amirdeadline2
using interface in VRF for IPSEC underlay

Wed Feb 01, 2023 9:57 am

Hi Experts,
Is it possible to use the interface in a VRF (not main) as IPSEC underlay (local address) in RouterOS v7? I have done this in V6 using mangle, but I cannot do the same in V7.

For example, this works in V6:
/interface bridge
add fast-forward=no name=lo0
add fast-forward=no name=lo101
add fast-forward=no name=lo102
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=ecp384
/ip address
# two underlay addresses, one per WAN interface (ether2, ether3); loopbacks carry the tunnel endpoints
add address=200.40.104.41/24 interface=ether3 network=200.40.104.0
add address=10.40.104.41/24 interface=ether2 network=10.40.104.0
add address=172.16.40.1/24 interface=ether1 network=172.16.40.0
add address=169.254.41.33 interface=lo101 network=169.254.41.33
add address=169.254.41.35 interface=lo102 network=169.254.41.35
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall mangle
# locally generated IKE/ESP traffic is steered into the per-VRF routing table by its source address
add action=accept chain=input disabled=yes dst-address=200.40.104.41
add action=mark-routing chain=output dst-address=100.99.100.99 log=yes new-routing-mark=INET2 passthrough=yes src-address=200.40.104.41
add action=mark-routing chain=output dst-address=100.99.100.99 log=yes new-routing-mark=INET1 passthrough=yes src-address=10.40.104.41
/ip ipsec peer
# one IKEv2 peer per underlay address towards the same remote gateway
add address=100.99.100.99/32 comment=102 dh-group=ecp384 enc-algorithm=aes-256 exchange-mode=ike2 hash-algorithm=sha256 lifetime=1h local-address=200.40.104.41 my-id=fqdn:41_102 notrack-chain=output secret=FCBarca1988!
add address=100.99.100.99/32 comment=101 dh-group=ecp384 enc-algorithm=aes-256 exchange-mode=ike2 hash-algorithm=sha256 lifetime=1h local-address=10.40.104.41 my-id=fqdn:41_101 notrack-chain=output secret=FCBarca1988!
/ip ipsec policy
add comment=101 dst-address=169.254.41.32/32 sa-dst-address=100.99.100.99 sa-src-address=10.40.104.41 src-address=169.254.41.33/32 tunnel=yes
add comment=102 dst-address=169.254.41.34/32 sa-dst-address=100.99.100.99 sa-src-address=200.40.104.41 src-address=169.254.41.35/32 tunnel=yes
/ip route
# default route per routing mark, pref-src pinned to the matching underlay address
add distance=1 gateway=200.40.104.104 pref-src=200.40.104.41 routing-mark=INET2
add distance=1 gateway=10.40.104.104 pref-src=10.40.104.41 routing-mark=INET1
add distance=1 gateway=ether3
add distance=1 gateway=ether2
add distance=1 dst-address=10.40.104.41/32 gateway=ether2
add distance=1 dst-address=200.40.104.41/32 gateway=ether3
/ip route vrf
add interfaces=ether3 route-distinguisher=10.0.0.41:102 routing-mark=INET2
add interfaces=ether2 route-distinguisher=10.0.0.41:101 routing-mark=INET1
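The same layout rendered in RouterOS v7 syntax, added here as an illustration and not taken from the original post. It assumes v7's /ip vrf and routing-table= in place of v6's /ip route vrf and routing-mark routes, and the split profile/peer/identity objects of current IPsec; the names p-ike2, peer101, peer102 and the <PSK> placeholder are assumptions, the v6 route-distinguisher is dropped (in v7 that belongs to BGP VPN, not /ip vrf), and whether IKE's output packets honour the mark in v7 is exactly the open question of this thread.

```routeros
# Added v7-syntax rendering of the v6 setup above (assumption: /ip vrf + routing-table=).
# <PSK> is a placeholder for the pre-shared key; addresses are those from the post.
/interface bridge
add fast-forward=no name=lo101
add fast-forward=no name=lo102
/ip address
add address=200.40.104.41/24 interface=ether3
add address=10.40.104.41/24 interface=ether2
add address=169.254.41.33 interface=lo101 network=169.254.41.33
add address=169.254.41.35 interface=lo102 network=169.254.41.35
# v7: a VRF is declared under /ip vrf and implicitly creates a routing table of the same name
/ip vrf
add name=INET2 interfaces=ether3
add name=INET1 interfaces=ether2
# default route inside each VRF table, pref-src pinned to that VRF's underlay address
/ip route
add dst-address=0.0.0.0/0 gateway=200.40.104.104 pref-src=200.40.104.41 routing-table=INET2
add dst-address=0.0.0.0/0 gateway=10.40.104.104 pref-src=10.40.104.41 routing-table=INET1
# steer locally generated IKE/ESP traffic from each underlay address into its VRF table
/ip firewall mangle
add chain=output action=mark-routing new-routing-mark=INET2 passthrough=yes src-address=200.40.104.41 dst-address=100.99.100.99
add chain=output action=mark-routing new-routing-mark=INET1 passthrough=yes src-address=10.40.104.41 dst-address=100.99.100.99
# IKE parameters live in a profile in v7; the proposal line is unchanged from v6
/ip ipsec profile
add name=p-ike2 dh-group=ecp384 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=ecp384
# one peer per underlay address; local-address selects which VRF interface sources IKE
/ip ipsec peer
add name=peer102 address=100.99.100.99/32 exchange-mode=ike2 local-address=200.40.104.41 profile=p-ike2
add name=peer101 address=100.99.100.99/32 exchange-mode=ike2 local-address=10.40.104.41 profile=p-ike2
/ip ipsec identity
add peer=peer102 auth-method=pre-shared-key secret=<PSK> my-id=fqdn:41_102
add peer=peer101 auth-method=pre-shared-key secret=<PSK> my-id=fqdn:41_101
/ip ipsec policy
add peer=peer102 tunnel=yes src-address=169.254.41.35/32 dst-address=169.254.41.34/32 sa-src-address=200.40.104.41 sa-dst-address=100.99.100.99
add peer=peer101 tunnel=yes src-address=169.254.41.33/32 dst-address=169.254.41.32/32 sa-src-address=10.40.104.41 sa-dst-address=100.99.100.99
```

Check the result with `/ip ipsec active-peers print` and `/ip route print where routing-table=INET1`; if the IKE_SA_INIT packets leave via the main table instead of the VRF, the mangle mark is not being applied to the IKE daemon's output.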
giesen

Re: using interface in VRF for IPSEC underlay

Tue Feb 07, 2023 5:26 pm

@amirdeadline2,

Were you able to figure this out? I'm in more or less the same boat. I'm trying to run L2TP over IPSec, with the Internet-facing interface in a VRF. I can make plain L2TP work, but obviously that's unencrypted and not much use.
