I have some basic knowledge about MikroTik/RouterOS systems but need a little help to configure VPN connections for “offices” …
Hardware will be:
Main office we will use:
1x RB1100AHx4 Dude Edition
2x WAN (PPPoE - Static IP)
Remote offices will use:
1x RB953GS-5HnT-RP
For WAN connections there will be different options:
2x LTE Huawei ME909u-521 (Dynamic IP)
1x WAN (Static IP)
or
1x LTE Huawei ME909u-521 (Dynamic IP)
1x WAN (Static IP)
or
1x LTE Huawei ME909u-521 (Dynamic IP)
Each location has its own local subnet, for example:
Main office XXX.YYY.0.QQQ/22
Office 1 XXX.YYY.10.QQQ/24
Office 2 XXX.YYY.11.QQQ/24
Office 3 XXX.YYY.12.QQQ/24
Office 4 XXX.YYY.13.QQQ/24
…
I'm trying to make a failover connection with routes and L2TP/IPsec but it does not work OK, because the VPN connection is terminated and re-established…
So now the questions:
1.) How can I make the remote office use its WAN connections as load balancing for the VPN?
2.) Which VPN type can I use?
3.) Is there some feature which can link the WANs together (they have static and dynamic IPs) so I can put the VPN over it?
Can nobody help me?
I don’t need a detailed description of the configuration, but some hint like: make WAN load balancing with this and this, and then the VPN connection with this…
You would need to stick the connections to always one route so the VPN is always re-established over the second WAN when the first WAN is down. It’s not a good idea to force load balancing on the packet level between unequal lines, as you need to put the packets in order on the other side… So use the faster line as primary and the slower line as backup.
jarda, thanks for your answer.
I'm asking this because there are some products on the market which offer this (Peplink); we tested them and they work OK…
Re-establishing the VPN is problematic, because we use some old applications which can’t be updated and fail when there is no communication to the server… If total speed is limited to 2x the slowest interface speed this is not a problem (for example WAN is 10Mbit, LTE is 50Mbit and we get a total of 2x 10Mbit, that is OK); the only thing I would like to get is that the VPN is not re-established or the connection to the server is not broken…
Ok. I understand your concern. Maybe someone else could point you in the right direction. Just note that bandwidth has almost nothing to do with the time a packet needs to pass from one side to the other. The different delay times of different lines make the balancing problematic, because waiting for the packets and queueing them until the missing ones arrive (or not) stops the whole communication. I can imagine you open two EoIP tunnels, one for each line, and use bonding on them. It may be working.
Because you have dynamic IP addressing from the LTE connections you cannot directly do GRE in MikroTik, because they don’t support that well (sure, scripting can, but blah).
I don’t see the problem with having both connections online. The trick with L2TP/IPsec is that traffic passing the link is what causes it to come online. Additionally it only supports unicast traffic. This means that if the connection goes down, in order for it to be re-established traffic must be generated that meets the criteria for encryption (interesting traffic, IPsec policy). Say you do this test with ICMP (ping). If you send 2 pings, the first one will usually be lost while the tunnel establishes.
That said, you want routing to work appropriately. This can be done with different AD (metric) static routes and check-gateway, but I prefer using a dynamic protocol. The only way to do this over L2TP/IPsec is to use something like BGP or static neighbors in OSPF, because of the lack of multicast. You can then apply a preference or costing to the links to control which link is used. In BGP you’d be able to prepend the AS path for the least preferred link (I’m guessing the LTE one) and use local preference locally to prefer egressing the non-LTE interface. OSPF may be a little more difficult.
You may find it entirely easier to put GRE under L2TP/IPsec for the dynamic IP VPNs and GRE wrapped in IPsec for the static locations. MTU will need to be adjusted accordingly, but this would give you permanent GRE interfaces you could add to an easier protocol like OSPF and perform all of your routing there.
Like most problems, I can think of a handful of ways to solve your design requirements. It just depends on what you feel is the best fit for you. Because of familiarity I personally would lean towards a solution with GRE w/keep-alive. It’s just the way I think, and personally I don’t feel the MTU loss would be overly harmful to overall operations; just keep it above 1280 and you’re good.
Either way, let routing handle failure operations and that will help hide or obfuscate that from less loss tolerant applications.
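An added example, not posted by anyone in this thread, of the static-WAN variant described above: GRE wrapped in IPsec with keepalive on each line, and failover left to routing via distance plus check-gateway. It assumes RouterOS 6 syntax, a remote office with one static WAN and a hub with two static WANs; all addresses, subnets and secrets are constructed placeholders. The dynamic-IP (LTE) case still needs the L2TP-wrapped form mentioned in the post.

```routeros
# Remote office side, RouterOS 6 syntax (constructed example, not from the thread).
# Office static WAN 192.0.2.20; hub WAN1 203.0.113.10 (fast line, primary) and
# hub WAN2 198.51.100.10 (backup). Main office LAN is taken to be 10.0.0.0/22.
# Each GRE tunnel is encrypted by IPsec through the ipsec-secret parameter, and
# keepalive takes the interface down when the far end stops replying, so the
# switch-over is a routing decision rather than a VPN teardown and rebuild.

/interface gre
add name=gre-hub-wan1 local-address=192.0.2.20 remote-address=203.0.113.10 \
    ipsec-secret=REPLACE_WITH_PSK_1 keepalive=10s,3 mtu=1400 comment="primary"
add name=gre-hub-wan2 local-address=192.0.2.20 remote-address=198.51.100.10 \
    ipsec-secret=REPLACE_WITH_PSK_2 keepalive=10s,3 mtu=1400 comment="backup"

# Point-to-point addressing on the tunnels (hub ends use .1 and .5)
/ip address
add address=10.255.0.2/30 interface=gre-hub-wan1
add address=10.255.0.6/30 interface=gre-hub-wan2

# Two routes to the main office LAN: the lower distance is used while its
# gateway answers ping; when check-gateway fails, the backup route takes over.
/ip route
add dst-address=10.0.0.0/22 gateway=10.255.0.1 distance=1 check-gateway=ping \
    comment="main office via fast line"
add dst-address=10.0.0.0/22 gateway=10.255.0.5 distance=2 check-gateway=ping \
    comment="main office via backup line"

# Reminder: the WAN input chain must accept IKE (udp/500, udp/4500) and ESP
# from both hub addresses, and the hub needs the corresponding tunnel
# endpoints and routes back to the office subnet.
```

The MTU of 1400 stays above the 1280 floor given above while leaving room for the GRE and IPsec headers on a PPPoE line.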
Thanks for all answers.
I'm still waiting for the devices, so I can’t test the recommended options, ask new questions or report results… First I will try GRE with IPsec …