Unfortunately - no.Hi All,
Would you buy more RouterOS devices/licences if these features were added ?
Ouch. That is sad to hear. We have had generally very good experiences with RouterOS, certainly we find no more bugs than we find on other vendors platforms.After wrestling with MT bugs for 5 years, we opted to upgrade to Cisco end-to-end.
Once that's done, the last Mikrotik will be smashed with a sledge hammer.
Until then, I'm stuck with an ipsec tunnel that drops on a regular basis.
Hi Maris,Currently RADIUS support for xauth is not implemented.
In the wiki I think you mixed up IP ranges while creating the policy templates. SRC should be DST and vice versa.xauth and split tunnel examples are added in the wiki
http://wiki.mikrotik.com/wiki/Manual:IP ... _Mode_Conf
Hmmm.... Wiki update may be required here as these commands are definitely not in RoS 5.0+We have added initial mode-cfg support in version v6rc13. If anyone wants to test and suggest other needed mode-cfg features.
Unfortunately this has low cross-vendor inter-op. VTI is common on Cisco, Fortigate, Juniper SSG, Juniper SRX, Palo Alto Networks, Vyatta.If you want tunnel interface run ipsec in transport mode and ipip or gre over it.
ipsec 0 8.5% ipsec 1 1.5% ipsec 2 0% ipsec 3 0% ipsec 4 29.5% ipsec 8 0% ipsec 9 0% ipsec 12 1% ipsec 19 0.5% ipsec 20 0% ipsec 21 0% ipsec 23 1% ipsec 25 0.5% ipsec 27 0.5% ipsec 29 0.5% ipsec 30 24% ipsec 35 0%
agree, probably MT just need to "put them together" and call it VTIuntil that iPiP over IPSEC works very very good for me
Nope, that's a different beast. People also want VTI interoperability with other vendors.agree, probably MT just need to "put them together" and call it VTI
Isn't that just GRE over IPsec transport?Nope, that's a different beast. People also want VTI interoperability with other vendors.agree, probably MT just need to "put them together" and call it VTI
Basically, what people usually call VTI is a semi-separate IPsec stack bound to a virtual interface (hence VTI = virtual tunnel interface). The VTI IPsec policies are always 0.0.0.0/0 -> 0.0.0.0/0 and (contrary to the classic policy-based IPsec) the traffic to encrypt is selected by routing (what's going out the tunnel interface) rather then policy (because VTI IPsec policy matches everything).
The end result is similar in both cases (with the only exception GRE+IPsec will lead to a slightly lower tunnel's MTU as compared to IPsec VTI), however GRE+IPsec will not interoperate with, for instance, Cisco VTI, some cloud providers and other VTI implementations. To my knowledge, what people often call VTI has never been standardized, but still is relatively widely used, nevertheless.Isn't that just GRE over IPsec transport?
Ah I thought that GRE over IPsec was a Cisco invention and quite often used in Cisco configs.The end result is similar in both cases (with the only exception GRE+IPsec will lead to a slightly lower tunnel's MTU as compared to IPsec VTI), however GRE+IPsec will not interoperate with, for instance, Cisco VTI, some cloud providers and other VTI implementations. To my knowledge, what people often call VTI has never been standardized, but still is relatively widely used, nevertheless.
IKEv2 is in RouterOS 6.38Is ability to configure IKEv2 tunnel as client to Strongswan in RouterOS 6.38?
Are you talking about a roaming client or a site-to-site VPN? You can find all the necessary information here in the wiki.How configure it as client?
IPSec VTI +2 here alsoVTI +2 (me and a friend of mine)
GRE over IPsec transport doesn't work for the purpose of running OSPF with pfSense or Cisco on the other end.If you want tunnel interface run ipsec in transport mode and ipip or gre over it.
No clue. I've tried countless times to run OSPF over GRE between MikroTik and pfSense. Ultimately the routers will form full adjacencies but the routes never gets installed in the routing table on the MikroTik end.Why not?? That should be no problem!
(of course assuming you can configure the other end to the same settings)
yes it should be implemented in the next update !
Given how trivial it is to implement VTI now that they are running a 5.x Kernel in RouterOS v7beta I do not understand why it has not been delivered. It is certainly a lot less work than adding Wireguard or updating OpenVPN.With the prevalence of IKEv2 everywhere in the last few years, VTI is indeed a must-have now.
The fact that people have been asking in this topic for VTI for 8 years hopefully shows there is a substantial demand for it.
I'm not really hearing their moaning here, they kind of have the privilege to dictate who is going to swap the device to get the job done. You know what I mean...[cut].. I suppose the users of Cisco and Juniper routers are also whining ..[cut]..
That is incorrect! The overhead for IPIP/IPsec and "VTI" is exactly the same.Adding IPSEC on top of a tunnel interface like GRE/IPIP is a huge overhead
IPsec test results for MT routers are shown for IPsec in tunnel modeThe overhead for IPIP/IPsec and "VTI" is exactly the same.
Can you provide proof in the form of test results on a gigabit network? (gre+ipsec vs. pure ipsec tunnel mode, file copy throughput results and profile results)I exclusively use GRE/IPsec and I do not have that experience.
Hi pe1chl.I can almost guarantee that there never will be VTI in RouterOS v6!
We can only hope that it will become available in RouterOS v7.
In the meantime, consider using GRE or IPIP tunnels over IPsec transport, that provides an equivalent solution.
Of course you have to know that VTI in fact is a trick, introduced by one router vendor and copied by some others.
There is a whole history behind that. It is much like requesting from all vendors that they implement proprietary protocol extensions made by Microsoft.
As said many times before: when you want THAT, just make an IPIP or GRE tunnel and enable IPsec security on it. That does the same thing.I do want VTI too as it is easier to understand the "standard" routing principles than the policy one. I think it will be easier to get a overview of what is happening in the device when IPsec behaves just like any other interface. Easier to setup firewall rules based on interfaces.
good luck passing across NATAs said many times before: when you want THAT, just make an IPIP or GRE tunnel and enable IPsec security on it. That does the same thing.I do want VTI too as it is easier to understand the "standard" routing principles than the policy one. I think it will be easier to get a overview of what is happening in the device when IPsec behaves just like any other interface. Easier to setup firewall rules based on interfaces.
Well, in my cases, most of the time I'm not in charge of the IPsec service in the other end so that argument falls flat at least for me Sorry I was not looking to hear people explaining how to solve this or that, my question would have been stated differently then...As said many times before: when you want THAT, just make an IPIP or GRE tunnel and enable IPsec security on it. That does the same thing.I do want VTI too as it is easier to understand the "standard" routing principles than the policy one. I think it will be easier to get a overview of what is happening in the device when IPsec behaves just like any other interface. Easier to setup firewall rules based on interfaces.
Some of these NAT unfriendly protocols can be used with IPsec with just a click on a checkbox and typing a passphrase in MT and now they are NAT compatiblegood luck passing across NAT
As said many times before: when you want THAT, just make an IPIP or GRE tunnel and enable IPsec security on it. That does the same thing.
the advantage with ipsec is NAt traversal well known features
Useless to report that here. Report the number of units you planned to buy and have canceled to sales@mikrotik.com, then it may have an effect.unsubscribing, since I do not even care anymore. moved back to fortigates because of this crap.
yea, sureIPSEC improvement is here, its called wireguard ;-P
Hello Team, I hope you are all fine.
I have some problem with my Ipsec vpn between multiple sites. my 5 sites are connected with same ISP through MIKROTIOK ROUTER IPSEC TUNNEL. sites are a,b,c,d,e. a site is my head office and b,c,d,e sites is my clients(branches). all clients are connected with head office (a) through ipsec tunnel and working properly.But problem is that (b) not connected to (c,d,e) and (c) not connected to (b,d,e) and (d) not connected to (b,c,e) and (e) not connected to (b,c,d). Other words is (b,c,d,e) are not connected to eachother. All sites have different subnets.
Kindly give me some help that what i do work on my head office mikrotik router (a).
Although i was add subnet on routes opetion of my branches. but issed are same.
Regards
Sohaib
MikroTik is moving from the business market to the home market. Routers to be supplied by ISPs, maybe some devices used internally to ISPs.I am evaluating various solutions, but it is surprising that MikroTik does not support VTI, which is widely used and easy to manage in the industry. I don't understand why MikroTik insists on not developing this feature, especially it's an enterprise product.
Thanks for updating this post pe1chl. I've come across posts several times that you helped the community and me.Well, I tried again using a support desk request, but the status still is "At the moment, there is no plan to add this functionality,., but we will see if it can be supported in the future."
"At the moment, there is no plan to add this functionality"I'd be forced to ditch RouterOS and use something else. Do I have to say that it would break my heart?
That assumes you control both ends, and the other end supports GRE as well (lots of platforms don't).You do not need VTI to solve that problem! Simple GRE/IPsec tunnels and automatic routing will do it.
Yes, and when you want to buy a new car, don´t do it. Buy an horse-drawn carriage you can reach your destination also.You do not need VTI to solve that problem! Simple GRE/IPsec tunnels and automatic routing will do it.
Yes sure, but at the moment the situation simply is that GRE/IPsec and some other technologies work on MikroTik routers, and VTI does not. And there are no plans to make it working.Yes, and when you want to buy a new car, don´t do it. Buy an horse-drawn carriage you can reach your destination also.You do not need VTI to solve that problem! Simple GRE/IPsec tunnels and automatic routing will do it.
Sorry, but it makes no sense to always repeat 'use GRE/IPSec' when remote site doesn´t support it as told many times before. And it makes also no sense to repeat the history of VTI.
It simple is used in many many configurations.
Holy crap, 12 years just in this forum post.This topic is open for 12 years, other similar topics maybe even longer.
And still no way to avoid using a dual-stack.Holy crap, 12 years just in this forum post.This topic is open for 12 years, other similar topics maybe even longer.
Of course, I don't know whether this was just written there so that I wouldn't ask about the status any more...Oskars K.12 minutes ago
Hello
VTI might be implemented in a timely matter. But also, we cannot discuss that.
Thanks
Your request status changed to Waiting for support.
1 hour ago
Wolfgang Meibers
Wolfgang Meibers 1 hour ago
That was not the question. I was asking for someone who knows or decides which features will or will not be implemented and when this will happen. I am aware that you can't / don't want to answer that.
Well, I can understand that. VTI is not something that internet operators would use.I can't imagine any major internet operators and distributors that MK has never discussed with them about VTI support.