timk
just joined
Topic Author
Posts: 14
Joined: Wed Sep 05, 2012 3:33 am

IPSec VTI

Tue Jun 09, 2015 4:14 pm

Please can IPSec VTI be considered for RouterOS v7?

The Linux kernel has had support since 2012:
http://git.kernel.org/cgit/linux/kernel ... c617c68059

I know the same can be done manually with IPSec+GRE but it is a huge deal with larger installs and one is more prone to making mistakes.

Cheers
 
nz_monkey
Forum Guru
Posts: 2182
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: IPSec VTI

Wed Jun 10, 2015 5:14 am

This has been requested countless times.

See http://forum.mikrotik.com/viewtopic.php?f=2&t=65734
 
timk
just joined
Topic Author
Posts: 14
Joined: Wed Sep 05, 2012 3:33 am

Re: IPSec VTI

Wed Jun 10, 2015 8:35 am

Thanks, I must have a bad memory, I had even posted in that thread! :shock:
 
aigarslv
just joined
Posts: 5
Joined: Mon May 25, 2015 11:24 pm

Re: IPSec VTI

Fri Jun 12, 2015 5:22 pm

I also would like to see this feature. Also it would be good to be able to create Virtual Interfaces in general (as you can in Linux) and not only for MetaRouters or KVM.
 
nz_monkey
Forum Guru
Posts: 2182
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: IPSec VTI

Mon Jun 15, 2015 1:16 pm

> Thanks, I must have a bad memory, I had even posted in that thread! :shock:
Ha ha.

Hopefully Mikrotik have not forgotten this request :)
 
Arcticfox
just joined
Posts: 19
Joined: Fri Mar 29, 2013 2:29 pm

Re: IPSec VTI

Fri Nov 15, 2019 8:40 pm

2019 AD, November 15, Strongswan have a stable implementation of VTI...
Request still pending.
 
valsily
just joined
Posts: 5
Joined: Mon Mar 21, 2011 1:09 pm

Re: IPSec VTI

Mon Nov 18, 2019 4:23 am

Bump. We need VTI support!
 
dnordenberg
Member Candidate
Posts: 126
Joined: Wed Feb 24, 2016 8:00 pm

Re: IPSec VTI

Mon Dec 02, 2019 8:18 pm

Yes, VTI support please, policy tunneling is not very user friendly to set up, I'd rather use traditional routing.
 
bluecrow76
newbie
Posts: 34
Joined: Wed Sep 13, 2006 11:55 pm

Re: IPSec VTI

Thu Apr 01, 2021 3:09 am

Not to mention that this would allow interop with many other router vendors' IPSEC VTI based tunneling solutions.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IPSec VTI

Thu Apr 01, 2021 3:13 am

> Not to mention that this would allow interop with many other router vendors' IPSEC VTI based tunneling solutions.
They are adding VTI is my understanding. I think the issue probably is if they add it now, while RouterOS v6 is still being updated, it is much more work for them to manage both code bases because the RouterOS v7 ipsec code will diverge from the RouterOS v6 ipsec code making it a lot harder to keep the code bases in sync with the same fixes. So they are likely waiting until RouterOS v7 stable comes out before they add this, as at that point, they will no longer need to make updates to RouterOS v6 as frequently.
 
dnordenberg
Member Candidate
Posts: 126
Joined: Wed Feb 24, 2016 8:00 pm

Re: IPSec VTI

Thu Apr 01, 2021 9:05 am

> Not to mention that this would allow interop with many other router vendors' IPSEC VTI based tunneling solutions.
Ehm, I could be wrong here but my understanding is that VTIs are purely a local thing, the tunnel or other end does not know about if VTI is used or not at the opposite end. VTI should allow you to add a virtual interface in a hw/L2 like manner but will still only pass L3 traffic. Just as the policies. Policies vs VTI/routing is just cosmetic, both will do the same but in different configuration ways.
 
doneware
Trainer
Posts: 647
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: IPSec VTI

Tue May 18, 2021 3:20 pm

> > Not to mention that this would allow interop with many other router vendors' IPSEC VTI based tunneling solutions.
> VTI should allow you to add a virtual interface in a hw/L2 like manner but will still only pass L3 traffic.
yes and no. it has to support also multicast transport (for OSPF to work) which is not possible with policies.
also the encapsulation is different, consider the figure below.
VTI.jpg
 
dakobg
Member Candidate
Posts: 120
Joined: Mon Nov 06, 2017 8:58 am

Re: IPSec VTI

Mon Nov 29, 2021 10:20 pm

I think ros7 must go to GA and everything on the current roadmap for it is stable, but I really hope Mikrotik will not forget about VTI in some point ...
 
bluecrow76
newbie
Posts: 34
Joined: Wed Sep 13, 2006 11:55 pm

Re: IPSec VTI

Tue Nov 30, 2021 12:56 am

Earlier this year I sent an email to Mikrotik support asking if VTI was going to be included in ROS v7 as I had some customer projects coming up that needed VTI support. On Aug 30th, 2021, I received a reply stating "Unfortunately, currently there are no short term plans to implement this feature in RouterOS."

Bummer
 
dakobg
Member Candidate
Posts: 120
Joined: Mon Nov 06, 2017 8:58 am

Re: IPSec VTI

Tue Nov 30, 2021 9:17 am

Well I hope then in 2031 we will see it in ros8 beta :)
 
tpedko
just joined
Posts: 23
Joined: Wed May 22, 2019 9:58 am

Re: IPSec VTI

Thu Dec 23, 2021 10:59 am

add, please
 
gtarada
just joined
Posts: 1
Joined: Thu Dec 23, 2021 11:18 am

Re: IPSec VTI

Thu Dec 23, 2021 11:20 am

+ need to be added
 
woland
Member
Posts: 310
Joined: Mon Aug 16, 2021 4:49 pm

Re: IPSec VTI

Thu Dec 23, 2021 11:23 am

Hi,
+1 as VTIs are great for usability and flexibility, and supported by most other vendors for a good reason!
Thanks!

Woland
 
mada3k
Forum Veteran
Posts: 744
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: IPSec VTI

Thu Dec 23, 2021 1:06 pm

Personally I would find mGRE & NHRP more useful.

We use IPIP or GRE instead of VTI, but I agree that when doing meshes it gets problematic, but that's just IPSec.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec VTI

Thu Dec 23, 2021 3:22 pm

Indeed in a situation where you would "need" VTI, it would be possible to use IPIP or GRE with the same functionality, only unfortunately not compatible with others.
To set up a fully-meshed tunnel network, both have the same issues of scalability, solvable only with protocols like NHRP.

I fully expect the "VTI +1 whining" to shift to "NHRP PLEASE!" once it is implemented, maybe MikroTik understand that as well and put VTI low on the work list because of that.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPSec VTI

Thu Dec 23, 2021 9:17 pm

It's natural, new things are invented, they are useful, competitors have them, people see it there and want them too, it will never end. It's not possible to add everything, but once something evolves into "everyone else has it", you can't ignore it forever.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec VTI

Thu Dec 23, 2021 9:34 pm

Yes, but the issue with VPN protocols is "there is always one more", even when it is not better there are always people who want to have it.
It is a prime example of the famous quote "The nice thing about standards is that you have so many to choose from; furthermore, if you do not like any of them, you can just wait for next year's model."
 
azzurro
Frequent Visitor
Posts: 94
Joined: Mon Jan 17, 2022 2:55 am

Re: IPSec VTI

Sun Jan 30, 2022 4:02 am

> It's natural, new things are invented, they are useful, competitors have them, people see it there and want them too, it will never end. It's not possible to add everything, but once something evolves into "everyone else has it", you can't ignore it forever.
yes but VTI is not "everything". it is how ipsec has been done by most of the major vendors for about a decade. rather first keep up on the ipsec implementation before heading over to new-fangled rubbish wankery crap like wireguard or zeroconf.

the lack of VTI support is a major showstopper and we would have the opportunity for hundreds of customers buying mikrotik, but now they have to go to cisco or fortinet.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec VTI

Sun Jan 30, 2022 1:25 pm

> the lack of VTI support is a major showstopper and we would have the opportunity for hundreds of customers buying mikrotik, but now they have to go to cisco or fortinet.
Are you sure that when VTI is implemented, you will not come back with "VTI is nice, now we need to have NHRP"?
Of course these hundreds of customers must be on networks where there already is Cisco or Fortinet, or else they could set up their network in a way
that MikroTik already supports (e.g. GRE/IPsec). So I find it hard to believe that you will not need another specific protocol once you have VTI, and
likely that is NHRP.
 
azzurro
Frequent Visitor
Posts: 94
Joined: Mon Jan 17, 2022 2:55 am

Re: IPSec VTI

Sun Jan 30, 2022 3:40 pm

> > the lack of VTI support is a major showstopper and we would have the opportunity for hundreds of customers buying mikrotik, but now they have to go to cisco or fortinet.
> Are you sure that when VTI is implemented, you will not come back with "VTI is nice, now we need to have NHRP"?
yes, because I don't need NHRP (although it would be nice). But do you know what would be even nicer? ADVPN: https://community.fortinet.com/t5/Forti ... a-p/195698
but in kind of static networks you do not need any dynamic routing protocol. what you do want though, is having the flexibility of routing traffic through sites if necessary and to be able to do dialup vpn to a hub site from a site where you only have dynamic wan ip addresses, while still having a fully routed and fully connected site, without any additional effort...

Even if there are folks out there who would want NHRP after they got VTI - what's the issue with that? Baby steps, one after the other. RouterOS is already an extremely cool, versatile and powerful solution and they keep making it better every day. I'm just suggesting to keep a bit of a focus on de-facto industry-standard stuff which can bring the Tiks up to the next level of versatility. Interoperability is a good thing, look at Microsoft as an example. They interopped with everything and then inhaled everything from within the structure.
> Of course these hundreds of customers must be on networks where there already is Cisco or Fortinet, or else they could set up their network in a way
> that MikroTik already supports (e.g. GRE/IPsec). So I find it hard to believe that you will not need another specific protocol once you have VTI, and
> likely that is NHRP.
well, they are on Cisco and Fortinet (and others), but obviously every now and then you gotta re-evaluate and every now and then you have the opportunity to switch vendors. Now, that RouterOS, after the community asking for that feature for years, still doesn't support VTI, MikroTiks are out of scope immediately.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec VTI

Sun Jan 30, 2022 7:39 pm

> yes, because I don't need NHRP (although it would be nice). But do you know what would be even nicer? ADVPN: https://community.fortinet.com/t5/Forti ... a-p/195698
ADVPN is the marketing name for a VPN network based on VTI and NHRP. At least at Cisco it is. probably Fortinet is the same.
> well, they are on Cisco and Fortinet (and others), but obviously every now and then you gotta re-evaluate and every now and then you have the opportunity to switch vendors. Now, that RouterOS, after the community asking for that feature for years, still doesn't support VTI, MikroTiks are out of scope immediately.
I recommend you with any vendor to only look at what they offer TODAY and not at what is being demanded in the forums or even what is being promised by the vendor.
It does not matter what is being asked for, there is always something else on demand.

MikroTik have paid attention to those that demanded Wireguard and (to a lesser extent) OpenVPN improvements.
Probably the average customer of MikroTik is very happy with that and does not care so much about VTI or NHRP.
But you know what: go to Cisco and Fortinet and ask them to support OpenVPN or Wireguard and see how quickly THEY have added it to their routers!
 
azzurro
Frequent Visitor
Posts: 94
Joined: Mon Jan 17, 2022 2:55 am

Re: IPSec VTI

Sun Jan 30, 2022 7:49 pm

> I recommend you with any vendor to only look at what they offer TODAY and not at what is being demanded in the forums or even what is being promised by the vendor.
> It does not matter what is being asked for, there is always something else on demand.
That's what I'm doing.
> MikroTik have paid attention to those that demanded Wireguard and (to a lesser extent) OpenVPN improvements.
> Probably the average customer of MikroTik is very happy with that and does not care so much about VTI or NHRP.
> But you know what: go to Cisco and Fortinet and ask them to support OpenVPN or Wireguard and see how quickly THEY have added it to their routers!
You are mixing things up here. IPSEC has been used for ages in the industry. OpenVPN not so much, at least in enterprises. Neither has Wireguard.
For me that means, that someone more like the SOHO user belongs to the target audience of MikroTik, which is sad, given all the other features they have, but OK, if they choose to do so.
I just thought that they would want to keep up with what's going on in the enterprise environment, given that much of their featureset isn't exactly for SOHO users. But meh, what do I know.

Fortinet and Cisco are Enterprise-class products. Nobody in their right mind would ask them to implement something like OpenVPN or Wireguard. Maybe either of them will get popular in the Enterprise area and when the day comes, Fortinet and Cisco will implement it to not lose customers.
 
lfoerster
newbie
Posts: 37
Joined: Mon Mar 07, 2022 1:29 pm

Re: IPSec VTI

Mon Mar 14, 2022 6:03 pm

VTI interacts perfectly fine with Cisco's VTI solution or pfSense/OPNsense:
https://administrator.de/contentid/398932
 
barts
just joined
Posts: 8
Joined: Fri May 24, 2019 6:57 am

Re: IPSec VTI

Wed Jun 08, 2022 4:02 am

Yes, VTI support please!
 
bakshtay
just joined
Posts: 2
Joined: Thu Nov 08, 2018 11:55 am

Re: IPSec VTI

Sun Jan 22, 2023 2:52 pm

Community waiting 7 years enterprise standard IPsec VTI. Instead they introduce useless features like ROSE-storage. ((
 
azzurro
Frequent Visitor
Posts: 94
Joined: Mon Jan 17, 2022 2:55 am

Re: IPSec VTI

Sun Jan 22, 2023 3:03 pm

MT could at least let us know/update us whether it is on some kind of roadmap...

Please!
 
zanswer
just joined
Posts: 4
Joined: Tue Oct 03, 2017 2:50 pm
Location: Siberia

Re: IPSec VTI

Sun Jan 22, 2023 3:12 pm

+1 for IPsec VTI Support.
 
koxle
just joined
Posts: 3
Joined: Tue Jan 25, 2022 7:40 pm

Re: IPSec VTI

Mon May 01, 2023 10:18 am

+1 for IPsec VTI Support.
 
Ephiopez
just joined
Posts: 8
Joined: Sat Aug 10, 2019 4:13 pm

Re: IPSec VTI

Fri May 05, 2023 3:59 pm

+1!
 
A3logicsusa
just joined
Posts: 1
Joined: Fri May 05, 2023 4:26 pm

Re: IPSec VTI

Fri May 05, 2023 4:31 pm

 
dakobg
Member Candidate
Posts: 120
Joined: Mon Nov 06, 2017 8:58 am

Re: IPSec VTI

Thu Aug 24, 2023 9:03 am

> I think ros7 must go to GA and everything on the current roadmap for it is stable, but I really hope Mikrotik will not forget about VTI in some point ...
2y later.. please provide ipsec vti support, regards
 
Halesk2k
just joined
Posts: 20
Joined: Sat Sep 08, 2018 4:13 pm

Re: IPSec VTI

Thu Aug 24, 2023 12:01 pm

A solution that is very close to VTI is to protect a GRE tunnel through an IPSec transport. The only difference is, afaik, you lose few bytes of the GRE header. But in terms of features, it's like a VTI.
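
Added example, not part of the original post or thread: a calculation of how many bytes the GRE header actually costs per packet when GRE runs over IPsec transport mode, compared with plain ESP tunnel mode (assumed here to be what a VTI puts on the wire). Assumptions: IPv4 outer header without options, no NAT-T, a basic 4-byte GRE header, and the two cipher suites named in the code.

```python
"""Per-packet size: ESP tunnel mode (what a VTI emits) vs GRE over ESP transport mode.

Assumptions (not from the thread): IPv4 outer header without options, no NAT-T
UDP encapsulation, basic 4-byte GRE header, and the two cipher suites below.
"""
from dataclasses import dataclass

OUTER_IPV4 = 20   # outer IPv4 header
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
GRE_HEADER = 4    # flags/version (2) + protocol type (2)


@dataclass(frozen=True)
class Suite:
    name: str
    iv: int     # IV bytes sent in every packet
    align: int  # (payload + padding + trailer) must be a multiple of this
    icv: int    # integrity check value appended after the trailer


AES_CBC_SHA1 = Suite("AES-CBC / HMAC-SHA1-96", iv=16, align=16, icv=12)
AES_GCM_16 = Suite("AES-GCM, 16-byte ICV", iv=8, align=4, icv=16)


def wire_size(inner_len: int, suite: Suite, gre: bool = False) -> int:
    """Size of the outer IPv4 packet that carries an inner packet of inner_len bytes."""
    payload = inner_len + (GRE_HEADER if gre else 0)
    unpadded = payload + ESP_TRAILER
    padded = -(-unpadded // suite.align) * suite.align  # round up to alignment
    return OUTER_IPV4 + ESP_HEADER + suite.iv + padded + suite.icv


def inner_mtu(link_mtu: int, suite: Suite, gre: bool = False) -> int:
    """Largest inner packet that still fits in link_mtu without fragmentation."""
    room = link_mtu - OUTER_IPV4 - ESP_HEADER - suite.iv - suite.icv
    room -= room % suite.align  # only whole cipher blocks / words can be used
    return room - ESP_TRAILER - (GRE_HEADER if gre else 0)


def compare(link_mtu: int = 1500, samples=(1390, 1400)):
    """Return rows of (suite, tunnel MTU, GRE MTU, {inner_len: extra bytes with GRE})."""
    rows = []
    for suite in (AES_CBC_SHA1, AES_GCM_16):
        extra = {n: wire_size(n, suite, gre=True) - wire_size(n, suite) for n in samples}
        rows.append((suite.name, inner_mtu(link_mtu, suite),
                     inner_mtu(link_mtu, suite, gre=True), extra))
    return rows


if __name__ == "__main__":
    for name, mtu_tunnel, mtu_gre, extra in compare():
        print(f"{name}: inner MTU {mtu_tunnel} (tunnel mode) vs {mtu_gre} (GRE/transport)")
        for inner_len, delta in extra.items():
            print(f"  {inner_len}-byte inner packet: GRE adds {delta} bytes on the wire")
```

With a 16-byte block cipher the GRE header is either absorbed by ESP padding or costs a whole extra block, depending on the packet length; with AES-GCM it costs exactly 4 bytes. The usable inner MTU is 4 bytes lower with GRE in both cases.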
 
azzurro
Frequent Visitor
Posts: 94
Joined: Mon Jan 17, 2022 2:55 am

Re: IPSec VTI

Thu Aug 24, 2023 12:06 pm

the issue is interoperability with other endpoints.
for example once i wanted to build gre over ipsec with a fortigate but the fortigate had a hard time and struggled with GRE, it made tons of CPU load on it, while pure IPSEC would have been hw-accelerated and lightning fast.

and you can't always just replace everything with mikrotiks, for obvious reasons.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec VTI

Thu Aug 24, 2023 12:13 pm

True, but you also cannot implement every type of VPN that others suggest to you, for obvious reasons.
 
azzurro
Frequent Visitor
Posts: 94
Joined: Mon Jan 17, 2022 2:55 am

Re: IPSec VTI

Thu Aug 24, 2023 12:17 pm

true, but dude, please don't refer to VTI as "every type of VPN" like it is some exotic thing.
i don't know any other serious vendor these days who doesn't implement VTI.

to be honest, mikrotiks are versatile AF and implement like every piece of whatnot but VTI of all things still doesn't exist in ROS?
Glad we have an SSTP server in ROS, THAT was important.
 
own3r1138
Forum Veteran
Posts: 727
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IPSec VTI

Thu Aug 24, 2023 12:49 pm

36fc2361959b56bad15a97bdeff62b5f.jpg
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec VTI

Thu Aug 24, 2023 2:17 pm

> true, but dude, please don't refer to VTI as "every type of VPN" like it is some exotic thing.
It is exotic in the market for MikroTik devices. Ok, maybe not so much now as it was a couple of years ago, but still most MikroTik users demand OpenVPN or Wireguard, not IPsec.
 
azzurro
Frequent Visitor
Posts: 94
Joined: Mon Jan 17, 2022 2:55 am

Re: IPSec VTI

Thu Aug 24, 2023 3:52 pm

so, if IPSEC is that exotic, please tell me why there are so many threads about it and why is mikrotik working hard on supporting hw-acceleration for IPSEC wherever possible and why is mikrotik improving their ipsec implementation all the time?

how do you know, what types of vpn are being requested by mikrotik users? do you have access to usage statistics, have you spoken to mikrotik employees who know the stats?

i think you may be captured in your perspective a bit.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec VTI

Thu Aug 24, 2023 4:24 pm

> so, if IPSEC is that exotic, please tell me why there are so many threads about it and why is mikrotik working hard on supporting hw-acceleration for IPSEC wherever possible and why is mikrotik improving their ipsec implementation all the time?
>
> how do you know, what types of vpn are being requested by mikrotik users? do you have access to usage statistics, have you spoken to mikrotik employees who know the stats?
>
> i think you may be captured in your perspective a bit.
Well, just like you judge the demand for VTI by the number of forum threads about it, I judge the demand for OpenVPN and Wireguard by their respective threads on the forum. Those numbers are way higher than for VTI.

Don't understand me wrong, I also need VTI here for one specific purpose, but I can understand that not every request can be granted.
Also, I think part of those that want VTI will realize only after it has been implemented that in fact they require other unimplemented protocols as well to match what others demand from them (like NHRP).
 
azzurro
Frequent Visitor
Posts: 94
Joined: Mon Jan 17, 2022 2:55 am

Re: IPSec VTI

Thu Aug 24, 2023 4:32 pm

wait, I never said VTI would have a higher demand/forum thread count than OpenVPN or Wireguard.
We were talking about IPSEC in general, which you downplayed.

Again, I do not want to accept VTI being referred to as "granting/responding to every request". That always sounds to me like people would be requesting mikrotik to support some arbitrary, exotic alien technology nobody uses. But as I mentioned earlier, VTI is widely used and supported and IMHO vastly superior to what mikrotik is doing currently.

i sincerely hope that they'll implement it one day.

regarding the other protocols you mentioned, like NHRP, I can't tell, I just want interfaces :P
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec VTI

Thu Aug 24, 2023 5:07 pm

> regarding the other protocols you mentioned, like NHRP, I can't tell, I just want interfaces :P
When you think that VTI just means "standard IPsec tunnel but with virtual interfaces instead of policies on existing interfaces": that is not really true, read back above to e.g. explanation by "doneware".
Sure it is handy to have a virtual interface for your tunneled traffic, but MikroTik already supports that: IPIP over IPsec transport.
That works with other standard routers. Same for GRE over IPsec transport, that has the advantage of also supporting IPv6, Multicast etc.
But that still is not the same as VTI.
 
azzurro
Frequent Visitor
Posts: 94
Joined: Mon Jan 17, 2022 2:55 am

Re: IPSec VTI

Thu Aug 24, 2023 5:27 pm

as I have mostly interop inconveniences with fortigates, I can't resort to ip-ip or gre, as these often can't be hw offloaded on the smaller fortigate models, whereas IPSEC VTI can.
 
woland
Member
Posts: 310
Joined: Mon Aug 16, 2021 4:49 pm

Re: IPSec VTI

Tue Aug 29, 2023 11:30 am

> It is exotic in the market for MikroTik devices. Ok, maybe not so much now as it was a couple of years ago, but still most MikroTik users demand OpenVPN or Wireguard, not IPsec.
Well, apologies, OpenWRT again :) :
https://openwrt.org/docs/guide-user/ser ... based_vpns

Every device used with OpenWRT has VTI support... So I don't think VTI is exotic in the market of home/soho routers for power users!

On "enterprise" routers/firewalls/toasters VTI is a long established feature by every vendor I know of.

I'm optimistic however: MT brought a lot of great new features with ROS7. I will probably live to see VTI, not only BFD and ISIS.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec VTI

Tue Aug 29, 2023 11:53 am

IS-IS is probably a feature requested by a large (potential) customer. I see no reason why MikroTik developers would suddenly decide to add another routing protocol (while the coding of the existing routing protocols is not finished) just by themselves. So sales has come by and said "we can sell 10000 routers when we have IS-IS".

Similarly, when sales would come by and say "we can sell 100000 additional routers when we have IPsec VTI" it probably will be in the next beta.
As indeed, the underlying open source IPsec software already supports it, it is just a matter of writing the proper RouterOS configuration layer.
(unless of course they have forked the software 15 years ago and did not track the development, but I do not think that is the case as other "newer" IPsec features like IKEv2 got added in that timeframe)
 
azzurro
Frequent Visitor
Posts: 94
Joined: Mon Jan 17, 2022 2:55 am

Re: IPSec VTI

Tue Aug 29, 2023 11:58 am

yeah well, I've just switched back to a Fortigate 60F from my RB5009 and I'm not looking back.
Very sad but I was just fed up of the IPSEC implementation in ROS. Route based IPSEC is such a charm to work with!

I'm not considering putting ROS routers anywhere in the near future where I need IPSEC, not as long as routed IPSEC is non-existent in ROS.
 
onnoossendrijver
Member
Posts: 488
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: IPSec VTI

Tue Aug 29, 2023 12:16 pm

Agreed.. IPsec without VTI is terrible.
I really don't understand why it is not available yet. _ALL_ VPNs I use and manage ( about 2000, I work for some governmental agency ) are route based.
 
woland
Member
Posts: 310
Joined: Mon Aug 16, 2021 4:49 pm

Re: IPSec VTI

Tue Aug 29, 2023 12:19 pm

> yeah well, I've just switched back to a Fortigate 60F from my RB5009 and I'm not looking back.
Yeah, that's a nice device, but that would cost any end user around 1k EUR with just the basic license.
The RB5009 comes for 25% of that price! Also the 60F has only 1 Gbps ports.
 
azzurro
Frequent Visitor
Posts: 94
Joined: Mon Jan 17, 2022 2:55 am

Re: IPSec VTI

Tue Aug 29, 2023 12:32 pm

sure, that's why I bought the RB5009 in the first place.
but it turned out that different features were more important than like having an SFP+ port.
also, I bought mine used for EUR 350. Also, you can get a 40F which is still as powerful (if not more powerful) as a RB5009 and that is obtainable well under 1k.
 
azzurro
Frequent Visitor
Posts: 94
Joined: Mon Jan 17, 2022 2:55 am

Re: IPSec VTI

Tue Aug 29, 2023 3:24 pm

ok, this is it people, no plans but they'll "consider it".

bye bye for good for any edge routers, mikrotik...
> Hello,
> Thank you for contacting MikroTik Support.
> At the moment there are no plans to change IPSEC functionality, thanks for your request we will consider such implementation.
> Best regards,
> Oskars K.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec VTI

Tue Aug 29, 2023 3:56 pm

> Agreed.. IPsec without VTI is terrible.
> I really don't understand why it is not available yet. _ALL_ VPNs I use and manage are route based.
Yeah mine too, but they are GRE/IPsec which provides the same functionality. With MikroTik routers that works well. It is only the cross-manufacturer support that is a problem.
 
sc0ch
just joined
Posts: 2
Joined: Tue Mar 07, 2023 11:23 am

Re: IPSec VTI

Sun Feb 18, 2024 9:51 am

Joining the request for the IPsec VTI feature. Needs as air.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec VTI

Mon Jun 17, 2024 6:30 pm

Well, I tried again using a support desk request, but the status still is "At the moment, there is no plan to add this functionality,., but we will see if it can be supported in the future."
 
h2desk
just joined
Posts: 18
Joined: Wed May 24, 2023 8:11 pm

Re: IPSec VTI

Mon Jun 17, 2024 8:48 pm

> Well, I tried again using a support desk request, but the status still is "At the moment, there is no plan to add this functionality,., but we will see if it can be supported in the future."
Thanks for updating this post pe1chl. I've come across posts several times that you helped the community and me.

Where do you make this resource request? Is it open? Maybe the community will fill their box with requests. LOL...

I don't know if I'm unique, but I always look at the changelogs of the beta versions and there's never the gold feature. Maybe with the pleas they will listen.
 
Larsa
Forum Guru
Posts: 1611
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: IPSec VTI

Mon Jun 17, 2024 9:11 pm

A tip if you really need a VTI interface in your business: open a support ticket and describe a genuine use case that could motivate Mikrotik to move forward with developing this. Just posting in this user forum won't probably accomplish much.
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec VTI

Tue Jun 18, 2024 9:16 am

Well, as I wrote I filed it as a support desk feature request. Anyone can do that. It may be more effective than adding "+1" here.
Not as a business case, but it would help me to have this for our VPN tunnel to Microsoft Azure.
Now, I use a small dedicated Linux VM on our ESXi server, maybe I'll try to make it a container.
But the configuration in libreswan is so trivially simple (and I think *swan also originally was the base for RouterOS IPsec) that I hope that MikroTik would at some time add it and save me an external IP, which is quite scarce in our /29 network.
 
h2desk
just joined
Posts: 18
Joined: Wed May 24, 2023 8:11 pm

Re: IPSec VTI

Tue Jun 18, 2024 5:15 pm

Exactly my idea and that's what I did, open a ticket via email with the following subject: Resource request - Tunnel Interface (VTI)

I explained my motivations. I hope that community demand changes Mikrotik's stance on the feature.

One of the main reasons is with Cloud providers too, we cannot use, for example, BGP with them and other small reasons.

Our case is the same, solving it palliatively with Linux, in my case I use Strongswan. But I would love to see it directly on RouterOS, it takes away one more point from my infrastructure to monitor and manage.
 
Nightowl82
newbie
Posts: 28
Joined: Fri Feb 09, 2024 9:52 pm

Re: IPSec VTI

Sat Nov 02, 2024 10:35 pm

Any new information/feedback from mikrotik regarding this?
 
pe1chl
Forum Guru
Posts: 10529
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec VTI

Sun Nov 03, 2024 11:54 am

> Any new information/feedback from mikrotik regarding this?
Yes, they told me it is not planned.
> At the moment, there is no plan to add this functionality,., but we will see if it can be supported in the future.

That was in June 2024.
And that has been the status for at least 10 years now.
