Hello,
We have a VPN topology where we route traffic through a few main offices over the VPN. We use OpenVPN and are moving to L2TP. With OpenVPN we can route sub-office networks over the VPN. Here is an example:
Office 3 has a VPN connection to office 1. We route traffic to 192.168.100.0/24 through office 1. This works with OpenVPN, but with L2TP it only routes the local 10.0.1.0/24 network. So each router would need its own VPN connection to each site. Is there a way to traverse subnets with L2TP like we do with OpenVPN?
It is possible with the help of static routes, but more details are needed: which router(s) is/are L2TP server(s)? How exactly are all the routers connected with each other? A simple diagram would be best.
Here is a link to a simple map https://wheelerwire-my.sharepoint.com/:i:/p/wheelert/Eb5NlOq7lGJMk-J2n0ZOV2oBwuTA51T5MxLyVWMtRPrtrg?e=Maa0c6
Right now we have SSTP VPN connections between sites and we use static routes, and everything routes. So 10.0.1.0/24 routes through 10.0.2.1 and all sites have access. When I change the tunnels to L2TP, 10.0.1.0/24 can route to 10.0.2.0/24 but not to any 192 addresses like with the old tunnel. If I switch it back and update the routes to use the SSTP tunnel, it all works.
I went from OpenVPN (no UDP support in Tik) to IPsec (hardware encryption) to WireGuard. WireGuard blows IPsec with hardware encryption out of the water in terms of performance. And configuration MikroTik to MikroTik is a snap.
I still use IPsec for road warriors (IKEv2 and certificates), and I am struggling with a very remote site on WireGuard where the wg facility crashes after failed handshakes due to bad connectivity and stops retrying. This is the only situation where I'm considering going back to L2TP over IPsec.
That said, you should NOT implement obsolete VPNs. Moving multiple offices with their VPNs into production is a hassle that can turn outright painful and take weeks to iron out depending on the size of the network. Worse, the network is bound to grow over time and building on top of obsolete protocols will bring only extra pain when it becomes time to replace the “new” vpn solution.
As others mentioned, do yourself a favor and ditch plain L2TP. If you have to do L2TP, do it over IPsec. But try to implement newer tech.
That said, L2TP presents itself as an interface, so you can easily assign addresses to it and then add static routes.
Back to the main point: I'll write down a list of all the possible route combinations for each and every router, so that everything is accessible through anything. The OP will decide what is needed and what is not.
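As an added illustration (not posted by anyone in this thread, and not a MikroTik-provided configuration), here is the hub-and-spoke static-route layout the replies above describe, written as RouterOS CLI. Only 10.0.1.0/24, 10.0.2.0/24 and 192.168.100.0/24 come from the thread; the tunnel addresses (10.255.0.0/24), the office 3 LAN (10.0.3.0/24), the hub's public address (203.0.113.1), the user name and the credentials are placeholders I assumed.

```routeros
# --- Office 1 (hub): L2TP/IPsec server.
# --- All addresses except the thread's 10.0.1.0/24, 10.0.2.0/24 and 192.168.100.0/24 are assumed placeholders.
/interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret="REPLACE_WITH_PSK"
# Tunnel endpoint addresses (assumed 10.255.0.1 hub / 10.255.0.3 spoke). The "routes" field installs a
# route to office 3's LAN (assumed 10.0.3.0/24) on the hub only while office 3 is connected.
/ppp secret add name=office3 password="REPLACE_WITH_PASSWORD" service=l2tp local-address=10.255.0.1 remote-address=10.255.0.3 routes="10.0.3.0/24 10.255.0.3 1"

# --- Office 3 (spoke): L2TP/IPsec client to office 1's public address (assumed 203.0.113.1).
/interface l2tp-client add name=l2tp-office1 connect-to=203.0.113.1 user=office3 password="REPLACE_WITH_PASSWORD" use-ipsec=yes ipsec-secret="REPLACE_WITH_PSK" disabled=no
# Static routes use the hub's tunnel IP as the gateway, not the interface name.
/ip route add dst-address=10.0.1.0/24 gateway=10.255.0.1 comment="office 1 LAN via L2TP"
/ip route add dst-address=192.168.100.0/24 gateway=10.255.0.1 comment="subnet reached through office 1, via L2TP"

# --- Return path: if 192.168.100.0/24 lives at office 1 the ppp secret above already covers it.
# --- If it lives at another site that is itself tunnelled to office 1, that site needs its own
# --- route back to office 3's LAN via its tunnel address toward office 1 (assumed 10.255.0.1 here).
/ip route add dst-address=10.0.3.0/24 gateway=10.255.0.1 comment="office 3 LAN, return path via office 1"
```

The point of the last block is the failure mode the OP is seeing: a packet from 10.0.1.0/24 can leave office 3 toward 192.168.100.0/24, but unless every router on the path has a route back to 10.0.1.0/24 (and the forward chain of each firewall allows tunnel-to-LAN traffic), the reply never arrives and only the directly connected subnet appears to work. After connecting, `/ip route print` on each router should show the remote /24s as active, and `/tool traceroute` from a LAN host toward 192.168.100.x shows on which hop the return route is missing.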
I actually did a comparison. Nothing scientific, just did some bandwidth tests under matching conditions and watched throughput and CPU usage on both routers. My reasoning was the same as Larsa's: "Hey, if they put a chip on this board to do all the heavy lifting, IPsec should be a walk in the park for the CPU, right?" Wrong. Total overhead for IPsec amounts to MORE work than WG's overhead plus software encryption combined. Again, I haven't documented either the tests or the results, so your mileage may vary. But that was my conclusion, hence moving most of my customers' VPN links to WG.
As far as using interfaces for gateways, IIRC there are a couple of downsides and only a single upside to using interfaces as gateways. There was an article in the wiki about it, but I can't find it right now. Some 8 or 9 years ago I remember using interfaces for gateways and something was off with routing. It was an extended network and we would have random dropouts. Like no explanation whatsoever: everything was fine, then some link would drop offline and take half the network with it. We sunk days of work into that bug and narrowed it down to issues with the routes themselves. If an interface cut out for only a few seconds the routes became invalid, backup routes came up, but then some packets would loop and crash all the other links. I believe the behavior changed with ROS7 and the introduction of routing tables and whatnot, but I learned my lesson. Less is more, and build your routes the right way. Easier troubleshooting and less chance of strange things happening.
@thecat12 That is exactly how I do the routing. As I said, it works with other VPN tunnels, but the L2TP/IPsec tunnels only route to the connected subnet even if the routes are set. I can double-check the setup, but that is the main issue.
The only times I have seen gateway IPs not used (aka interface name) vice gateway LAN IP is WireGuard and PPPoE WAN connections (talking routes here).
In mangles and other config locations, interface name should work.