MikroTik – Major changes and additions to IPSEC in RouterOS

For the last few months of 2018, MikroTik has been working on a number of changes to the IPsec implementation in RouterOS.

Considering that MikroTik produces one of the least expensive platforms with IPsec hardware acceleration, this is very encouraging.

If you go to 6.44beta50, you'll see the following note at the top of the changelog:


Important note!!! Backup before upgrade!
Due to major IPsec configuration changes in RouterOS v6.44beta39+ (see changelog below), it is advised to make a backup before upgrading. Regular downgrade will still be possible as long as no changes in IPsec peer menu are done.

Here is a list of some of the changes MikroTik has made to IPSEC in recent weeks.


Changes in this release:

!) ipsec - added new "identity" menu with common peer distinguishers;
*) ipsec - improved invalid policy handling when a valid policy is uninstalled;

Other changes since v6.43.7:

*) ipsec - added account log message when user is successfully authenticated;
*) ipsec - added basic pre-shared-key strength checks;
*) ipsec - added new "remote-id" peer matcher (CLI only);
*) ipsec - allow to specify single address instead of IP pool under "mode-config";
*) ipsec - fixed active connection killing when changing peer configuration;
*) ipsec - fixed stability issues after changing peer configuration (introduced in v6.43);
*) ipsec - hide empty prefixes on "peer" menu;
*) ipsec - made dynamic "src-nat" rule more specific;
*) ipsec - made peers autosort themselves based on reachability status;
*) ipsec - moved "profile" menu outside "peer" menu (CLI only);
*) ipsec - properly detect AES-NI extension as hardware AEAD;
*) ipsec - removed limitation that allowed only single "auth-method" with the same "exchange-mode" as responder;
*) rb3011 - implemented multiple engine IPsec hardware acceleration support;
*) tunnel - properly clear dynamic IPsec configuration when removing/disabling EoIP with DNS as "remote-address";

from: https://mikrotik.com/download/changelogs/testing-release-tree


Among the more noteworthy additions is the new identity menu, which lets common peer attributes be built into reusable templates instead of being repeated on every peer.

Also, the RB3011 entry that reads "implemented multiple engine IPsec hardware acceleration support" is worth mentioning, because it suggests MikroTik is working on more hardware offload capacity by using multiple crypto engines in parallel.
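To show what the restructured configuration looks like in practice, here is an added example of a site-to-site IKEv2 tunnel in the v6.44 layout, where "profile" sits outside "peer" and the authentication material moves into the new "identity" menu. This is not configuration from the original post or from MikroTik's documentation; the profile, peer, proposal and policy names, the addresses and subnets, and the pre-shared-key placeholder are all assumptions chosen for illustration, and the command syntax is as I understand it for RouterOS 6.44 and later.

```routeros
# Added example, not from the original post or MikroTik's own documentation.
# Names, addresses and subnets are assumptions chosen for illustration.

# Phase 1 (IKE) parameters now live in a standalone profile that many peers can share
/ip ipsec profile
add name=branch-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 lifetime=1d

# The peer entry only states who we talk to and which profile to use
/ip ipsec peer
add name=branch-a address=203.0.113.10/32 exchange-mode=ike2 profile=branch-profile

# The identity carries the credentials; one peer may have several identities,
# and the same settings can be reused across peers as a template.
# 6.44 adds basic pre-shared-key strength checks, so use a long random secret
# rather than a short word (placeholder value below, replace before use).
/ip ipsec identity
add peer=branch-a auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-PSK"

# Phase 2 (ESP) proposal and the policy that selects traffic for the tunnel;
# the policy now references the peer by name
/ip ipsec proposal
add name=branch-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

/ip ipsec policy
add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 tunnel=yes peer=branch-a proposal=branch-proposal

# Verify that the SAs came up and check the peer's reachability status
/ip ipsec installed-sa print
/ip ipsec active-peers print
```

The point of the split is that a second branch only needs its own peer and identity entries; the profile and proposal are shared, which keeps the cipher and DH settings consistent across all tunnels. Note the upgrade warning quoted above: once a peer has been edited in the new menus, a regular downgrade is no longer possible, so keep the backup.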


Considering IPSEC is a critical element for cloud connectivity, this is great news coming out of MikroTik. We will do another update in 2019 to see how much further MikroTik has come with IPSEC support.