There are plenty of VPN technologies implemented on ROS, even if most of them appear to be software-based. For some RB models (as per http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_encryption, these are RB1000, RB1100AHx2 and all CloudCoreRouter series boards) it is known that they have hardware-accelerated AES built in, but it gives me nothing when it comes to realizing which VPN technology to use to maximize throughput. I suspect IPsec is the best, but it runs between static IPs, which is not the case sometimes.
To be more specific, if I built a corporate star-like VPN scheme (like 20-30 clients with RB 2011 or even RB 951 as spokes and a CloudCore router as a hub), where the hub may have a static IP and the spokes may not, what's the best approach?
I can use OpenVPN, PPTP or L2TP as client-to-server, and I suspect clear IPsec won't work (but I can modify its config with scripts, which will be kind of ugly), so how can I use hardware to accelerate my VPNs?
May I also ask the reverse question: what's the best approach to get the best throughput in a VPN?
IPsec is currently the only technology that supports hardware-accelerated encryption. The use of dynamic IPs on your "client" (branch-office) devices is not a problem at all (and does not actually require any scripting), provided you have a static IP on your central VPN end-point device.
May I please ask for a little advice on how to achieve it? IPsec used to ask for the IP of the "other" side on both ends, so if I set the static IP as the second end on a spoke, then how can I set that up on the hub?
Or I can use IPsec on an L2TP link and bind that client to a given static IP within L2TP, but I suspect that's a bit too heavy a config, isn't it?
PPTP with CHAP is fastest, as per the title of the post. But a gotcha is that you need to prevent fasttrack from working on VPNs, cos it screws them up and you get surprisingly slow speeds. I use mangle to mark traffic on VPN interfaces in+out with connection-mark "DontFasttrack" (use an interface list) and then in the Fasttrack firewall rule use !DontFasttrack connection-mark. And voilà - super speeds!
Of course PPTP is deemed insecure these days so caution is advised.
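The mangle/fasttrack arrangement described in the post above, written out as an added RouterOS CLI example (constructed here, not the poster's own configuration). The interface-list name VPN, the connection-mark name DontFasttrack, and the availability of the interface-list parameter on /ppp profile (newer 6.x and 7.x builds) are assumptions.

```routeros
# Added example, not from the thread: keep VPN tunnel traffic out of fasttrack.
# Constructed names: interface list "VPN", connection mark "DontFasttrack".

# 1. Interface list for the tunnels. Static tunnel interfaces are added as members;
#    dynamic PPP interfaces (PPTP/L2TP clients) join through the PPP profile
#    (interface-list parameter on /ppp profile, assumed to exist on this build).
/interface list add name=VPN comment="tunnels that must not be fasttracked"
/ppp profile set default-encryption interface-list=VPN

# 2. Mark each VPN connection once, in both directions, on its first packet
#    (connection-mark=no-mark stops the rules re-marking every packet).
/ip firewall mangle
add chain=forward in-interface-list=VPN connection-mark=no-mark \
    action=mark-connection new-connection-mark=DontFasttrack passthrough=yes
add chain=forward out-interface-list=VPN connection-mark=no-mark \
    action=mark-connection new-connection-mark=DontFasttrack passthrough=yes

# 3. Fasttrack everything else: the negated mark keeps VPN connections on the
#    normal (slow) path so they are still seen by the rest of the firewall.
#    These two rules must sit above any drop rules in the forward chain.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=!DontFasttrack comment="fasttrack non-VPN traffic only"
add chain=forward action=accept connection-state=established,related
```

Verify with `/ip firewall connection print where connection-mark=DontFasttrack` that tunnel connections carry the mark, and check the fasttrack rule's counters no longer increase for VPN flows.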
Really nice solution! Btw, on CCRs the processing power is so amazingly good you may not care for fasttrack at all. But anyway, good way out for non-top devices!