Fri Nov 18, 2022 9:49 am
Yes and no. Yes, you can use IKEv2 to encrypt an IPIP tunnel, but no, it is not enough to change the default profile and policy template group - instead of just setting the ipsec-secret parameter on the /interface ipip row to a non-empty string and thus letting RouterOS "dynamically" create the IPsec configuration, you have to configure the peer and policy manually. To make it easier, you can use the dynamic mode first, make a copy of the dynamically created peer and policy with changed key items (name and exchange-mode for the peer, and peer for the policy), and then set the ipsec-secret to an empty string. Peers that only differ in exchange-mode and name can coexist, and two policies that only differ in peer can coexist too, except that the second one will be marked as invalid until the first one disappears.
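
The procedure described in the post above, written out as RouterOS commands; this is an added example, not part of the original post. The interface name `ipip-site2`, the peer name `ipip-site2-ike2`, the addresses (documentation ranges) and the secret are constructed placeholders, and the `/ip ipsec identity` row assumes a RouterOS version that keeps the pre-shared key there rather than on the peer.

```routeros
# Constructed values: local router 192.0.2.1, remote router 198.51.100.1.
# Hypothetical names: ipip-site2 (tunnel interface), ipip-site2-ike2 (manual peer).

# 1. Dynamic mode first: a non-empty ipsec-secret makes RouterOS create the
#    IPsec configuration itself. Print it to see the values to copy.
/interface ipip set [find name=ipip-site2] ipsec-secret="CHANGE-ME"
/ip ipsec peer print detail
/ip ipsec policy print detail

# 2. Manual copy of the dynamic peer. Only the key items change:
#    name and exchange-mode.
/ip ipsec peer add name=ipip-site2-ike2 address=198.51.100.1/32 \
    local-address=192.0.2.1 exchange-mode=ike2

# Assumption (not in the post): the pre-shared key for a manual peer is
# configured as an identity bound to that peer.
/ip ipsec identity add peer=ipip-site2-ike2 auth-method=pre-shared-key \
    secret="CHANGE-ME"

# 3. Manual copy of the dynamic policy. Only the peer reference changes.
#    It matches the IPIP packets between the two tunnel endpoints
#    (IP protocol 4) in transport mode. While the dynamic policy still
#    exists, this one is flagged invalid.
/ip ipsec policy add peer=ipip-site2-ike2 src-address=192.0.2.1/32 \
    dst-address=198.51.100.1/32 protocol=ipencap tunnel=no

# 4. Clear the secret so the dynamic peer and policy disappear; the manual
#    policy then becomes valid. Check that the invalid flag is gone.
/interface ipip set [find name=ipip-site2] ipsec-secret=""
/ip ipsec policy print where peer=ipip-site2-ike2
/ip ipsec active-peers print
```

The remote router needs the mirrored configuration with the same exchange-mode, otherwise the IKEv2 negotiation never completes and the tunnel traffic matching the policy is dropped rather than sent in clear.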