hkusulja
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri Apr 13, 2012 1:14 am

BGP and IPSec policy

Wed May 31, 2023 12:40 pm

Hello,
I have a scenario with multiple site-to-site VPNs using IPsec tunnel mode, with dynamic IP ranges, and using BGP.

On the latest MikroTik 7, I have to manually specify all source/destination IP address ranges in IPsec policies (tunnel mode), which makes the BGP routing hard to keep in sync with the IPsec policies.
For example, on Cisco devices, when you have IPsec tunnel mode, it is visible as a "tunnel" interface, which makes it easier to specify the source/destination IP addresses used for IPsec, for example when using BGP.

What are the best practices to handle dynamic IP address ranges when using BGP routing with IPsec policies on RouterOS?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: BGP and IPSec policy

Wed May 31, 2023 1:43 pm

What you want to do is not possible with MikroTik. RouterOS does not support VTI and apparently there are no plans to add it.

What you can do instead: remove all your IPsec config and add a GRE tunnel with IPsec password.
That will automatically create IPsec policies for transporting GRE over IPsec.
Then you assign addresses (e.g. a /30 network) to both ends of the GRE tunnel, and configure BGP to connect via that tunnel.
Then it works fine.
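For readers who want to see what the GRE-with-IPsec-secret approach described above looks like in practice, here is an added configuration example for the site A side. It is not from this thread or from MikroTik; the public addresses, tunnel /30, AS numbers, LAN prefixes, interface and list names are all constructed placeholders, and the commands follow RouterOS v7 syntax (`/routing bgp connection` and `output.network` with an address list). The backslash line continuation is accepted by the RouterOS terminal.

```routeros
# Added example (not from the thread): GRE over IPsec with BGP on RouterOS v7, site A side.
# Constructed values: public IPs 198.51.100.1 (site A) and 203.0.113.2 (site B),
# tunnel network 10.255.0.0/30, AS numbers 65001 (A) / 65002 (B), LAN 10.1.0.0/16 at site A.

# 1. GRE tunnel with ipsec-secret: RouterOS creates a dynamic IPsec peer, identity and a
#    policy for GRE (IP protocol 47) between the two public addresses. Nothing has to be
#    added by hand under /ip ipsec for this tunnel.
/interface gre add name=gre-siteB local-address=198.51.100.1 remote-address=203.0.113.2 \
    ipsec-secret="CHANGE-ME-long-random-psk" mtu=1400 clamp-tcp-mss=yes

# 2. Point-to-point addressing on the tunnel; BGP peers over these addresses.
/ip address add address=10.255.0.1/30 interface=gre-siteB comment="to site B"

# 3. Networks to announce; v7 BGP takes them from an address list via output.network.
/ip firewall address-list add list=bgp-announce address=10.1.0.0/16

# 4. eBGP session across the tunnel. Prefixes learned from site B are installed with
#    gre-siteB as the outgoing interface, so when site B adds or removes networks the
#    routes follow BGP and the IPsec policy does not need to be touched.
/routing bgp connection add name=siteB as=65001 router-id=10.255.0.1 local.role=ebgp \
    local.address=10.255.0.1 remote.address=10.255.0.2 remote.as=65002 \
    output.network=bgp-announce

# 5. Firewall: the input chain must accept IKE, NAT-T and ESP from the peer, plus the
#    decapsulated GRE, or the tunnel never comes up. Place these before any generic drop
#    rule; chain layout and interface names are placeholders for your own firewall.
/ip firewall filter
add chain=input src-address=203.0.113.2 protocol=udp dst-port=500,4500 action=accept \
    comment="IKE / NAT-T from site B"
add chain=input src-address=203.0.113.2 protocol=ipsec-esp action=accept comment="ESP from site B"
add chain=input src-address=203.0.113.2 protocol=gre action=accept comment="GRE from site B"

# Verification after both ends are configured:
#   /ip ipsec policy print        -> dynamic policy 198.51.100.1 <-> 203.0.113.2, protocol gre
#   /ip ipsec active-peers print  -> the peer should be established
#   /routing bgp session print    -> state should be "established"
#   /ip route print where gateway~"gre-siteB"  -> site B prefixes learned via the tunnel
```

Site B needs the mirror of steps 1 to 5 (addresses, AS numbers and the pre-shared key swapped accordingly); the approach only works when both ends of the tunnel are under your control, since the far side has to terminate GRE rather than a plain policy-based IPsec tunnel. The reduced `mtu` and `clamp-tcp-mss=yes` account for the GRE plus ESP overhead so that large TCP segments do not silently fail inside the tunnel.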
 
hkusulja
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri Apr 13, 2012 1:14 am

Re: BGP and IPSec policy

Wed May 31, 2023 2:10 pm

> What you want to do is not possible with MikroTik. RouterOS does not support VTI and apparently there are no plans to add it.
>
> What you can do instead: remove all your IPsec config and add a GRE tunnel with IPsec password.
> That will automatically create IPsec policies for transporting GRE over IPsec.
> Then you assign addresses (e.g. a /30 network) to both ends of the GRE tunnel, and configure BGP to connect via that tunnel.
> Then it works fine.

Thank you for your information. Unfortunately I cannot make an impact on the other sites, so I cannot change to GRE.
Also, sometimes the other site is an AWS or Azure VPN gateway, which also uses BGP and IPsec policy tunnel mode, but does not use GRE tunnels.

Is there a process where a feature request can be submitted to RouterOS about Virtual Tunnel Interfaces (VTI) for IPsec tunnels (Cisco example: https://www.cisco.com/en/US/technologie ... 9d629.html)?

Since it is strange that after so many years and other forum posts and discussions, it is not even considered to be added as a feature :/
Also, no workarounds :/ (when you cannot change the other side to GRE)
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: BGP and IPSec policy

Wed May 31, 2023 3:42 pm

It has been requested for many years, but the recent reply to it was that it is not planned to be implemented.
That is indeed sometimes inconvenient, but it is what it is.
Remember that there are tens of different VPN protocols each having multiple options, and it simply isn't possible to implement EVERYTHING.
Each time when an often-requested VPN or option is finally implemented, people are already lined up to request yet another one. It is a never-ending story.

When I recently had to make a VPN towards Azure, I created a separate Linux VM on our ESXi host and configured it there. Piece of cake.
Maybe you can do a similar workaround using the "container" feature of RouterOS (depending on what router model you have).
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: BGP and IPSec policy

Thu Jun 01, 2023 4:47 pm

@pe1chl

> That is indeed sometimes inconvenient, but it is what it is.
> Remember that there are tens of different VPN protocols each having multiple options, and it simply isn't possible to implement EVERYTHING.
> Each time when an often-requested VPN or option is finally implemented, people are already lined up to request yet another one. It is a never-ending story.

Can't disagree. 👍🏻

It is what it is... this is heavy.
 
hkusulja
Frequent Visitor
Topic Author
Posts: 75
Joined: Fri Apr 13, 2012 1:14 am

Re: BGP and IPSec policy

Thu Jun 01, 2023 6:42 pm

I understand it is what it is.
However, constant improvement and change is now normal, including new features being added.

Also, I understand that not all features can be implemented, including all types of VPNs. However, the Cisco native tunnel, which is also in Azure VPN and AWS, is not a "small thing" and is very, very common in the industry, therefore I am still hoping this will be added, and hopefully soon.

Using a workaround with a container is unfortunately not an option for me.

Thank you all for the replies, and I hope that someone will have a better resolution as a workaround, or that the RouterOS team will implement virtual tunnel interfaces for IPsec policies in tunnel mode.
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: BGP and IPSec policy

Thu Jun 01, 2023 9:01 pm

The forum has a search function. When you search for VTI you can find the many other requests to have it implemented.
Due to the limits of the search function it is not so easy to find the latest reply from a MikroTik employee, but I'm quite sure that the latest reply was "there currently are no plans to implement VTI".

But hey, for many, many years lots of requests were made to implement OpenVPN UDP mode, and to implement WireGuard. Those were met with similar replies.
But after years and years, those requests were honored in v7. Even BEFORE v7 had achieved full feature parity with v6!
(i.e. people are using v6 and waiting to be able to upgrade to v7 because a feature they use is not finished in v7, yet new features are introduced in v7, even some that nobody asked for)

So all hope is not lost.
