Mmm, interesting situation. I can't think what you would do really; IPSEC doesn't have an interface as such, like PPTP for example. I don't know what the reason could be either that AWS want that, or how it would work. IPSEC is IPSEC, it simply encrypts the traffic between the endpoints based on your policy, so why you would need some type of other address at either end is a bit strange. Glad you got it sorted though, perhaps somebody else might know a bit more about such a situation and be able to provide more advice.

Regards
Paul

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Karl Auer
Sent: Saturday, 25 June 2016 9:12 PM
To: public@talk.mikrotik.com.au
Subject: Re: [MT-AU Public] virtual interfaces in ROS?

On Sat, 2016-06-25 at 20:09 +1000, Paul Julian wrote:
Hi Karl, are you actually creating a VPN or is it just some type of tunnel?
Amazon calls it a VPN. The remote end is an AWS VPC (private addressing only), the local end is my MikroTik router with my home network behind it. An IPsec tunnel joins them. Is that a VPN or just some type of tunnel? :-)
You can create a virtual ethernet interface in RouterOS, perhaps this is what you are looking for, but my thoughts would have been around a bridge interface.
Yes - the issue is "connecting" these to the IPsec tunnel. Amazon supplies an "outside" address and an "inside" address for the AWS end. The "outside" address at my end is my router's Internet-facing interface address, and Amazon provides an "inside" address for my end. The two "inside" addresses are from the same /30 IPv4 network.

Key point: Traffic for the remote VPC must be routed over the "inside" address at the AWS end.

The way I originally had it working was simply to place my "inside" address on the same interface as my "outside" address. Worked fine; I had an IPsec policy that covered traffic from my "inside" address to the AWS "inside" address, an IPsec policy that covered traffic from anywhere to the remote VPC, and a static route that sent traffic for the VPC via the AWS "inside" address.

But I've done some more experimenting and it seems that I don't need to configure the "inside" addresses supplied by Amazon at all! I widened the IPsec policy for traffic to the AWS "inside" address to cover any source, removed the local "inside" address completely, and everything still works just fine.

But I'd still like to know whether it's possible to somehow attach a virtual interface of some sort to an IPsec tunnel.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)   work +61 2 64957435
http://www.nullarbor.com.au          mobile +61 428 957160
GPG fingerprint: 6D59 8AE6 810D 44E3 7626 7040 4DD6 F89F 3053 4774
Old fingerprint: 9DCA 0903 BCBD 0647 BCCC 2FA7 A35C 57A1 ACF9 00BB

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
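To make the difference between Karl's two policy layouts concrete, the following is an added example (not from the thread or from RouterOS itself) that models an ordered, first-match IPsec policy lookup over constructed sample addressing: a home LAN, a VPC range, and a /30 "inside" link. It shows which flows each layout protects and, importantly, that a flow matching no policy is forwarded unprotected, which is why the widened policy is what lets a LAN host reach the AWS "inside" address over the tunnel at all.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing for illustration only (not the thread's real values).
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")
AWS_VPC = ipaddress.ip_network("10.20.0.0/16")
MY_INSIDE = ipaddress.ip_network("169.254.100.1/32")   # my end of the shared /30
AWS_INSIDE = ipaddress.ip_network("169.254.100.2/32")  # AWS end, also the route next hop
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Policy:
    """One IPsec policy selector: traffic from src to dst gets the given action."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str = "encrypt"


def lookup(policies, src, dst):
    """First-match lookup over an ordered policy list.

    Anything that matches no policy is sent as plain IP, so a too-narrow
    selector does not fail loudly; it silently bypasses the tunnel.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in p.src and d in p.dst:
            return p.action
    return "clear"


# Karl's original layout: my inside -> AWS inside, plus anywhere -> VPC.
ORIGINAL = [Policy(MY_INSIDE, AWS_INSIDE), Policy(ANY, AWS_VPC)]

# The widened layout: any source -> AWS inside, plus anywhere -> VPC.
WIDENED = [Policy(ANY, AWS_INSIDE), Policy(ANY, AWS_VPC)]


def compare(flows):
    """Return {(src, dst): (original_action, widened_action)} for each flow."""
    return {f: (lookup(ORIGINAL, *f), lookup(WIDENED, *f)) for f in flows}


if __name__ == "__main__":
    sample_flows = [
        ("192.168.1.10", "10.20.5.5"),       # LAN host to a VPC instance
        ("169.254.100.1", "169.254.100.2"),  # router's own inside address to AWS inside
        ("192.168.1.10", "169.254.100.2"),   # LAN host to the AWS inside address
        ("192.168.1.10", "203.0.113.9"),     # ordinary Internet traffic
    ]
    for flow, actions in compare(sample_flows).items():
        print(f"{flow[0]:>15} -> {flow[1]:<15} original={actions[0]:<7} widened={actions[1]}")
```

Because unmatched traffic falls through to "clear", a defender normally pairs such policies with a final rule (or firewall filter) that drops anything destined for the VPC range that is not carried inside the tunnel.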