 
nz_monkey
Forum Guru
Topic Author
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Feature Request: IPSEC Improvements

Thu Sep 20, 2012 4:21 am

Hi All,

The current IPSEC implementation in RouterOS is very basic, to the point that for us it is unusable. Instead of selling a Mikrotik device or licence we sell a Juniper, Cisco or Fortinet device to terminate IPSEC.

The features I see that are missing, and would like Mikrotik to implement are:

XAuth - Extended Authentication
Allows for user/pass style authentication of IPSEC connections. This would allow RouterOS to be used as an access concentrator for "Road Warriors"

Mode-cfg
Allows access concentrator to specify various parameters for "Road Warrior" clients e.g. DNS and routes

VTI - Virtual Tunnel Interfaces
This has now been added to Linux so should be trivial for Mikrotik to support see http://www.spinics.net/lists/netdev/msg200673.html
Description: Virtual tunnel interface is a way to represent policy-based IPsec tunnels as virtual interfaces in Linux. This is similar to Cisco's VTI (virtual tunnel interface) and Juniper's representation of secure tunnel (st.xx). The advantage of representing an IPsec tunnel as an interface is that it is possible to plug IPsec tunnels into the routing protocol infrastructure of a router. Therefore it becomes possible to influence the packet path by toggling the link state of the tunnel or based on routing metrics.

I have seen all of these requested on the forums and wiki in the past, but IPSEC in RouterOS has changed very little in the past 3-4 years. It seems like Mikrotik has forgotten about IPSEC.

What are your thoughts on the RouterOS IPSEC implementation and what would you like to see changed ?

Would you buy more RouterOS devices/licences if these features were added ?
 
gregsowell
Member Candidate
Posts: 128
Joined: Tue Aug 28, 2007 1:24 am

Re: Feature Request: IPSEC Improvements

Thu Sep 20, 2012 4:47 am

Senior NZ has hit the nail on the head.

I will occasionally have a customer do an IPSec tunnel using a Mikrotik if it is the remote device, but seldom if it is the hub.
I've hit oddities that, despite every effort, I can't troubleshoot. Even the debugging messages aren't always enough... they can be somewhat lacking.

Cisco has always been my go-to due to stability and debug output. They have a vast array of features, but it really comes down to reliability.

I would LOVE to see some xauth come in also. The virtual tunnels are a welcome addition too.

I was under the impression that MTK sudo wrote their own IPSec implementation...have the packages out there not caught up yet?

With more stability I would run MTKs for tunneling all day, just not at this time.
 
gsloop
Member Candidate
Posts: 213
Joined: Wed Jan 04, 2012 11:34 pm

Re: Feature Request: IPSEC Improvements

Thu Sep 20, 2012 11:56 pm

IPSec policy match.
 
robertfranz
newbie
Posts: 37
Joined: Tue Apr 21, 2009 3:30 am

Re: Feature Request: IPSEC Improvements

Fri Sep 21, 2012 11:40 am

Hi All,


> Would you buy more RouterOS devices/licences if these features were added ?
Unfortunately - no.

It would be too little, too late.
After wrestling with MT bugs for 5 years, we opted to upgrade to Cisco end-to-end.

I am waiting on some additional hardware so I can complete the move of our servers from our old colo facility to our new data center.

Once that's done, the last Mikrotik will be smashed with a sledge hammer.

Until then, I'm stuck with an ipsec tunnel that drops on a regular basis.
 
nz_monkey
Forum Guru
Topic Author
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature Request: IPSEC Improvements

Fri Sep 21, 2012 12:02 pm

> After wrestling with MT bugs for 5 years, we opted to upgrade to Cisco end-to-end.
> Once that's done, the last Mikrotik will be smashed with a sledge hammer.
> Until then, I'm stuck with an ipsec tunnel that drops on a regular basis.

Ouch. That is sad to hear. We have had generally very good experiences with RouterOS; certainly we find no more bugs than we find on other vendors' platforms.

It is mainly the poor IPSEC support that causes us to use other products, and I still hold hope that one day soon Mikrotik will improve it.
 
grg
newbie
Posts: 44
Joined: Fri Aug 20, 2010 9:51 am
Location: Latvia

Re: Feature Request: IPSEC Improvements

Fri Sep 21, 2012 3:13 pm

Fully agree on this one.
 
rjickity
Member Candidate
Posts: 212
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: Feature Request: IPSEC Improvements

Fri Sep 21, 2012 4:13 pm

Yes absolutely.

VTI +1
XAuth +1
 
gregsowell
Member Candidate
Posts: 128
Joined: Tue Aug 28, 2007 1:24 am

Re: Feature Request: IPSEC Improvements

Thu Oct 18, 2012 4:07 pm

*Sigh* agreed. :(
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Feature Request: IPSEC Improvements

Fri Oct 19, 2012 12:38 pm

We do A LOT of IPSec site-to-site tunneling on Mikrotik, and I must say that I am happy. IPSec in Mikrotik just requires you to learn it and to do it by its rules :)

That said, Road Warrior has a lot of problems, and the features above would help out a lot. VTI would be awesome.
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Thu Apr 11, 2013 12:48 pm

We have added initial mode-cfg support in version v6rc13. If anyone wants to test and suggest other needed mode-cfg features.
 
nz_monkey
Forum Guru
Topic Author
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature Request: IPSEC Improvements

Thu Apr 11, 2013 2:39 pm

Thanks mrz

I will test tomorrow
 
nz_monkey
Forum Guru
Topic Author
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature Request: IPSEC Improvements

Fri Apr 12, 2013 1:27 am

Hi Maris,


Will the mode-cfg settings be added to Winbox ?
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Fri Apr 12, 2013 10:58 am

Yes, they will be added in winbox, but currently you should use console for configuration.
 
bitak
just joined
Posts: 8
Joined: Wed Feb 20, 2013 5:43 am

Re: Feature Request: IPSEC Improvements

Sun Apr 21, 2013 1:31 am

Has somebody figured out how to setup ipsec mode-cfg and Shrew Soft Client?

Also I would highly appreciate adding the following mode-cfg features (sorted by importance):
1) dns server address
2) domain
3) split-dns
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Mon Apr 22, 2013 10:57 am

DNS servers are sent automatically when mode-cfg is enabled. Later we will add a wiki article on how to use mode-cfg with the Shrew client.
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Fri May 10, 2013 1:11 pm

xauth and split tunnel examples are added in the wiki

http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf
 
nz_monkey
Forum Guru
Topic Author
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature Request: IPSEC Improvements

Fri May 10, 2013 1:17 pm

Hi Maris,

Thanks for all the hard work on the IPSEC improvements.

Can xauth use RADIUS ? And if so what attributes are relevant?
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Fri May 10, 2013 1:19 pm

Currently RADIUS support for xauth is not implemented.
 
nz_monkey
Forum Guru
Topic Author
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature Request: IPSEC Improvements

Mon May 13, 2013 1:18 am

> Currently RADIUS support for xauth is not implemented.

Hi Maris,

I know you guys are super busy, but any idea when this feature will be implemented ?

We will do some testing on the current implementation, but I would say xauth --> RADIUS is pretty important to anyone wanting to deploy RouterOS as an IPSEC concentrator.
 
MiKeDaDoC
just joined
Posts: 2
Joined: Fri May 24, 2013 5:14 pm
Location: Germany

Re: Feature Request: IPSEC Improvements

Fri May 24, 2013 5:23 pm

> xauth and split tunnel examples are added in the wiki
>
> http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf

In the wiki I think you mixed up IP ranges while creating the policy templates. SRC should be DST and vice versa.

Managed to get mode-cfg working with the Shrew client. Works like a charm for now (still in testing).
 
scampbell
Trainer
Posts: 487
Joined: Thu Jun 22, 2006 5:20 am
Location: Wellington, NZ

Re: Feature Request: IPSEC Improvements

Sun Jun 30, 2013 12:53 am

> We have added initial mode-cfg support in version v6rc13. If anyone wants to test and suggest other needed mode-cfg features.

Hmmm.... Wiki update may be required here as these commands are definitely not in RoS 5.0+ :-)
(attachment: ros5modeconf.JPG)
 
selric
just joined
Posts: 6
Joined: Tue Jul 23, 2013 3:05 pm

Re: Feature Request: IPSEC Improvements

Tue Jul 23, 2013 3:07 pm

Any progress on the VTI implementation as well?

I'm also using RouterOS and want to establish IPSEC with OSPF between FortiGate and Junipers in an easy way.
 
selric
just joined
Posts: 6
Joined: Tue Jul 23, 2013 3:05 pm

Re: Feature Request: IPSEC Improvements

Sat Oct 26, 2013 7:34 pm

Nothing new on the VTI suggestions in this thread?
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Mon Oct 28, 2013 11:35 am

If you want tunnel interface run ipsec in transport mode and ipip or gre over it.
 
afink
newbie
Posts: 34
Joined: Wed May 29, 2013 7:16 pm
Location: Basel & Freetown

Re: Feature Request: IPSEC Improvements

Fri Nov 01, 2013 2:47 pm

The current release 6.5 and also 6.6rc1 still have a _severe_ bug in ipsec.

In our case we try to set up a simple point-to-point tunnel between two Mikrotiks.
The profile matches, the policy has the two endpoints of the tunnel as source/destination (the outer IPs) and protocol=47 (which is GRE) defined. The result is the tunnel never establishes.

If you define the policy to use all protocols, then the tunnel establishes but node-to-node communication is then blocked (you cannot telnet from the outer IP to the other outer IP), and at key re-negotiation time the tunnel drops and stays off again.

This has been heavily broken since 6.1 and it stops us from buying another pile of 10Gbit Mikrotiks.
 
volga629
Frequent Visitor
Posts: 75
Joined: Tue Nov 19, 2013 6:21 am

Re: Feature Request: IPSEC Improvements

Sat Nov 23, 2013 5:33 am

VTI +1

There are a lot of cases where I need to run EoIP through ipsec, and other tunnels to supply OSPF for the router. A tunnel interface would simplify everything 100%. Hope this feature will be in RouterOS soon.
 
begemoti
just joined
Posts: 1
Joined: Fri May 31, 2013 4:19 pm

Re: Feature Request: IPSEC Improvements

Wed Feb 12, 2014 12:14 pm

+ VTI
 
nz_monkey
Forum Guru
Topic Author
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature Request: IPSEC Improvements

Wed Feb 12, 2014 12:43 pm

> If you want tunnel interface run ipsec in transport mode and ipip or gre over it.

Unfortunately this has low cross-vendor inter-op. VTI is common on Cisco, Fortigate, Juniper SSG, Juniper SRX, Palo Alto Networks, Vyatta.

Doing IPSEC+GRE or IPSEC+IPIP also has higher overheads, as well as more configuration steps than VTI.
 
_saik0
Member Candidate
Posts: 129
Joined: Sun Aug 26, 2007 11:18 pm

Re: Feature Request: IPSEC Improvements

Wed Mar 05, 2014 6:52 pm

VTI++

IPSec in transport mode with a tunnel upon it, almost impossible if you are dealing with dynamic IPs on all sites ...
 
timk
just joined
Posts: 14
Joined: Wed Sep 05, 2012 3:33 am

Re: Feature Request: IPSEC Improvements

Tue Mar 25, 2014 1:14 pm

Another vote for VTI here!
 
i4jordan
Frequent Visitor
Posts: 77
Joined: Mon Sep 02, 2013 1:42 am

Re: Feature Request: IPSEC Improvements

Tue Mar 25, 2014 1:46 pm

A good working and simple to setup ipsec VTI would stop us from selling (expensive) SonicWall SRA solutions.

The ipsec VTI should be working like an IPIP/GRE tunnel but then with ipsec security.

We now use IPIP or GRE tunnels with ipsec transport security.
This works but is not easy to set up, and especially GRE+ipsec has a huge performance penalty.

Please look also at: http://forum.mikrotik.com/viewtopic.php?f=1&t=81317

We also have asked for IKEv2 options on ipsec tunnels.
 
jollis
just joined
Posts: 4
Joined: Wed Jun 15, 2011 2:38 am

Re: Feature Request: IPSEC Improvements

Tue Mar 25, 2014 10:20 pm

has anyone come across a way to make IPSEC use multiple CPUs in routerOS?
 
i4jordan
Frequent Visitor
Posts: 77
Joined: Mon Sep 02, 2013 1:42 am

Re: Feature Request: IPSEC Improvements

Wed Mar 26, 2014 12:37 am

@jollis

No,
I also have seen that ipsec uses 1 CPU on my CCR1036 :(
So 1 CPU very busy, 35 doing almost nothing.
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Wed Mar 26, 2014 11:55 am

Maybe there is not enough traffic to utilize more than one core?
It works in my setup:

ros code

ipsec                     0         8.5%
ipsec                     1         1.5%
ipsec                     2           0%
ipsec                     3           0%
ipsec                     4        29.5%
ipsec                     8           0%
ipsec                     9           0%
ipsec                    12           1%
ipsec                    19         0.5%
ipsec                    20           0%
ipsec                    21           0%
ipsec                    23           1%
ipsec                    25         0.5%
ipsec                    27         0.5%
ipsec                    29         0.5%
ipsec                    30          24%
ipsec                    35           0%
 
megasohaib
just joined
Posts: 14
Joined: Tue Mar 25, 2014 11:33 am

Re: Feature Request: IPSEC Improvements

Sun Mar 30, 2014 2:30 pm

Hello Team, I hope you are all fine.

I have some problem with my IPsec VPN between multiple sites. My 5 sites are connected with the same ISP through MikroTik router IPsec tunnels. The sites are a, b, c, d, e. Site a is my head office and sites b, c, d, e are my clients (branches). All clients are connected to the head office (a) through ipsec tunnels and are working properly. But the problem is that (b) is not connected to (c, d, e), (c) is not connected to (b, d, e), (d) is not connected to (b, c, e) and (e) is not connected to (b, c, d). In other words, (b, c, d, e) are not connected to each other. All sites have different subnets.
Kindly give me some help with what I should do on my head office MikroTik router (a).

Although I added the subnets in the routes option on my branches, the issue is the same.


Regards
Sohaib
 
ziegenberg
Frequent Visitor
Posts: 53
Joined: Thu Mar 07, 2013 11:14 am
Location: Vienna

Re: Feature Request: IPSEC Improvements

Tue Mar 17, 2015 3:43 pm

I'm also strongly in for Radius enabled XAuth and VTI! So:

+1 XAuth with Radius
+1 VTI
 
bajodel
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Feature Request: IPSEC Improvements

Wed Mar 18, 2015 5:21 pm

+1 XAuth (radius)
+1 VTI
 
bjornpost
just joined
Posts: 19
Joined: Mon Feb 16, 2015 3:44 pm

Re: Feature Request: IPSEC Improvements

Wed Jun 17, 2015 2:35 pm

+1 on adding VTI support
 
cobusv
just joined
Posts: 8
Joined: Fri Sep 25, 2015 7:52 am

Re: Feature Request: IPSEC Improvements

Wed Sep 30, 2015 11:13 am

+1 on adding VTI support
 
cbabcock
just joined
Posts: 13
Joined: Sun Jun 21, 2015 10:27 pm

Re: Feature Request: IPSEC Improvements

Fri Oct 16, 2015 5:08 am

VTI +1
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Feature Request: IPSEC Improvements

Fri Oct 16, 2015 5:36 am

+1 for VTI

Until then, IPIP over IPSEC works very, very well for me.
 
bajodel
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Feature Request: IPSEC Improvements

Fri Oct 16, 2015 8:36 am

> Until then, IPIP over IPSEC works very, very well for me.

Agree, probably MT just needs to "put them together" and call it VTI :lol:
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature Request: IPSEC Improvements

Fri Oct 16, 2015 10:49 am

> Agree, probably MT just needs to "put them together" and call it VTI :lol:

Nope, that's a different beast. People also want VTI interoperability with other vendors.

Basically, what people usually call VTI is a semi-separate IPsec stack bound to a virtual interface (hence VTI = virtual tunnel interface). The VTI IPsec policies are always 0.0.0.0/0 -> 0.0.0.0/0 and (contrary to the classic policy-based IPsec) the traffic to encrypt is selected by routing (what's going out the tunnel interface) rather than by policy (because the VTI IPsec policy matches everything).
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Sat Oct 17, 2015 9:24 am

> Agree, probably MT just needs to "put them together" and call it VTI :lol:
> Nope, that's a different beast. People also want VTI interoperability with other vendors.
>
> Basically, what people usually call VTI is a semi-separate IPsec stack bound to a virtual interface (hence VTI = virtual tunnel interface). The VTI IPsec policies are always 0.0.0.0/0 -> 0.0.0.0/0 and (contrary to the classic policy-based IPsec) the traffic to encrypt is selected by routing (what's going out the tunnel interface) rather than by policy (because the VTI IPsec policy matches everything).

Isn't that just GRE over IPsec transport?
That can be very easily configured, especially when you have no special requirements for the IPsec parameters.
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature Request: IPSEC Improvements

Sat Oct 17, 2015 11:56 am

> Isn't that just GRE over IPsec transport?

The end result is similar in both cases (with the only exception that GRE+IPsec will lead to a slightly lower tunnel MTU compared to IPsec VTI); however GRE+IPsec will not interoperate with, for instance, Cisco VTI, some cloud providers and other VTI implementations. To my knowledge, what people often call VTI has never been standardized, but is nevertheless relatively widely used.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Sat Oct 17, 2015 5:46 pm

> The end result is similar in both cases (with the only exception that GRE+IPsec will lead to a slightly lower tunnel MTU compared to IPsec VTI); however GRE+IPsec will not interoperate with, for instance, Cisco VTI, some cloud providers and other VTI implementations. To my knowledge, what people often call VTI has never been standardized, but is nevertheless relatively widely used.

Ah, I thought that GRE over IPsec was a Cisco invention and quite often used in Cisco configs.
Apparently they have again switched to something else.

Of course when you configure IPsec policies and set the "tunnel" checkmark, what in fact happens is very similar to an IPIP tunnel, including the protocol value field.
I have never tested it, but I would not be surprised if an IPIP tunnel over IPsec transport were compatible with having that VTI on the other end.
It may be more difficult when the other end has automatic policies or strict policy checking.

Anyway, I remember the days when IPsec in Linux was implemented with separate virtual interfaces like ipsec0.
I also found this much more convenient and clearer e.g. when configuring iptables rules.
But, it was deprecated and then abandoned as happens so often in the Linux world. The developers have an opinion and all the users in the world have to follow it. Maybe it was done because Cisco (at that time) did it the same way.

As it is now, the way it works in a MikroTik is the way it works in Linux, and I can fully understand when MikroTik is not going to make changes so deeply in the system. Maybe it is better to first try to convince the Linux developers to change this, and then MikroTik probably will enable it in their RouterOS as well (as it then becomes just a config item, which is what their product is already doing).
 
nz_monkey
Forum Guru
Topic Author
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature Request: IPSEC Improvements

Sun Oct 18, 2015 8:32 am

pe1chl: ahh, Linux has had VTI support for quite a few years now. There are links above to the mailing list posts for the original commits. There is no real reason not to support it these days.
 
Srv02
just joined
Posts: 7
Joined: Fri Jul 04, 2014 3:50 pm

Re: Feature Request: IPSEC Improvements

Thu Jan 12, 2017 10:23 pm

VTI +2 (me and a friend of mine)
 
nz_monkey
Forum Guru
Topic Author
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature Request: IPSEC Improvements

Thu Jan 12, 2017 11:53 pm

Mikrotik have done an extensive amount of work on IPSEC in RouterOS recently, adding features like xauth, IKEv2 and RADIUS authentication.

Once development and bugfixing on these features has settled down, we will hopefully get VTI support :)
 
bedior
newbie
Posts: 41
Joined: Sat Jan 31, 2015 5:09 pm

Re: Feature Request: IPSEC Improvements

Fri Jan 13, 2017 4:57 pm

Is there the ability to configure an IKEv2 tunnel as a client to strongSwan in RouterOS 6.38?
 
ziegenberg
Frequent Visitor
Posts: 53
Joined: Thu Mar 07, 2013 11:14 am
Location: Vienna

Re: Feature Request: IPSEC Improvements

Fri Jan 13, 2017 5:16 pm

> Is there the ability to configure an IKEv2 tunnel as a client to strongSwan in RouterOS 6.38?

IKEv2 is in RouterOS 6.38
 
bedior
newbie
Posts: 41
Joined: Sat Jan 31, 2015 5:09 pm

Re: Feature Request: IPSEC Improvements

Fri Jan 13, 2017 6:02 pm

How do I configure it as a client?
 
ziegenberg
Frequent Visitor
Posts: 53
Joined: Thu Mar 07, 2013 11:14 am
Location: Vienna

Re: Feature Request: IPSEC Improvements

Fri Jan 13, 2017 6:07 pm

> How do I configure it as a client?

Are you talking about a roaming client or a site-to-site VPN? You can find all the necessary information here in the wiki.
 
bedior
newbie
Posts: 41
Joined: Sat Jan 31, 2015 5:09 pm

Re: Feature Request: IPSEC Improvements

Fri Jan 13, 2017 6:08 pm

About site-to-site
 
onnoossendrijver
Member
Posts: 486
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Feature Request: IPSEC Improvements

Wed May 17, 2017 2:44 pm

> VTI +2 (me and a friend of mine)

IPSec VTI +2 here also :)
 
zontor
just joined
Posts: 2
Joined: Fri Sep 22, 2017 12:36 pm

Re: Feature Request: IPSEC Improvements

Fri Sep 22, 2017 12:52 pm

IPSec VTI +1

Besides other advantages, it's the simplest way to create a non-split-tunnel ipsec VPN for some interfaces/networks of the router.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Fri Sep 22, 2017 2:30 pm

When you just need the VTI functionality and not the compatibility with another manufacturer's implementation, you can just use an IPIP or GRE tunnel over IPsec transport. It has the same advantages as VTI. And it is very easy to configure, at least when you have fixed external IP addresses. Just make a tunnel interface and enter the IPsec secret.
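The GRE-over-IPsec-transport workaround that mrz and pe1chl describe, written out as RouterOS v6 console commands for one side (an added example, not from the original thread or MikroTik's wiki; the public addresses, tunnel name, /30 endpoints and secret are constructed placeholders, and the far end mirrors the configuration with the addresses swapped). It also shows the point andriys makes about VTI: once the tunnel is an interface, routing rather than an IPsec policy decides what gets encrypted.

```routeros
# Site A (constructed example). Public addresses use documentation ranges:
# A = 203.0.113.1, B = 198.51.100.1. Site B runs the same commands with
# local-address/remote-address and the /30 endpoints swapped.

# 1. GRE tunnel interface. ipsec-secret makes RouterOS create a dynamic
#    IPsec peer and a transport-mode policy (protocol=gre) for this
#    tunnel, so no manual /ip ipsec peer or policy entries are needed.
/interface gre add name=gre-siteB local-address=203.0.113.1 \
    remote-address=198.51.100.1 ipsec-secret=REPLACE_WITH_LONG_RANDOM_PSK

# 2. Point-to-point address on the tunnel. From here on, what is routed
#    out gre-siteB is what gets encrypted; the dynamic policy only says
#    "GRE between these two endpoints", not which subnets.
/ip address add address=10.255.0.1/30 interface=gre-siteB

# 3. OSPF across the tunnel, so remote subnets are learned dynamically
#    instead of being enumerated in policies.
/routing ospf interface add interface=gre-siteB network-type=point-to-point
/routing ospf network add network=10.255.0.0/30 area=backbone

# 4. Input chain: accept IKE and ESP only from the peer, and GRE only
#    when it arrived inside IPsec (plaintext GRE from the peer address is
#    still dropped). Place these above the usual input drop rule.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 \
    src-address=198.51.100.1 action=accept comment="IKE from site B"
/ip firewall filter add chain=input protocol=ipsec-esp \
    src-address=198.51.100.1 action=accept comment="ESP from site B"
/ip firewall filter add chain=input protocol=gre src-address=198.51.100.1 \
    ipsec-policy=in,ipsec action=accept comment="GRE only if decrypted"

# 5. Verify: the dynamic policy (flag D) must show protocol=gre and
#    tunnel=no, SAs must be installed once both sides are up, and the
#    OSPF neighbour must reach Full over the tunnel.
/ip ipsec policy print
/ip ipsec installed-sa print
/routing ospf neighbor print
```

The dynamic peer created by ipsec-secret uses the default IPsec profile and proposal, so restrict those (/ip ipsec profile and /ip ipsec proposal) to the algorithms you actually want before relying on the tunnel.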
 
zontor
just joined
Posts: 2
Joined: Fri Sep 22, 2017 12:36 pm

Re: Feature Request: IPSEC Improvements

Fri Sep 22, 2017 4:13 pm

I've read about that. But at our main site we are using a FortiGate, and considering an increasing scenario with multiple VPNs to the main office, it will be simpler with VTI than managing several subnets just for GRE/IPIP.

As we use a proxy to access the web in the ipsec tunnel range, I can set the NAT rule to 0.0.0.0/0 to block the split tunnel, and the web access needed goes through the proxy. But a simple and compatible interface solution like VTI would be nice.
 
migacz
just joined
Posts: 1
Joined: Tue Aug 07, 2018 4:15 pm

Re: Feature Request: IPSEC Improvements

Tue Aug 07, 2018 4:16 pm

IPSec VTI +1
pls :?
 
TaBo
just joined
Posts: 2
Joined: Tue Apr 02, 2019 8:06 am

Re: Feature Request: IPSEC Improvements

Thu Jun 20, 2019 12:43 am

IPSec VTI +1
One of the useful features.
 
nicksniper2
just joined
Posts: 3
Joined: Tue Jul 09, 2019 8:23 pm

Re: Feature Request: IPSEC Improvements

Thu Jul 11, 2019 8:21 am

IPSec VTI +1
Sometimes you can't understand why your devices sell badly. The secret is very simple - you have no required (must have) functionality...
 
0daymaster
just joined
Posts: 6
Joined: Sat Jul 20, 2019 7:59 pm

Re: Feature Request: IPSEC Improvements

Sat Oct 19, 2019 4:54 pm

VTI++
 
nz_monkey
Forum Guru
Topic Author
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature Request: IPSEC Improvements

Tue Oct 22, 2019 6:56 am

Mikrotik support have stated in the past that they could not add IPSEC VTI support due to kernel limitations, and that they would reconsider once RouterOS v7 was out.

Well, v7 beta is now out.... Hopefully Mikrotik find the resources to add IPSEC VTI support. It is sorely missed from RouterOS and as you can see from this forum topic (and many others) it is widely requested.
 
valsily
just joined
Posts: 5
Joined: Mon Mar 21, 2011 1:09 pm

Re: Feature Request: IPSEC Improvements

Mon Nov 18, 2019 3:50 am

Add VTI support please.
 
0daymaster
just joined
Posts: 6
Joined: Sat Jul 20, 2019 7:59 pm

Re: Feature Request: IPSEC Improvements

Tue Dec 17, 2019 6:30 am

> If you want tunnel interface run ipsec in transport mode and ipip or gre over it.

GRE over IPsec transport doesn't work for the purpose of running OSPF with pfSense or Cisco on the other end.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Tue Dec 17, 2019 1:59 pm

Why not?? That should be no problem!
(of course assuming you can configure the other end to the same settings)
 
0daymaster
just joined
Posts: 6
Joined: Sat Jul 20, 2019 7:59 pm

Re: Feature Request: IPSEC Improvements

Thu Feb 20, 2020 5:25 am

> Why not?? That should be no problem!
> (of course assuming you can configure the other end to the same settings)

No clue. I've tried countless times to run OSPF over GRE between MikroTik and pfSense. Ultimately the routers will form full adjacencies but the routes never get installed in the routing table on the MikroTik end.
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Thu Feb 20, 2020 10:21 am

It works if you do not use IP unnumbered (at least on Cisco)
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature Request: IPSEC Improvements

Thu Feb 20, 2020 11:17 am

Can we have an automatic root certificate check so that public certificates (IKEv2) do not have to be manually imported into the store?

(attachment: cert.JPG)
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Request: IPSEC Improvements

Thu Feb 20, 2020 1:59 pm

That would require storing a large CA database on the router.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Thu Feb 20, 2020 2:15 pm

Of course it is standard that a certificate should be imported including all its signing certificates up to the root.
The fact that many client systems don't require it because they have their own cert store where they cache those certificates does not mean it is correct to import only your own cert.
(any SSL checking site on internet will point it out when you import only your own cert into your website and have it checked)

So it is not at all unusual that "all certificates" have to be imported, MikroTik or other system. It could be possible to have an optional package containing root certs and often-used 2nd level certs (like that Sectigo cert, the Letsencrypt cert, etc) but it would be only for convenience and should be optional as it requires storage that not everyone may want to waste on it.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature Request: IPSEC Improvements

Fri Feb 21, 2020 11:15 am

If the certificate database is big, even if it only has a selected number of root certificates, is it an idea to make the database "side-loadable" as a dedicated file? If it is present, the router can use/import the correct certificate and the user does not have to track down the right certificate.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request: IPSEC Improvements

Fri Feb 21, 2020 3:53 pm

First problem with certificate database is where to get it, there isn't one universally trusted, OS or browser manufacturers decide what CAs they include. I doubt that MikroTik would be interested in maintaining own list at same scale. Of course they could just use someone else's list (for example curl uses CAs from Mozilla). It's not prohibitively big, 220kB PEM could be even smaller in some different format. Although when imported to RouterOS (quick test with CHR), it currently takes ~600kB, which is probably too much to include by default, with just 16MB flash in so many devices.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Fri Feb 21, 2020 4:08 pm

That is what I mean, it could be an optional package.
But then:
- it will remain mostly unused (because of the cumbersome method to add optional packages to a router. there should be a selection list in the package menu to add an optional package with a couple of mouseclicks, but it is not there)
- it appears that MikroTik is backing out of the idea of having optional packages, in v7 most of the optional packages have been put in one single big package

Also note that the CAs from Mozilla would not be large enough of a list, it should be like the CAs included in Windows by default.
Certs like that Sectigo 2nd level cert are not in the Mozilla list, which mostly contains only trusted root certs. Windows includes such 2nd level certs as well.
(that is why sometimes certificate validation fails on Firefox and Linux when certs are incorrectly installed on websites, while Windows IE/Chrome has no problem at all)
 
ThomasLevering
just joined
Posts: 8
Joined: Mon Nov 14, 2016 8:38 am
Location: Germany

Re: Feature Request: IPSEC Improvements

Sat Feb 22, 2020 10:25 am

Here is a root certificate collection in PEM:

http://wiki.overbyte.eu/wiki/index.php/ ... oot_Stores

https://www.magsys.co.uk/download/softw ... undles.zip

apple.pem - 174 Certificates
google_aosp.pem - 137 Certificates
microsoft_windows.pem - 289 Certificates
mozilla_nss.pem - 137 Certificates
openjdk.pem - 88 Certificates
oracle_java.pem - 88 Certificates
 
akoznov
just joined
Posts: 12
Joined: Wed Sep 12, 2018 7:23 am

Re: Feature Request: IPSEC Improvements

Tue May 19, 2020 11:02 am

+1 for VTI
 
OlofL
Member Candidate
Posts: 113
Joined: Mon Oct 12, 2015 2:37 pm

Re: Feature Request: IPSEC Improvements

Wed May 20, 2020 12:33 pm

Guys calm down, first we need to finish openvpn over udp.
You need to wait another two decades until an alpha version of VTI is available.
 
Kamaz
Frequent Visitor
Posts: 62
Joined: Sun Apr 30, 2017 9:35 am

Re: Feature Request: IPSEC Improvements

Thu May 28, 2020 12:40 pm

VTI +1
XAuth +1
 
mytrix
just joined
Posts: 2
Joined: Mon Oct 23, 2017 12:30 pm

Re: Feature Request: IPSEC Improvements

Thu Jun 11, 2020 3:22 pm

Add VTI support please.
We have multiple IPsec tunnels with our partners, who use Cisco products, and the "patch" with a GRE tunnel is not possible, because they don't accept it.
 
ErikCarlseen
just joined
Posts: 5
Joined: Mon Jun 22, 2020 8:31 pm

Re: Feature Request: IPSEC Improvements

Thu Jun 25, 2020 2:45 am

+1 for VTI support, so that we can do dynamic routing against Cisco ASA clusters in datacenters.
 
techlord
Frequent Visitor
Posts: 58
Joined: Mon Nov 18, 2019 4:33 pm

Re: Feature Request: IPSEC Improvements

Thu Jun 25, 2020 11:31 pm

+1 to VTI because policy based ipsec is so limited....
 
alex32c
just joined
Posts: 19
Joined: Tue Apr 07, 2020 1:53 am

Re: Feature Request: IPSEC Improvements

Fri Jun 26, 2020 1:22 am

+1 for VTI
 
Mrdude
just joined
Posts: 24
Joined: Thu Mar 01, 2018 3:07 pm

Re: Feature Request: IPSEC Improvements

Fri Dec 11, 2020 12:06 pm

Yes, it should be implemented in the next update!

For version 7?
 
Mrdude
just joined
Posts: 24
Joined: Thu Mar 01, 2018 3:07 pm

Re: Feature Request: IPSEC Improvements

Sat Dec 12, 2020 7:57 pm

+1 for VTI
 
kehrlein
newbie
Posts: 48
Joined: Tue Jul 09, 2019 1:35 am

Re: Feature Request: IPSEC Improvements

Mon Dec 14, 2020 12:12 pm

VTI +1
and also +1 for an optional package with Root Certificates.
 
slvfibergarrett
just joined
Posts: 4
Joined: Mon Jan 04, 2021 7:24 am

Re: Feature Request: IPSEC Improvements

Mon Jan 04, 2021 7:30 am

+1, need VTI bad.
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Feature Request: IPSEC Improvements

Tue Jan 05, 2021 11:48 pm

With the prevalence of IKEv2 everywhere in the last few years, VTI is indeed a must-have now.

The fact that people have been asking in this topic for VTI for 8 years hopefully shows there is a substantial demand for it.
 
nz_monkey
Forum Guru
Topic Author
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Feature Request: IPSEC Improvements

Wed Jan 06, 2021 5:19 am

With the prevalence of IKEv2 everywhere in the last few years, VTI is indeed a must-have now.

The fact that people have been asking in this topic for VTI for 8 years hopefully shows there is a substantial demand for it.
Given how trivial it is to implement VTI now that they are running a 5.x Kernel in RouterOS v7beta I do not understand why it has not been delivered. It is certainly a lot less work than adding Wireguard or updating OpenVPN.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Wed Jan 06, 2021 12:13 pm

I guess most people requesting new features are not running beta versions...
(the v7beta is not really usable in production, like the v6 betas often would be)
 
Rossakiro
just joined
Posts: 2
Joined: Tue Mar 02, 2021 5:00 pm

Re: Feature Request: IPSEC Improvements

Tue Mar 02, 2021 5:06 pm

+1 to VTI support
 
bajodel
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Feature Request: IPSEC Improvements

Sun Mar 14, 2021 10:35 am

I've already asked for VTI support a couple of years ago, now I'm begging for VTI support at least on v7.
Every week (sometimes more often) I come across a situation in which I HAVE TO exclude Mikrotik because of the lack of VTI support.
Side note: the worst case being ending up switching an already deployed router/fw because of that!
Side effect: when something makes you waste time and money >> someone in the big chairs starts to push away from it.

Come on, it's just a matter of putting it on the 'to do' list and getting the job done. It's something people are asking for over and over.
Personally I really feel the lack of VTI and LAC(/LNS) support in MT every single day. Not to mention a really full IPv6 implementation with the proper tools.

There was a time in which MT was kind of the preferred choice for ISP/Wireless, then they started to focus more on core networking (CCR and so on), leaving wireless to suffer ..fine, I can deal with that. Now "Chateau and Kid Control" is the new direction? Poor us, I hope it's not.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Sun Mar 14, 2021 12:47 pm

You have to understand that when you are operating in a mixed-vendor environment it can happen any day that the other vendor comes up with something new and you cannot follow, and it is not reasonable to ask every vendor to track every other vendor's new features.
We have seen it with VTI, we have seen it with OpenVPN, we have seen it with other vpn-protocols-on-the-horizon (like wireguard).

When you need only the functionality of VTI, you can always use GRE/IPsec or IPIP/IPsec tunnels. When you need the real thing, you maybe need to buy the real thing.
I suppose the users of Cisco and Juniper routers are also whining in their user forums about why they don't get wireguard or OpenVPN on their boxes?
And does that have any effect on the developments?
 
bajodel
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Feature Request: IPSEC Improvements

Sun Mar 14, 2021 4:56 pm

I see your point, supporting everything is not feasible.
The main issue with VTI, as for many other things (LAC, IPv6 stuff, etc..), is that we can't wait another half decade to discover that those features are not going to be implemented. There is no (public) disclosure/planning with MT; we can't base our next device choices on just hopes.
..[cut].. I suppose the users of Cisco and Juniper routers are also whining ..[cut]..
I'm not really hearing their moaning here, they kind of have the privilege to dictate who is going to swap the device to get the job done. You know what I mean.

By the way, even in the scenario where you can get by with standard policy IPsec to interact with another vendor, you miss the versatility of a real interface. There are cases in which I had to deploy two boxes instead of one because of that; one to handle all the routing/natting/whatever, the other to talk to a Palo Alto IPsec end point (I haven't found a way to 1:1 NAT traffic coming from an external source, l2tp in my case, and make it good to enter the local IPsec policy).
The latter might be something interesting to discuss in another topic, ideas ?

Bye
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Sun Mar 14, 2021 8:52 pm

Well, as I already mentioned, there is IPIP over IPsec or GRE over IPsec, which both perform the same function as VTI (especially when IPsec is used in transport mode).
You get your separate interface, you get your trouble-free operation in a router that also does NAT, etc.
In fact Cisco itself was always promoting GRE/IPsec as the solution before they came up with their VTI.
I think even today most devices can do it (certainly Cisco IOS routers), the problem you are hitting is that the admin has standardized on VTI, only knows about VTI, or similar.
So when you tell them "hey I have this router that does not do VTI but it does GRE/IPsec, can we use that?", and you get the laughing reply that this must be a toy router and you should replace it, you know the other side does not know that much about the topic.

However I agree with you that it would be convenient when there would be some kind of roadmap that tells us what we can expect and in what kind of release timeframe.
As far as I understood at MUM events, this roadmap of course exists within MikroTik but the priorities are determined by what they hear from their sales people and dealers, not by what is reasonable to have from a technical viewpoint. That is especially apparent for IPv6: they claim that "nobody ever asks for it" and therefore there is no priority.
And that probably is correct when you ask salesmen and dealers, even when technicians would want to have it. Especially in the kind of market where MikroTik often operates.
 
LK7R
just joined
Posts: 2
Joined: Thu Aug 25, 2011 2:52 pm

Re: Feature Request: IPSEC Improvements

Mon Mar 29, 2021 10:30 am

Any news on this? VTI support, MikroTik? Pretty please?
 
volga629
Frequent Visitor
Posts: 75
Joined: Tue Nov 19, 2013 6:21 am

Re: Feature Request: IPSEC Improvements

Sat May 22, 2021 6:56 pm

It's 2021 and there are no updates on VTI; version 7 is still beta with no confirmed feature list or roadmap. We are being told to take out all CHR from cloud deployments, because of the lack of VTI IPsec for BGP interconnect, and replace them with VyOS. Based on testing, out of the box: VTI, DMVPN, BGP, zone-based firewall. Seems like MikroTik is heading for the cliff; the strategy is incorrect.
 
wispmikrotik
Member Candidate
Posts: 137
Joined: Tue Apr 25, 2017 10:43 am

Re: Feature Request: IPSEC Improvements

Sun Sep 12, 2021 6:49 pm

Any news from VTI?
 
LogicalNZ
Frequent Visitor
Posts: 59
Joined: Sat Oct 19, 2013 6:35 am
Location: New Zealand

Re: Feature Request: IPSEC Improvements

Thu Oct 28, 2021 5:20 pm

I guess another one for VTI? I thought MT said this would be implemented with V7? We are up to RC5 but still no sign of VTI? Can we please have an update of when we will see it. From reading the posts here, it is a game changer for many and is likely to mean more situations where we can use Tiks….
 
w4rh0und
Member Candidate
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Re: Feature Request: IPSEC Improvements

Thu Nov 11, 2021 11:15 am

+1 VTI
Policy based is a PIA for serious networks, also it is ancient as a design.
Adding IPSEC on top of a tunnel interface like GRE/IPIP is a huge overhead
Also it would help to use these VTI interfaces in FW rules lists.
Last edited by w4rh0und on Thu Nov 11, 2021 11:25 am, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Thu Nov 11, 2021 11:20 am

Adding IPSEC on top of a tunnel interface like GRE/IPIP is a huge overhead
That is incorrect! The overhead for IPIP/IPsec and "VTI" is exactly the same.
And using tunnels (IPIP or GRE) in combination with an autorouting protocol is much more versatile than having static IPsec tunnels, VTI or not.
$$$ routers require an additional protocol for that (e.g. NHRP) so when VTI is realized probably the whining for NHRP will start....
 
mikruser
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: Feature Request: IPSEC Improvements

Thu Nov 11, 2021 1:45 pm

The overhead for IPIP/IPsec and "VTI" is exactly the same.
IPsec test results for MT routers are shown for IPsec in tunnel mode
https://mikrotik.com/product/RB750Gr3#fndtn-testresults
https://mikrotik.com/product/RB3011UiAS ... estresults
https://mikrotik.com/product/hap_ac2#fndtn-testresults
https://mikrotik.com/product/CCR1009-7G ... estresults
and this was done for a reason:
if you add IPsec in transport mode to IPIP/GRE/EoIP tunnels, it leads to high performance degradation in MT routers:
viewtopic.php?t=97880&sid=9f43c91c0422f ... 15#p625029
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Thu Nov 11, 2021 3:22 pm

I exclusively use GRE/IPsec and I do not have that experience. It is likely due to EoIP, not to GRE (or IPIP) over IPsec.
In fact, "IPsec tunnel mode" internally is exactly the same as "IPIP over IPsec transport", except the way the "interesting traffic" is matched.
 
mikruser
Long time Member
Posts: 578
Joined: Wed Jan 16, 2013 6:28 pm

Re: Feature Request: IPSEC Improvements

Thu Nov 11, 2021 3:37 pm

I exclusively use GRE/IPsec and I do not have that experience.
Can you provide proof in the form of test results on a gigabit network? (gre+ipsec vs. pure ipsec tunnel mode, file copy throughput results and profile results)
 
azzurro
Frequent Visitor
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: Feature Request: IPSEC Improvements

Sun Jan 30, 2022 3:56 am

+1 for VTI!
On Fortigates I've been doing that for 10 years!
I gotta return my hEX and RB5009 as they can't interoperate with my Fortigates which are doing VTI. And even if they could, not having tunnel interfaces when connected to my Fortigates is a huge PITA, due to routing.
 
JoaoS
just joined
Posts: 9
Joined: Thu May 14, 2020 9:18 pm

Re: Feature Request: IPSEC Improvements

Fri Apr 08, 2022 4:38 pm

Hey guys.

I would also like to give my vote for Mikrotik to support VTI. Even though there are other technologies (GRE, IPIP), VTI is just as effective, widely used with IPsec and supported by many other vendors. It has been on the market for a long time; it is not something recent that should lack the deserved support.

I very much agree with the thinking of @bajodel and @pe1chl, both are right.
But there are more and more advances to the cloud, and today operating these cloud providers' IPsec VPNs with Mikrotik via Policy-Based is very bad.
These providers do not support GRE or IPIP.
If Mikrotik proposed having the CHR as their solution in the cloud/virtualization, it should have also thought about VTI.
Supporting this feature is very essential for us techs.
I would really like Mikrotik to take care of itself and place this as a strategy.
I see more and more of an advance towards VTI and more and more people, like cloud providers, not wanting to use another technology.

This time, I think Mikrotik is wrong in not paying attention.
 
almdandi
Frequent Visitor
Posts: 64
Joined: Sun May 03, 2015 5:22 pm

Re: Feature Request: IPSEC Improvements

Fri Apr 08, 2022 8:10 pm

+1 for VTI Support
 
mwisniewski
just joined
Posts: 2
Joined: Sun Jun 05, 2022 2:01 am

Re: Feature Request: IPSEC Improvements

Sun Jun 05, 2022 2:18 am

So I just registered to put a +1 on VTI. I have a very complex corporate network with all kinds of devices being used as routers - from VyOS and OpnSense virtual appliances (mostly in cloud) to heavy duty hardware routers like Sophos, Cisco and Juniper devices. All of them do have VTI and we are using that intensively to keep OSPF busy (and our route tables at least readable). Plain IPSEC policies are a pain with complex routers (100 VLANs on just a single premise, not all should be advertised by policy, some are overlapping with cooperants so we need a high level of granularity) and of course - we do have multipath failovers (leased gray fibers between premises, some traffic over BGP advertised public IPs). Writing policies for that is painful already. In case of deployment of our own hw router on cooperants' premises (some are harder to cooperate with on a technical level than others) we need a way to securely connect to at least three nodes (cloud and two main prems) to keep HA intact. For the very same reason we need a similar setup for all of the admins working remotely. OSPF with VTI solves 99% of our issues, but unfortunately MT does not support it. We had a very hard time with UniFi routing solutions, but rackmount equipment is not always possible or convenient.
Please, patch ROS6 to support VTI without hacks and workarounds.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Sun Jun 05, 2022 12:23 pm

I can almost guarantee that there never will be VTI in RouterOS v6!
We can only hope that it will become available in RouterOS v7.
In the meantime, consider using GRE or IPIP tunnels over IPsec transport, that provides an equivalent solution.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Mon Jun 06, 2022 11:13 am

Of course you have to know that VTI in fact is a trick, introduced by one router vendor and copied by some others.
There is a whole history behind that. It is much like requesting from all vendors that they implement proprietary protocol extensions made by Microsoft.
 
User avatar
barts
just joined
Posts: 8
Joined: Fri May 24, 2019 6:57 am

Re: Feature Request: IPSEC Improvements

Wed Jun 08, 2022 5:53 am

+1 for VTI Support
 
alv84
newbie
Posts: 34
Joined: Mon Dec 27, 2021 5:46 am

Re: Feature Request: IPSEC Improvements

Wed Jun 08, 2022 11:16 am

Hi everyone. VTI +100!
good day guys.
 
JoaoS
just joined
Posts: 9
Joined: Thu May 14, 2020 9:18 pm

Re: Feature Request: IPSEC Improvements

Thu Jun 09, 2022 10:32 pm

I can almost guarantee that there never will be VTI in RouterOS v6!
We can only hope that it will become available in RouterOS v7.
In the meantime, consider using GRE or IPIP tunnels over IPsec transport, that provides an equivalent solution.
Hi pe1chl.

I would like to congratulate your efforts in the community. I've seen your nickname several times on the forum.

Unfortunately we can't always use GRE with other players, either for support or technical preference.

This preference for the VTI is great, even though I know it's a trick.
I have four personal considerations why VTI is better than GRE\IPsec:

1 - Smaller payload, since it does not have GRE encapsulation;
2 - Less packet fragmentation problem - Automatic MTU calculation doesn't work because of ESP;
3 - Guarantee that the tunnel is always encrypted - With GRE, if IPsec fails, GRE continues to work without encryption;
4 - On some hardware I noticed that there is no hardware acceleration of ESP on top of GRE, missing an important benefit of the architecture.

One of the most important players are cloud providers. We cannot use the VPN structure of AWS, Azure, Google Cloud, Oracle cloud. None have GRE support.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Thu Jun 09, 2022 11:00 pm

I have a preference for GRE because it allows other payloads (IPv6) and supports multicast, but when you use IPIP over IPsec transport (that assumes you have no NAT) the overhead is the same as for plain IPsec tunnels or VTI. Most people do not know that a plain IPsec TUNNEL is much like IPIP over IPsec TRANSPORT.
(they are not inter-operable but the headers are basically the same)

With IPIP or GRE over IPsec you can manually set the MTU in the tunnel definition and use the usual TCP MSS clamping trick, so fragmentation is normally no problem.

To avoid unencrypted communication, you only need to configure your firewall correctly. Accept GRE with IPsec Policy "in:ipsec", reject other GRE.
(you can do the same on the output chain with IPsec Policy "out:ipsec")

I have never noticed the lack of acceleration, this is probably related more to the user setting stronger encryptions that are not accelerated on the particular hardware.
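The GRE-over-IPsec setup recommended in this reply (and again later in the thread as "make a GRE tunnel and enable IPsec security on it"), written out as an added RouterOS configuration example; this is not pe1chl's own config, and the interface name, addresses, subnets and secret placeholder are all assumed.

```routeros
# Added example, one end of a GRE-over-IPsec tunnel used as a VTI substitute.
# All names and addresses are constructed: this router 203.0.113.1, peer
# 198.51.100.2, tunnel subnet 10.255.0.0/30, remote LAN 192.168.20.0/24.

# 1. GRE tunnel with IPsec enabled on it. Setting ipsec-secret makes RouterOS
#    create the IPsec peer, identity and transport-mode policy itself.
#    The MTU is set explicitly in the tunnel definition, as described above.
/interface gre
add name=gre-siteB local-address=203.0.113.1 remote-address=198.51.100.2 \
    ipsec-secret="REPLACE-WITH-STRONG-PSK" mtu=1400

/ip address
add address=10.255.0.1/30 interface=gre-siteB

# 2. Input chain: let IKE and ESP from the peer in, then accept GRE only when
#    it was decrypted by IPsec. The plain-GRE drop is what prevents the tunnel
#    from silently carrying on unencrypted if IPsec fails.
#    Place these before any final "drop everything" rule.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=198.51.100.2 \
    action=accept comment="IKE / NAT-T from peer"
add chain=input protocol=ipsec-esp src-address=198.51.100.2 action=accept \
    comment="ESP from peer"
add chain=input protocol=gre ipsec-policy=in,ipsec action=accept \
    comment="GRE only after IPsec decryption"
add chain=input protocol=gre action=drop comment="drop plaintext GRE"
# Same check on the output chain so this router never sends GRE in clear.
add chain=output protocol=gre ipsec-policy=out,ipsec action=accept
add chain=output protocol=gre action=drop comment="never send plaintext GRE"

# 3. The usual TCP MSS clamping for traffic crossing the tunnel, so sessions
#    fit the 1400-byte tunnel MTU without fragmentation.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=gre-siteB \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes
add chain=forward protocol=tcp tcp-flags=syn in-interface=gre-siteB \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# 4. Because the tunnel is a real interface, routes (static here, or from a
#    dynamic routing protocol bound to gre-siteB) decide what goes through it,
#    instead of an IPsec policy selector.
/ip route
add dst-address=192.168.20.0/24 gateway=10.255.0.2
```

The peer router mirrors this with the addresses swapped; as noted earlier in the thread, transport mode assumes there is no NAT between the two GRE endpoints.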
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Feature Request: IPSEC Improvements

Thu Jun 09, 2022 11:15 pm

Of course you have to know that VTI in fact is a trick, introduced by one router vendor and copied by some others.
There is a whole history behind that. It is much like requesting from all vendors that they implement proprietary protocol extensions made by Microsoft.

I believe Sindy or Sob made a pretty good post about the history behind VTI, I just can't find it in the forums.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Feature Request: IPSEC Improvements

Fri Jun 10, 2022 12:36 am

I'll help you, it wasn't me, so you don't need to search through ~17k posts, only ~9k. ;)
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Fri Jun 10, 2022 10:33 am

Yes there was a recent link to the history of IPsec on Linux.
It isn't really about VTI, but it discusses the concept of having a separate virtual interface for a plain IPsec tunnel, instead of a matching policy that catches traffic between two specified subnets and invisibly encrypts it.
I think VTI includes some other changes that would make it incompatible even with that historic Linux IPsec implementation.

Furthermore I want to re-iterate that VTI is just one layer in the Cisco VPN architecture. I predict that when VTI finally arrives, people will realize that it is not complete and they need other proprietary protocols to be implemented on MikroTik as well, e.g. NHRP.
 
JoaoS
just joined
Posts: 9
Joined: Thu May 14, 2020 9:18 pm

Re: Feature Request: IPSEC Improvements

Fri Jun 10, 2022 2:53 pm

I would like to read this post about the history of the VTI. Not for discussion, to acquire knowledge. If you find it, I'll be very grateful.

If I find the post, I'll leave it here for everyone.



I know VTI is not RFC compliant and I know it's an elaborate trick. The packet payload remains encrypted and keeps the information secure. Whether I try to modify the design or not, the important thing is that the traffic data is safe. it's what I think.

I would like to say that the point here is not to discuss advantages of protocols. It's about dealing with other equipment and other professionals. This has already been discussed here. One finds the professional's technical limit and/or the limit of some equipment.

I think what makes it all more difficult is the silence of Mikrotik, in at least saying a yes, a maybe or a no on whether it will have support, and informing the reason.

I understand that direct suppliers are heard and there are not many requests, but it is very uncomfortable to see that there are requests for WireGuard, ZeroTier, and something that has been requested for longer is not mentioned.
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Feature Request: IPSEC Improvements

Fri Jun 10, 2022 4:39 pm

VTI is not exclusive to Cisco, many UTM vendors have used it for decades

I think it is the de facto standard in the security appliance industry

managing a router/firewall in which the IPsec tunnels are separate interfaces makes it easier to configure, manage and diagnose

MikroTik without VTI will be left behind in this market

Please do not make this VTI topic another episode of Linux vs the world
 
dnordenberg
Member Candidate
Posts: 126
Joined: Wed Feb 24, 2016 8:00 pm

Re: Feature Request: IPSEC Improvements

Fri Jul 22, 2022 1:22 pm

I do want VTI too as it is easier to understand the "standard" routing principles than the policy one. I think it will be easier to get an overview of what is happening in the device when IPsec behaves just like any other interface. Easier to set up firewall rules based on interfaces.

But those are just my points on it, what makes VTI a highly missed feature for others? I see dynamic routing mentioned here. More?

And why was the policy method even made up in the first place? I mean, IPsec is much newer than the "old school" interface based routing principles, and if the policy method is so limited, why was it chosen as the IPsec standard one?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Fri Jul 22, 2022 2:08 pm

I do want VTI too as it is easier to understand the "standard" routing principles than the policy one. I think it will be easier to get an overview of what is happening in the device when IPsec behaves just like any other interface. Easier to set up firewall rules based on interfaces.
As said many times before: when you want THAT, just make an IPIP or GRE tunnel and enable IPsec security on it. That does the same thing.
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Feature Request: IPSEC Improvements

Fri Jul 22, 2022 4:25 pm

I do want VTI too as it is easier to understand the "standard" routing principles than the policy one. I think it will be easier to get an overview of what is happening in the device when IPsec behaves just like any other interface. Easier to set up firewall rules based on interfaces.
As said many times before: when you want THAT, just make an IPIP or GRE tunnel and enable IPsec security on it. That does the same thing.
good luck passing across NAT

the advantage of IPsec is its well-known NAT traversal features
 
dnordenberg
Member Candidate
Posts: 126
Joined: Wed Feb 24, 2016 8:00 pm

Re: Feature Request: IPSEC Improvements

Fri Jul 22, 2022 6:48 pm

I do want VTI too as it is easier to understand the "standard" routing principles than the policy one. I think it will be easier to get an overview of what is happening in the device when IPsec behaves just like any other interface. Easier to set up firewall rules based on interfaces.
As said many times before: when you want THAT, just make an IPIP or GRE tunnel and enable IPsec security on it. That does the same thing.
Well, in my cases, most of the time I'm not in charge of the IPsec service in the other end so that argument falls flat at least for me :( Sorry I was not looking to hear people explaining how to solve this or that, my question would have been stated differently then...
I do use GRE and EoIP when I'm in charge of both ends.
 
dnordenberg
Member Candidate
Posts: 126
Joined: Wed Feb 24, 2016 8:00 pm

Re: Feature Request: IPSEC Improvements

Fri Jul 22, 2022 7:06 pm


As said many times before: when you want THAT, just make an IPIP or GRE tunnel and enable IPsec security on it. That does the same thing.
good luck passing across NAT

the advantage of IPsec is its well-known NAT traversal features
Some of these NAT unfriendly protocols can be used with IPsec with just a click on a checkbox and typing a passphrase in MT and now they are NAT compatible 😊
 
sajt
just joined
Posts: 6
Joined: Sun Mar 12, 2017 5:10 am

Re: Feature Request: IPSEC Improvements

Fri Aug 26, 2022 4:43 pm

Having wireguard is nice and all, but ipsec is still sadly the standard.

We still wish for vti, either in the form of linux kernel based virtual tunnel or xfrm interface.
Both are mature within the 5.x kernel versions that v7 routeros is based on.

So yeah +1 for vti.
 
nezu
just joined
Posts: 1
Joined: Sat Jun 12, 2021 4:47 am

Re: Feature Request: IPSEC Improvements

Wed Nov 09, 2022 2:06 am

+1 for VTI.
 
nwhisper
just joined
Posts: 1
Joined: Wed Jan 04, 2023 5:20 pm

Re: Feature Request: IPSEC Improvements

Thu Jan 19, 2023 10:45 am

+1 for VTI & XFRM
 
kargchris
just joined
Posts: 5
Joined: Mon Apr 23, 2018 3:26 pm

Re: Feature Request: IPSEC Improvements

Fri Jan 20, 2023 8:37 pm

+1 also for AES GCM 128 256 512 in phase 1 of IKE2
 
sirpkc
just joined
Posts: 2
Joined: Fri Jan 20, 2023 5:23 pm

Re: Feature Request: IPSEC Improvements

Sun Jan 22, 2023 10:16 am

+1 for VTI
 
gabacho4
Member
Posts: 329
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: Feature Request: IPSEC Improvements

Sun Jan 22, 2023 3:33 pm

+1 for AES GCM 128 256 512 in phase 1 of IKE2

AND

VTI
 
tpedko
just joined
Posts: 23
Joined: Wed May 22, 2019 9:58 am

Re: Feature Request: IPSEC Improvements

Tue Sep 19, 2023 1:09 pm

+1 for VTI
 
azzurro
Frequent Visitor
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: Feature Request: IPSEC Improvements

Tue Sep 19, 2023 1:14 pm

unsubscribing, since I do not even care anymore. moved back to fortigates because of this crap.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Tue Sep 19, 2023 5:17 pm

unsubscribing, since I do not even care anymore. moved back to fortigates because of this crap.
Useless to report that here. Report the number of units you planned to buy and have canceled to sales@mikrotik.com, then it may have an effect.
 
azzurro
Frequent Visitor
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: Feature Request: IPSEC Improvements

Tue Sep 19, 2023 5:26 pm

as I said, I do not care anymore. that amount of ignorance won't drive just me away.
MT is now switches for me and that's it (maybe L3 switches). certainly no firewall and certainly no ipsec endpoint.
both is hilariously cumbersome if one has ever worked with any kind of even entry level enterprise product.

and MT is too ignorant to make even the easiest changes and quality of life improvements (not talking about VTI there).

choose the right tool for the right job I'd say and MT devices have their spots, definitely. especially considering the price point.
but sometimes, not even the lowest price justifies that amount of PITA.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Feature Request: IPSEC Improvements

Tue Sep 19, 2023 5:59 pm

IPSEC improvement is here, it's called wireguard ;-P
 
azzurro
Frequent Visitor
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: Feature Request: IPSEC Improvements

Tue Sep 19, 2023 6:00 pm

IPSEC improvement is here, it's called wireguard ;-P
yea, sure ;)
 
floaty
Member
Posts: 314
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: Feature Request: IPSEC Improvements

Tue Sep 19, 2023 9:04 pm

sorry !? ... is this the right IPSec-VTI-supporters thread ??
.
don't wanna come under suspicion, that I am one of these rascals, who give their '+1' twice ...
:D
 
NetHorror
just joined
Posts: 21
Joined: Fri Dec 06, 2013 8:12 am

Re: Feature Request: IPSEC Improvements

Tue Feb 13, 2024 5:30 pm

Hello everyone. I am from the year 2050. The current version of ROS is 15.3.5, but there is still no VTI in it.
 
RiFF
newbie
Posts: 34
Joined: Sun Apr 29, 2018 9:35 pm

Re: Feature Request: IPSEC Improvements

Tue Feb 13, 2024 6:16 pm

:lol: . developing VTI on RouterOS is too difficult to exist in this Universe :D
 
WhileECoyote
just joined
Posts: 6
Joined: Fri Oct 13, 2023 8:25 pm

Re: Feature Request: IPSEC Improvements

Sun Feb 18, 2024 4:09 pm

+10*10³² for xfrm or at least vti ipsec tunnels
 
hsin
just joined
Posts: 3
Joined: Thu Mar 14, 2024 8:08 pm

Re: Feature Request: IPSEC Improvements

Thu Mar 14, 2024 8:19 pm

Hello Team, I hope you are all fine.

I have some problem with my IPsec VPN between multiple sites. My 5 sites are connected with the same ISP through MIKROTIK ROUTER IPSEC TUNNEL. Sites are a,b,c,d,e. Site a is my head office and sites b,c,d,e are my clients (branches). All clients are connected with head office (a) through an ipsec tunnel and working properly. But the problem is that (b) is not connected to (c,d,e) and (c) is not connected to (b,d,e) and (d) is not connected to (b,c,e) and (e) is not connected to (b,c,d). In other words, (b,c,d,e) are not connected to each other. All sites have different subnets.
Kindly give me some help on what I should do on my head office mikrotik router (a).

Although I added the subnets in the routes option of my branches, the issues are the same.


Regards
Sohaib


I had same problem and I need VTI!!
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Thu Mar 14, 2024 10:38 pm

You do not need VTI to solve that problem! Simple GRE/IPsec tunnels and automatic routing will do it.
 
mwisniewski
just joined
Posts: 2
Joined: Sun Jun 05, 2022 2:01 am

Re: Feature Request: IPSEC Improvements

Fri Mar 15, 2024 12:07 am

sorry @pe1chl but we don't need workarounds. we need a solution. "Simple" GRE/IPsec is not so simple. It tends to interfere with fasttrack (so you need additional raw rules), has reported issues with hardware offloading and in many cases is just incompatible with the remote endpoint. Everything needed is already in the kernel. At the moment I am just using software routers for links requiring VTI, but devices targeting enterprise should provide compatibility with widespread industry standards.
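What pe1chl's "GRE/IPsec plus automatic routing" workaround looks like for the hub-and-spoke case quoted above (branches reaching each other through head office "a"), as an added example that is not from any poster in the thread. It assumes RouterOS v7 syntax, static WAN addresses, and uses placeholder addresses, LAN prefixes, interface names and a placeholder secret; the fasttrack caveat from the reply above is left as a comment to verify, not solved here.

```routeros
# Hub "a" (head office). Added example, not from the thread; all addresses,
# names and the secret are placeholders. One GRE tunnel per branch; setting
# ipsec-secret makes RouterOS create the matching IPsec peer and policy.
/interface gre
add name=gre-b local-address=198.51.100.1 remote-address=203.0.113.2 \
    ipsec-secret=REPLACE_WITH_STRONG_SECRET
add name=gre-c local-address=198.51.100.1 remote-address=203.0.113.3 \
    ipsec-secret=REPLACE_WITH_STRONG_SECRET
# Group the tunnels so firewall rules can refer to them as one list.
/interface list
add name=gre-tunnels
/interface list member
add list=gre-tunnels interface=gre-b
add list=gre-tunnels interface=gre-c
# /30 point-to-point addressing on each tunnel.
/ip address
add address=10.255.0.1/30 interface=gre-b
add address=10.255.0.5/30 interface=gre-c
# OSPF: tunnels are active ptp links, the hub LAN is advertised passively,
# so each branch learns every other branch's LAN through the hub.
/routing ospf instance
add name=ospf-v2 version=2 router-id=10.255.255.1
/routing ospf area
add name=backbone area-id=0.0.0.0 instance=ospf-v2
/routing ospf interface-template
add area=backbone interfaces=gre-b type=ptp
add area=backbone interfaces=gre-c type=ptp
add area=backbone networks=192.168.1.0/24 passive=yes
# Accept OSPF from the tunnels and let branch-to-branch traffic transit the
# hub; place these above the default drop rules. If a fasttrack rule is in
# use, confirm tunnel traffic still traverses these rules (see caveat above).
/ip firewall filter
add chain=input protocol=ospf in-interface-list=gre-tunnels action=accept
add chain=forward in-interface-list=gre-tunnels \
    out-interface-list=gre-tunnels action=accept

# Branch "b": the mirror image of one hub tunnel (branches c, d, e repeat
# this with their own addresses, LAN prefix and router-id).
/interface gre
add name=gre-a local-address=203.0.113.2 remote-address=198.51.100.1 \
    ipsec-secret=REPLACE_WITH_STRONG_SECRET
/ip address
add address=10.255.0.2/30 interface=gre-a
/routing ospf instance
add name=ospf-v2 version=2 router-id=10.255.255.2
/routing ospf area
add name=backbone area-id=0.0.0.0 instance=ospf-v2
/routing ospf interface-template
add area=backbone interfaces=gre-a type=ptp
add area=backbone networks=192.168.2.0/24 passive=yes
```

After both sides are up, `/routing route print where ospf` on branch b should list branch c's LAN with the hub's tunnel address as gateway; if the IPsec peer never establishes, the branch LANs stay unreachable even though the GRE interface shows as running.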
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Fri Mar 15, 2024 10:30 am

hsin said "I have same problem" and what he quoted was a setup with MikroTik equipment.
When that wasn't his situation he should not have claimed he had "same problem".

Remember VTI is nothing magical. When there are issues with hardware acceleration, they will be present in VTI as well.
Sure it would be convenient when you could make a tunnel to others which only support VTI.
But MikroTik has indicated several times they are not going to do it. Their new toy is wireguard, also requested by many.
 
azzurro
Frequent Visitor
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: Feature Request: IPSEC Improvements

Fri Mar 15, 2024 10:53 am

just move to a different vendor. MikroTik only supporting policy-based IPsec VPN has shown itself to be beyond ridiculous.
 
hsin
just joined
Posts: 3
Joined: Thu Mar 14, 2024 8:08 pm

Re: Feature Request: IPSEC Improvements

Fri Mar 15, 2024 12:07 pm

I am evaluating various solutions, but it is surprising that MikroTik does not support VTI, which is widely used and easy to manage in the industry. I don't understand why MikroTik insists on not developing this feature, especially since it's an enterprise product.
 
azzurro
Frequent Visitor
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: Feature Request: IPSEC Improvements

Fri Mar 15, 2024 1:09 pm

I don't know, honestly. But their level of ignorance drove me away from MikroTik for anything edge-firewall which needs to do VPN stuff.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Feature Request: IPSEC Improvements

Fri Mar 15, 2024 2:03 pm

I am evaluating various solutions, but it is surprising that MikroTik does not support VTI, which is widely used and easy to manage in the industry. I don't understand why MikroTik insists on not developing this feature, especially since it's an enterprise product.
MikroTik is moving from the business market to the home market. Routers to be supplied by ISPs, maybe some devices used internally to ISPs.
"enterprise" has never really been their market, but "small and medium business" apparently is also going out of scope.

(we get wireguard, improved SMB, DLNA, etc. but not VTI, NHRP, etc)
 
azzurro
Frequent Visitor
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: Feature Request: IPSEC Improvements

Fri Mar 15, 2024 2:05 pm

at least, that's the message that they are sending. kind of. because not many home users or small businesses will need a 40G switch, especially when considering that the 40G train is kind of dead since 10/25/100/400G emerged.
 
hsin
just joined
Posts: 3
Joined: Thu Mar 14, 2024 8:08 pm

Re: Feature Request: IPSEC Improvements

Fri Mar 15, 2024 7:12 pm

Perhaps MikroTik is developing a consumer- and enterprise-grade mixed product, combining simple home-use functionality with the overly complex UI typical of enterprise products, for stress-testing their consumers. Based on my understanding, if transitioning to the SOHO or home market, it would be more appropriate to incorporate user-friendly technologies like VTI...
