L2 VPN, NAT friendly + road warrior - how to?

Hello, I am looking for the most fitting solution for an L2 VPN using RouterOS as a VPN gateway.

I would like to set up a transparent ethernet interconnection between a company headquarters LAN and branches LANs (many). There is a DHCP server on HQ’s LAN, all clients on all branches should be able to get their IP address from that DHCP server. Assume that HQ as well as branches will be equipped with Mikrotik RouterOS devices (routerboards) for that purpose.

Primary functionality requirements:

  • Any device (any MAC address at any branch or HQ) must be able to talk to any other, regardless of its location - it's up to the gateway to ensure bridging.

  • The VPN connection must bridge full ethernet frames (including VLAN tags and/or other stuff, if possible)

Transport requirements:

  • The encapsulating (wrapper) transport connection should be firewall and NAT friendly, must be initiated from the client (branch) side and must not rely on client’s addresses. The clients (branches) are all behind NAT and their VPN’s IP address can be changed at any time. It would be a benefit, if a VPN server could operate behind NAT too, but this is not a requirement.

Optional requirement - road warrior:

  • It would be a good feature to allow a single user connection from a Windows computer (probably L2TP), behind NAT and with any IP of course. Such a connected computer must be able to talk to any MAC in any location using its VPN interface.

Thank you for the tips!
Jan

It can be done fairly easily.

You will have to use Mikrotiks at the main office and at the branch offices and use EoIP with security (through SSTP or IPSec) for the transparent L2 bridging.
For road warriors you will have to set up separate L2TP/IPSec tunneling for use with Windows/Android/iToy devices.

All will be compatible with dynamic IPs and NAT on the client side, the server side has to have static IPs.

Thank you very much for a good tip. Yes, I know about EoIP tunnels, they work fine. However, could you please give me some basic info on how to “secure them” using SSTP or IPSec? EoIP tunnels need an IP address on both sides, I assume those IP addresses will be addresses assigned to some kind of point to point interfaces…

Thank you.
Jan

In case of SSTP, you can have a dynamic address on the client side, and then just build an EoIP tunnel over the SSTP tunnel addresses; it will be secured with SSTP.

In case of IPSec, build the EoIP tunnel directly over the public IPs and secure with IPSec transport mode. If the client side public IP is dynamic, you will have to script a little bit to change the dynamic IP of the EoIP tunnel on the server side.

It works either way with dynamic public IPs; NAT is not a problem for SSTP and works with no problem with IPSec NAT Traversal.
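The EoIP-over-SSTP layout described in the answer above, written out as a RouterOS configuration. This is an added example and not a config posted in this thread; the certificate name hq-sstp, the hostname vpn.example.com, the bridge name br-lan, the per-branch tunnel subnet 10.255.0.0/30, tunnel-id 1 and the placeholder passwords are all assumptions. The HQ side terminates SSTP on TCP 443 (so the branch only needs an outbound HTTPS connection through its NAT), hands each branch a fixed PPP address, and bridges the EoIP interface into the same bridge as the HQ LAN, which is where the DHCP server lives. The branch side dials out, builds its EoIP tunnel over the PPP addresses and bridges it into its own LAN, so branch clients see the HQ DHCP server directly at layer 2.

```routeros
# ===== HQ router (SSTP server, static public IP) =====
# Assumed: LAN on ether2, DHCP server already running on br-lan.
/interface bridge add name=br-lan
/interface bridge port add bridge=br-lan interface=ether2

# PPP profile for branch tunnels: HQ end of every tunnel is 10.255.0.1,
# each branch gets its own remote-address from its /ppp secret.
/ppp profile add name=sstp-branches local-address=10.255.0.1 \
    use-encryption=required change-tcp-mss=yes

# One secret per branch; REPLACE-ME is a placeholder, not a real password.
/ppp secret add name=branch1 password=REPLACE-ME service=sstp \
    profile=sstp-branches remote-address=10.255.0.2

# SSTP server with the HQ server certificate (assumed to be named hq-sstp,
# already imported or generated in /certificate).
/interface sstp-server server set enabled=yes certificate=hq-sstp \
    authentication=mschap2 default-profile=sstp-branches

# EoIP over the PPP addresses; tunnel-id must match the branch side.
/interface eoip add name=eoip-branch1 local-address=10.255.0.1 \
    remote-address=10.255.0.2 tunnel-id=1
/interface bridge port add bridge=br-lan interface=eoip-branch1

# Input firewall: allow SSTP from anywhere (branches are behind NAT on
# changing addresses), but accept the GRE carrying EoIP only from inside
# the tunnel subnet so nobody can inject frames onto the bridge from the
# public side.
/ip firewall filter add chain=input protocol=tcp dst-port=443 \
    action=accept comment="SSTP from branches"
/ip firewall filter add chain=input protocol=gre \
    src-address=10.255.0.0/30 action=accept comment="EoIP inside SSTP"
/ip firewall filter add chain=input protocol=gre action=drop \
    comment="EoIP from outside the tunnel"

# ===== Branch 1 router (SSTP client, dynamic address behind NAT) =====
# Assumed: branch LAN on ether2, NO local DHCP server on br-lan, because
# clients are meant to get leases from the HQ server across the bridge.
/interface bridge add name=br-lan
/interface bridge port add bridge=br-lan interface=ether2

# Import the CA that signed hq-sstp (file name assumed) so the client can
# verify the server certificate instead of accepting any certificate.
/certificate import file-name=hq-ca.crt passphrase=""

/interface sstp-client add name=sstp-hq connect-to=vpn.example.com:443 \
    user=branch1 password=REPLACE-ME profile=default-encryption \
    verify-server-certificate=yes add-default-route=no disabled=no

# EoIP over the PPP addresses, mirrored from the HQ side.
/interface eoip add name=eoip-hq local-address=10.255.0.2 \
    remote-address=10.255.0.1 tunnel-id=1
/interface bridge port add bridge=br-lan interface=eoip-hq
```

Each additional branch gets its own /ppp secret with the next free remote-address, its own eoip-branchN interface with a unique tunnel-id, and a wider src-address range in the GRE accept rule. Because the EoIP interface carries whole Ethernet frames, VLAN tags from the branch LAN arrive untouched at the HQ bridge. The main operational caveat is MTU: Ethernet inside EoIP inside PPP inside SSTP/TCP leaves well under 1500 bytes for the inner frame, so expect fragmentation of large frames unless the bridged hosts' MTU is lowered or the EoIP interface mtu is set accordingly. For the IPsec transport-mode variant mentioned in the answer, the EoIP interfaces would instead use the public IPs directly and an IPsec policy would protect protocol GRE between them; that configuration is not shown here.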