mhaluska
just joined
Topic Author
Posts: 22
Joined: Sat Jun 13, 2020 1:20 pm

IPIP/EoIP with IPsec non-default proposal

Fri Jun 19, 2020 1:21 pm

Hi,
I'm not able to get a different proposal in IPsec than 'default' working with an IPIP or EoIP tunnel. I tried to create an IP matching template and put it in first place, but the 'default' one is still picked anyway.
I want to have the CHRs connected using AES-CTR and some MikroTik devices connected to the CHR using AES-CBC. When I have both CBC and CTR on the CHR in the 'default' proposal (to allow CBC for the other devices), then CBC is automatically picked between the CHRs as well.
Any idea how to solve this?

Thanks
Marek
sindy
Forum Guru
Posts: 10005
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPIP/EoIP with IPsec non-default proposal [SOLVED]

Fri Jun 19, 2020 3:50 pm

If you just set a non-empty ipsec-secret value in the /interface eoip row, and let RouterOS create the IPsec configuration for you dynamically, it uses the default profile for phase 1 and the default proposal for phase 2, full stop. To use another profile/proposal, you have to create the peer, identity, and policy manually, and for the manually created peer and policy, you may set a profile and proposal of your choice (and for the identity, you may assign a policy template group of your choice if a policy is to be generated dynamically, but that's typically out of scope of EoIP encryption using IPsec).

The easiest way to have all the other parameters of the manually configured peer and policy set properly is to add these manually configured elements as copies of the dynamically created ones. Keep the dynamic creation in place and do

/ip ipsec peer add name=my-eoip-peer copy-from=[find address=ip.of.remote.eoip] address=some.bogus.ip
/ip ipsec identity add copy-from=[find secret=your-eoip-ipsec-secret] peer=my-eoip-peer
/ip ipsec policy add copy-from=[find sa-dst-address=ip.of.remote.eoip] peer=my-eoip-peer


Then, set the ipsec-secret in the /interface eoip row to an empty string, and the dynamically created items will disappear.
Last step:

/ip ipsec peer set my-eoip-peer address=ip.of.remote.eoip

This way, you've created 1:1 copies of the three elements properly linked together but configured statically. Now you can adjust their settings to match your needs.
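As an added illustration (not sindy's commands and not MikroTik's own documentation), the whole sequence from the answer above applied to a constructed setup, followed by the step the thread is actually about: attaching a proposal that only offers AES-CTR, so CBC can no longer be negotiated on this tunnel even while the 'default' proposal still lists it for other devices. The remote address 203.0.113.10, the bogus placeholder 192.0.2.1, the tunnel name eoip-chr, the object names and the secret are all assumed placeholders; the same configuration has to be applied on the other end with the addresses swapped, otherwise phase 2 fails because the two proposals no longer intersect.

```routeros
# Added example (not from the original post): static rebuild of the dynamically
# created EoIP/IPsec objects, then a non-default phase-2 proposal.
# Constructed placeholders: 203.0.113.10 = remote EoIP endpoint, 192.0.2.1 = bogus
# address used only while the dynamic peer still exists, eoip-chr = tunnel name.

# 1. Non-default proposal offering AES-256-CTR only. The 'default' proposal is
#    left untouched so the other devices can keep negotiating AES-CBC.
/ip ipsec proposal add name=eoip-ctr enc-algorithms=aes-256-ctr \
    auth-algorithms=sha256 pfs-group=modp2048 lifetime=30m

# 2. Static copies of the dynamic peer, identity and policy. The bogus address
#    avoids an address clash with the dynamic peer that is still present.
/ip ipsec peer add name=my-eoip-peer copy-from=[find address=203.0.113.10] \
    address=192.0.2.1
/ip ipsec identity add copy-from=[find secret="REPLACE-WITH-YOUR-SECRET"] \
    peer=my-eoip-peer
/ip ipsec policy add copy-from=[find sa-dst-address=203.0.113.10] \
    peer=my-eoip-peer

# 3. Clearing ipsec-secret on the tunnel removes the dynamic objects; only then
#    can the static peer take over the real remote address.
/interface eoip set [find name=eoip-chr] ipsec-secret=""
/ip ipsec peer set my-eoip-peer address=203.0.113.10

# 4. The static policy may now reference the non-default proposal.
/ip ipsec policy set [find peer=my-eoip-peer] proposal=eoip-ctr

# 5. Check: the policy must show proposal=eoip-ctr and the installed SA towards
#    the remote must report a CTR cipher. A CBC entry here means the far end has
#    not been changed yet and the tunnel is still using the 'default' proposal.
/ip ipsec policy print detail where peer=my-eoip-peer
/ip ipsec installed-sa print where dst-address=203.0.113.10
```

Step 5 is the part worth keeping in a runbook: the only reliable evidence that the tunnel is really using CTR is the installed SA, not the policy configuration, because a mismatch between the two ends silently falls back to whatever both sides still have in common.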
mhaluska
just joined
Topic Author
Posts: 22
Joined: Sat Jun 13, 2020 1:20 pm

Re: IPIP/EoIP with IPsec non-default proposal

Fri Jun 19, 2020 6:03 pm

@sindy: thanks a lot, I'll try this, had no idea it's possible :-)
mhaluska
just joined
Topic Author
Posts: 22
Joined: Sat Jun 13, 2020 1:20 pm

Re: IPIP/EoIP with IPsec non-default proposal

Fri Jun 19, 2020 6:40 pm

Works like a charm, thanks a lot sindy.
