Mikrotik
brar, 2018-03-16 17:13:06

Is this IPSec setting correct?

Set up according to the article.
Here is the config from there.

# IPIP tunnel between the two public endpoints
/interface ipip
add !keepalive local-address=62.105.149.228 mtu=1450 name=Tunnel1 remote-address=90.154.106.114
# Point-to-point address on the tunnel interface
/ip address
add address=192.168.252.38/30 interface=Tunnel1 network=192.168.252.36
# Phase 2 proposal (AES-256-CBC)
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc
add enc-algorithms=aes-256-cbc name=AES-256
# Phase 1 peer, pre-shared key
/ip ipsec peer
add address=90.154.106.114/32 enc-algorithm=aes-256 nat-traversal=no secret=OstecGPkey
# Transport-mode policy: only IPIP (protocol 4, "ipencap") traffic between the two public addresses is selected
/ip ipsec policy
add dst-address=90.154.106.114/32 proposal=AES-256 protocol=ipencap sa-dst-address=90.154.106.114 sa-src-address=62.105.149.228 src-address=62.105.149.228/32
# OSPF over the tunnel /30 and the local LAN
/routing ospf network
add area=backbone network=192.168.252.36/30
add area=backbone network=192.168.88.0/24

The tunnel and IPsec work. Everything is great.
But there are doubts. Why are the external addresses specified in the ipsec policy, and not the local subnets of both ends?
Also, if you configure IPsec directly in the IPIP tunnel settings, the speed between hosts is 30% higher than with the above settings, so the question arises about the resource consumption of such a setup. (Perhaps this is because aes-128 is used with dynamic IPsec.)
And with this setup (through OSPF) it will be easier to add other subnets to the infrastructure, as far as I understand?

1 answer(s)
poisons, 2018-03-16
@brar

There are 2 modes of operation of IPsec - transport and tunnel. In your case, transport is used.
Quite a logical conclusion.
If you run IPsec in tunnel mode, then no OSPF will work; it needs an interface.
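Why the policy names the public endpoints, modelled in Python as an added example (not from the post or from RouterOS): in transport mode the policy selects on the outer IPIP header (protocol 4, "ipencap"), so the inner subnets never appear in it, and anything sent between the two public addresses outside the tunnel is not covered. The remote LAN 192.168.89.0/24 is an assumption for illustration.

```python
"""Model of the transport-mode IPsec policy from the question (added
example, not RouterOS code). Addresses are the ones in the question."""
import ipaddress
from dataclasses import dataclass

IPENCAP = 4  # IP protocol number of IP-in-IP, RouterOS "ipencap"
LOCAL_END, REMOTE_END = "62.105.149.228", "90.154.106.114"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class Policy:
    """Selector of the /ip ipsec policy entry: src-address, dst-address, protocol."""
    src_net: str
    dst_net: str
    proto: int

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and pkt.proto == self.proto)


# The policy exactly as configured in the question
POLICY = Policy(f"{LOCAL_END}/32", f"{REMOTE_END}/32", IPENCAP)


def ipip_encapsulate(inner: Packet) -> Packet:
    """Outer header that interface Tunnel1 wraps around an inner packet.
    The inner packet (LAN-to-LAN, OSPF hello, ...) becomes the payload,
    so only the tunnel endpoints and protocol 4 are visible to IPsec."""
    assert inner is not None
    return Packet(LOCAL_END, REMOTE_END, IPENCAP)


def is_protected(pkt: Packet, via_tunnel: bool) -> bool:
    """True if the packet leaves the router inside the IPsec SA, i.e. the
    packet as it appears on the wire matches the policy selector."""
    on_wire = ipip_encapsulate(pkt) if via_tunnel else pkt
    return POLICY.matches(on_wire)
```

On the router itself, `/ip ipsec policy print` and `/ip ipsec installed-sa print` show whether the policy is active and whether the SA is carrying traffic.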
