I set up a multi-location site-to-site VPN with 6 clients via 4G LTE connection:
Headquarters has a fixed IP and a Cloudcore router.
6x client sites with RBM11G board with Huawei 4G LTE card.
I set up an L2TP connection from the clients to the headquarters server. Over this
I configured a GRE/IPsec tunnel. The setup works well.
But sometimes (once a month) I can't reach a client via the GRE tunnel. In this case I disable and enable the
GRE interface to this client at headquarters once and the connection comes up.
At the moment I am thinking about writing a script that disables/enables the interface to fix the problem.
Do you think there is another way to fix the problem?
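As an added example that is not part of this thread, here is a RouterOS watchdog script along the lines of what the poster describes for the headquarters router; the GRE interface names and the clients' tunnel-side addresses are placeholders, and the script only bounces an interface after the peer fails to answer a ping through that tunnel, logging each event so the monthly outage becomes visible in the router log.

```routeros
# gre-watchdog: added example, not from the thread.
# Map of headquarters GRE interface -> client's tunnel-side address.
# These names and addresses are assumed placeholders.
:local tunnels {"gre-site1"="10.10.1.2"; "gre-site2"="10.10.2.2"; "gre-site3"="10.10.3.2"}
:local pingCount 5

:foreach name,peer in=$tunnels do={
    :local id [/interface gre find name=$name]
    :if ([:len $id] = 0) do={
        :log warning ("gre-watchdog: interface " . $name . " not found")
    } else={
        # Only probe tunnels that are administratively enabled,
        # so a deliberately disabled site is left alone.
        :if ([/interface gre get $id disabled] = false) do={
            # /ping returns the number of replies received.
            :local replies [/ping $peer count=$pingCount interface=$name]
            :if ($replies = 0) do={
                :log warning ("gre-watchdog: no reply from " . $peer . " via " . $name . ", bouncing interface")
                /interface gre disable $id
                :delay 5s
                /interface gre enable $id
            } else={
                :log debug ("gre-watchdog: " . $name . " ok (" . $replies . "/" . $pingCount . " replies)")
            }
        }
    }
}

# Install and schedule it (run once from the terminal), e.g.:
#   /system script add name=gre-watchdog policy=read,write,test source=[...script above...]
#   /system scheduler add name=gre-watchdog interval=2m on-event=gre-watchdog policy=read,write,test
```

Keep the scheduler interval longer than the total ping time plus the 5 s bounce delay, so two runs do not overlap on a tunnel that is down.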
The GRE runs hidden inside the L2TP, so the problem that mobile operators (or anyone else who uses NAT in the network) cannot handle GRE properly is irrelevant.
But I am a bit surprised by the layering of the protocols: GRE over IPsec over L2TP is a) unusual and b) one layer too much. It would be enough to tunnel GRE over IPsec directly (without L2TP), so you would waste less bandwidth on overhead.
And c), it is also hard to debug the way it is configured now.
The problem with the 4G link is that I can't get a public dynamic or static IP, only an internal IP in the provider network behind a firewall.
So I decided to use L2TP for this purpose. But I want to route easily via IP routes, so I use GRE.
No problem with this, but you don't need to put L2TP below IPsec to get past NAT if the "mobile" devices (I have no idea what MG11 is, and worse than that, uncle Google doesn't help either) support IKEv2 (which can do NAT traversal by default) or the NAT-T extension to IKE. The rest (GRE encapsulated into IPsec) remains unchanged in this case, but you get rid of the L2TP encapsulation.
If you need L2TP as the outer envelope because the MG11 boards do not support NAT-T or IKEv2, OK, I’ve got it.
Well, I'm not so long in the Mikrotik world to realize that.
So in this case, you should have no problem running IPsec with IKEv2 between the machines, and tunnelling GRE via the IPsec in ESP tunnel mode. At least it would be a different stack of encapsulations, so it might behave better.
For this config, I use L2TP/IPsec (with a modified IPsec server setup: the peer definition has generate-policy=port-override instead of generate-policy=port-strict),
and on the L2TP each client has a different account with a static local IP address.
On the server I have BGP configured for all used local addresses (passive mode), and on the clients BGP is configured as well.
Thus all routing is established automatically without having to use static routes.