 
giesen
Topic Author

Dual-WAN IPsec with fVRF

Wed Feb 01, 2023 4:48 am

I suspect I already know the answer, and after performing some web and forum searches I've not yet found the answer, so I assume it's not possible, but I'll describe what I'd like to do here anyways.

I'd like to end up with 2 (or more) WAN interfaces, each inside their own VRF. These would be Internet connections, each with their own default route. Terminated on each of these WAN interfaces would be an IPsec tunnel that I could use for load-balancing or failover. I've configured up the first interface (with the remainder of the router's interfaces in table main), and the IKEv1 SA seems to establish but it never establishes phase 2 and no traffic ever passes. I've also tried putting all interfaces in the VRF, and still never get full establishment of the tunnel.

I'd hoped with ROS v7 that VRFs would be more featureful, but perhaps I'm being too optimistic? Is it even possible to terminate an IPsec VPN inside of a VRF? (I realize you can have an IPIP or GRE tunnel reside inside a VRF while the tunnel source resides in the main table, but I'm looking to do the opposite and without the tunnel).

We're looking to do a lightweight Cisco DMVPN replacement, and since MikroTik doesn't support NHRP/Multipoint GRE, I'd prefer to avoid GRE/IPIP since I'd have to configure a separate tunnel on the headend for each site. And even if I wanted to do that, I still wouldn't have accomplished putting each WAN interface in a separate VRF (though I suppose I could just put statics for the /32 of the tunnel headends on the respective connections).

Anyone successfully implemented the above?
