Normunds, thanks for taking a look! =)
Wow, this is so great! Thank you for that and I hope everyone enjoys it.
Ha, thanks Fosben.
Nice one! Very good work.
Thanks Pilgrim...I aims to please...heh.
Awesome, great stuff.
Thanks,
rgs Pilgrim
Crown...thanks...I'm honored to see this is your first post...hehe
Really, it's great.
Thanks gregsowell.
What, Greg doesn't have any MikroTik certificates? Janis says you were in his class.
Just so I look as cool as everyone else
HA! Normunds, I have my MCNA, MikrotikCNA...Even if I had some M$ certs I would deny it...hehehehe
Xezen,
Good work. Do you have anything on MikroTik and Squid, as I see that there is lots of info on your webpage?
NP Titius. Just buy me lunch next time I'm in your neck of the woods.
Thank you very much.
Hey Gregsowell.
Many, many thanks for all the work you have put in to produce these.
For someone like me, struggling and starting with Mikrotik they are a great help.
I'm hoping I can find a solution to my VPN routing issue in your latest one.
Long may you continue and thanks again - your help is greatly appreciated.
Jack.
Myron,
Hi Greg,
I followed your IPsec video tutorial this afternoon and tried it on my 2 Mik routers with a public static IP each, but it doesn't handshake and the log shows nothing. Router A is ROS 3.30 <<<>>> ROS 4.2. Or is it incompatible between different versions of ROS?
I'm gonna reconfig tonight Greg, I'll update you soon with the result. Anyway, thanks for the reply.
If you went to system->logging-> and added IPSec to go to memory, then saw nothing in the logs while testing, you most likely don't have a policy configured correctly. When you try and ping via winbox, specify source interface and test...does it say packet rejected? Did you add the src-nat accept?
Greg
Hi Greg, here's my setup.
Regards
/ip firewall nat
add action=accept chain=srcnat comment="nat bypass" disabled=no out-interface=ether1 dst-address=10.0.0.0/8 place-before=0
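As an added example (not Greg's or Myron's configuration), here is a minimal site-to-site setup on the ROS 3.x/4.x CLI that ties together the three things Greg asks about: IPsec logging to memory, a policy whose SA addresses match the peer, and the srcnat accept placed before masquerade so LAN-to-LAN packets still match the policy. All addresses, the tunnel id and the pre-shared key are constructed placeholders; the `src-address` option on ping is assumed to be the CLI counterpart of the Winbox source field.

```routeros
# Site A: public 203.0.113.1 on ether1, LAN 10.1.0.0/24
# Site B: public 203.0.113.2, LAN 10.2.0.0/24 (mirror the addresses there)
# Addresses are documentation ranges; the secret is a placeholder.

# 1. Log IKE negotiation so a failed handshake is visible in /log print
/system logging
add topics=ipsec action=memory

# 2. Phase 1: the peer address must be the remote public IP
/ip ipsec peer
add address=203.0.113.2/32 auth-method=pre-shared-key secret="CHANGE-ME" \
    exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-128 \
    dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=2

# 3. Phase 2: tunnel-mode policy; sa-src/sa-dst are the two public IPs,
#    src/dst are the two LANs. A typo here is the usual cause of an empty log:
#    no packet ever matches, so IKE is never triggered.
/ip ipsec proposal
set default auth-algorithms=sha1 enc-algorithms=aes-128 pfs-group=modp1024
/ip ipsec policy
add src-address=10.1.0.0/24 dst-address=10.2.0.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=203.0.113.1 sa-dst-address=203.0.113.2 proposal=default

# 4. NAT: the accept rule is added first so it sits ABOVE masquerade.
#    If the source is rewritten to 203.0.113.1 before the policy is
#    consulted, the policy never matches the LAN-to-LAN packet.
/ip firewall nat
add chain=srcnat action=accept src-address=10.1.0.0/24 \
    dst-address=10.2.0.0/24 comment="ipsec bypass"
add chain=srcnat action=masquerade out-interface=ether1

# 5. Test from the router with a LAN address as source, as Greg suggests,
#    then check that an SA was installed and what IKE logged.
/ping 10.2.0.1 src-address=10.1.0.1 count=3
/ip ipsec installed-sa print
/log print
```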
Hilton, hello.
Hi Greg
Great work here, thanks very much. I just have one question if I may?
My set-up is site A connecting to sites B and C and both VPNs are IPSec. All have dynamic IP addresses and I managed to get these to work with the use of a script to resolve the dynamic host names of the respective sites.
When the connection drops to one of the remote sites, these are re-established by manually flushing the installed SAs. How could I flush the installed SA for only one of the VPNs? I don't want to drop the one that is still up.
Thanks again.
/ip ipsec policy set numbers=0 sa-dst-address=[:resolve remote.host.tld]
/ip ipsec peer set numbers=0 address=[:resolve remote.host.tld]
Cool
Hi Greg
Thanks for the quick response.
Firstly here is the script. It's VERY basic which makes me wonder what I forgot?
I run this on both sides.
/ip ipsec policy set numbers=0 sa-dst-address=[:resolve remote.host.tld]
/ip ipsec peer set numbers=0 address=[:resolve remote.host.tld]
I have set the DPD to 10 seconds with a max failure of 2. Let's see what happens.
Say that after you have seen the video...hehehe I'm hoping this one is as useful as the others!
Thanks Greg!
Hilton, I'm glad to see you are so concerned with my personal well being...hehehe
Can't wait for the cat to nail you.
Doctor,
Hi Greg, thanks for your effort. I have a question: I provide internet to about 100 clients. My problem is that whenever a problem occurs in a single client, all the others are affected; high latency ping times are shown, even wireless links are affected with latency, but when I block this client everything works fine. My question is how to isolate each client on the network so that no one is affected?
I don't see how IPIP over IPSec makes any sense to use.
One of IPSec's drawbacks is that it can only encapsulate unicast packets, which means that you cannot send broadcasts or multicasts over IPSec tunnels. Many routing protocols require multicast packets, and many other applications require broadcasts to function right. One of IPSec's advantages is that it provides excellent security.
A common solution to this conflict of interests is to first encapsulate the traffic in a tunneling protocol that can tunnel broadcasts, multicasts and unicasts (such as GRE, for example, or EoIP on RouterOS). Thus the original packets are now encapsulated in the packets of the tunnel, and those tunnel packets are unicast, so you can send them across an IPSec tunnel - effectively sending broadcasts and multicasts over IPSec by adding another layer of abstraction.
IPIP is limited to unicast IPv4 only, so I don't see what you gain by wrapping your packets in IPIP before sending them across IPSec. IPIP provides absolutely no security whatsoever, so IPSec+IPIP is exactly as secure as IPSec by itself since the only security provided is coming from the IPSec portion.
You cannot ever gain stability from adding more tunnel layers, as communication is going to be as stable as the least stable tunneling protocol used. If IPIP were more stable than IPSec then the combination would still be as stable as IPSec is by itself. If IPIP were less stable than IPSec, the combination would be as stable as IPIP is by itself.
Hope that helps explain the concepts adequately.
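To make fewi's layering concrete, here is an added example on the RouterOS CLI (not from this thread): the two sites are joined over EoIP, and an IPsec transport-mode policy encrypts the EoIP (GRE, IP protocol 47) packets between the two public addresses, so OSPF multicast hellos travel inside a unicast, encrypted packet. Addresses, tunnel id and secret are constructed placeholders.

```routeros
# Site A: public 203.0.113.1 (ether1); Site B: public 203.0.113.2.
# Mirror the addresses on site B. All values are placeholders.

# 1. Inner layer: EoIP carries any Ethernet frame, including the
#    multicast OSPF hellos, inside a unicast GRE packet (protocol 47).
/interface eoip
add name=eoip-siteB remote-address=203.0.113.2 tunnel-id=1
/ip address
add address=10.255.0.1/30 interface=eoip-siteB

# 2. Outer layer: IPsec in transport mode, matched only on the GRE
#    packets between the two public addresses. EoIP itself adds no
#    security; everything that protects the traffic is in this policy.
/ip ipsec peer
add address=203.0.113.2/32 auth-method=pre-shared-key secret="CHANGE-ME" \
    exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-128
/ip ipsec proposal
set default auth-algorithms=sha1 enc-algorithms=aes-128 pfs-group=modp1024
/ip ipsec policy
add src-address=203.0.113.1/32 dst-address=203.0.113.2/32 protocol=gre \
    action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=203.0.113.1 sa-dst-address=203.0.113.2 proposal=default

# 3. Dynamic routing across the tunnel: OSPF on the EoIP interface.
#    Its 224.0.0.5 hellos are multicast only inside the tunnel; on the
#    wire they are ESP between the two unicast public addresses.
/routing ospf network
add network=10.255.0.0/30 area=backbone
/routing ospf interface
add interface=eoip-siteB network-type=point-to-point

# 4. Verify: an SA for the GRE policy should be installed and the OSPF
#    neighbor should reach Full state over the tunnel.
/ip ipsec installed-sa print
/routing ospf neighbor print
```

With level=require, a missing SA means the GRE packets are dropped rather than sent in the clear, which is the failure mode you want for a tunnel whose only protection is the outer IPsec layer.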
Wow!! Fully detailed information and excellent explanation, fewi. Damn, now I know the flow, function and combination of tunneling methods.
Thanks fewi
Pretty great assessment fewi! IPIP actually can transmit multicast, so it is suitable for dynamic routing. I've done ipip tunnels with ipsec encryption and running pim inside!
The Mikrotik wiki does refer to RFC2003 - I read that and while it does mention that multicast tunneling for the purposes of getting routing protocols across tunnels can be a motivation, that is the only mention I can find.
IPIP kind of tunnels is the simplest one. It has the lowest overhead, but can encapsulate only IPv4 unicast traffic, so you will not be able to set up OSPF, RIP or any other multicast-based protocol.
I was unaware that IPIP can do multicast.
The Linux Foundation IPIP documentation claims they can only do unicast IPv4:
http://www.linuxfoundation.org/collabor ... /tunneling
Do you have any insight on why the Linux Foundation says it can't be done?
I'm genuinely curious. I usually use EoIP or GRE.
I have way too much karma. But work lets me idle here all day...
You have too little, given the rather awesome videos in this thread, and your other posts. I'm looking forward to your MUM troubleshooting presentation.
I'll play with IPIP in a lab some tomorrow.