nz_monkey
Forum Guru
Topic Author
Posts: 2182
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

IPSec Mikrotik --> Netscreen/Juniper SSG using Tunnel Int

Tue May 13, 2008 6:19 am

When we create site-to-site VPNs with Juniper and Fortinet firewalls we always use tunnel interfaces, i.e. the IPsec VPN terminates on a tunnel interface. This allows the use of firewall policies as the selectors instead of having to use proxy-IDs and makes things a whole lot tidier.

Is it possible to do this with Mikrotik ?
 
hippo
just joined
Posts: 24
Joined: Wed Mar 26, 2008 2:12 pm

Re: IPSec Mikrotik --> Netscreen/Juniper SSG using Tunnel Int

Wed May 14, 2008 1:40 pm

Hi nz_monkey

From my understanding it's not possible, which is a shame since that way is very easy to work with. However, I don't think the way that NetScreen does this is completely RFC compliant.

I would also (at the moment) recommend you to stay away from IPsec on RouterOS, since I have experienced some serious problems with it that have yet to be fixed.
 
nz_monkey
Forum Guru
Topic Author
Posts: 2182
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Mikrotik IPSec lack of modern features

Wed May 14, 2008 2:47 pm

Hi Hippo, I did a lot of research last night and came to the same conclusion.

IPsec in RouterOS is over-complicated and uses a lot of terms that are not used by other firewalls. E.g. instead of using "DH-Group 2" like everything else under the sun, they use "modp 1024". It is also lacking a few features like PFS options and clear labeling of Phase 1 and Phase 2 options, instead calling Phase 2 "Policies" and Phase 1 "Peers".

Also, almost everything supports IPsec route-based VPNs (e.g. WatchGuard, NetScreen/Juniper SSG, FortiGate, Cisco). It is a shame that MikroTik does not, as we use IPsec this way at thousands of customer sites.

It would be fantastic to be able to either:
- Create a tunnel interface under "Interfaces" and then bind it to the Phase 1 object
or
- Tick a box in the Phase 1 object and have a tunnel interface automatically created

Regards,

Andrew
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Mikrotik IPSec lack of modern features

Wed May 14, 2008 3:41 pm

IPsec in RouterOS is over-complicated and uses a lot of terms that are not used by other firewalls. E.g. instead of using "DH-Group 2" like everything else under the sun, they use "modp 1024". It is also lacking a few features like PFS options and clear labeling of Phase 1 and Phase 2 options, instead calling Phase 2 "Policies" and Phase 1 "Peers".

Andrew, if what you describe is correct (your synonyms), then you've cleared up a lot of confusion for me with regard to IPsec.

Thank you.
 
nz_monkey
Forum Guru
Topic Author
Posts: 2182
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: IPSec Mikrotik --> Netscreen/Juniper SSG using Tunnel Int

Wed May 14, 2008 11:56 pm

Yes, they are correct.

Good to hear my rant helped someone!
 
hilton
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: IPSec Mikrotik --> Netscreen/Juniper SSG using Tunnel Int

Thu May 15, 2008 9:11 am

Thanks Andrew.
 
hippo
just joined
Posts: 24
Joined: Wed Mar 26, 2008 2:12 pm

Re: IPSec Mikrotik --> Netscreen/Juniper SSG using Tunnel Int

Thu May 15, 2008 5:12 pm

nz_monkey:

I was under the impression that you couldn't use route-based VPNs with Cisco. I thought you could only use either access-list based VPNs with Cisco or some sort of IPsec transport + IPIP. If you have the time, could you please show me or give me a link on how to configure Cisco with a route-based VPN?

br
Hippo
 
nz_monkey
Forum Guru
Topic Author
Posts: 2182
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: IPSec Mikrotik --> Netscreen/Juniper SSG using Tunnel Int

Sun May 18, 2008 9:05 am

It is as easy as:

!
! Phase 1 (ISAKMP/IKE): 3DES, SHA-1 (the IOS default hash), DH group 2, pre-shared key
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key uKaiPteNhah address 203.152.XXX.XXX
!
! Phase 2 transform set: ESP with 3DES encryption and SHA-1 HMAC
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! IPsec profile that the tunnel interface is protected with; PFS group 2 on rekey
crypto ipsec profile P1
 set transform-set ESP-3DES-SHA
 set pfs group2
!
! Virtual Tunnel Interface: the routing table decides what gets encrypted,
! so there is no crypto map and no access-list selectors
interface Tunnel0
 description IPSEC tunnel to Drury SSG140
 ip address 172.31.1.18 255.255.255.252
 tunnel source Dialer0
 tunnel destination 203.152.XXX.XXX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile P1
!


At the remote end of that is a Juniper SSG140; we are running RIPv2 over it for routing.

Enjoy.


Andrew
 
hippo
just joined
Posts: 24
Joined: Wed Mar 26, 2008 2:12 pm

Re: IPSec Mikrotik --> Netscreen/Juniper SSG using Tunnel Int

Mon May 19, 2008 11:35 am

Hmm, that looks interesting. What is the mode of the IPsec, tunnel or transport?

And, would you mind posting the configuration for the NetScreen side as well?

br
Hippo
 
nz_monkey
Forum Guru
Topic Author
Posts: 2182
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: IPSec Mikrotik --> Netscreen/Juniper SSG using Tunnel Int

Tue May 20, 2008 3:26 am

I would say it will be tunnel mode.

The NetScreen end is easy: just create a tunnel interface under the "Network Interfaces" menu, a Gateway (P1) and an AutoKey (P2), and then in the advanced part of the AutoKey select the tunnel interface. Then create a static route to the remote network via the tunnel interface and it will work.

I have just created a post in the "v4.0 Feature Request(s)" thread; I would appreciate it if anyone interested in having better IPsec options could post their support in it.

http://forum.mikrotik.com/viewtopic.php?f=1&t=21357


Regards,

Andrew
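The ScreenOS side of the route-based tunnel described in the post above, written out as an added example; it is not part of the original thread and not taken from Juniper or Cisco documentation. It mirrors the parameters of the IOS config posted earlier (pre-shared key, 3DES, SHA-1, DH group 2, PFS group 2, tunnel mode) so the two ends negotiate. Everything else is assumed: ethernet0/0 as the SSG's Untrust interface, tunnel.1 as the tunnel interface, 172.31.1.17/30 as the SSG end of the /30 that the IOS Tunnel0 sits on, 192.168.1.0/24 behind the SSG and 192.168.10.0/24 behind the Cisco as constructed sample LANs, and `<cisco-wan-ip>` as a placeholder for the address the post masks as 203.152.XXX.XXX. The `#` lines are annotations for the reader, not ScreenOS commands; drop them before pasting.

```text
# Phase 1 proposal matching the IOS "crypto isakmp policy 1": PSK, DH group 2, 3DES, SHA-1
set ike p1-proposal p1-3des-sha preshare group2 3des sha-1
# Phase 2 proposal matching the IOS transform set plus "set pfs group2"
set ike p2-proposal p2-3des-sha group2 esp 3des sha-1

# Tunnel interface (assumed name tunnel.1) in the Untrust zone; its address is the
# far end of the /30 used on the IOS Tunnel0 (assumed 172.31.1.17/30)
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 172.31.1.17/30

# Gateway (Phase 1): IKE main mode to the Cisco's WAN address, same pre-shared key as the IOS side
# <cisco-wan-ip> is a placeholder; ethernet0/0 as the Untrust interface is an assumption
set ike gateway gw-cisco address <cisco-wan-ip> main outgoing-interface ethernet0/0 preshare "uKaiPteNhah" proposal p1-3des-sha

# AutoKey (Phase 2) bound to the tunnel interface: the binding is what makes this route-based
set vpn vpn-cisco gateway gw-cisco proposal p2-3des-sha
set vpn vpn-cisco bind interface tunnel.1
# An IOS VTI negotiates any/any traffic selectors; state the matching proxy-ID explicitly
# so Phase 2 cannot fail on a selector mismatch
set vpn vpn-cisco proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"

# Routing decides what is encrypted: static route to the remote LAN via the tunnel interface
# (192.168.10.0/24 is a constructed sample network behind the Cisco)
set route 192.168.10.0/24 interface tunnel.1

# Zone policy is the traffic selector, not proxy-IDs; address book entries are constructed samples
set address trust lan-local 192.168.1.0/24
set address untrust lan-remote 192.168.10.0/24
set policy from trust to untrust lan-local lan-remote any permit
set policy from untrust to trust lan-remote lan-local any permit
```

The post's own deployment runs RIPv2 across the tunnel instead of the static route; the rest is the same. To check the result, `get sa active` on the SSG and `show crypto ipsec sa` on the IOS router should both show the SA with 0.0.0.0/0 selectors on each side; a policy-based peer that insists on narrow proxy-IDs will not come up against a VTI. The 3DES/SHA-1/group 2 suite reflects the 2008 thread; on current gear use AES, SHA-2 and a larger DH group on both ends.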
