How to connect branch LAN behind ISP NAT to HQ LAN?

Hello,
I need to connect a small branch LAN to the HQ LAN.

The HQ LAN is connected to the internet using a Mikrotik router with a public static IP.

The branch LAN is connected to the internet via a 4G LTE router (TP-Link Archer MR200).
The router is IPsec capable and has PPTP/L2TP/IPsec pass-through (NAT forwarding) plus other features.
The router IP assigned by the ISP is private, from the range 10.xxx.xxx.xxx. This means it is behind an ISP router with NAT.
The public IP of the ISP router changes each time the 4G LTE router is disconnected from or reconnected to the 4G network.
So the question is: how can I connect these two LANs (how to configure the routers)? A faster solution is better.
Is an IPsec VPN possible when the branch router is behind ISP NAT and the ISP public IP is dynamic?

If needed, I can use another Mikrotik router (hAP lite) in the branch LAN.

Thanks for any hints.

This is your starting point for pure IPsec; this one is for IPsec-encrypted L2TP, where most of the IPsec configuration is automagically created by Mikrotik itself and routing behaves the “normal” way, so it is simpler and thus faster to set up on the Mikrotik side than pure IPsec. The price to pay is more overhead bytes in the packets, so less space for payload.

I cannot tell you how to set up either variant on the TP-Link end, so you may have to experiment (logging of ipsec and l2tp events on the Mikrotik side will help you identify and resolve eventual issues), or you may disable VPN handling on the TP-Link side completely and let the hAP mini behind it do the job if you need to have it up and running really fast. Multiple NATs along the way do not matter, just don’t expect too much bandwidth if you run encryption on the hAP mini (no idea what Mikrotik model you use at the HQ end, though).
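
A sketch of the second option (IPsec-encrypted L2TP with a Mikrotik at each end), added here as an example and not taken from the posts or the linked guides. The branch side dials out, so its private, changing address does not need to be known at HQ. All addresses, names and secrets are constructed placeholders.

```routeros
# Added example. All addresses, names and secrets are constructed placeholders.
# Assumed: HQ public IP 203.0.113.10, HQ LAN 192.168.10.0/24,
# branch LAN 192.168.20.0/24, tunnel addresses 172.16.0.1 / 172.16.0.2.

# ---- HQ Mikrotik (public static IP): L2TP server ----
/ppp secret add name=branch1 password="CHANGE-ME-long-random-password" \
    service=l2tp local-address=172.16.0.1 remote-address=172.16.0.2 \
    routes="192.168.20.0/24 172.16.0.2 1"
/interface l2tp-server server set enabled=yes authentication=mschap2 \
    use-ipsec=yes ipsec-secret="CHANGE-ME-long-random-psk"

# Place these above the final drop rule of the input chain.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE, NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept \
    comment="L2TP only when it arrived inside IPsec"
add chain=input protocol=udp dst-port=1701 action=drop comment="cleartext L2TP"

# ---- Branch Mikrotik (hAP behind the TP-Link and ISP NAT): L2TP client ----
/interface l2tp-client add name=l2tp-hq connect-to=203.0.113.10 \
    user=branch1 password="CHANGE-ME-long-random-password" allow=mschap2 \
    use-ipsec=yes ipsec-secret="CHANGE-ME-long-random-psk" disabled=no
/ip route add dst-address=192.168.10.0/24 gateway=l2tp-hq
```

Because the server-side IPsec peer is generated automatically and accepts connections from any source address, the strength of the `ipsec-secret` and the PPP password is what keeps other hosts out of the tunnel.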

Thanks for the reply. Will try to set up the second option.