juaco
just joined
Topic Author
Posts: 15
Joined: Tue Nov 09, 2010 12:15 am

VPN and ISP Wide NATed clients

Thu May 19, 2011 9:32 pm

Greetings fellow mikrotikers :)

I have the task to implement a VPN as only entry point to our network. I'm starting to read docs now, and one of the first things i notice is there are some trouble to expect with ISP-NATed clients (especially with IPSEC, would seem).

Do you have any advice/pointers on these issues? Pitfalls i may encounter? I need these items:
  • Good security
  • Potential ISP-NATd clients
  • Windows/Mac/Linux/etc clients
  • If at all possible L2 tunnelling, otherwise ability to do UDP (not TCP only)
  • Chances of auth against a centralized database (this would be awesome if possible). Specifically ADS.
  • I know this list is asking too much right now :(, but two factor is included in the requirements. We will have to use tokens.
any help will be much appreciated, thanks a lot!
 
Sanity
Member Candidate
Posts: 198
Joined: Sun Mar 06, 2011 8:51 am

Re: VPN and ISP Wide NATed clients

Fri May 20, 2011 6:39 am

juaco wrote:

Greetings fellow mikrotikers

I have the task to implement a VPN as only entry point to our network. I'm starting to read docs now, and one of the first things I notice is there are some trouble to expect with ISP-NATed clients (especially with IPSEC, would seem).

Do you have any advice/pointers on these issues? Pitfalls I may encounter? I need these items:
  • Good security
  • Potential ISP-NATd clients
  • Windows/Mac/Linux/etc clients
  • If at all possible L2 tunnelling, otherwise ability to do UDP (not TCP only)
  • Chances of auth against a centralized database (this would be awesome if possible). Specifically ADS.
  • I know this list is asking too much right now, but two factor is included in the requirements. We will have to use tokens.
any help will be much appreciated, thanks a lot!
RTFM. I decided to go with PPTP for the reason that it still is easier to manage.

* Good security.
* Never had a problem with NAT clients in years.
* No client needed. Guess what ;) the OS supports it. At least Mac and Windows do out of the box.
* Configuration - use Radius. Every AD server can be configured to act as a radius server.
* Two factor also supported I think out of the box, just never used it. You will run into tons of problems with that as it WILL require drivers on the computers to log in, and THIS is not something I am willing to accept
 
juaco
just joined
Topic Author
Posts: 15
Joined: Tue Nov 09, 2010 12:15 am

Re: VPN and ISP Wide NATed clients

Tue Jun 14, 2011 3:26 pm

Sanity wrote:

RTFM. I decided to go with PPTP for the reason that it still is easier to manage.

* Good security.
* Never had a problem with NAT clients in years.
* No client needed. Guess what ;) the OS supports it. At least Mac and Windows do out of the box.
* Configuration - use Radius. Every AD server can be configured to act as a radius server.
* Two factor also supported I think out of the box, just never used it. You will run into tons of problems with that as it WILL require drivers on the computers to log in, and THIS is not something I am willing to accept
I've managed to follow your advice and PPTP + radius AD AAA is working like a charm :D Thanks a lot for pointing me in the good direction.

As was expected, I face now the issue of integrating RSA tokens for two-factor. From what I've grasped in my RTFM'ing I need to use EAP for authentication with PPTP, which RouterOS doesn't seem to support (or I couldn't find how to enable it). So I'm thinking of L2TP+IPSEC. If that doesn't work I don't see what could, except for avoiding VPN methods on the router and offering ADS VPN directly over our edge (that would suck IMO).

My idea of how the auth process would work is like this:

IPSEC
client[token] ------------------->Mikrotik[auth method: rsa signature]

L2TP
client[ADS user/pass/domain] -------------------->Mikrotik[radius client to ADS server]

Is it correct?

PS: some of the doc I've found about PPTP puts some emphasis on inherent security weaknesses both in authentication methods (except some EAP based ones, but NOT for mschap1/2) and in MPPE even at 128 bits. Could this further level the balance to IPSEC/L2TP in terms of security?
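As an added example (not configuration posted by either participant), here is the L2TP/IPsec plus RADIUS arrangement juaco sketches above, expressed as RouterOS CLI commands with the PPTP server turned off. It assumes a RouterOS 6.x command set (later than this thread), a RADIUS server at 10.0.0.10 reachable on the LAN, a VPN pool in 172.16.50.0/24 and placeholder secrets; all of those values are constructed. The outer IPsec leg is authenticated by the pre-shared key and the inner PPP leg by MS-CHAPv2, which is what the RADIUS server receives. It does not add the token second factor, which depends on what the RADIUS server does with the request.

```routeros
# Added example, not from this thread: L2TP/IPsec with RADIUS (AD) PPP authentication
# on RouterOS 6.x. Addresses, pool and secrets are constructed placeholders.

# RADIUS client: PPP authentication and accounting go to the AD-side RADIUS server
/radius add address=10.0.0.10 secret=REPLACE_RADIUS_SECRET service=ppp \
    authentication-port=1812 accounting-port=1813 timeout=3s
/ppp aaa set use-radius=yes accounting=yes

# Address pool and profile for VPN users; MPPE encryption required, one session per user
/ip pool add name=vpn-pool ranges=172.16.50.10-172.16.50.100
/ppp profile add name=vpn-l2tp local-address=172.16.50.1 remote-address=vpn-pool \
    use-encryption=required only-one=yes

# L2TP server: IPsec required (pre-shared key for the outer tunnel), MS-CHAPv2 only
# for the inner PPP leg, which is the credential the RADIUS server sees
/interface l2tp-server server set enabled=yes default-profile=vpn-l2tp \
    authentication=mschap2 use-ipsec=required ipsec-secret=REPLACE_IPSEC_PSK

# PPTP stays off; its MS-CHAP/MPPE weaknesses are the reason for moving to L2TP/IPsec
/interface pptp-server server set enabled=no

# Firewall input: IKE and NAT-T (NAT-ed clients need UDP/4500), ESP, and L2TP only
# when it arrives inside an IPsec policy, so bare UDP/1701 from the Internet is refused
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept \
    comment="IKE / NAT-T"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="ESP"
/ip firewall filter add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP inside IPsec only"
```

Firewall rules are evaluated in order, so these accept rules have to sit above any drop-all rule already on the input chain. The `ipsec-policy=in,ipsec` matcher is the check worth keeping: without it, the L2TP port is open to anyone and the IPsec layer can be bypassed entirely.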
