MikroTik to MikroTik VPN - OpenVPN or IPSec
If you installed RouterOS just now, and don't know where to start - ask here!

16 posts   •   Page 1 of 1
ilium007
Frequent Visitor
Posts: 50
Joined: Sun Jan 31, 2010 10:58 am
Location: Brisbane, Australia

MikroTik to MikroTik VPN - OpenVPN or IPSec

by ilium007 » Sun Jan 31, 2010 11:14 am

Hi all - first post here.

I am looking to set up a number of VPNs (around 50) to my clients for the purposes of remote support. I am looking at a number of router O/S's and hardware platforms, obviously MikroTik is a strong contender at this point. I am looking at using RB750G's at client sites but have not decided on a hardware level for the core router which would be at our premises - I am looking at the RB450G but I am not sure. Not all VPNs would be dialled at any one time - maybe only 1-2 at a time.

I am having difficulty finding documentation / examples of MikroTik to MikroTik VPN's - either OpenVPN or IPSec VPN's. I know the gregsowell.com site has tutorials but they all use the GUI Windows client - we are an OSX / linux house and will not be using a Windows client so I need command line examples.

I have done a fair amount of reading on the various VPN issues it seems are inherent in RouterOS. Let alone trying to implement anything using certificate based authentication. I have clients with dynamic IP addresses (consumer ADSL services) and I am starting to wonder if RouterOS is really for me.

I will be using routed tunnels and would like to know if RouterOS can be configured to dial on demand based on destination subnet.

Can anyone point me to examples or suggest if this is even the right hardware / software platform for what I am trying to achieve. Thanks in advance guys.

mrz
MikroTik Support
Posts: 4079
Joined: Wed Feb 07, 2007 1:45 pm
Location: Latvia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by mrz » Mon Feb 01, 2010 10:29 am

gregsowell.com site has tutorials but they all use the GUI Windows client - we are an OSX / linux house and will

Most of the examples in our wiki use the CLI, but if you want you can run winbox through wine on linux machines.

Ovpn reference and examples:
http://wiki.mikrotik.com/wiki/OpenVPN

Ipsec reference:
http://wiki.mikrotik.com/wiki/IPsec

Some user written examples:
http://wiki.mikrotik.com/wiki/Tunnels

Any of the RouterBoards can handle 1-2 at a time.

ilium007
Frequent Visitor
Posts: 50
Joined: Sun Jan 31, 2010 10:58 am
Location: Brisbane, Australia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by ilium007 » Mon Feb 01, 2010 12:00 pm

So - I have read all of those pages, still no MikroTik to MikroTik IPsec example from the CLI.

Also, my plan is to have configs for up to 50 VPNs but only dial on demand. Most other routers I have dealt with will only connect the VPN when they receive traffic for a particular subnet on an interface. All of the stuff I have read on the MikroTik RouterOS seems to be for site to site always 'up' VPNs. This is an absolute show stopper for me if this does not work.

Thanks guys.

mrz
MikroTik Support
Posts: 4079
Joined: Wed Feb 07, 2007 1:45 pm
Location: Latvia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by mrz » Mon Feb 01, 2010 12:23 pm

Maybe you can use the old manual; the new manual does not have examples yet.
http://www.mikrotik.com/testdocs/ros/2.9/ip/ipsec.php

IPsec brings up the tunnel only if it sees traffic from a particular subnet.

ilium007
Frequent Visitor
Posts: 50
Joined: Sun Jan 31, 2010 10:58 am
Location: Brisbane, Australia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by ilium007 » Mon Feb 01, 2010 2:12 pm

Ha cool - reading that now. Didn't think to look in the old user manual. Just to confirm, does the VPN dial on traffic 'from' or 'to' a specific subnet? I definitely have only ever seen a VPN dial on traffic 'to' a specific subnet - at least that's what I need to do here. Thanks again.

ilium007
Frequent Visitor
Posts: 50
Joined: Sun Jan 31, 2010 10:58 am
Location: Brisbane, Australia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by ilium007 » Mon Feb 01, 2010 2:25 pm

I have read that page, the examples are much better than I have found anywhere to date. A couple of questions though. Some people have reported issues around SA flushing, is there any fix to this with the later versions of RouterOS? Also, I think I can see now why people are having issues with dynamic IP addresses. All of my clients use ADSL connections with dynamic IPs. I have managed their VPN connections historically using DynDNS services but it looks like all of the config examples require the use of static IPs.

fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by fewi » Mon Feb 01, 2010 5:52 pm

If you've got the money for it Cisco's EasyVPN makes it downright trivial to push out dynamic remote office gateways that connect back to a central headend for hub and spoke traffic.

I'm a heretic, I know.

ilium007
Frequent Visitor
Posts: 50
Joined: Sun Jan 31, 2010 10:58 am
Location: Brisbane, Australia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by ilium007 » Mon Feb 01, 2010 10:48 pm

I have been doing IPSec VPNs to low end devices (Draytek, Billion, Linksys and Netgear) for years with dynamic ips. Why is it so hard for Mikrotik to implement?

mrz
MikroTik Support
Posts: 4079
Joined: Wed Feb 07, 2007 1:45 pm
Location: Latvia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by mrz » Tue Feb 02, 2010 8:11 am

It is possible to set up ipsec with dynamic IPs.
On server add ipsec peer with address=0.0.0.0/0:500 and generate-policy=yes
On clients set up static configuration as in any of our ipsec examples from links above.
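
A sketch of the setup mrz describes, added here as an example and not taken from the post or from MikroTik's documentation. It assumes the RouterOS syntax of the period (peer `address` with `:500` and `generate-policy=yes`, as in the post); every address, subnet and the secret below is a constructed placeholder.

```routeros
# Added example. Property names beyond address= and generate-policy= are
# assumed from the RouterOS /ip ipsec menu of this era.
# Constructed values:
#   192.0.2.1      hub public address (static)
#   10.0.0.0/24    hub LAN
#   10.1.1.0/24    client LAN
#   198.51.100.20  client's current WAN address (dynamic)

# --- Hub: one peer entry that matches any source address ---
/ip ipsec peer
add address=0.0.0.0/0:500 auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK" generate-policy=yes

# --- Client: static peer and policy pointing at the hub ---
/ip ipsec peer
add address=192.0.2.1/32:500 auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK"

# Traffic from the client LAN to the hub LAN matches this policy and
# triggers negotiation, so the tunnel comes up on demand.
# Assumption: sa-src-address has to be the client's current WAN address
# and must be updated when the ADSL lease changes.
/ip ipsec policy
add src-address=10.1.1.0/24 dst-address=10.0.0.0/24 \
    sa-src-address=198.51.100.20 sa-dst-address=192.0.2.1 \
    tunnel=yes action=encrypt proposal=default

# Keep tunnel traffic out of source NAT; this rule has to sit above
# the client's masquerade rule.
/ip firewall nat
add chain=srcnat src-address=10.1.1.0/24 dst-address=10.0.0.0/24 \
    action=accept
```

With a single 0.0.0.0/0 peer entry every dynamic client authenticates with the same pre-shared key, and the hub installs the policy the client proposes, so the secret should be long and random and the hub's firewall should limit what the client subnets can reach.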

nz_monkey
Forum Guru
Posts: 1110
Joined: Mon Jan 14, 2008 2:53 pm
Location: New Zealand

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by nz_monkey » Tue Feb 02, 2010 8:57 am

Mikrotik's IPSEC is severely lacking, and is the main reason we still sell a large amount of other vendors' hardware. (Juniper, Fortinet)

I have been pushing for a while to get it improved and have filed a formal request through the official channels to get at least VTI (virtual tunnel interfaces) support, dynamic "road warrior" support added but have been told it is not currently on their road map.

If you want these features please email support@mikrotik.com and let them know, if enough people let them know then perhaps they can push it up the queue a bit further.
http://www.mikrotik-routeros.com | Mikrotik MTCNA, MTCRE, MTCINE | Fortinet FTCNA, FCNSP, FCT | Extreme Networks ENA

gregsowell
Member Candidate
Posts: 120
Joined: Tue Aug 28, 2007 1:24 am

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by gregsowell » Fri Feb 19, 2010 5:46 am

I do have all of my examples in winbox, because 90% of users use winbox as opposed to CLI. I've heard of plenty of Mac users having success running winbox. Anyway, you CAN run MTK quite nicely with straight IPSec if a single side is dynamic (I covered that in my VPN video). You can actually run it quite successfully if both sides are dynamic, if you can believe it! I did a write up on it a short while ago here: http://gregsowell.com/?p=1523 This also shows one how to configure IPIP tunnels w/ IPSec when both sides are dynamic. I used a great script off of the wiki (loving the wiki BTW).
Hit my blog for video tutorials of Mikrotik and Cacti.
Just so I look as cool as everyone else ->CCNA / CCNP / CCIE W / MCNA / MCRE / Certified Trainer / A+ / N+ / Partridge in pear tree<- man I love being pretentious! :P

ilium007
Frequent Visitor
Posts: 50
Joined: Sun Jan 31, 2010 10:58 am
Location: Brisbane, Australia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by ilium007 » Tue Oct 19, 2010 3:45 pm

Does anyone know if road warrior IPSec VPN support has gotten better in the latest RouterOS releases? The last time I looked at this was early this year and have continued using low end WRT54GL routers instead.

Moogman
just joined
 
Posts: 11
Joined: Sat Nov 24, 2012 3:03 am

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by Moogman » Thu Nov 29, 2012 2:57 pm

Is this a bug?

I have set up an IPSEC VPN with automatically generated policy:
The first policy is generated twice?

[Attached screenshot: Unbenannt.jpg]

IPSEC needs much improvement.

Capability for dynamic IPs on the initiator and the responder's side!
Changeable ID Type for responder and initiator.

Even the cheap Netgear routers are able to do this :-)

And we would need a dyndns client with changeable update server.

ATM I have issues that the DNS-CACHE is not resolving any name.


Yours Andreas

ilium007
Frequent Visitor
Posts: 50
Joined: Sun Jan 31, 2010 10:58 am
Location: Brisbane, Australia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by ilium007 » Thu Nov 29, 2012 3:29 pm

Almost two years on... glad I didn't wait before going back to dd-wrt where simple things work..

marianparlors
just joined
 
Posts: 1
Joined: Sun Jul 20, 2014 5:11 pm

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by marianparlors » Sun Jul 20, 2014 5:14 pm

VPN is very useful when you have a dislocated office, but it requires that at least one location has static IP addresses.

http://www.primovpn.net/

minas1985
just joined
 
Posts: 6
Joined: Fri Jul 18, 2014 4:11 pm

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

by minas1985 » Mon Jul 21, 2014 4:58 pm

Hi to all from me also. I also made a post asking for help.
Can someone help me please??

viewtopic.php?uid=72494&f=13&t=87145&start=0


:)
