IPSEC

acx1100 uses inline-services for IPsec (tunnel mode), which is limited to inbound encryption only; still, the functionality is usable (but not in all cases).

We will reuse our lab design (except frr) and the logical systems configuration as the base configuration.

None of the remote IPsec endpoints is directly connected to acx1100!

IPsec endpoint | Public IP    | Local networks (IPsec encrypted)
---------------|--------------|--------------------------------------------------------------
acx1100 (LRC)  | 172.20.13.1  | 10.0.0.0/30 (for gre/ospf, all logical systems networks)
neo4           | 172.20.13.20 | 192.168.168.0/24 (podman network)
mikrotik chr   | 172.20.13.30 | 192.168.30.0/24 (pc1 network), 192.168.31.0/24 (pc2 network)

acx1100

I strongly suggest checking the following links in order to understand the configurations in this lab

  • service set – inline-services
  • ipsec – here we can find a good IPsec overview and also the IPsec service configuration guideline
  • ipsec rules – these rules create the IPsec tunnel and also act as the policy for which traffic is to be encrypted
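To make the three pieces above concrete, here is an added example (not from the page and not the author's lab configuration) of the acx1100 side of the neo4 tunnel. It uses the addresses from the table (local gateway 172.20.13.1, neo4 at 172.20.13.20, 10.0.0.0/30 and 192.168.168.0/24) and assumes the ACX1100 accepts the MX-style next-hop service-set and `services ipsec-vpn` hierarchy; the slot numbers (fpc 0 pic 0, si-0/0/0), the names (SS-NEO4, RULE-NEO4, IKE-POL, IPSEC-POL and friends), the algorithm choices and the PSK placeholder are all my assumptions, and the `##` lines are annotations to strip before `load set terminal`.

```junos
## Added example, not the page's configuration. Assumes MX-style hierarchy on ACX1100;
## names, slots and algorithms are assumptions, PSK is a placeholder.

## 1. Inline service PIC bandwidth and the si- units:
##    unit 1 = inside (cleartext side), unit 2 = outside (ESP side).
set chassis fpc 0 pic 0 inline-services bandwidth 1g
set interfaces si-0/0/0 unit 0 family inet
set interfaces si-0/0/0 unit 1 family inet
set interfaces si-0/0/0 unit 1 service-domain inside
set interfaces si-0/0/0 unit 2 family inet
set interfaces si-0/0/0 unit 2 service-domain outside

## 2. IKEv2 with a pre-shared key; AES-256 / SHA-256 / DH group14.
set services ipsec-vpn ike proposal IKE-PROP authentication-method pre-shared-keys
set services ipsec-vpn ike proposal IKE-PROP dh-group group14
set services ipsec-vpn ike proposal IKE-PROP authentication-algorithm sha-256
set services ipsec-vpn ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set services ipsec-vpn ike policy IKE-POL version 2
set services ipsec-vpn ike policy IKE-POL proposals IKE-PROP
set services ipsec-vpn ike policy IKE-POL pre-shared-key ascii-text "REPLACE-WITH-REAL-PSK"

## 3. ESP in tunnel mode with PFS.
set services ipsec-vpn ipsec proposal IPSEC-PROP protocol esp
set services ipsec-vpn ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set services ipsec-vpn ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set services ipsec-vpn ipsec policy IPSEC-POL perfect-forward-secrecy keys group14
set services ipsec-vpn ipsec policy IPSEC-POL proposals IPSEC-PROP

## 4. The rule IS the policy: only 10.0.0.0/30 <-> 192.168.168.0/24 is encrypted
##    towards 172.20.13.20; any other prefix pair needs its own term.
set services ipsec-vpn rule RULE-NEO4 term T1 from source-address 10.0.0.0/30
set services ipsec-vpn rule RULE-NEO4 term T1 from destination-address 192.168.168.0/24
set services ipsec-vpn rule RULE-NEO4 term T1 then remote-gateway 172.20.13.20
set services ipsec-vpn rule RULE-NEO4 term T1 then dynamic ike-policy IKE-POL
set services ipsec-vpn rule RULE-NEO4 term T1 then dynamic ipsec-policy IPSEC-POL
set services ipsec-vpn rule RULE-NEO4 match-direction input
set services ipsec-vpn establish-tunnels immediately

## 5. The service set ties the si- units, the local gateway and the rule together.
set services service-set SS-NEO4 next-hop-service inside-service-interface si-0/0/0.1
set services service-set SS-NEO4 next-hop-service outside-service-interface si-0/0/0.2
set services service-set SS-NEO4 ipsec-vpn-options local-gateway 172.20.13.1
set services service-set SS-NEO4 ipsec-vpn-rules RULE-NEO4

## 6. Steer cleartext for the remote network into the inside service interface.
set routing-options static route 192.168.168.0/24 next-hop si-0/0/0.1
```

The remote side must mirror the term exactly (strongSwan's `local_ts`/`remote_ts` as 192.168.168.0/24 and 10.0.0.0/30, same IKE/ESP algorithms and the same PSK), otherwise IKE negotiates but no child SA is installed. After commit, `show services ipsec-vpn ike security-associations` and `show services ipsec-vpn ipsec security-associations` (the MX-style commands, assumed to exist on the ACX) should list the peer, and `show services ipsec-vpn ipsec statistics` is the quick check for whether packets are actually being encrypted and decrypted in both directions, which is exactly where the inbound-only limitation mentioned above will show up.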

NEO4 (Strongswan)

NEO4 is a linux arm64 sbc (ex frr 🙂 ) with podman containers. We will create an IPsec tunnel with strongSwan and encrypt the traffic between the podman containers network and the acx1100 – LRC network.

Mikrotik (ros 7)

The Mikrotik router is actually a node in GNS3 (virtual machines). We will create a GRE tunnel between Mikrotik and LRC and encrypt it with IPsec. The GRE tunnel will be used for OSPF.

We will also see what works and what does not with this IPsec/GRE scenario!
