunneling all day, just not at this time.
Hit my blog for video tutorials of Mikrotik and Cacti.
Just so I look as cool as everyone else ->CCNA / CCNP / CCIE W / MCNA / MCRE / MCIE / Certified Trainer / A+ / N+ / Partridge in pear tree <- *sigh* I'll never know enough...
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: Feature Request: IPSEC Improvements

Thu Sep 20, 2012 11:56 pm

IPSec policy match.
- If I helped you solve your problem ... Karma is an appropriate gift! :) -
 
robertfranz
newbie
Posts: 37
Joined: Tue Apr 21, 2009 3:30 am

Re: Feature Request: IPSEC Improvements

Fri Sep 21, 2012 11:40 am

Hi All,

> Would you buy more RouterOS devices/licences if these features were added ?
Unfortunately - no.

It would be too little, too late.
After wrestling with MT bugs for 5 years, we opted to upgrade to Cisco end-to-end.

I am waiting on some additional hardware so I can complete the move of our servers from our old colo facility to our new data center.

Once that's done, the last Mikrotik will be smashed with a sledge hammer.

Until then, I'm stuck with an ipsec tunnel that drops on a regular basis.
 
nz_monkey
Forum Guru
Topic Author
Posts: 1821
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: Feature Request: IPSEC Improvements

Fri Sep 21, 2012 12:02 pm

> After wrestling with MT bugs for 5 years, we opted to upgrade to Cisco end-to-end.
> Once that's done, the last Mikrotik will be smashed with a sledge hammer.
> Until then, I'm stuck with an ipsec tunnel that drops on a regular basis.

Ouch. That is sad to hear. We have had generally very good experiences with RouterOS; certainly we find no more bugs than we find on other vendors' platforms.

It is mainly the poor IPSEC support that causes us to use other products, and I still hold hope that one day soon Mikrotik will improve it.
 
grg
newbie
Posts: 44
Joined: Fri Aug 20, 2010 9:51 am
Location: Latvia

Re: Feature Request: IPSEC Improvements

Fri Sep 21, 2012 3:13 pm

Fully agree on this one.
 
rjickity
Member Candidate
Posts: 212
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: Feature Request: IPSEC Improvements

Fri Sep 21, 2012 4:13 pm

Yes absolutely.

VTI +1
XAuth +1
 
gregsowell
Member Candidate
Posts: 127
Joined: Tue Aug 28, 2007 1:24 am

Re: Feature Request: IPSEC Improvements

Thu Oct 18, 2012 4:07 pm

*Sigh* agreed. :(
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Feature Request: IPSEC Improvements

Fri Oct 19, 2012 12:38 pm

We do A LOT of IPSec site-to-site tunneling on Mikrotik, and I must say that I am happy. IPSec in Mikrotik just requires you to learn it and to do it by its rules :)

That said, Road Warrior has a lot of problems, and the features above would help out a lot. VTI would be awesome.
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Thu Apr 11, 2013 12:48 pm

We have added initial mode-cfg support in version v6rc13. If anyone wants to test and suggest other needed mode-cfg features.
 
nz_monkey
Forum Guru
Topic Author
Posts: 1821
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: Feature Request: IPSEC Improvements

Thu Apr 11, 2013 2:39 pm

Thanks mrz

I will test tomorrow
 
nz_monkey
Forum Guru
Topic Author
Posts: 1821
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: Feature Request: IPSEC Improvements

Fri Apr 12, 2013 1:27 am

Hi Maris,

Will the mode-cfg settings be added to Winbox ?
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Fri Apr 12, 2013 10:58 am

Yes, they will be added in winbox, but currently you should use console for configuration.
 
bitak
just joined
Posts: 5
Joined: Wed Feb 20, 2013 5:43 am

Re: Feature Request: IPSEC Improvements

Sun Apr 21, 2013 1:31 am

Has somebody figured out how to set up IPsec mode-cfg with the Shrew Soft Client?

Also I would highly appreciate adding the following mode-cfg features (sorted by importance):
1) dns server address
2) domain
3) split-dns
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Mon Apr 22, 2013 10:57 am

DNS servers are sent automatically when mode-cfg is enabled. Later we will add a wiki article on how to use mode-cfg with the Shrew client.
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Fri May 10, 2013 1:11 pm

xauth and split tunnel examples have been added to the wiki

http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf
 
nz_monkey
Forum Guru
Topic Author
Posts: 1821
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: Feature Request: IPSEC Improvements

Fri May 10, 2013 1:17 pm

Hi Maris,

Thanks for all the hard work on the IPSEC improvements.

Can xauth use RADIUS ? And if so what attributes are relevant?
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Fri May 10, 2013 1:19 pm

Currently RADIUS support for xauth is not implemented.
 
nz_monkey
Forum Guru
Topic Author
Posts: 1821
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: Feature Request: IPSEC Improvements

Mon May 13, 2013 1:18 am

> Currently RADIUS support for xauth is not implemented.

Hi Maris,

I know you guys are super busy, but any idea when this feature will be implemented ?

We will do some testing on the current implementation, but I would say xauth --> RADIUS is pretty important to anyone wanting to deploy RouterOS as an IPSEC concentrator.
 
MiKeDaDoC
just joined
Posts: 2
Joined: Fri May 24, 2013 5:14 pm
Location: Germany

Re: Feature Request: IPSEC Improvements

Fri May 24, 2013 5:23 pm

> xauth and split tunnel examples are added in the wiki
>
> http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf

In the wiki I think you mixed up IP ranges while creating the policy templates. SRC should be DST and vice versa.

Managed to get mode-cfg working with the Shrew client. Works like a charm for now (still in testing).
 
scampbell
Trainer
Posts: 458
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: Feature Request: IPSEC Improvements

Sun Jun 30, 2013 12:53 am

> We have added initial mode-cfg support in version v6rc13. If anyone wants to test and suggest other needed mode-cfg features.

Hmmm.... Wiki update may be required here as these commands are definitely not in RoS 5.0+ :-)
[attachment: ros5modeconf.JPG]
 
selric
just joined
Posts: 6
Joined: Tue Jul 23, 2013 3:05 pm

Re: Feature Request: IPSEC Improvements

Tue Jul 23, 2013 3:07 pm

Any progress on the VTI implementation as well?

I'm also using RouterOS and want to establish IPsec with OSPF between FortiGate and Junipers in an easy way.
 
selric
just joined
Posts: 6
Joined: Tue Jul 23, 2013 3:05 pm

Re: Feature Request: IPSEC Improvements

Sat Oct 26, 2013 7:34 pm

Nothing new on the VTI suggestions in this thread?
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Mon Oct 28, 2013 11:35 am

If you want tunnel interface run ipsec in transport mode and ipip or gre over it.
 
afink
just joined
Posts: 11
Joined: Wed May 29, 2013 7:16 pm
Location: Basel & Reykjavik

Re: Feature Request: IPSEC Improvements

Fri Nov 01, 2013 2:47 pm

The current release 6.5 and also 6.6rc1 still have a _severe_ bug in IPsec.

In our case we try to set up a simple point-to-point tunnel between two MikroTiks.
The profile matches, the policy has the two endpoints of the tunnel as source/destination (the outer IPs) and protocol=47 (which is GRE) defined. The result is that the tunnel never establishes.

If you define the policy to use all protocols, then the tunnel establishes but the node-to-node communication is then blocked (you cannot telnet from the outer IP to the other outer IP) and at key re-negotiation time the tunnel drops and stays off again.

This is heavily broken since 6.1 and it stops us from buying another pile of 10Gbit MikroTiks.
 
volga629
newbie
Posts: 34
Joined: Tue Nov 19, 2013 6:21 am

Re: Feature Request: IPSEC Improvements

Sat Nov 23, 2013 5:33 am

VTI +1

There are a lot of cases where I need to run EoIP through IPsec and there are other tunnels to supply OSPF for the router. A tunnel interface would simplify everything 100%. Hope this feature will be in RouterOS soon.
 
begemoti
just joined
Posts: 1
Joined: Fri May 31, 2013 4:19 pm

Re: Feature Request: IPSEC Improvements

Wed Feb 12, 2014 12:14 pm

+ VTI
 
nz_monkey
Forum Guru
Topic Author
Posts: 1821
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: Feature Request: IPSEC Improvements

Wed Feb 12, 2014 12:43 pm

> If you want tunnel interface run ipsec in transport mode and ipip or gre over it.

Unfortunately this has low cross-vendor inter-op. VTI is common on Cisco, Fortigate, Juniper SSG, Juniper SRX, Palo Alto Networks, Vyatta.

Doing IPSEC+GRE or IPSEC+IPIP also has higher overheads, as well as more configuration steps than VTI.
 
_saik0
Member Candidate
Posts: 127
Joined: Sun Aug 26, 2007 11:18 pm

Re: Feature Request: IPSEC Improvements

Wed Mar 05, 2014 6:52 pm

VTI++

IPSec in transport mode with a tunnel upon it, almost impossible if you are dealing with dynamic IPs on all sites ...
 
timk
just joined
Posts: 14
Joined: Wed Sep 05, 2012 3:33 am

Re: Feature Request: IPSEC Improvements

Tue Mar 25, 2014 1:14 pm

Another vote for VTI here!
 
i4jordan
Frequent Visitor
Posts: 75
Joined: Mon Sep 02, 2013 1:42 am

Re: Feature Request: IPSEC Improvements

Tue Mar 25, 2014 1:46 pm

A good working and simple to setup ipsec VTI would stop us from selling (expensive) SonicWall SRA solutions.

The ipsec VTI should be working like an IPIP/GRE tunnel but then with ipsec security.

We now use IPIP or GRE tunnels with ipsec transport security.
This works but is not easy to set up, and especially GRE+ipsec has a huge performance penalty.

Please look also at: http://forum.mikrotik.com/viewtopic.php?f=1&t=81317

We also have asked for IKEv2 options on ipsec tunnels.
 
jollis
just joined
Posts: 4
Joined: Wed Jun 15, 2011 2:38 am

Re: Feature Request: IPSEC Improvements

Tue Mar 25, 2014 10:20 pm

Has anyone come across a way to make IPsec use multiple CPUs in RouterOS?
 
i4jordan
Frequent Visitor
Posts: 75
Joined: Mon Sep 02, 2013 1:42 am

Re: Feature Request: IPSEC Improvements

Wed Mar 26, 2014 12:37 am

@jollis

No,
I also have seen that ipsec uses 1 CPU on my CCR1036 :(
So 1 CPU very busy, 35 doing almost nothing.
 
mrz
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Wed Mar 26, 2014 11:55 am

Maybe there is not enough traffic to utilize more than one core?
It works in my setup:

ros code

ipsec                     0         8.5%
ipsec                     1         1.5%
ipsec                     2           0%
ipsec                     3           0%
ipsec                     4        29.5%
ipsec                     8           0%
ipsec                     9           0%
ipsec                    12           1%
ipsec                    19         0.5%
ipsec                    20           0%
ipsec                    21           0%
ipsec                    23           1%
ipsec                    25         0.5%
ipsec                    27         0.5%
ipsec                    29         0.5%
ipsec                    30          24%
ipsec                    35           0%
 
megasohaib
just joined
Posts: 14
Joined: Tue Mar 25, 2014 11:33 am

Re: Feature Request: IPSEC Improvements

Sun Mar 30, 2014 2:30 pm

Hello Team, I hope you are all fine.

I have a problem with my IPsec VPN between multiple sites. My 5 sites are connected via the same ISP through MikroTik router IPsec tunnels. The sites are a, b, c, d, e. Site a is my head office and sites b, c, d, e are my clients (branches). All clients are connected to the head office (a) through IPsec tunnels and working properly. But the problem is that (b) is not connected to (c, d, e), (c) is not connected to (b, d, e), (d) is not connected to (b, c, e) and (e) is not connected to (b, c, d). In other words, (b, c, d, e) are not connected to each other. All sites have different subnets.
Kindly give me some help on what I should do on my head office MikroTik router (a).

Although I added the subnets in the routes option of my branches, the issue is the same.

Regards
Sohaib
 
ziegenberg
Frequent Visitor
Posts: 52
Joined: Thu Mar 07, 2013 11:14 am
Location: Vienna

Re: Feature Request: IPSEC Improvements

Tue Mar 17, 2015 3:43 pm

I'm also strongly in for Radius enabled XAuth and VTI! So:

+1 XAuth with Radius
+1 VTI
 
bajodel
Long time Member
Posts: 545
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Feature Request: IPSEC Improvements

Wed Mar 18, 2015 5:21 pm

+1 XAuth (radius)
+1 VTI
 
bjornpost
just joined
Posts: 19
Joined: Mon Feb 16, 2015 3:44 pm

Re: Feature Request: IPSEC Improvements

Wed Jun 17, 2015 2:35 pm

+1 on adding VTI support
 
cobusv
just joined
Posts: 3
Joined: Fri Sep 25, 2015 7:52 am

Re: Feature Request: IPSEC Improvements

Wed Sep 30, 2015 11:13 am

+1 on adding VTI support
 
cbabcock
just joined
Posts: 13
Joined: Sun Jun 21, 2015 10:27 pm

Re: Feature Request: IPSEC Improvements

Fri Oct 16, 2015 5:08 am

VTI +1
 
chechito
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Feature Request: IPSEC Improvements

Fri Oct 16, 2015 5:36 am

+1 for VTI

until then IPIP over IPsec works very, very well for me
 
bajodel
Long time Member
Posts: 545
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Feature Request: IPSEC Improvements

Fri Oct 16, 2015 8:36 am

> until then IPIP over IPsec works very, very well for me

agree, probably MT just need to "put them together" and call it VTI :lol:
 
andriys
Forum Guru
Posts: 1187
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature Request: IPSEC Improvements

Fri Oct 16, 2015 10:49 am

> agree, probably MT just need to "put them together" and call it VTI :lol:

Nope, that's a different beast. People also want VTI interoperability with other vendors.

Basically, what people usually call VTI is a semi-separate IPsec stack bound to a virtual interface (hence VTI = virtual tunnel interface). The VTI IPsec policies are always 0.0.0.0/0 -> 0.0.0.0/0 and (contrary to the classic policy-based IPsec) the traffic to encrypt is selected by routing (what's going out the tunnel interface) rather than by policy (because the VTI IPsec policy matches everything).
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Sat Oct 17, 2015 9:24 am

> agree, probably MT just need to "put them together" and call it VTI :lol:
>
> Nope, that's a different beast. People also want VTI interoperability with other vendors.
>
> Basically, what people usually call VTI is a semi-separate IPsec stack bound to a virtual interface (hence VTI = virtual tunnel interface). The VTI IPsec policies are always 0.0.0.0/0 -> 0.0.0.0/0 and (contrary to the classic policy-based IPsec) the traffic to encrypt is selected by routing (what's going out the tunnel interface) rather than by policy (because the VTI IPsec policy matches everything).

Isn't that just GRE over IPsec transport?
That can be very easily configured, especially when you have no special requirements for the IPsec parameters.
 
andriys
Forum Guru
Posts: 1187
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature Request: IPSEC Improvements

Sat Oct 17, 2015 11:56 am

> Isn't that just GRE over IPsec transport?

The end result is similar in both cases (with the only exception that GRE+IPsec will lead to a slightly lower tunnel MTU as compared to IPsec VTI), however GRE+IPsec will not interoperate with, for instance, Cisco VTI, some cloud providers and other VTI implementations. To my knowledge, what people often call VTI has never been standardized, but it is still relatively widely used nevertheless.
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Sat Oct 17, 2015 5:46 pm

> The end result is similar in both cases (with the only exception that GRE+IPsec will lead to a slightly lower tunnel MTU as compared to IPsec VTI), however GRE+IPsec will not interoperate with, for instance, Cisco VTI, some cloud providers and other VTI implementations. To my knowledge, what people often call VTI has never been standardized, but it is still relatively widely used nevertheless.

Ah, I thought that GRE over IPsec was a Cisco invention and quite often used in Cisco configs.
Apparently they have again switched to something else.

Of course when you configure IPsec policies and set the "tunnel" checkmark, what in fact happens is very similar to an IPIP tunnel, including the protocol value field.
I have never tested it, but I would not be surprised if an IPIP tunnel over IPsec transport would be compatible with having that VTI on the other end.
It may be more difficult when the other end has automatic policies or strict policy checking.

Anyway, I remember the days when IPsec in Linux was implemented with separate virtual interfaces like ipsec0.
I also found this much more convenient and clearer e.g. when configuring iptables rules.
But, it was deprecated and then abandoned as happens so often in the Linux world. The developers have an opinion and all the users in the world have to follow it. Maybe it was done because Cisco (at that time) did it the same way.

As it is now, the way it works in a MikroTik is the way it works in Linux, and I can fully understand when MikroTik is not going to make changes so deeply in the system. Maybe it is better to first try to convince the Linux developers to change this, and then MikroTik probably will enable it in their RouterOS as well (as it then becomes just a config item, which is what their product is already doing).
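To put numbers on the MTU and overhead points raised in this and the preceding replies (GRE+IPsec costs a few bytes more than VTI; IPIP over transport mode produces the same wire format as ESP tunnel mode), here is an added Python example that is not from the thread or from MikroTik. It assumes IPv4 inside and out, ESP with the two cipher profiles named in its table (AES-128-CBC + HMAC-SHA1-96 by default), and the encapsulation names are its own.

```python
# Per-packet overhead and resulting tunnel MTU for the tunnel designs discussed
# in the thread. Constructed example; cipher parameters come from the ESP RFCs
# (RFC 4303 framing, RFC 3602 AES-CBC, RFC 4106 AES-GCM), not from RouterOS.

IPV4_HDR = 20      # IPv4 header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the encrypted part
GRE_HDR = 4        # GRE header with no key/checksum/sequence options
GRE_KEY = 4        # extra bytes when a GRE key is configured

# cipher profile -> (IV length, alignment of plaintext+pad+trailer, ICV length)
CIPHERS = {
    "aes-128-cbc/sha1": (16, 16, 12),   # CBC: IV = block = 16, HMAC-SHA1-96 ICV = 12
    "aes-128-gcm": (8, 4, 16),          # GCM: 8-byte IV, 4-byte alignment, 16-byte ICV
}

# Bytes ESP carries as plaintext in addition to the inner IP packet:
#   vti            ESP tunnel mode: the inner IP packet is the whole ESP payload
#   ipip-transport IPIP interface + transport-mode policy on protocol 4: the IPIP
#                  delivery header becomes the clear outer header, so ESP again
#                  carries only the inner IP packet (same wire format as vti)
#   gre-transport  GRE interface + transport-mode policy on protocol 47
#   gre-tunnel     GRE interface + tunnel-mode policy: the GRE delivery IP header
#                  is encrypted as well, so a second IP header sits inside ESP
ENCAP_EXTRA = {
    "vti": 0,
    "ipip-transport": 0,
    "gre-transport": GRE_HDR,
    "gre-tunnel": IPV4_HDR + GRE_HDR,
}


def _extra(encap: str, gre_key: bool) -> int:
    """Plaintext bytes added by the encapsulation, including an optional GRE key."""
    return ENCAP_EXTRA[encap] + (GRE_KEY if gre_key and "gre" in encap else 0)


def esp_padding(plaintext_len: int, align: int) -> int:
    """Padding ESP must add so that plaintext + pad + trailer is block-aligned."""
    return (-(plaintext_len + ESP_TRAILER)) % align


def wire_size(inner_len: int, encap: str, cipher: str = "aes-128-cbc/sha1",
              gre_key: bool = False) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    iv, align, icv = CIPHERS[cipher]
    plaintext = _extra(encap, gre_key) + inner_len
    return (IPV4_HDR + ESP_HDR + iv + plaintext
            + esp_padding(plaintext, align) + ESP_TRAILER + icv)


def tunnel_mtu(outer_mtu: int, encap: str, cipher: str = "aes-128-cbc/sha1",
               gre_key: bool = False) -> int:
    """Largest inner IP packet that fits in outer_mtu without fragmentation."""
    iv, align, icv = CIPHERS[cipher]
    room = outer_mtu - (IPV4_HDR + ESP_HDR + iv + icv)  # for plaintext+pad+trailer
    room -= room % align                                 # whole blocks only
    return room - ESP_TRAILER - _extra(encap, gre_key)


def overhead_table(outer_mtu: int = 1500, cipher: str = "aes-128-cbc/sha1") -> dict:
    """Tunnel MTU per encapsulation, for comparing the designs side by side."""
    return {encap: tunnel_mtu(outer_mtu, encap, cipher) for encap in ENCAP_EXTRA}


if __name__ == "__main__":
    for cipher in CIPHERS:
        print(cipher)
        for encap, mtu in overhead_table(1500, cipher).items():
            print(f"  {encap:15s} tunnel MTU {mtu:4d}   1400-byte packet -> "
                  f"{wire_size(1400, encap, cipher)} bytes on the wire")
```

With the default profile and a 1500-byte uplink this gives 1438 for vti and ipip-transport, 1434 for gre-transport and 1414 for gre-tunnel, which is the size of the difference being argued about.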
 
nz_monkey
Forum Guru
Topic Author
Posts: 1821
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: Feature Request: IPSEC Improvements

Sun Oct 18, 2015 8:32 am

pe1chl: ahh, Linux has had VTI support for quite a few years now. There are links above to the mailing list posts for the original commits. There is no real reason not to support it these days.
 
Srv02
just joined
Posts: 6
Joined: Fri Jul 04, 2014 3:50 pm

Re: Feature Request: IPSEC Improvements

Thu Jan 12, 2017 10:23 pm

VTI +2 (me and a friend of mine)
 
nz_monkey
Forum Guru
Topic Author
Posts: 1821
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: Feature Request: IPSEC Improvements

Thu Jan 12, 2017 11:53 pm

Mikrotik have done an extensive amount of work on IPSEC in RouterOS recently, adding features like xauth, IKEv2 and RADIUS authentication.

Once development and bugfixing on these features has settled down, we will hopefully get VTI support :)
 
bedior
newbie
Posts: 39
Joined: Sat Jan 31, 2015 5:09 pm

Re: Feature Request: IPSEC Improvements

Fri Jan 13, 2017 4:57 pm

Is there the ability to configure an IKEv2 tunnel as a client to Strongswan in RouterOS 6.38?
 
ziegenberg
Frequent Visitor
Posts: 52
Joined: Thu Mar 07, 2013 11:14 am
Location: Vienna

Re: Feature Request: IPSEC Improvements

Fri Jan 13, 2017 5:16 pm

> Is there the ability to configure an IKEv2 tunnel as a client to Strongswan in RouterOS 6.38?

IKEv2 is in RouterOS 6.38
 
bedior
newbie
Posts: 39
Joined: Sat Jan 31, 2015 5:09 pm

Re: Feature Request: IPSEC Improvements

Fri Jan 13, 2017 6:02 pm

How do I configure it as a client?
 
ziegenberg
Frequent Visitor
Posts: 52
Joined: Thu Mar 07, 2013 11:14 am
Location: Vienna

Re: Feature Request: IPSEC Improvements

Fri Jan 13, 2017 6:07 pm

> How do I configure it as a client?

Are you talking about a roaming client or a site-to-site VPN? You can find all the necessary information here in the wiki.
 
bedior
newbie
Posts: 39
Joined: Sat Jan 31, 2015 5:09 pm

Re: Feature Request: IPSEC Improvements

Fri Jan 13, 2017 6:08 pm

About site-to-site
 
onnoossendrijver
Member
Posts: 418
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Feature Request: IPSEC Improvements

Wed May 17, 2017 2:44 pm

> VTI +2 (me and a friend of mine)

IPSec VTI +2 here also :)
Linux/network engineer: ITIL, LPI1, CCNA R+S, CCNP R+S, JNCIA, JNCIS-SEC
 
zontor
just joined
Posts: 2
Joined: Fri Sep 22, 2017 12:36 pm

Re: Feature Request: IPSEC Improvements

Fri Sep 22, 2017 12:52 pm

IPSec VTI +1

beside other advantages it's the simplest way to create non-split tunnel ipsec vpn for some interfaces/networks of the router
 
pe1chl
Forum Guru
Posts: 5928
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Fri Sep 22, 2017 2:30 pm

When you just need the VTI functionality and not the compatibility with another manufacturer's implementation, you can just use an IPIP or GRE tunnel over IPsec transport. It has the same advantages as VTI. And it is very easy to configure, at least when you have fixed external IP addresses. Just make a tunnel interface and enter the IPsec secret.
 
zontor
just joined
Posts: 2
Joined: Fri Sep 22, 2017 12:36 pm

Re: Feature Request: IPSEC Improvements

Fri Sep 22, 2017 4:13 pm

I've read about that. But at our main site we are using a FortiGate and, considering a growing scenario with multiple VPNs to the main office, it will be simpler with VTI than managing several subnets just for GRE/IPIP.

As we use a proxy to access the web in the IPsec tunnel range, I can set the NAT rule to 0.0.0.0/0 to block the split tunnel and the needed web access goes through the proxy. But a simple and compatible interface solution like VTI would be nice.
 
migacz
just joined
Posts: 1
Joined: Tue Aug 07, 2018 4:15 pm

Re: Feature Request: IPSEC Improvements

Tue Aug 07, 2018 4:16 pm

IPSec VTI +1
pls :?
 
TaBo
just joined
Posts: 2
Joined: Tue Apr 02, 2019 8:06 am

Re: Feature Request: IPSEC Improvements

Thu Jun 20, 2019 12:43 am

IPSec VTI +1
One of the useful features
 
nicksniper2
just joined
Posts: 2
Joined: Tue Jul 09, 2019 8:23 pm

Re: Feature Request: IPSEC Improvements

Thu Jul 11, 2019 8:21 am

IPSec VTI +1
Sometimes you can't understand why your devices sell badly. The secret is very simple - you have no required (must have) functionality...
 
0daymaster
just joined
Posts: 2
Joined: Sat Jul 20, 2019 7:59 pm

Re: Feature Request: IPSEC Improvements

Sat Oct 19, 2019 4:54 pm

VTI++
 
nz_monkey
Forum Guru
Topic Author
Posts: 1821
Joined: Mon Jan 14, 2008 1:53 pm
Location: Straya

Re: Feature Request: IPSEC Improvements

Tue Oct 22, 2019 6:56 am

Mikrotik support have stated in the past that they could not add IPSEC VTI support due to kernel limitations, and that they would reconsider once RouterOS v7 was out.

Well, v7 beta is now out.... Hopefully Mikrotik find the resources to add IPSEC VTI support. It is sorely missed from RouterOS and as you can see from this forum topic (and many others) it is widely requested.
 
valsily
just joined
Posts: 2
Joined: Mon Mar 21, 2011 1:09 pm

Re: Feature Request: IPSEC Improvements

Mon Nov 18, 2019 3:50 am

Add VTI support please.
