IPSec for clients with dynamic IP and behind NAT

Hi,

I’m upgrading a private corporate network with Mikrotik routers. The headquarters has a static public IP, but some of the branch sites have a broadband connection with a shared public IP (the client gets a private dynamic IP). Currently I’m using OpenVPN as the VPN connection. The problem is, OpenVPN uses lots of CPU resources, and as the network gets bigger I need to use a dynamic routing protocol such as OSPF. I have tried configuring it, but it seems like OSPF doesn’t work with OpenVPN on Mikrotik.

Is it possible to use IPSec VPN to connect those branch sites?

Thanks in advance.

Sure, look at the “road warrior” setup on Mikrotik’s IPsec manual page for starters. With certain authentication modes, you can even have multiple initiators (clients) connecting to the responder (server) from behind the same public IP.

Just bear in mind that

  • for the same encryption algorithm and cipher strength, IPsec only loads the CPU less than OpenVPN (and hence has a higher throughput if the CPU is the bottleneck) if the device has hardware support for that cipher. There is a table in Mikrotik’s IPsec manual which tells you which ciphers are implemented in hardware on which model.
  • dynamic routing protocols such as OSPF need regular routing tables to work with, so you need to use IPsec to encrypt IPIP or GRE tunnels, and in principle you can use OpenVPN for the same purpose.

Don’t get me wrong - in no case am I advocating the use of OpenVPN rather than IPsec, it’s just that for the points you emphasize, there may not be as much difference between the two as you expect. If the hardware hasn’t been ordered yet, IPsec is definitely the better option due to its support for hardware encryption, and because it uses UDP as transport; OpenVPN as such supports it too, but Mikrotik’s implementation in RouterOS 6.x doesn’t, and 7.x is still an early beta, so I wouldn’t build a commercial service on it.

You can use IKEv2 with digital certificates for client-to-site and site-to-site VPNs where the VPN client can be behind a NAT device (i.e. CGNAT).

Make sure that all your edge routers use hardware that has IPSec HW acceleration, like the RB4011, hEX S, hAP AC2 and AC3, just to mention a few.


Sent from my iPhone using Tapatalk

Hi sindy and ksteink,

Thanks for the replies. FYI, for existing sites we use the RB750 (hEX lite) with OpenVPN, and it’s used for accessing internal apps, CCTV monitoring, and transferring data between sites. The issue is mostly that when transferring large amounts of data it gets very slow because of a bottleneck at the CPU (about 20-25 Mbps, with the CPU at 100%).

I will try implementing IPSec first on the existing hEX lites. If it doesn’t help then I will probably upgrade to routers that support HW encryption.

Understood, and good luck, BUT even if you do the test, try to avoid OVPN on versions 6.4x as they only support TCP transport instead of UDP.

That causes what is called TCP meltdown and badly impacts performance. On a 25 Mbps link using OVPN I got at most 3 Mbps BW, and on the same link using L2TP/IPSec I got 14 Mbps throughput.
