VPN
kodi, 2014-09-11 16:41:10

Why put ipsec in ipip?

The classic scheme for combining two subnets using two Mikrotiks.
But it is still not clear to me why people bring up ipip and encrypt it with ipsec, when we can specify in the ipsec policy that the packet source addresses are the addresses of our network, the destination addresses are the addresses of the remote network, the outgoing interface address is the address of our external interface, and the packet destination address is the address of the remote side's external interface.
In the form of a Mikrotik config, it looks like this:
/ip ipsec policy print
0 src-address=192.168.1.0/24 src-port=any dst-address=192.168.2.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=77.77.77.77 sa-dst-address=88.88.88.88 proposal=proposal1 priority=0
I.e., all the parameters are there. So where and for what is the ipip interface still needed, if in fact there is a route and there are addresses from which and to which to send the packet?

2 answer(s)
Cool Admin, 2014-09-11
@kodi

Let's go in order. Why use IPSec at all? To protect traffic going through public (or not) networks, and to make the possibility of intercepting, decrypting or compromising traffic minimal. Tunnels such as OpenVPN and IPSec are suitable for these purposes (everything else is either proprietary or breaks with a bang).
IMHO, oVPN is more suitable for landing clients, and IPSec for connecting networks.
Next. IPSec can operate in two modes, tunnel and transport.
The one that you described is tunnel mode: after the first packet matching the policy conditions appears, the tunnel comes up and stays open as long as traffic keeps flowing or until the timeout kills it. Tunnel mode is good because, indeed, you set up the policies and everything works as if by itself.
Transport mode secures traffic going between two points (between two devices) without building a tunnel. I.e., just encryption/decryption of packets. And to build a tunnel, you will need to use IPIP separately, or L2TP, or any other point-to-point protocol.
What the hell do we need this for? For example, if you have not two separate networks connected, but several on each side (in this case, you need X*Y policies). Or maybe you are building multiple connectivity, when it is impossible to say unequivocally through which peer this or that network is reachable (for example, with OSPF inside). Or maybe you are pushing not IP traffic through the tunnel (but telephony or multicast or FoIP or ATAIP). Or maybe you are also carrying L2 packets (for example, you bridged two offices and they have common addressing - over a short distance, that is quite a workable solution). And sometimes you need to rebuild the network without resetting all active tunnels (which is impossible in the previous case). In general, using IPSec transport is much more convenient.

Kirill Vasiliev, 2014-10-04
@vasilevkirill

I would answer a little differently.
The tunnel brought up under ipsec is needed only to reduce the number of ipsec policies.
Since traffic is encapsulated in the tunnel, we can block any routes, and in the IPsec policies register only two IP addresses =)
If you are really interested, then look at the implementation of a scheme such as "IPsec over GRE in loopback"; as soon as you understand that scheme, you will immediately understand why IPSec tunnels are made.
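
The design both answers describe (an IPIP tunnel protected by a single transport-mode policy between the two external addresses), sketched for the router from the question. This is an added example, not configuration posted by anyone in the thread. It assumes the IKE peer and proposal1 already exist as in the question's setup, that the policy parameters match the RouterOS version shown in the question's print output, and the tunnel name, tunnel addressing and second remote subnet are constructed for illustration.

```routeros
# Side A only (external 77.77.77.77, LAN 192.168.1.0/24); side B mirrors it.
# Assumed values not on the page: ipip-to-b, 10.255.255.0/30, 192.168.12.0/24.

# 1. Plain IPIP tunnel between the two external addresses.
/interface ipip add name=ipip-to-b local-address=77.77.77.77 \
    remote-address=88.88.88.88

# 2. Point-to-point addressing on the tunnel, so it can be used as a gateway
#    or as an interface for a routing protocol.
/ip address add address=10.255.255.1/30 interface=ipip-to-b

# 3. One transport-mode policy: it matches only the IPIP packets (IP protocol 4,
#    "ipencap") between the two external addresses. level=require means the
#    tunnel packets are dropped rather than sent in clear if no SA exists.
/ip ipsec policy add src-address=77.77.77.77/32 dst-address=88.88.88.88/32 \
    protocol=ipencap action=encrypt level=require ipsec-protocols=esp \
    tunnel=no sa-src-address=77.77.77.77 sa-dst-address=88.88.88.88 \
    proposal=proposal1

# 4. Remote networks are now ordinary routes. Adding another subnet is one more
#    route and no policy change; in pure tunnel mode every local/remote subnet
#    pair would need its own policy (X*Y of them).
/ip route add dst-address=192.168.2.0/24 gateway=ipip-to-b
/ip route add dst-address=192.168.12.0/24 gateway=ipip-to-b

# 5. Check that the tunnel is really encrypted: an ESP SA pair between
#    77.77.77.77 and 88.88.88.88 must be listed and its counters must grow
#    while traffic crosses ipip-to-b.
/ip ipsec installed-sa print
```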
