Joined: Sun Jan 31, 2010 9:58 am Posts: 50
Karma: 0
Location: Brisbane, Australia
Hi all - first post here.
I am looking to set up a number of VPNs (around 50) to my clients for the purposes of remote support. I am looking at a number of router OSes and hardware platforms, obviously MikroTik is a strong contender at this point. I am looking at using RB750Gs at client sites but have not decided on a hardware level for the core router which would be at our premises - I am looking at the RB450G but I am not sure. Not all VPNs would be dialled at any one time - maybe only 1-2 at a time.
I am having difficulty finding documentation / examples of MikroTik to MikroTik VPNs - either OpenVPN or IPsec VPNs. I know the gregsowell.com site has tutorials but they all use the GUI Windows client - we are an OSX / Linux house and will not be using a Windows client so I need command line examples.
I have done a fair amount of reading on the various VPN issues it seems are inherent in RouterOS. Let alone trying to implement anything using certificate based authentication. I have clients with dynamic IP addresses (consumer ADSL services) and I am starting to wonder if RouterOS is really for me.
I will be using routed tunnels and would like to know if RouterOS can be configured to dial on demand based on destination subnet.
Can anyone point me to examples or suggest if this is even the right hardware / software platform for what I am trying to achieve. Thanks in advance guys.
Joined: Sun Jan 31, 2010 9:58 am Posts: 50
Karma: 0
Location: Brisbane, Australia
So - I have read all of those pages, still no MikroTik to MikroTik IPsec example from the CLI.
Also, my plan is to have configs for up to 50 VPNs but only dial on demand. Most other routers I have dealt with will only connect the VPN when they receive traffic for a particular subnet on an interface. All of the stuff I have read on the MikroTik RouterOS seems to be for site-to-site always 'up' VPNs. This is an absolute show stopper for me if this does not work.
Joined: Sun Jan 31, 2010 9:58 am Posts: 50
Karma: 0
Location: Brisbane, Australia
Ha cool - reading that now. Didn't think to look in the old user manual. Just to confirm, does the VPN dial on traffic 'from' or 'to' a specific subnet? I definitely have only ever seen a VPN dial on traffic 'to' a specific subnet - at least that's what I need to do here. Thanks again.
Joined: Sun Jan 31, 2010 9:58 am Posts: 50
Karma: 0
Location: Brisbane, Australia
I have read that page, the examples are much better than I have found anywhere to date. A couple of questions though. Some people have reported issues around SA flushing, is there any fix to this with the later versions of RouterOS? Also, I think I can see now why people are having issues with dynamic IP addresses. All of my clients use ADSL connections with dynamic IPs. I have managed their VPN connections historically using DynDNS services but it looks like all of the config examples require the use of static IPs.
Joined: Tue Aug 11, 2009 2:19 am Posts: 7737
Karma: 327
If you've got the money for it Cisco's EasyVPN makes it downright trivial to push out dynamic remote office gateways that connect back to a central headend for hub and spoke traffic.
Joined: Sun Jan 31, 2010 9:58 am Posts: 50
Karma: 0
Location: Brisbane, Australia
I have been doing IPsec VPNs to low end devices (Draytek, Billion, Linksys and Netgear) for years with dynamic IPs. Why is it so hard for MikroTik to implement?
It is possible to set up IPsec with dynamic IPs. On the server, add an IPsec peer with address=0.0.0.0/0:500 and generate-policy=yes. On the clients, set up a static configuration as in any of our IPsec examples from the links above.
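A worked version of the reply above, added here as an example and not taken from the thread or from MikroTik's own examples. It uses v5-era RouterOS CLI syntax; the public address 203.0.113.1, the LAN subnets, and the pre-shared key placeholder are constructed values, and the comment about keeping sa-src-address current on the client is an assumption about how the dynamic side is usually handled.

```routeros
# --- Central (hub) router: static public IP 203.0.113.1 ---
# A single wildcard peer accepts IKE from any source address; the PSK is the
# only thing that authenticates a spoke, so make it long and unique per site.
/ip ipsec peer add address=0.0.0.0/0:500 auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK" exchange-mode=main \
    nat-traversal=yes generate-policy=yes
/ip ipsec proposal set default enc-algorithms=aes-128 auth-algorithms=sha1
# No static policy on the hub: generate-policy=yes builds one from each
# spoke's quick-mode selectors when that spoke brings the tunnel up.
# Only expose the IKE/NAT-T ports and ESP on the WAN; drop everything else.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept
/ip firewall filter add chain=input protocol=ipsec-esp action=accept

# --- Spoke router: dynamic ADSL address, LAN 192.168.10.0/24 ---
# Static configuration pointing at the hub; the spoke is always the initiator.
/ip ipsec peer add address=203.0.113.1/32:500 auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK" exchange-mode=main nat-traversal=yes
/ip ipsec proposal set default enc-algorithms=aes-128 auth-algorithms=sha1
# sa-src-address must be the spoke's current WAN address; because that
# changes on every PPPoE reconnect, it is normally kept up to date by a
# script (the approach Greg's write-up below refers to).
/ip ipsec policy add src-address=192.168.10.0/24:any \
    dst-address=192.168.0.0/24:any sa-src-address=198.51.100.77 \
    sa-dst-address=203.0.113.1 tunnel=yes action=encrypt proposal=default
# Traffic for the hub LAN must bypass masquerade or the policy never matches.
/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 \
    dst-address=192.168.0.0/24 action=accept place-before=0
```

Because the hub peer matches 0.0.0.0/0, anyone on the Internet can start an IKE exchange with it; watch /ip ipsec remote-peers and the log for failed phase 1 attempts from unexpected sources.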
Mikrotik's IPSEC is severely lacking, and is the main reason we still sell a large amount of other vendors hardware. (Juniper, Fortinet)
I have been pushing for a while to get it improved and have filed a formal request through the official channels to get at least VTI (virtual tunnel interfaces) support, dynamic "road warrior" support added but have been told it is not currently on their road map.
If you want these features please email support@mikrotik.com and let them know, if enough people let them know then perhaps they can push it up the queue a bit further.
Joined: Tue Aug 28, 2007 12:24 am Posts: 118
Karma: 10
I do have all of my examples in winbox, because 90% of users use winbox as opposed to CLI. I've heard of plenty of Mac users having success running winbox. Anyway, you CAN run MTK quite nicely with straight IPsec if a single side is dynamic (I covered that in my VPN video). You can actually run it quite successfully if both sides are dynamic, if you can believe it! I did a write up on it a short while ago here. http://gregsowell.com/?p=1523 This also shows one how to configure IPIP tunnels w/ IPsec when both sides are dynamic. I used a great script off of the wiki (loving the wiki BTW).
_________________ Hit my blog for video tutorials of Mikrotik and Cacti. Just so I look as cool as everyone else ->CCNA / CCNP / CCIE W / MCNA / MCRE / Certified Trainer / A+ / N+ / Partridge in pear tree<- man I love being pretentious!
Joined: Sun Jan 31, 2010 9:58 am Posts: 50
Karma: 0
Location: Brisbane, Australia
Does anyone know if road warrior IPsec VPN support has gotten better in the latest RouterOS releases? The last time I looked at this was early this year and I have continued using low end WRT54GL routers instead.