Please can IPSec VTI be considered for RouterOS v7?

The Linux kernel has had support since 2012:
http://git.kernel.org/cgit/linux/kernel ... c617c68059

I know the same can be done manually with IPSec+GRE but it is a huge deal with larger installs and one is more prone to making mistakes.

Cheers

This has been requested countless times.

See http://forum.mikrotik.com/viewtopic.php?f=2&t=65734

Thanks, I must have a bad memory, I had even posted in that thread!

I also would like to see this feature. Also it would be good to be able to create Virtual Interfaces in general (as you can in Linux) and not only for MetaRouters or KVM.

Thanks, I must have a bad memory, I had even posted in that thread!

Ha ha.

Hopefully Mikrotik have not forgotten this request

2019 AD, November 15, Strongswan have a stable implementation of VTI...
Request still pending.

Bump. We need VTI support!

Yes, VTI support please, policy tunneling is not very user friendly to setup, I rather use traditional routing.

Not to mention that this would allow interop with many other router vendors IPSEC VTI based tunneling solutions.

Not to mention that this would allow interop with many other router vendors IPSEC VTI based tunneling solutions.

They are adding VTI is my understanding. I think the issue probably is if they add it now, while RouterOS v6 is still being updated, it is much more work for them to manage both code bases because the RouterOS v7 ipsec code will diverge from the RouterOS v6 ipsec code making it a lot harder to keep the code bases in sync with the same fixes. So they are likely waiting until RouterOS v7 stable comes out before they add this, as at that point, they will no longer need to make updates to RouterOS v6 as frequently.

Not to mention that this would allow interop with many other router vendors IPSEC VTI based tunneling solutions.

Ehm, I could be wrong here but my understanding is that VTIs are purely a local thing, the tunnel or other end does not know about if VTI is used or not at the opposite end. VTI should allow you to add a virtual interface in a hw/L2 like manner but will still only pass L3 traffic. Just as the policies. Policies vs VTI/routing is just cosmetic, both will do the same but in different configuration ways.

Not to mention that this would allow interop with many other router vendors IPSEC VTI based tunneling solutions.

VTI should allow you to add a virtual interface in a hw/L2 like manner but will still only pass L3 traffic.

yes and no. it has to support also multicast transport (for OSPF to work) which is not possible with policies.
also the encapsulation is different, consider the figure below.

I think ros7 must go to GA and everything on the current roadmap for it is stable, but I really hope Mikrotik will not forget about VTI in some point ...

Earlier this year I sent an email to Mikrotik support asking if VTI was going to be included in ROS v7 as I had some customer projects coming up that needed VTI support. On Aug 30th, 2021, I received a reply stating "Unfortunately, currently there are no short term plans to implement this feature in RouterOS."

Bummer

Well I hope then in 2031 we will see it in ros8 beta

add, please

+ need to be added

Hi,
+1 as VTIs are great for usability and flexibility, and supported by most other vendors for a good reason!
Thanks!

Woland

Personally I would find mGRE & NHRP more useful.

We use IPIP or GRE instead of VTI, but I agree that when doing mesh'es it's gets problematic, but thats just IPSec.

Indeed in a situation where you would "need" VTI, it would be possible to use IPIP or GRE with the same functionality, only unfortunately not compatible with others.
To setup a fully-meshed tunnel network, both have the same issues of scalability, solvable only with protocols like NHRP.

I fully expect the "VTI +1 whining" to shift to "NHRP PLEASE!" once it is implemented, maybe MikroTik understand that as well and put VTI low on the work list because of that.

It's natural, new things are invented, they are useful, competitors have them, people see it there and want them too, it will never end. It's not possible to add everything, but once something evolves into "everyone else has it", you can't ignore it forever.

Yes, but the issue with VPN protocols is "there is always one more", even when it is not better there are always people who want to have it.
It is a prime example the famous quote "The nice thing about standards is that you have so many to choose from; furthermore, if you do not like any of them, you can just wait for next year's model."

It's natural, new things are invented, they are useful, competitors have them, people see it there and want them too, it will never end. It's not possible to add everything, but once something evolves into "everyone else has it", you can't ignore it forever.

yes but VTI is not "everything". it is how ipsec has been done by most of the major vendors for about a decade. rather first keep up on the ipsec implementation before heading over to new-fangled rubbish wankery crap like wireguard or zeroconf.

the lack of VTI support is a major showstopper and we would have the opportunity for hundreds of customers buying mikrotik, but now they have to go to cisco or fortinet.

the lack of VTI support is a major showstopper and we would have the opportunity for hundreds of customers buying mikrotik, but now they have to go to cisco or fortinet.

Are you sure that when VTI is implemented, you will not come back with "VTI is nice, now we need to have NHRP"?
Of course these hundreds of customers must be on networks where there already is Cisco or Fortinet, or else they could setup their network in a way
that MikroTik already supports (e.g. GRE/IPsec). So I find it hard to believe that you will not need another specific protocol once you have VTI, and
likely that is NHRP.

the lack of VTI support is a major showstopper and we would have the opportunity for hundreds of customers buying mikrotik, but now they have to go to cisco or fortinet.

Are you sure that when VTI is implemented, you will not come back with "VTI is nice, now we need to have NHRP"?

yes, because I don't need NHRP (although it would be nice). But do you know what would be even nicer? ADVPN: https://community.fortinet.com/t5/Forti ... a-p/195698
but in kind of static networks you do not need any dynamic routing protocol. what you do want though, is having the flexibility of routing traffic through sites if necessary and to be able to do dialup vpn to a hub site from a site where you only have dynamic wan ip addresses, while still having a fully routed and fully connected site, without any additional effort...

Even if there are folks out there who would want NHRP after they got VTI - what's the issue with that? Baby steps, one after the other. RouterOS is already an extremely cool, versatile and powerful solution and they keep making it better every day. I'm just suggesting to keep a bit of a focus on de-facto industry-standard stuff which can bring the Tiks up to the next level of versatility. Interoperability is a good thing, look at Microsoft as an example. They interopped with everything and then inhaled everything from within the structure.

Of course these hundreds of customers must be on networks where there already is Cisco or Fortinet, or else they could setup their network in a way
that MikroTik already supports (e.g. GRE/IPsec). So I find it hard to believe that you will not need another specific protocol once you have VTI, and
likely that is NHRP.

well, they are on Cisco and Fortinet (and others), but obviously every now and then you gotta re-evaluate and every now and then you have the opportunity to switch vendors. Now, that RouterOS, after the community asking for that features for years, still doesn't support VTI, MikroTiks are out of scope immediately.

yes, because I don't need NHRP (although it would be nice). But do you know what would be even nicer? ADVPN: https://community.fortinet.com/t5/Forti ... a-p/195698

ADVPN is the marketing name for a VPN network based on VTI and NHRP. At least at Cisco it is. probably Fortinet is the same.

well, they are on Cisco and Fortinet (and others), but obviously every now and then you gotta re-evaluate and every now and then you have the opportunity to switch vendors. Now, that RouterOS, after the community asking for that features for years, still doesn't support VTI, MikroTiks are out of scope immediately.

I recommend you with any vendor to only look at what they offer TODAY and not at what is being demanded in the forums or even what is being promised by the vendor.
It does not matter what is being asked for, there is always something else on demand.

MikroTik have paid attention to those that demanded Wireguard and (to a lesser extent) OpenVPN improvements.
Probably the average customer of MikroTik is very happy with that and does not care so much about VTI or NHRP.
But you know what: go to Cisco and Fortinet and ask them to support OpenVPN or Wireguard and see how quickly THEY have added it to their routers!

I recommend you with any vendor to only look at what they offer TODAY and not at what is being demanded in the forums or even what is being promised by the vendor.
It does not matter what is being asked for, there is always something else on demand.

That's what I'm doing.

MikroTik have paid attention to those that demanded Wireguard and (to a lesser extent) OpenVPN improvements.
Probably the average customer of MikroTik is very happy with that and does not care so much about VTI or NHRP.
But you know what: go to Cisco and Fortinet and ask them to support OpenVPN or Wireguard and see how quickly THEY have added it to their routers!

You are mixing things up here. IPSEC has been used for ages in the industry. OpenVPN not so much, at least in enterprises. Neither has Wireguard.
For me that means, that someone more like the SOHO user belongs to the target audience of MikroTik, which is sad, given all the other features they have, but OK, if they choose to do so.
I just thought that they would want to keep up with what's going on in the enterprise environment, given that much of their featureset isn't exactly for SOHO users. But meh, what do I know.

Fortinet and Cisco are Enterprise-class products. Nobody in their right mind would ask them to implement something like OpenVPN or Wireguard. Maybe either of them will get popular in the Enterprise area and when the day comes, Fortinet and Cisco will implement it to not lose customers.

VTI interacts perfectly fine with Cisco's VTI solution or pfSense/OPNsense:
https://administrator.de/contentid/398932

Yes, VTI support please!

Сommunity waiting 7 years enterprise standard IPsec VTI. Instead they introduce useless features like ROSE-storage. ((

MT could at least let us know/update us whether it is on some kind of roadmap...

Please!

+1 for IPsec VTI Support.

+1 for IPsec VTI Support.

+1!

Please go through https://networklessons.com/cisco/ccie-r ... -interface

I think ros7 must go to GA and everything on the current roadmap for it is stable, but I really hope Mikrotik will not forget about VTI in some point ...

2y latter.. please provide ipsec vti support, regards

A solution that is very close to VTI is to protect a GRE tunnel through an IPSec transport. The only difference is, afaik, you loose few bytes of the GRE header. But in term of feature, it's like a VTI.

the issue is interoperability with other endpoints.
for example once i wanted to build gre over ipsec with a fortigate but the fortigate had a hard time and struggled with GRE, it made tons of CPU load on it, while pure IPSEC would have been hw-accelerated and lightning fast.

and you can't always just replace everything with mikrotiks, for obvious reasons.

True, but you also cannot implement every type of VPN that others suggest to you, for obvious reasons.

true, but dude, please don't refer to VTI as "every type of VPN" like it is some exotic thing.
i don't know any other serious vendor these days who doesn't implement VTI.

to be honest, mikrotiks are versatile AF and implement like every piece of whatnot but VTI of all things still doesn't exist in ROS?
Glad we have an SSTP server in ROS, THAT was important.

true, but dude, please don't refer to VTI as "every type of VPN" like it is some exotic thing.

It is exotic in the market for MikroTik devices. Ok, maybe not so much now as it was a couple of years ago, but still most MikroTik users demand OpenVPN or Wireguard, not IPsec.

so, if IPSEC is that exotic, please tell me why there is so many threads about it and why is mikrotik working hard on supporting hw-acceleration for IPSEC wherever possible and why is mikrotik improving their ipsec implementation all the time?

how do you know, what types of vpn are being requested by mikrotik users? do you have access to usage statistics, have you spoken to mikrotik employees who know the stats?

i think you may be captured in your perspective a bit.

so, if IPSEC is that exotic, please tell me why there is so many threads about it and why is mikrotik working hard on supporting hw-acceleration for IPSEC wherever possible and why is mikrotik improving their ipsec implementation all the time?

how do you know, what types of vpn are being requested by mikrotik users? do you have access to usage statistics, have you spoken to mikrotik employees who know the stats?

i think you may be captured in your perspective a bit.

Well, just like you judge the demand for VTI by the number of forum threads about it, I judge the demand for OpenVPN and Wireguard by their respective threads on the forum. Those numbers are way higher than for VTI.

Don't understand me wrong, I also need VTI here for one specific purpose, but I can understand that not every request can be granted.
Also, I think part of those that want VTI will realize only after it has been implemented that in fact they require other unimplemented protocols as well to match what others demand from them (like NHRP).

wait, I never said VTI would have a higher demand/forum thread count than OpenVPN or Wireguard.
We were talking about IPSEC in general, which you downplayed.

Again, I do not want to accept VTI being referred to as "granting/responding to every request". That always sound to me like people would be requesting mikrotik to support some arbitrary, exotic alien technology nobody uses. But as I mentioned earlier, VTI is widely used and supported and IMHO vastly superior to what mikrotik is doing currently.

i sincerely hope that they'll implement it one day.

regarding the other protocols you mentioned, like NHRP, I can't tell, I just want interfaces

regarding the other protocols you mentioned, like NHRP, I can't tell, I just want interfaces

When you think that VTI just means "standard IPsec tunnel but with virtual interfaces instead of policies on existing interfaces": that is not really true, read back above to e.g. explanation by "doneware".
Sure it is handy to have a virtual interface for your tunneled traffic, but MikroTik already supports that: IPIP over IPsec transport.
That works with other standard routers. Same for GRE over IPsec transport, that has the advantage of also supporting IPv6, Multicast etc.
But that still is not the same as VTI.

as I have mostly interop inconveniences with fortigates, I can't resort to ip-ip or gre, as these often can't be hw offloaded on the smaller fortigate models, whereas IPSEC VTI can.

It is exotic in the market for MikroTik devices. Ok, maybe not so much now as it was a couple of years ago, but still most MikroTik users demand OpenVPN or Wireguard, not IPsec.

Well, apologies, OpenWRT again :
https://openwrt.org/docs/guide-user/ser ... based_vpns

Every device used with OpenWRT has VTI support... So I don´t think VTI is exotic in the market of home/soho routers for power users!

On "enterprise" routers/firewalls/toasters VTI is a long established feature by every vendor I know of.

I´m optimistic however: MT brought a lot of great new features with ROS7. I will probably live to see VTI, not only BFD and ISIS.

IS-IS is probably a feature requested by a large (potential) customer. I see no reason why MikroTik developers would suddenly decide to add another routing protocol (while the coding of the existing routing protocols is not finished) just by themselves. So sales has come by and said "we can sell 10000 routers when we have IS-IS".

Similarly, when sales would come by and say "we can sell 100000 additional routers when we have IPsec VTI" it probably will be in the next beta.
As indeed, the underlying open source IPsec software already supports it, it is just a matter of writing the proper RouterOS configuration layer.
(unless of course they have forked the software 15 years ago and did not track the development, but I do not think that is the case as other "newer" IPsec features like IKEv2 got added in that timeframe)

yeah well, I've just switched back to a Fortigate 60F from my RB5009 and I'm not looking back.
Very sad but I was just fed up of the IPSEC implementation in ROS. Route based IPSEC is such a charm to work with!

I'm not considering putting ROS routers anywhere in the near future where I need IPSEC, not as long as routed IPSEC is non-existent in ROS.

Agreed.. IPsec without VTI is terrible.
I really don't understand why it is not available yet. _ALL_ VPN's I use and manage ( about 2000, I work for some governmental agency ) are route based.

yeah well, I've just switched back to a Fortigate 60F from my RB5009 and I'm not looking back.

eur
Yeah, that´s a nice device, but that would cost any end user around 1k EUR with just the basic license.
The RB5009 comes for 25% of that price! Also the 60F has only 1 Gbps ports.

sure, that's why I bought the RB5009 in the first place.
but it turned out that different features were more important than like having an SFP+ port.
also, I bought mine used for EUR 350. Also, you can get a 40F which is still as powerful (if not more powerful) as a RB5009 and that is obtainable well under 1k.

ok, this is it people, no plans but they'll "consider it".

bye bye for good for any edge routers, mikrotik...

Hello,
Thank you for contacting MikroTik Support.
At the moment there are no plans to change IPSEC functionality, thanks for your request we will consider such implementation.
Best regards,
Oskars K.

Agreed.. IPsec without VTI is terrible.
I really don't understand why it is not available yet. _ALL_ VPN's I use and manage are route based.

Yeah mine too, but they are GRE/IPsec which provides the same functionality. With MikroTik routers that works well. It is only the cross-manufacturer support that is a problem.

Joininig the request for the IPsec VTI feature. Needs as air.

Well, I tried again using a support desk request, but the status still is "At the moment, there is no plan to add this functionality,., but we will see if it can be supported in the future."

Well, I tried again using a support desk request, but the status still is "At the moment, there is no plan to add this functionality,., but we will see if it can be supported in the future."

Thanks for updating this post pe1chl. I've come across posts several times that you helped the community and me.

Where do you make this resource request? Is it open? Maybe the community will fill their box with requests. LOL...

I don't know if I'm unique, but I always look at the changelogs of the beta versions and there's never the gold feature. Maybe with the pleas they will listen.

A tip if you really need a VTI interface in your business: open a support ticket and describe a genuine use case that could motivate Mikrotik to move forward with developing this. Just posting in this user forum won't probably accomplish much.

Well, as I wrote I filed it as a support desk feature request. Anyone can do that. It may be more effective than adding "+1" here.
Not as a business case, but it would help me to have this for our VPN tunnel to Microsoft Azure.
Now, I use a small dedicated Linux VM on our ESXi server, maybe I'll try to make it a container.
But the configuration in libreswan is so trivially simple (and I think *swan also originally was the base for RouterOS IPsec) that I hope that MikroTik would at some time add it and save me an external IP, which is quite scarce in our /29 network.

Exactly my idea and that's what I did, open a ticket via email with the following subject: Resource request - Tunnel Interface (VTI)

I explained my motivations. I hope that community demand changes Mikrotik's stance on the feature.

One of the main reasons is with Cloud providers too, we cannot use, for example, BGP with them and other small reasons.

Our case is the same, solving it paleatively with Linux, in my case I use Strongswan. But I would love to see it directly on RouterOS, it takes away one more point from my infrastructure to monitor and manage.

Any new information/feedback from mikrotik regarding this?

Any new information/feedback from mikrotik regarding this?

Yes, they told me it is not planned.
At the moment, there is no plan to add this functionality,., but we will see if it can be supported in the future.

That was in june 2024.
And that has been the status for at least 10 years now.