L2TP/IPSec - multiple users, one location

Hi, I have an RB750GL with a working L2TP/IPsec VPN. The only (but huge) problem is when some user tries to connect to the VPN from an IP address from which someone else is already connected. In that case, the existing tunnel gets killed.

Our users connect from the same location very often (e.g. conferences, hotels…). We now have this working on a D-Link DFL router, but we need to replace it with an RB.

I found a note on the wiki stating that only one IPSec session can be established through NAT. Does it apply to this situation, and (if so) how is it possible that the D-Link DFL works, but the RB does not?!

ROS 5.19

Any advice will be appreciated…

Are you using same user (secret) for everyone?

No, every user has its own.

Well, if you’re at the same hotel etc., then almost certainly all of you are behind a NAT device.
I’m not sure how the D-Link devices handle it, but MTK isn’t going to cut it in the situation you describe.

OpenVPN should do reasonably well in TAP [ethernet] mode though.
It’s more work to set up, and docs here are horrible. [Sorry to bring bad news.]

But I’ve recently evaluated every possibility and for my setup, OpenVPN was the only RW-capable VPN on RoS I was willing to roll out.


Just my opinion of course, but I don’t think L2TP is adequately secure on RoS for road-warrior support. [Without getting into too much technical detail, it’s a result of not having an IPSec --policy match in RoS.]

So, IMO, the only reliable [kind-of] road-warrior VPN protocol on RoS is OpenVPN.

PPTP: Insecure [see cloudcracker]
L2TP discussed above: Also, if they connect with straight L2TP without the IPSec wrapper then I believe that negotiation is also vulnerable to the cloudcracker attack.
IPSec for Road-warriors. Without a working ipsec policy match, you have to simply allow all traffic from any WAN address to any LAN address. [Crazy as hell.]
SSTP: Seemingly unstable in recent versions of RoS. Also only supported for Vista/Win7, not XP.

So, again, IMO that leaves OpenVPN, which has its fair share of really ugly warts on RoS too. But it’s the least ugly of all the step-children. :)

Best of luck.