 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

MikroTik to MikroTik VPN - OpenVPN or IPSec

Sun Jan 31, 2010 10:14 am

Hi all - first post here.

I am looking to set up a number of VPNs (around 50) to my clients for the purposes of remote support. I am looking at a number of router O/S's and hardware platforms, obviously MikroTik is a strong contender at this point. I am looking at using RB750G's at client sites but have not decided on a hardware level for the core router which would be at our premises - I am looking at the RB450G but I am not sure. Not all VPNs would be dialled at any one time - maybe only 1-2 at a time.

I am having difficulty finding documentation / examples of MikroTik to MikroTik VPNs - either OpenVPN or IPSec VPNs. I know the gregsowell.com site has tutorials but they all use the GUI Windows client - we are an OSX / linux house and will not be using a Windows client so I need command line examples.

I have done a fair amount of reading on the various VPN issues it seems are inherent in RouterOS. Let alone trying to implement anything using certificate based authentication. I have clients with dynamic IP addresses (consumer ADSL services) and I am starting to wonder if RouterOS is really for me.

I will be using routed tunnels and would like to know if RouterOS can be configured to dial on demand based on destination subnet.

Can anyone point me to examples or suggest if this is even the right hardware / software platform for what I am trying to achieve. Thanks in advance guys.
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Mon Feb 01, 2010 9:29 am

gregsowell.com site has tutorials but they all use the GUI Windows client - we are an OSX / linux house and will
Most of the examples in our wiki use CLI, but if you want you can run winbox through wine on linux machines.

Ovpn reference and examples:
http://wiki.mikrotik.com/wiki/OpenVPN

Ipsec reference:
http://wiki.mikrotik.com/wiki/IPsec

Some user written examples:
http://wiki.mikrotik.com/wiki/Tunnels

Any of the RouterBoards can handle 1-2 at a time.
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Mon Feb 01, 2010 11:00 am

So - I have read all of those pages, still no MikroTik to MikroTik IPsec example from the CLI.

Also, my plan is to have configs for up to 50 VPNs but only dial on demand. Most other routers I have dealt with will only connect the VPN when they receive traffic for a particular subnet on an interface. All of the stuff I have read on the MikroTik RouterOS seems to be for site to site always 'up' VPNs. This is an absolute show stopper for me if this does not work.

Thanks guys.
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Mon Feb 01, 2010 11:23 am

Maybe you can use the old manual, the new manual does not have examples yet
http://www.mikrotik.com/testdocs/ros/2.9/ip/ipsec.php

IPsec brings up the tunnel only if it sees traffic from a particular subnet.
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Mon Feb 01, 2010 1:12 pm

Ha cool - reading that now. Didn't think to look in the old user manual. Just to confirm, does the VPN dial on traffic 'from' or 'to' a specific subnet? I definitely have only ever seen a VPN dial on traffic 'to' a specific subnet - at least that's what I need to do here. Thanks again.
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Mon Feb 01, 2010 1:25 pm

I have read that page, the examples are much better than I have found anywhere to date. A couple of questions though. Some people have reported issues around SA flushing, is there any fix to this with the later versions of RouterOS? Also, I think I can see now why people are having issues with dynamic IP addresses. All of my clients use ADSL connections with dynamic IPs. I have managed their VPN connections historically using DynDNS services but it looks like all of the config examples require the use of static IPs.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Mon Feb 01, 2010 4:52 pm

If you've got the money for it Cisco's EasyVPN makes it downright trivial to push out dynamic remote office gateways that connect back to a central headend for hub and spoke traffic.

I'm a heretic, I know.
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Mon Feb 01, 2010 9:48 pm

I have been doing IPSec VPNs to low end devices (Draytek, Billion, Linksys and Netgear) for years with dynamic ips. Why is it so hard for Mikrotik to implement?
 
mrz
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Tue Feb 02, 2010 7:11 am

It is possible to set up ipsec with dynamic IPs.
On server add ipsec peer with address=0.0.0.0/0:500 and generate-policy=yes
On clients set up static configuration as in any of our ipsec examples from links above.
 
nz_monkey
Forum Guru
Posts: 2096
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Tue Feb 02, 2010 7:57 am

Mikrotik's IPSEC is severely lacking, and is the main reason we still sell a large amount of other vendors' hardware. (Juniper, Fortinet)

I have been pushing for a while to get it improved and have filed a formal request through the official channels to get at least VTI (virtual tunnel interfaces) support, dynamic "road warrior" support added but have been told it is not currently on their road map.

If you want these features please email support@mikrotik.com and let them know, if enough people let them know then perhaps they can push it up the queue a bit further.
 
gregsowell
Member Candidate
Posts: 128
Joined: Tue Aug 28, 2007 1:24 am

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Fri Feb 19, 2010 4:46 am

I do have all of my examples in winbox, because 90% of users use winbox as opposed to CLI. I've heard of plenty of Mac users having success running winbox. Anyway, you CAN run MTK quite nicely with straight IPSec if a single side is dynamic (I covered that in my VPN video). You can actually run it quite successfully if both sides are dynamic, if you can believe it! I did a write up on it a short while ago here: http://gregsowell.com/?p=1523 This also shows one how to configure IPIP tunnels w/ IPSec when both sides are dynamic. I used a great script off of the wiki (loving the wiki BTW).
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Tue Oct 19, 2010 3:45 pm

Does anyone know if road warrior IPSec VPN support has gotten better in the latest RouterOS releases? The last time I looked at this was early this year and have continued using low end WRT54GL routers instead.
 
Moogman
just joined
Posts: 13
Joined: Sat Nov 24, 2012 2:03 am

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Thu Nov 29, 2012 1:57 pm

Is this a bug?

I have set up an IPSEC VPN with automatically generated policy:
The first policy is generated twice?

IPSEC needs much improvement.

Capability for dynamic IPs on the initiator and the responder side!
Changeable ID type for responder and initiator.

Even the cheap Netgear routers are able to do this :-)

And we would need a dyndns client with changeable update server.

ATM I have issues that the DNS cache is not resolving any name.


Yours Andreas
 
ilium007
Member Candidate
Topic Author
Posts: 206
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Thu Nov 29, 2012 2:29 pm

Almost two years on... glad I didn't wait before going back to dd-wrt where simple things work..
 
minas1985
just joined
Posts: 6
Joined: Fri Jul 18, 2014 4:11 pm

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Mon Jul 21, 2014 4:58 pm

Hi to all from me also. I also made a post asking for help.
Can someone help me please??

http://forum.mikrotik.com/viewtopic.php ... 45&start=0


:)
 
enggheisar
Trainer
Posts: 20
Joined: Sun Mar 29, 2015 10:12 am
Location: Austin, TX

Re: MikroTik to MikroTik VPN - OpenVPN or IPSec

Mon May 08, 2017 8:58 pm

This is the best and simple config for Apple devices:

/ip pool
add name=IPSECVPN ranges=172.31.0.2-172.31.0.31

/ppp profile
add change-tcp-mss=yes local-address=172.31.0.1 name=ipsec remote-address=IPSECVPN use-encryption=yes

/ppp secret
add name=test password=test profile=ipsec

/interface l2tp-server server
set default-profile=ipsec enabled=yes ipsec-secret=1234567890 use-ipsec=yes

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des

/ip ipsec peer
add address=0.0.0.0/0 dpd-interval=2s enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override secret=1234567890
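
An added example, not part of the post above and not MikroTik's own tooling: a small Python audit run over the export lines posted in this thread, flagging the 3DES proposal, the short numeric pre-shared key, the 0.0.0.0/0 peer with policy generation, and the test/test PPP secret. The finding names and the 16-character PSK threshold are assumptions of this example.

```python
import re
import shlex

# Constructed sample: export lines copied from the post above (pool/profile lines omitted).
EXPORT = """\
/ppp secret
add name=test password=test profile=ipsec
/interface l2tp-server server
set default-profile=ipsec enabled=yes ipsec-secret=1234567890 use-ipsec=yes
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip ipsec peer
add address=0.0.0.0/0 dpd-interval=2s enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override secret=1234567890
"""

WEAK_CIPHERS = {"des", "3des"}   # legacy 64-bit block ciphers
MIN_PSK_LEN = 16                 # assumed threshold for this example, not a RouterOS rule


def parse_export(text):
    """Yield (menu, params) for each add/set line of a RouterOS export."""
    menu = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            yield menu, dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)


def audit(text):
    """Return (menu, finding) tuples for weak settings in the export."""
    findings = []
    for menu, p in parse_export(text):
        algos = p.get("enc-algorithms") or p.get("enc-algorithm") or ""
        if menu.startswith("/ip ipsec") and WEAK_CIPHERS & set(re.split(r"[,\s]+", algos)):
            findings.append((menu, "weak-cipher"))
        for key in ("secret", "ipsec-secret"):
            value = p.get(key, "")
            if value and (len(value) < MIN_PSK_LEN or value.isdigit()):
                findings.append((menu, "weak-psk"))
        # Any remote address matches this peer entry, so the PSK is the only gate.
        if (menu == "/ip ipsec peer" and p.get("address", "").startswith("0.0.0.0/0")
                and p.get("generate-policy", "no") != "no"):
            findings.append((menu, "wildcard-peer"))
        if menu == "/ppp secret" and p.get("password") and p.get("name") == p["password"]:
            findings.append((menu, "password-equals-username"))
    return findings


if __name__ == "__main__":
    for menu, finding in audit(EXPORT):
        print(f"{menu}: {finding}")
```

The same check also flags the `address=0.0.0.0/0:500` with `generate-policy=yes` peer suggested earlier in the thread for dynamic-IP clients, which is a reminder that such a peer needs a strong, unique secret or certificate authentication.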
