timk
just joined
Topic Author
Posts: 14
Joined: Wed Sep 05, 2012 3:33 am

IPSec VTI

Tue Jun 09, 2015 4:14 pm

Please can IPSec VTI be considered for RouterOS v7?

The Linux kernel has had support since 2012:
http://git.kernel.org/cgit/linux/kernel ... c617c68059

I know the same can be done manually with IPSec+GRE but it is a huge deal with larger installs and one is more prone to making mistakes.

Cheers
 
nz_monkey
Forum Guru
Posts: 1968
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: IPSec VTI

Wed Jun 10, 2015 5:14 am

This has been requested countless times.

See http://forum.mikrotik.com/viewtopic.php?f=2&t=65734
Mikrotik MTCNA, MTCRE, MTCINE
http://thebrotherswisp.com/
 
timk
just joined
Topic Author
Posts: 14
Joined: Wed Sep 05, 2012 3:33 am

Re: IPSec VTI

Wed Jun 10, 2015 8:35 am

Thanks, I must have a bad memory, I had even posted in that thread! :shock:
 
aigarslv
just joined
Posts: 5
Joined: Mon May 25, 2015 11:24 pm

Re: IPSec VTI

Fri Jun 12, 2015 5:22 pm

I also would like to see this feature. Also it would be good to be able to create Virtual Interfaces in general (as you can in Linux) and not only for MetaRouters or KVM.
 
nz_monkey
Forum Guru
Posts: 1968
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: IPSec VTI

Mon Jun 15, 2015 1:16 pm

> Thanks, I must have a bad memory, I had even posted in that thread! :shock:

Ha ha.

Hopefully Mikrotik have not forgotten this request :)
Mikrotik MTCNA, MTCRE, MTCINE
http://thebrotherswisp.com/
 
Arcticfox
just joined
Posts: 19
Joined: Fri Mar 29, 2013 2:29 pm

Re: IPSec VTI

Fri Nov 15, 2019 8:40 pm

2019 AD, November 15, Strongswan have a stable implementation of VTI...
Request still pending.
 
valsily
just joined
Posts: 2
Joined: Mon Mar 21, 2011 1:09 pm

Re: IPSec VTI

Mon Nov 18, 2019 4:23 am

Bump. We need VTI support!
 
dnordenberg
Frequent Visitor
Posts: 86
Joined: Wed Feb 24, 2016 8:00 pm

Re: IPSec VTI

Mon Dec 02, 2019 8:18 pm

Yes, VTI support please. Policy tunneling is not very user-friendly to set up; I'd rather use traditional routing.
 
bluecrow76
newbie
Posts: 27
Joined: Wed Sep 13, 2006 11:55 pm

Re: IPSec VTI

Thu Apr 01, 2021 3:09 am

Not to mention that this would allow interop with many other router vendors' IPSEC VTI-based tunneling solutions.
 
mducharme
Trainer
Posts: 1474
Joined: Tue Jul 19, 2016 6:45 pm

Re: IPSec VTI

Thu Apr 01, 2021 3:13 am

> Not to mention that this would allow interop with many other router vendors' IPSEC VTI-based tunneling solutions.

They are adding VTI is my understanding. I think the issue probably is if they add it now, while RouterOS v6 is still being updated, it is much more work for them to manage both code bases because the RouterOS v7 ipsec code will diverge from the RouterOS v6 ipsec code making it a lot harder to keep the code bases in sync with the same fixes. So they are likely waiting until RouterOS v7 stable comes out before they add this, as at that point, they will no longer need to make updates to RouterOS v6 as frequently.
 
dnordenberg
Frequent Visitor
Posts: 86
Joined: Wed Feb 24, 2016 8:00 pm

Re: IPSec VTI

Thu Apr 01, 2021 9:05 am

> Not to mention that this would allow interop with many other router vendors' IPSEC VTI-based tunneling solutions.

Ehm, I could be wrong here, but my understanding is that VTIs are purely a local thing; the tunnel or other end does not know whether VTI is used or not at the opposite end. VTI should allow you to add a virtual interface in a hw/L2-like manner but will still only pass L3 traffic, just as the policies do. Policies vs VTI/routing is just cosmetic; both will do the same but in different configuration ways.
 
doneware
Trainer
Posts: 644
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: IPSec VTI

Tue May 18, 2021 3:20 pm

> > Not to mention that this would allow interop with many other router vendors' IPSEC VTI-based tunneling solutions.
>
> VTI should allow you to add a virtual interface in a hw/L2 like manner but will still only pass L3 traffic.

Yes and no. It also has to support multicast transport (for OSPF to work), which is not possible with policies.
Also, the encapsulation is different; consider the figure below.

[Attached figure: VTI.jpg]
#TR0359
