Connect locations with mikrotik

Hi all,

At our company with three locations we want to connect three LAN networks using IPSec tunnels. My idea is to use three RB2011UiAS-2HnD-IN routers. From the ISP we can get static public IP addresses only if we set the Mikrotik as a PPPoE client. The ISP will provide us with an ADSL modem in bridge mode and my Mikrotik must have a PPPoE interface where the public IP address will be obtained. My question is if I can create IPSec tunnels using PPPoE interfaces with public addresses? I do not expect IPSec bandwidth of more than a few Mbs (up to 5 Mbs). It would be very valuable for me if anybody has experience with this type of VPN and also if there is some manual on how to configure this on Mikrotik.

Thank you in advance!
Best regards,
Drasko

PPPoE is just the local point-to-point protocol between your RB and your ISP.
When the link is established your RB will have a normal WAN interface for use.
Creating a site-to-site link should not pose a problem, especially with a static IP on each site/connection.

My advice for linking the three networks would be to use GRE tunnels (two for each site, one for up- and downstream each).
If you want to use IPSec for these links, this is easy as it is only a parameter to enable this in the GRE link setup - however the RB2011 does not come with hardware acceleration, so running a set of links across all sites could impose some stress.

If this is for a business, I suggest it be done by somebody knowledgeable in IPSEC VPN and in MT devices.
https://mikrotik.com/consultants

Thank you very much for the response Hominidae, first I will try with encryption as my traffic should not be more than 5 Mbs max between locations, I expect that it should be supported by the RB2011. But in case it is too much for it I will migrate to GRE :)

…I actually suggested the other way around.
Use GRE, as you can use GRE with or without IPSec encryption…in case there is a performance issue, just disable IPSec for the GRE tunnel…no migration of concepts needed.

Yes, understood, but I am concerned about the many overheads on packets (PPPoE+GRE+IPSec). Anyway I will try GRE+IPSec first as I also think it is the best method and will see how it works.

Best regards,
Drasko

PPPoE overhead you cannot overcome, but this is only the short path between your local WAN interface and your ISP.
You can try and optimize MTU on that interface.
AFAIK, these are the defaults:

  • TCP: 20 Byte (MTU 1452 Byte)
  • IP: 20 Byte (MTU 1472 Byte)
  • GRE: 24 Byte (MTU 1476 Byte)
  • PPP+PPPoE: 8 Byte (MTU 1492 Byte)
  • Ethernet: 26 Byte Header and CRC (MTU 1500 Byte)
  • ATM: 5 Byte Header (total cell 53 Byte)

So adding GRE over your PPPoE is a significant overhead, but only if you have a very small bandwidth…not a big deal, if you plan for 5Mbps throughput.
Is your ISP line symmetric or asymmetric?

I have 50/8Mbs at central location and 10/1 at remote.

Best regards,
Draško

Unless you already have the RB2011 routers I would recommend using RB750Gr3 as these are much better suited for GRE/IPsec.

Don’t bother trying to set up direct IPsec tunnels, it is a waste of effort to get that all working correctly.
Set up GRE/IPsec and set a /30 address on each of the tunnel endpoints.
Then configure static routes or set up BGP (very easy!) to get the routing.
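A worked RouterOS configuration for what this post describes (a GRE tunnel with the built-in IPsec option, a /30 transit address on each end and a static route to the far LAN), added here as an example and not taken from any poster in this thread. All public and LAN addresses, interface names and the secret are constructed placeholders; both routers are assumed to hold their static public IP on a PPPoE interface.

```routeros
# Added example, not from any post above. Constructed values:
#   central: public 198.51.100.1 (pppoe-out1), LAN 192.168.1.0/24
#   remote1: public 203.0.113.2  (pppoe-out1), LAN 192.168.2.0/24
#   transit net 10.255.0.0/30 (central .1, remote1 .2)
# Use a long random ipsec-secret and the same value on both ends.

# ---------------- central router ----------------
/interface gre
add name=gre-remote1 local-address=198.51.100.1 remote-address=203.0.113.2 \
    ipsec-secret=REPLACE_WITH_LONG_RANDOM_SECRET keepalive=10s,10 \
    clamp-tcp-mss=yes comment="GRE/IPsec to remote1"
/ip address
add address=10.255.0.1/30 interface=gre-remote1
/ip route
add dst-address=192.168.2.0/24 gateway=10.255.0.2 comment="remote1 LAN via GRE"
# The default RB firewall drops input not from LAN; these accepts must sit
# above that drop rule (move them up in Winbox or with place-before=).
/ip firewall filter
add chain=input src-address=203.0.113.2 protocol=udp dst-port=500,4500 \
    action=accept comment="IKE from remote1"
add chain=input src-address=203.0.113.2 protocol=ipsec-esp action=accept \
    comment="ESP from remote1"
add chain=input src-address=203.0.113.2 protocol=gre action=accept \
    comment="GRE from remote1"

# ---------------- remote1 router ----------------
/interface gre
add name=gre-central local-address=203.0.113.2 remote-address=198.51.100.1 \
    ipsec-secret=REPLACE_WITH_LONG_RANDOM_SECRET keepalive=10s,10 \
    clamp-tcp-mss=yes comment="GRE/IPsec to central"
/ip address
add address=10.255.0.2/30 interface=gre-central
/ip route
add dst-address=192.168.1.0/24 gateway=10.255.0.1 comment="central LAN via GRE"
/ip firewall filter
add chain=input src-address=198.51.100.1 protocol=udp dst-port=500,4500 \
    action=accept comment="IKE from central"
add chain=input src-address=198.51.100.1 protocol=ipsec-esp action=accept \
    comment="ESP from central"
add chain=input src-address=198.51.100.1 protocol=gre action=accept \
    comment="GRE from central"

# Checks: "/interface gre print" shows the R (running) flag once keepalives
# pass; "/ip ipsec installed-sa print" lists the SAs created by ipsec-secret;
# "/ping 10.255.0.2" from central confirms the transit net is up.
```

A third site is the same pattern again: one more GRE interface, another /30 from a different transit block, and matching static routes on both ends.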

…so each remote site will have a max download of 8Mbps, while central will see a max download from each site of 1Mbps each.
I can see why you are worried about some overhead.
Nevertheless, using GRE is your best option…just don't try to run an SMB service across ;)

My concept is that I will have the core business app at the central location and the remote locations will connect to the server and download data from it, but the data is numeric and string values and it will not generate such huge traffic. But I will also have SMB storage at the central location from which the remotes will download data, but it will be some Word and Excel files and I hope that it will not be a big deal for a GRE connection without IPSec.

When you indeed have numerical and text data you could consider looking at “/ip packing” (compression). Normally it will not be useful as today usually data is encrypted or already compressed.
When you have only certain files that you need to access read-only then you can consider using some form of mirroring (rsync, robocopy etc) to copy the files to a local server.

I have worked for a long time with a network like that. We had servers on all sites and used such methods to e.g. sync large directories during the night.
Fortunately, our company now has fewer locations, the links are faster, and we don’t have that many local files anymore.