LAN-to-LAN VPN

Hello,

What rules do I need in the firewall to allow communications between the two LANs if I've an SSTP or PPTP VPN?

Thanks

That depends on what you already have in place. When there is a rule that allows Established and Related traffic (as usual),
you only need an input rule on the “server” side for the protocol you are using, e.g. TCP port 443 for SSTP and TCP port 1723
plus protocol 47 (GRE) for PPTP.
Of course those two are amongst the lowest-performing (and not very secure) VPN solutions, so only use these when you have
some reason why you cannot use a better one, especially for LAN-to-LAN.

When you have fixed IP addresses for internet and you want a LAN-to-LAN VPN, I recommend using a GRE tunnel with IPsec protection.
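For readers who want to see what the “input rule on the server side” above looks like in RouterOS, here is an added example (not posted in this thread and not from MikroTik documentation). The interface name ether1-wan, the bridge name and the rule order are assumptions; adapt them to the existing ruleset. The forward rules are only needed if the forward chain already drops by default, which would otherwise stop traffic between the LAN and the VPN connection.

```routeros
# Added example, not from the thread. Input chain on the router that accepts the
# SSTP/PPTP connection. "ether1-wan" and "bridge" are assumed interface names.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to connections already known (usual first rule)"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=443 action=accept comment="SSTP: TLS on TCP/443"
add chain=input in-interface=ether1-wan protocol=tcp dst-port=1723 action=accept comment="PPTP: control channel on TCP/1723"
add chain=input in-interface=ether1-wan protocol=gre action=accept comment="PPTP: data channel, IP protocol 47 (GRE)"
add chain=input in-interface=ether1-wan action=drop comment="drop everything else arriving from the internet"

# Forward chain: only needed when forwarding is not already open.
# "all-ppp" matches every PPP-type interface, which is where SSTP and PPTP sessions terminate.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=bridge out-interface=all-ppp action=accept comment="local LAN to the VPN peer"
add chain=forward in-interface=all-ppp out-interface=bridge action=accept comment="VPN peer to the local LAN"

# Check that the rules are in the intended order and see their counters move while connecting:
/ip firewall filter print stats
```

Because the SSTP rule only opens TCP/443, the TLS handshake and certificate check still happen inside the SSTP server itself; the firewall rule does nothing to verify the client. The PPTP pair (TCP/1723 plus GRE) is the reason PPTP is awkward behind NAT: the GRE data channel has no port numbers for a NAT device to track.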

Thanks for your reply,

Do I need any rule in the src-nat chain to bypass the masquerade rule for the 2 networks to communicate without any issues?

Only with direct IPsec tunnels. With a GRE/IPsec tunnel as I recommended you don’t have that issue.
Just create an IPsec tunnel interface and specify an IPsec key on it, add a /30 address on the tunnel interface,
and set static routes for the networks on the other side. It should work, in this case probably even without any
firewall rule changes (depending on what you already have).
For best performance (to avoid fragmentation) add this mangle rule:

/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
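The configuration described in the reply above, written out for both routers as an added example (this is not configuration posted in the thread; the public addresses 198.51.100.10 and 203.0.113.20, the LAN ranges, the interface names and the secret are all constructed placeholders). Setting ipsec-secret on the GRE interface makes RouterOS create the IPsec peer and policy for the GRE traffic itself, which is the “GRE over IPsec transport” arrangement the thread recommends. The input rules at the end are only required when the input chain already drops unknown traffic from the internet; otherwise the reply's remark that no firewall changes are needed applies.

```routeros
# Added example, not from the thread. Site A: public 198.51.100.10, LAN 192.168.1.0/24
#                                      Site B: public 203.0.113.20, LAN 192.168.2.0/24
# All addresses, names and the secret are constructed; replace them.

# ---------------- Site A ----------------
/interface gre add name=gre-siteB local-address=198.51.100.10 remote-address=203.0.113.20 ipsec-secret=ReplaceWithLongRandomSecret keepalive=10s,10
# /30 on the tunnel: .1 here, .2 on the far side
/ip address add address=10.255.0.1/30 interface=gre-siteB
# Static route to the remote LAN via the far end of the tunnel
/ip route add dst-address=192.168.2.0/24 gateway=10.255.0.2
# MSS clamping from the thread, so TCP inside the tunnel does not rely on fragmentation
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
# Only if the input chain drops unknown internet traffic: let the peer's IKE, ESP and (decrypted) GRE in
/ip firewall filter add chain=input src-address=203.0.113.20 protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T from site B"
/ip firewall filter add chain=input src-address=203.0.113.20 protocol=ipsec-esp action=accept comment="ESP from site B"
/ip firewall filter add chain=input src-address=203.0.113.20 protocol=gre action=accept comment="GRE from site B, after IPsec decryption"

# ---------------- Site B (mirror image) ----------------
/interface gre add name=gre-siteA local-address=203.0.113.20 remote-address=198.51.100.10 ipsec-secret=ReplaceWithLongRandomSecret keepalive=10s,10
/ip address add address=10.255.0.2/30 interface=gre-siteA
/ip route add dst-address=192.168.1.0/24 gateway=10.255.0.1
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall filter add chain=input src-address=198.51.100.10 protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T from site A"
/ip firewall filter add chain=input src-address=198.51.100.10 protocol=ipsec-esp action=accept comment="ESP from site A"
/ip firewall filter add chain=input src-address=198.51.100.10 protocol=gre action=accept comment="GRE from site A, after IPsec decryption"

# ---------------- Checks (either side) ----------------
/interface gre print            ; # the interface should show the R (running) flag once keepalives pass
/ip ipsec installed-sa print    ; # one ESP SA per direction means the secret matched and IKE completed
/ping 10.255.0.2 count=3        ; # from site A: reaches the far tunnel end through the encrypted GRE
```

Why no src-nat exception is needed here: traffic for 192.168.2.0/24 leaves site A through gre-siteB, so a masquerade rule written as out-interface=ether1-wan never matches it. The encrypted packets that do leave via the WAN already carry the router's own public address as source, so masquerade changes nothing for them. With a plain IPsec tunnel-mode policy there is no separate interface, the LAN-to-LAN packets would exit the WAN interface and hit masquerade before the policy, and that is the exception the next reply refers to.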

pe1chl, can you go into more depth on GRE over IPsec, or point us to a document that can help? I have been trying (unsuccessfully) for a week to pass traffic across an established IPsec tunnel where an ASA 5505 is one end and a MT RB2011 is on the other end. I didn’t have this difficulty with a MT/FortiGate IPsec tunnel, and I thought that setup was challenging.

Don’t use an IPsec tunnel. It is complicated because you need to make NAT exceptions, and your networks/masks need to match exactly or it just won’t work.
Also, routing and extension beyond the simple case of 2 routers is always a nightmare.

It is better to use GRE over IPsec transport. In a MikroTik that is easy: just create a GRE interface and enter an IPsec secret.
Of course you need to set the other side to the same mode, but this mode is “invented by Cisco” so they support it well (although I have experience only with IOS routers, not with ASA).

What would I need to do on the ASA side? It is my understanding that the ASA 5505 does not support GRE tunnels. If this has changed, could you point me to a document explaining the setup of GRE on the ASA side?

I don’t know anything about ASA…