Management VPNs

Hi All.

I am trying to figure out whether what I want to achieve is possible, and how complex it might be!

I have a number of customers we put LTE links in; it is a fairly standard config, an SXT LTE and something like a HAP AC at each site.

What I would like to do is be able to monitor each of these sites, and the kit on each site, via The Dude running on a CHR I have running in AWS.

There are some challenges other than my lack of knowledge:

  1. Each of the SXT LTEs gets a CGNAT IP
  2. The devices behind the SXTs are on a mix of IPs

What I think I am trying to achieve probably looks a bit like this:

So to recap, what I would like to do is:

  1. Monitor all devices from the dude on the CHR
  2. Via the CHR be able to connect and remotely manage these devices (upgrades etc)

Anyone out there able to give me some pointers?

Thanks

Nik

Establish IPsec with each site, add routes to, and back routes from, each LAN of the remote offices (or just run OSPF), and run SNMP.

Thanks for the reply. So are you saying just a straight IPsec (L2TP server on the CHR and L2TP on the clients?) with routes, as opposed to policies, would do the job?

Thanks

Yes, just L2TP over IPsec with static routes. Don’t forget not to masquerade your local subnets. Or, if all your equipment is MikroTik, then you can create GRE over IPsec with static routes.

L2TP over IPsec could be troublesome when all those remote systems are behind the same CGNAT, or a couple of them.
In that case it could be safer to use the (otherwise inferior) TCP tunnels like SSTP or OVPN.
As this is a low-bandwidth situation it will likely work OK.

OK, cheers. I will go and have a read up on SSTP and OVPN.

Or you can use a GRE tunnel over manually configured IPsec, which means you can manually set tunnel mode for the IPsec transport and thus avoid problems with multiple clients behind the same NAT.

Sure, but that is a complicated solution that does not scale well.
SSTP has terrible performance under load (so does OpenVPN over TCP) but for purposes like some light remote management and monitoring it is fine.
Setting up an SSTP tunnel per remote device is quite simple: just create the server and a network for it (on a loopback) and add a user for each remote device with username, password and remote IP address. On the remotes, just set up the SSTP client with user and password.
This assumes the SSTP will be made to the router that also runs the Dude. If not, there will be the additional issue of setting a route.
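The per-device SSTP setup described in this reply, written out as RouterOS CLI commands. This is an added example, not configuration from the thread or from MikroTik; the names (loopback-mgmt, mgmt-sstp, site01), the 10.255.0.0/24 management prefix, the 192.168.11.0/24 and 192.168.12.0/24 site LANs, the hostname chr.example.net, the interface names ether1 and lte1 and the placeholder passwords are all assumptions. It assumes the CHR also runs The Dude, as the reply does, and it folds in the two earlier caveats: the CHR needs a route back to each site LAN, and the remote's masquerade rule must not rewrite traffic entering the tunnel.

```routeros
# ===== CHR in AWS (SSTP server, also runs The Dude) =====
# Added example; names, prefixes, hostname and passwords are assumptions.

# Loopback: on RouterOS a bridge with no ports. Its /24 is the management
# network every tunnel endpoint lands in.
/interface bridge add name=loopback-mgmt
/ip address add address=10.255.0.1/24 interface=loopback-mgmt

# Self-signed CA plus a server certificate signed by it. Export the CA so
# the remotes can verify the server instead of trusting it blindly.
/certificate add name=sstp-ca common-name=sstp-ca key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate sign sstp-ca
/certificate add name=sstp-server common-name=chr.example.net key-usage=tls-server days-valid=3650
/certificate sign sstp-server ca=sstp-ca
/certificate export-certificate sstp-ca file-name=sstp-ca
# -> copy the resulting sstp-ca.crt to each remote router (Files menu or scp)

# Profile shared by all sites: local end is the loopback address,
# encryption required, TCP MSS clamped to the tunnel MTU.
/ppp profile add name=mgmt-sstp local-address=10.255.0.1 use-encryption=yes change-tcp-mss=yes

# One secret per remote device: fixed tunnel address plus a route to that
# site's LAN ("dst gateway metric") that exists while the client is up.
/ppp secret add name=site01 password="CHANGE-ME-site01" service=sstp profile=mgmt-sstp \
    remote-address=10.255.0.11 routes="192.168.11.0/24 10.255.0.11 1"
/ppp secret add name=site02 password="CHANGE-ME-site02" service=sstp profile=mgmt-sstp \
    remote-address=10.255.0.12 routes="192.168.12.0/24 10.255.0.12 1"

# SSTP server on 443: MS-CHAPv2 only, AES forced, PFS on.
/interface sstp-server server set enabled=yes port=443 certificate=sstp-server \
    default-profile=mgmt-sstp authentication=mschap2 force-aes=yes pfs=yes

# Let the tunnels in from the Internet (ether1 is the AWS-facing interface).
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=443 \
    action=accept comment="SSTP from remote sites"

# ===== each remote hAP (SSTP client) =====
# Import the CA exported above, then dial with this site's own secret and
# verify both the certificate chain and the server name.
/certificate import file-name=sstp-ca.crt passphrase=""
/interface sstp-client add name=sstp-mgmt connect-to=chr.example.net:443 \
    user=site01 password="CHANGE-ME-site01" profile=default-encryption \
    verify-server-certificate=yes verify-server-address-from-certificate=yes \
    add-default-route=no disabled=no

# Reach the whole management /24 (the CHR loopback, and The Dude on it)
# through the tunnel.
/ip route add dst-address=10.255.0.0/24 gateway=sstp-mgmt comment="mgmt via CHR"

# Masquerade only what leaves via LTE. An unqualified masquerade rule would
# also rewrite LAN traffic entering the tunnel, which is the "don't
# masquerade your local subnets" caveat from the earlier reply.
/ip firewall nat add chain=srcnat out-interface=lte1 action=masquerade

# Treat the tunnel as LAN so the stock "drop all not coming from LAN" input
# rule lets the CHR reach Winbox/SSH/SNMP on this router.
/interface list member add list=LAN interface=sstp-mgmt

# SNMP for The Dude: read-only community that only answers the CHR loopback.
/snmp community set [ find default=yes ] name=mgmt-ro addresses=10.255.0.1/32
/snmp set enabled=yes location="site01"
```

Because `routes=` on the secret is tied to the session, the CHR only carries a route to a site LAN while that site's tunnel is up, which is also a cheap liveness signal; the Dude can then poll LAN devices at their existing addresses, so the "mix of IPs" behind the SXTs only matters if two sites happen to use the same subnet.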

IPv6 is free in AWS, I believe. That may be a way to escape the CGNAT. That said, I think SSTP is your best solution. Even with IPv6, SSTP or L2TP/IPsec would be a more flexible and lighter configuration. If only MikroTik had DMVPN.

Exactly what I have done, super easy and stable so far.

I didn’t, however, create the loopback network… I just specify local and remote for each user and it seems to work fine… Though RoMon sadly doesn’t work…


Using a separate network on a loopback interface makes it easier to write firewall rules for your management network.
Other than that, it is not required.
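As an added example of the point above, not configuration from the thread: a CHR input chain that exploits the fact that every tunnel endpoint lives in one loopback prefix, so the management rules are written once and never touched when a site is added. The 10.255.0.0/24 prefix, the interface name ether1 and the service ports are assumptions; the rules are deliberately ordered so that applying them over Winbox from a tunnel does not lock you out, but apply them from a console or with a safe-mode session if you are connected via ether1.

```routeros
# CHR input chain. Assumes all site tunnels terminate in 10.255.0.0/24
# (the loopback network) and ether1 faces the Internet. Added example.
/ip firewall address-list add list=mgmt-net address=10.255.0.0/24 comment="all site tunnel endpoints"

# Stateful basics first so existing sessions survive the rest of the chain.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop

# From the Internet only tunnel setup is allowed.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=443 action=accept comment="SSTP"

# Management (SSH, Winbox, API) and ICMP only from tunnel endpoints, and only
# when the packet really arrived over a PPP tunnel (prefix cannot be spoofed
# from ether1). One rule each, however many sites there are.
/ip firewall filter add chain=input in-interface=all-ppp src-address-list=mgmt-net \
    protocol=tcp dst-port=22,8291,8728 action=accept comment="mgmt from sites"
/ip firewall filter add chain=input in-interface=all-ppp src-address-list=mgmt-net \
    protocol=icmp action=accept comment="ping from sites"

# Everything else aimed at the router itself is dropped, including Winbox
# and SSH from ether1.
/ip firewall filter add chain=input action=drop comment="default deny"

# Forward chain: the hub must not become a path between customer sites.
/ip firewall filter add chain=forward in-interface=all-ppp out-interface=all-ppp \
    action=drop comment="no site-to-site via CHR"
```

Without the loopback prefix each site's tunnel address would have to be listed individually, and a forgotten entry is the usual way one site ends up either unreachable or over-exposed.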

RoMon requires L2 connectivity. It could work over EoIP, but it is unwise to deploy EoIP unless absolutely necessary.