 
Vasko
just joined
Topic Author
Posts: 8
Joined: Fri Jul 02, 2021 1:24 am

Question regarding IKEv2/IPSEC route based

Sat May 21, 2022 4:00 am

Hello Guys,

I would like to establish a route-based IKEv2/IPsec tunnel mode between 2 MikroTik routers (not with GRE).
I tried to search on forums and the web, but all I can find is policy based.

Do you have any documentation or a guide on how to configure that?
Mostly I can establish an IPsec tunnel between the routers based on the peers' DDNS with all 0s in the policy, but I have no clue how I could route the traffic through the specific IPsec tunnel.

Thanks in advance.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Question regarding IKEv2/IPSEC route based

Sat May 21, 2022 11:48 am

Unless I misunderstand what you mean here, RouterOS does not support this yet.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Question regarding IKEv2/IPSEC route based

Sat May 21, 2022 11:53 am

IPsec does not create any interfaces, so you cannot manually create any routes as you would do with GRE, for example.
 
Vasko
just joined
Topic Author
Posts: 8
Joined: Fri Jul 02, 2021 1:24 am

Re: Question regarding IKEv2/IPSEC route based

Sat May 21, 2022 5:35 pm

Thanks for the replies, guys.

Is there any setup available between MikroTiks similar to the one you have with a VPN server, for example Surfshark, where it assigns you a 10.*.*.* IP dynamically on ether1, you can specify the source IP or IPs that you want to go through that IPsec in mode config, and then it creates a dynamic NAT with src-nat to that dynamically assigned 10.*.*.* IP?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Question regarding IKEv2/IPSEC route based

Sat May 21, 2022 10:24 pm

Sure, you can make one of the MikroTiks behave as the Surfshark server, in the sense that it assigns an address and destination subnets to the other one using mode-config. But closer to the title of the topic, you can also use an IPsec-encrypted IPIP tunnel, which has less overhead than a GRE one and doesn't suffer from some MikroTik-specific issues related to GRE, and if there is no NAT between the two MikroTiks, the bandwidth efficiency is the same as that of IPsec in tunnel mode.
 
Vasko
just joined
Topic Author
Posts: 8
Joined: Fri Jul 02, 2021 1:24 am

Re: Question regarding IKEv2/IPSEC route based

Mon May 23, 2022 1:56 am

> Sure, you can make one of the MikroTiks behave as the Surfshark server, in the sense that it assigns an address and destination subnets to the other one using mode-config. But closer to the title of the topic, you can also use an IPsec-encrypted IPIP tunnel, which has less overhead than a GRE one and doesn't suffer from some MikroTik-specific issues related to GRE, and if there is no NAT between the two MikroTiks, the bandwidth efficiency is the same as that of IPsec in tunnel mode.

Hello Sindy,

Yep, the main point is that I am looking for something other than GRE; with s2s using GRE I get around 18-20 Mbps with 300 Mbps link speed on each end, although on the Surfshark setup I get 100+. So I want to test both solutions you mentioned and see which gives better results.
Do you have a guide on how to make one MikroTik behave as a Surfshark server? Or should I look at the IPsec wiki of MikroTik?

Thanks in advance
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Question regarding IKEv2/IPSEC route based

Mon May 23, 2022 7:35 am

Here goes a quote from a running configuration. Of course you can use any other peer authentication method than certificates. Instead of a particular IP address, you can refer to an /ip pool row on the /ip ipsec mode-config row, but if you want to assign a specific address to a particular initiator, you have to use a dedicated mode-config row with an address and a dedicated identity row for each initiator.

/ip ipsec mode-config
add address=10.222.222.8 address-prefix-length=32 name=mc-user1 split-include=10.222.221.0/24 system-dns=no

/ip ipsec policy group
add name=Mikrotik

/ip ipsec profile
add dh-group=ecp384,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=Win10

/ip ipsec peer
add exchange-mode=ike2 name=IKEv2 passive=yes profile=Win10 send-initial-contact=no

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=Mikrotik pfs-group=none

/ip ipsec identity
add auth-method=digital-signature certificate=my-ecdsa-server generate-policy=port-strict match-by=certificate mode-config=mc-user1 peer=IKEv2 policy-template-group=Mikrotik remote-certificate=peer1-certificate

/ip ipsec policy
add group=Mikrotik proposal=Mikrotik template=yes
 
Vasko
just joined
Topic Author
Posts: 8
Joined: Fri Jul 02, 2021 1:24 am

Re: Question regarding IKEv2/IPSEC route based

Tue May 31, 2022 2:47 am

Hello Sindy,

Sorry for the late reply, I was abroad.

So I managed to make IKEv2/IPsec tunnel mode based on the config you provided me. Ether1 got assigned an IP, and through mode config a dynamic src-nat was created, similar to Surfshark. Although I didn't see any speed improvement compared to GRE, so it made me worry (I can browse normally, same as with the GRE setup).

I checked the active peers and I see that they are using NAT-T (UDP 4500), although I have bridged the modem and have deselected NAT-T in the profiles which are assigned to the peers. The same thing I had tested before with GRE, and it was still using the UDP 4500 port.

As I am testing right now, the setup is like this:

ISP Modem bridged -> Ether 1 - Mikrotik 1 (Public IP X), ether 2 - Mikrotik 2 (Public IP Y), so basically I have the VPN going through the same modem.

** Server **

1 R ;;; IKEv2/IPSEC
id="*****" local-address=******* port=4500 remote-address=******* port=4500 state=established side=responder dynamic-address=10.222.222.8 uptime=3m16s last-seen=1m10s
ph2-total=1 spii="e027bac6b4abdf79" spir="beefe222eadc16cb"


** Client **

5 ;;; IKEv2/IPSEC
id="*******" local-address=****** port=4500 remote-address=******* port=4500 state=established side=initiator uptime=6m39s last-seen=34s ph2-total=1 spii="e027bac6b4abdf79"
spir="beefe222eadc16cb"

Even for Surfshark, which is configured on the client, it's using the NAT-T 4500 port, but there I have fast speeds, ~110 Mbps.

1 ;;; IKEv2/IPSEC Surfshark VPN US
id="us-nyc.prod.surfshark.com" local-address=******** port=4500 remote-address=84.17.35.91 port=4500 state=established side=initiator uptime=4d22m58s last-seen=26s ph2-total=1
spii="f6d385d54e7951af" spir="04b07504fa596795"

Do you think this might be a hardware limitation?

Mikrotik 1 - RBD53iG-5HacD2HnD
Mikrotik 2 - RBD52G-5HacD2HnD

Mikrotik 1 cfg for IPSEC (client)
/ip ipsec peer
add address="DDNS" comment="IKEv2/IPSEC" exchange-mode=ike2 name=peer1 profile=No_NAT-T

/ip ipsec identity
add comment="IKEv2/IPSEC" generate-policy=port-strict mode-config=ikev2-s2s peer=peer1 policy-template-group=ike2-s2s secret="*****"

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=No_NAT-T nat-traversal=no

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d name=ike2-s2s pfs-group=modp2048

/ip ipsec mode-config
add name=ikev2-s2s responder=no src-address-list=LAN

/ip ipsec policy group
add name=ike2-s2s

/ip ipsec policy
add group=ike2-s2s proposal=ike2-s2s template=yes

Mikrotik 2 cfg for IPSEC (server)
/ip ipsec mode-config
add address=10.222.222.8 address-prefix-length=32 name=mc-user1 system-dns=no

/ip ipsec policy group
add name=ike2-s2s

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-s2s nat-traversal=no

/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-s2s passive=yes profile=ike2-s2s send-initial-contact=no

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d name=ike2-s2s pfs-group=modp2048

/ip ipsec identity
add comment="IKEv2/IPSEC" generate-policy=port-strict mode-config=mc-user1 peer=IKEv2-s2s policy-template-group=ike2-s2s

/ip ipsec policy
add group=ike2-s2s proposal=ike2-s2s template=yes
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Question regarding IKEv2/IPSEC route based

Tue May 31, 2022 8:14 am

> I checked the active peers and I see that they are using NAT-T (UDP 4500), although I have bridged the modem and have deselected NAT-T in the profiles which are assigned to the peers. The same thing I had tested before with GRE, and it was still using the UDP 4500 port.
NAT-T is an optional extension to IKE (v1); in IKEv2, handling of NAT is an intrinsic part of the standard so the configuration element nat-traversal in /ip ipsec profile is ignored if the peer exchange-mode is set to ike2. IKEv2 always uses port 4500 for the Phase 1 SA, no matter whether NAT traversal is needed or not. To see whether NAT traversal has really been engaged you have to look at the src-address and dst-address fields in /ip ipsec installed-sa print output - if there are ports, NAT traversal is used. And even if NAT traversal is used, its impact on the speed is not too high, it is just one more layer of encapsulation (the ESP packets are prepended with UDP headers).

> Do you think this might be a hardware limitation?
>
> Mikrotik 1 - RBD53iG-5HacD2HnD
> Mikrotik 2 - RBD52G-5HacD2HnD
If one of these gives you 110 Mbit/s when connected to a Surfshark server, there is no reason why a combination of both should give you less - the two models you've stated have the same CPU and you have chosen encryption and authentication algorithms that are supported in hardware.

So one question is whether the uplink provides full 300 Mbit/s also in upload direction, not only in the download one; another question is whether you have disabled fasttracking for the IPsec payload traffic at both devices.
 
Vasko
just joined
Topic Author
Posts: 8
Joined: Fri Jul 02, 2021 1:24 am

Re: Question regarding IKEv2/IPSEC route based

Tue May 31, 2022 3:51 pm

> > I checked the active peers and I see that they are using NAT-T (UDP 4500), although I have bridged the modem and have deselected NAT-T in the profiles which are assigned to the peers. The same thing I had tested before with GRE, and it was still using the UDP 4500 port.
>
> NAT-T is an optional extension to IKE (v1); in IKEv2, handling of NAT is an intrinsic part of the standard so the configuration element nat-traversal in /ip ipsec profile is ignored if the peer exchange-mode is set to ike2. IKEv2 always uses port 4500 for the Phase 1 SA, no matter whether NAT traversal is needed or not. To see whether NAT traversal has really been engaged you have to look at the src-address and dst-address fields in /ip ipsec installed-sa print output - if there are ports, NAT traversal is used. And even if NAT traversal is used, its impact on the speed is not too high, it is just one more layer of encapsulation (the ESP packets are prepended with UDP headers).
>
> > Do you think this might be a hardware limitation?
> >
> > Mikrotik 1 - RBD53iG-5HacD2HnD
> > Mikrotik 2 - RBD52G-5HacD2HnD
>
> If one of these gives you 110 Mbit/s when connected to a Surfshark server, there is no reason why a combination of both should give you less - the two models you've stated have the same CPU and you have chosen encryption and authentication algorithms that are supported in hardware.
>
> So one question is whether the uplink provides full 300 Mbit/s also in upload direction, not only in the download one; another question is whether you have disabled fasttracking for the IPsec payload traffic at both devices.

You are right, I just checked the installed SA field, and for the IPsec which is not behind NAT it is indeed not showing any ports.
The internet speed is 300/20, so on GRE I get 18/10. (I am using a 3rd-party site to test the speed.)

Regarding fasttracking, I don't think I have it configured. If I recall, this is happening with mangle rules, right? I don't have any of those marking IPsec connections.
 
memelchenkov
Member Candidate
Posts: 202
Joined: Sun Oct 11, 2020 12:00 pm

Re: Question regarding IKEv2/IPSEC route based

Tue May 31, 2022 4:20 pm

Replying to the author's original post: if I remember correctly, route-based IPsec is a standard choice on *BSD systems (and routers based on it), not on Linux. VTI/XFRM interfaces, which probably could implement what you want (sorry, I can't say exactly because I did not work with them), are not implemented in MikroTik. So, policy-based routing is the only way here.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Question regarding IKEv2/IPSEC route based

Tue May 31, 2022 5:27 pm

> The internet speed is 300/20, so on GRE I get 18/10. (I am using a 3rd-party site to test the speed.)
If both routers have 300/20, and you use router A as an internet gateway for router B, the download of Router B via the tunnel cannot be faster than router A's upload. For bi-directional traffic, it is even worse as part of Router A's upload carries Router B's upload coming from the tunnel, so Router B's upload and download compete for the upload bandwidth of router A.

> Regarding fasttracking, I don't think I have it configured. If I recall, this is happening with mangle rules, right?
Fasttracking is activated by filter rules, handles only forwarded traffic, and is incompatible with mangle (with some ways allowing them to coexist with limitations) and totally incompatible with IPsec.
 
Vasko
just joined
Topic Author
Posts: 8
Joined: Fri Jul 02, 2021 1:24 am

Re: Question regarding IKEv2/IPSEC route based

Fri Jun 03, 2022 11:55 am

> > The internet speed is 300/20, so on GRE I get 18/10. (I am using a 3rd-party site to test the speed.)
>
> If both routers have 300/20, and you use router A as an internet gateway for router B, the download of Router B via the tunnel cannot be faster than router A's upload. For bi-directional traffic, it is even worse as part of Router A's upload carries Router B's upload coming from the tunnel, so Router B's upload and download compete for the upload bandwidth of router A.
>
> > Regarding fasttracking, I don't think I have it configured. If I recall, this is happening with mangle rules, right?
>
> Fasttracking is activated by filter rules, handles only forwarded traffic, and is incompatible with mangle (with some ways allowing them to coexist with limitations) and totally incompatible with IPsec.

Hello Sindy,

So I tested speed with different peers, which have 50/50 Mbps on MikroTik A and 200/200 on MikroTik B. Because one was causing me problems establishing IPsec tunnel mode, as it's behind NAT, I tried with GRE. I get the same result: 20 Mbps download, 18 Mbps upload.

Regarding the fasttrack rule, I have it almost at the bottom of the firewall rules, because when it is above the accept established/related/untracked connections rule it drops my VPN speeds. So technically it is not matching any packets when it's down there.

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked <=========
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related <===========
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log-prefix="Implicit Deny"

Do you have any suggestion?
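Added example (not from the thread, MikroTik or any poster): the two checks sindy describes above, detecting NAT-T from ports in `/ip ipsec installed-sa print` output and verifying that the forward-chain ipsec-policy accept rules sit ahead of the fasttrack rule, scripted over constructed sample lines. Field names follow RouterOS key=value output; the sample SPIs and documentation-range addresses are made up, and the firewall lines are the forward-chain rules posted above.

```python
import re
import shlex

def parse_kv(line: str) -> dict:
    """Turn one RouterOS print/export line into a dict of key=value fields.
    shlex handles quoted values (comment="defconf: ..."); item numbers, flags
    and the 'add' keyword carry no '=' and are skipped."""
    fields = {}
    for tok in shlex.split(line):
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
    return fields

# NAT-T (UDP-encapsulated ESP) shows as a :port suffix on the SA endpoints (IPv4 only here).
_ADDR_WITH_PORT = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:\d+")

def nat_traversal_in_use(sa_line: str) -> bool:
    """True when src-address/dst-address of an installed SA carry ports."""
    sa = parse_kv(sa_line)
    return any(_ADDR_WITH_PORT.fullmatch(sa.get(k, "")) is not None
               for k in ("src-address", "dst-address"))

# Default config accepts IPsec-policy traffic before the fasttrack rule, so IPsec
# payload never takes the fasttrack path (fasttrack is incompatible with IPsec).
IPSEC_ACCEPTS = {"in,ipsec", "out,ipsec"}

def fasttrack_order_findings(export_lines) -> list:
    """Walk the forward chain in rule order; report a fasttrack-connection rule
    that is reached before both ipsec-policy accept rules have been seen."""
    seen, findings = set(), []
    for n, line in enumerate(export_lines, 1):
        rule = parse_kv(line)
        if rule.get("chain") != "forward" or rule.get("disabled") == "yes":
            continue
        if rule.get("action") == "accept" and rule.get("ipsec-policy") in IPSEC_ACCEPTS:
            seen.add(rule["ipsec-policy"])
        elif rule.get("action") == "fasttrack-connection":
            missing = IPSEC_ACCEPTS - seen
            if missing:
                findings.append(f"rule {n}: fasttrack reached before ipsec-policy accept for {sorted(missing)}")
    return findings

# Constructed samples (documentation addresses, made-up SPIs), modelled on the thread's output.
SA_PLAIN = ('0 H spi=0x9A3B1C2D src-address=203.0.113.10 dst-address=198.51.100.20 '
            'state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256')
SA_NAT_T = ('1 H spi=0x4F5E6D7C src-address=203.0.113.10:4500 dst-address=198.51.100.20:4500 '
            'state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256')
DEFCONF_ORDER = [  # forward-chain rules in the order posted above
    'add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked',
    'add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec',
    'add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec',
    'add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related',
]
SWAPPED_ORDER = [DEFCONF_ORDER[0], DEFCONF_ORDER[3]] + DEFCONF_ORDER[1:3]  # fasttrack moved up
```

Paste the real `installed-sa print` lines and the forward-chain part of `/ip firewall filter export` in place of the constructed samples; the finding names the rule position that needs to move below the ipsec-policy accepts.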
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Question regarding IKEv2/IPSEC route based

Fri Jun 03, 2022 12:40 pm

Buy a better router. 18-20 Mbps is normal for the old MIPS 600 MHz single core routers.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Question regarding IKEv2/IPSEC route based

Fri Jun 03, 2022 12:45 pm

He's got ARM ones with hardware encryption, that's not the reason here for IPsec. Can't say anything regarding GRE, though.
 
onnoossendrijver
Member
Posts: 486
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Question regarding IKEv2/IPSEC route based

Thu Jun 29, 2023 3:01 pm

Sorry to reply to this old thread... Now that most requested features are implemented :wink: ... I would really like to have route-based IPsec in RouterOS.
It is the only reason why we are still using Juniper and EdgeRouter (not many, because of lack of development) on certain locations.
 
psztoch
just joined
Posts: 7
Joined: Sun Mar 05, 2023 7:13 pm

Re: Question regarding IKEv2/IPSEC route based

Mon Mar 25, 2024 8:04 pm

> Sorry to reply to this old thread... Now that most requested features are implemented :wink: ... I would really like to have route-based IPsec in RouterOS.
> It is the only reason why we are still using Juniper and EdgeRouter (not many, because of lack of development) on certain locations.

This is one of the most annoying missing features of RouterOS.

CheckPoint and Juniper people have a big problem with setting up GRE tunnels in IPsec.

Additionally, it is important that the tunnel interface can be placed in a specific VRF and thus definitively solve the problem of overlapping addresses for different tunnels.
