lapsio
Member
Topic Author
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

IPSec and ppp tunnel precedence

Fri Aug 02, 2019 12:15 am

Hello

I just bought NordVPN and they prefer using IPsec. I'd also like to use PIA and daisy-chain those two VPNs. At first I didn't like the IPsec option, since I have general trust issues with IPsec, and since the OpenVPN client implementation has been fixed in the last RouterOS update it sounds like a viable option. However, using OpenVPN for both PIA and NordVPN would require ppp in ppp, which may be troublesome.

So I started to wonder: hey, what if I use IPsec for one VPN provider and OpenVPN for the other? Technically it should work, right? Since an IPsec policy is basically determined by source and destination, it should also apply to any ppp tunnels. So it would make the OpenVPN tunnel be established inside the IPsec tunnel, right? Am I missing anything here? Or would it actually work the other way around, making traffic inside the OpenVPN tunnel be encrypted by the IPsec policy?
MTCNA, MTCRE, MTCINE
 
sindy
Forum Guru
Posts: 3811
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec and ppp tunnel precedence

Fri Aug 02, 2019 11:50 am

Both ways are possible; the only exception is that you cannot directly tunnel one IPsec SA through another IPsec SA, which is clearly not your intention. The precedence is determined by the fact that an IPsec policy match always wins: first all the routing and firewalling, including NAT, is done, and then, on its way to the out-interface, each packet is inspected by all IPsec policies; if one of them likes it, it steals it and sends it through its SA. In the incoming direction, packets matching any of the IPsec policies with action=encrypt are silently dropped if they didn't arrive via that policy's SA (which kind of extends the information given by @Sob in your other topic from today).
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
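An added worked example of the two nestings sindy describes, written as a RouterOS 6.45-style /export fragment. It is not from the thread and not from any provider's or MikroTik's documentation. Everything in it is an assumption: the peer name prov1, the placeholder addresses my.public.ip.1, pia.server.ip.1 and prov1.ipsec.ip.1 (following the pattern from sindy's signature), pre-shared-key authentication, the LAN subnet 192.168.88.0/24 and all credentials. Commercial IKEv2 services normally use certificate or EAP authentication and hand out the inner address via mode-config; that part is provider-specific and left out here.

```routeros
# Added illustration, not from the thread. All names, addresses and secrets
# are placeholders (assumptions); replace them with your providers' values.
#
# Common part: one IKEv2 peer and one proposal for the IPsec provider.
/ip ipsec profile
add name=prov1-profile hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec proposal
add name=prov1-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec peer
add name=prov1 address=prov1.ipsec.ip.1 exchange-mode=ike2 profile=prov1-profile
/ip ipsec identity
add peer=prov1 auth-method=pre-shared-key secret=REPLACE-ME generate-policy=no

# The OpenVPN client to the second provider (PIA role). It is an ordinary
# interface; nothing here decides the nesting.
/interface ovpn-client
add name=ovpn-pia connect-to=pia.server.ip.1 port=1194 mode=ip user=piauser \
    password=REPLACE-ME cipher=aes256 auth=sha1 add-default-route=no

# Case 1: OpenVPN carried inside IPsec.
# The policy matches the router's own OpenVPN transport packets
# (src = WAN address, dst = PIA server, TCP/1194). They are routed out of the
# WAN interface like any other packet, then the policy matches on the way to
# that interface and steals them into the SA towards prov1.
/ip ipsec policy
add peer=prov1 tunnel=yes action=encrypt level=require proposal=prov1-proposal \
    src-address=my.public.ip.1/32 dst-address=pia.server.ip.1/32 protocol=tcp dst-port=1194

# Case 2: IPsec carried inside OpenVPN (alternative to Case 1, not in addition).
# The IPsec peer is reached through ovpn-pia, and the policy matches LAN
# traffic instead of the OpenVPN transport. A LAN packet is routed, NATed,
# captured by the policy and encrypted; the resulting ESP packet (src = the
# ovpn-pia address, dst = prov1) is then routed again, this time into ovpn-pia.
/ip route
add dst-address=prov1.ipsec.ip.1/32 gateway=ovpn-pia
/ip ipsec policy
add peer=prov1 tunnel=yes action=encrypt level=require proposal=prov1-proposal \
    src-address=192.168.88.0/24 dst-address=0.0.0.0/0 protocol=all
```

Pick one of the two policy definitions, not both. level=require (the default) is what enforces the inbound behaviour sindy describes: a packet that matches the policy but arrives in cleartext rather than through the SA is dropped. Setting level=use relaxes that and lets such packets through, which silently defeats the point of the policy, so leave it at require unless you have a specific reason. In Case 2 the route is essential, since both IKE and ESP to prov1 must leave through ovpn-pia for the SA to end up inside the OpenVPN tunnel.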
