IPsec/GRE between sites w/ MT (again...)

Hello!

As someone with basic knowledge of switching and routED protocols, I’m asking for some (OK, maybe more :smiley:) help.

I have a few personal sites, all of which use MikroTiks. Now I need secure tunnels between these sites of mine. For that I chose to use GRE in IPsec. My idea is to use GRE for the ‘heavy lifting’ and use IPsec only for encryption.

Having these 2 below in mind, what approach will work?

  • 1 site (site A) is connected via an LTE modem. As you know, all inbound traffic is filtered at the telco, i.e. I cannot initiate a tunnel TO this site.
  • Site A sometimes gets its IP changed from the telco side, as it’s connected to the Internet via the LTE modem. This will surely break the tunnels (not a biggie), but config-wise it’s a bit unclear to me.

I have a mix of SOHO MikroTiks on my sites. Can I use strong crypto while sacrificing performance, as none of my Tiks has built-in HW offload for IPsec?

What are the pitfalls and limitations in my case? How should I configure the sites properly for all this to work? I’ll post a Visio drawing later on for some more details.

TIA!

Hello,

You can use L2TP/IPsec for your tunnels. Then your LTE site will work as the client and will not care about the dynamic IP.
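
As an added illustration of the L2TP/IPsec approach suggested above (this is example configuration, not posted by anyone in the thread), here is a minimal RouterOS setup for a hub with a static public IP and an LTE spoke behind the telco's NAT. It also raises the IPsec profile/proposal to strong algorithms, since the L2TP server's auto-created peer uses the defaults. Everything concrete is a placeholder assumption: 203.0.113.10 as the hub's public IP, 192.168.20.0/24 and 192.168.10.0/24 as the hub and spoke LANs, 10.255.0.0/30 as the tunnel addresses, the user name siteA, the interface/profile names and both secrets. Syntax targets RouterOS 6.43 or later / v7.

```routeros
# ===== Site B (hub, static public IP 203.0.113.10 - placeholder) =====
# Strong IKE (phase 1) and ESP (phase 2) settings. The L2TP server creates
# its IPsec peer dynamically and uses the "default" profile and proposal,
# so harden those rather than adding new ones. All SOHO models do this
# in software, so throughput will be CPU-bound.
/ip ipsec profile set default enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 nat-traversal=yes
/ip ipsec proposal set default enc-algorithms=aes-256-cbc \
    auth-algorithms=sha256 pfs-group=modp2048
# (if a non-MikroTik client must also connect, use pfs-group=none)

# PPP profile for the site links: no MPPE/compression (IPsec already
# encrypts), clamp MSS so the extra PPP+L2TP+ESP headers don't break TCP.
/ppp profile add name=l2tp-sites local-address=10.255.0.1 \
    use-encryption=no use-compression=no change-tcp-mss=yes

# One account per spoke, with a fixed tunnel address.
/ppp secret add name=siteA password="AnotherLongRandomSecret" \
    service=l2tp profile=l2tp-sites remote-address=10.255.0.2

# Static binding so the spoke's interface always has a stable name,
# which lets us route to it without knowing the spoke's public IP.
/interface l2tp-server add name=l2tp-siteA user=siteA
/interface l2tp-server server set enabled=yes use-ipsec=required \
    ipsec-secret="ChangeMe-LongRandomPSK" default-profile=l2tp-sites

# Route to site A's LAN via the tunnel interface.
/ip route add dst-address=192.168.10.0/24 gateway=l2tp-siteA

# Input rules (place them above the default drop rule): IKE, NAT-T, ESP,
# and L2TP only when it arrives inside IPsec.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 \
    action=accept comment="IKE / NAT-T"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept \
    comment="ESP"
/ip firewall filter add chain=input protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept comment="L2TP inside IPsec only"

# ===== Site A (spoke, LTE, dynamic IP behind telco NAT) =====
# Same strong defaults so both ends agree on algorithms.
/ip ipsec profile set default enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 nat-traversal=yes
/ip ipsec proposal set default enc-algorithms=aes-256-cbc \
    auth-algorithms=sha256 pfs-group=modp2048

# The spoke always initiates, so the hub never needs to know its address.
/interface l2tp-client add name=l2tp-siteB connect-to=203.0.113.10 \
    user=siteA password="AnotherLongRandomSecret" \
    use-ipsec=yes ipsec-secret="ChangeMe-LongRandomPSK" \
    add-default-route=no disabled=no

# Route to site B's LAN via the tunnel interface.
/ip route add dst-address=192.168.20.0/24 gateway=l2tp-siteB
```

Why this answers the dynamic-IP and NAT questions: the hub's dynamically created IPsec peer accepts any source address (it is passive), and IPsec NAT-T wraps ESP in UDP/4500, so the telco's NAT just sees an outbound UDP flow from the spoke. PPP keepalives (LCP echoes) and NAT-T keepalives keep that mapping open, so the hub's return traffic rides the existing translation; when the LTE address changes, the keepalives fail, the client tears the session down and reconnects from the new address, and the routes above come back with the interface. Check with `/ip ipsec active-peers print` and `/interface l2tp-client monitor l2tp-siteB once` on the spoke, and `/ip ipsec installed-sa print` to confirm aes-256-cbc/sha256 were actually negotiated. If both ends are MikroTik, `enc-algorithms=aes-256-gcm` in the proposal is a cheaper choice in software than CBC plus a separate SHA-256 authentication.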

Hello!

Thanks for writing back!

Given that Cisco AnyConnect is working just fine over the same mobile connections, I too believe it’s possible to use IPsec over mobile.

My other questions and thoughts still remain, though.

For example, how should I configure the non-LTE site when I wouldn’t know what IP my ISP will assign my LTE site? → If my LTE site builds the IPsec tunnel, when will my non-LTE site know the ‘real’ IP of the LTE site? → If my non-LTE site has traffic to send over to the LTE site, how will this traffic pass through the ISP NAT/PAT/firewall, as it isn’t ‘associated’ in advance?

Please don’t hate on me much, I’m obviously a n00b. :laughing: If I knew all this I wouldn’t be posting here in the first place, right?