RB1000 VPN offloading feature

Rockyboa · July 31, 2009, 1:07am

Hi,

We just bought some Mikrotik hardware and I just read that the RB1000 is having IPSec tunnel dedicated hardware, thats pretty cool and would really benefit from that. I would like to know which tunnel are supported by this feature, is PPTP, OVPN, L2TP and IPsec use the offloading engine?

Also, would like to know if dynamic tunnel are now supported since most of our remote site have dynamic IPs. Can someone point me out a tutorial on how to establish a really simple tunnel using a RB450 with dynamic IP and a RB1000U with a static IP.

We allready put v4.0b3, should we go back to v3.27 , we had no issue yet with the beta.

Thank you

Sabrina

mrz · August 3, 2009, 1:09pm

Only IpSec tunnels encryption is hardware accelerated.

Simple pptp tunnel:
Server (RB1000):
/ppp secret add name=test local-address=1.1.1.1 remote-address=2.2.2.2
/interface pptp-server server set enabled=yes

Client:
/interface pptp-client add connect-to=x.x.x.x user=test

where x.x.x.x public ip address of RB1000.

Rockyboa · August 5, 2009, 2:02am

Thanks for the reply.

Will experiment with pptp, but some says it is less secure than Ipsec, would I achieve higher perfomrance using pptp on my RB1000?

But like I said would like prefer using IPSec hardware offloading feature of the RB1000. So is dynamic IP supported at the remote location, using RB450?

I followed the Ref manual v3 example IPsec Between two Masquerading MikroTik Routers, but the tunnel is not building up. Do you have some info in the manual on how to diagnose my issues with logs?

Sabrina

nik247 · August 5, 2009, 9:11am

I try find same solution.

mrz · August 5, 2009, 10:12am

Yes, Ipsec is possible with dynamic IP’s.
You have to set generate-policy=yes and set remote peers address to 0.0.0.0

Rockyboa · August 11, 2009, 11:18am

Those are very good info and pointers I will try as soon as my vacation are over. Again, can someone with good knowledge in tunnelling technology using Mikrotik router would be able to give me a very easy to understand pros and cons of each of them, like I said we plan to use a pure Mikrotik solution from site to site and some mobile users, mostly for admin task may need to connect inside the VPN too. Performance is important since we are planning 4000 tunnels from different micro sites (1 to 5 users) on our RB1000 using RB450.

Thank you again.

Sabrina

Rockyboa · August 26, 2009, 9:40pm

IPSec is working fine, but unable to make it work with dynamic IP at remote site.

Remote Site: /ip ipsec export

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m
name=default pfs-group=modp1024
/ip ipsec peer
add address=69.x.x.122/32:500 auth-method=pre-shared-key dh-group=modp1024
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1
enc-algorithm=3des exchange-mode=aggressive generate-policy=yes
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no
proposal-check=obey secret=mysecret send-initial-contact=yes

Primary Site: /ip ipsec export

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m
name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1
enc-algorithm=3des exchange-mode=aggressive generate-policy=yes
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no
proposal-check=obey secret=mysecret send-initial-contact=no

Question his do I still need to create policy or generatepolicy should just do that?

Sabrina

mrz · August 27, 2009, 5:33am

On a remote site you need to add static policy.
Otherwise ipsec will not know what policy to generate on the primary site.

Rockyboa · August 27, 2009, 7:29pm

ahrg, usually I’m pretty good without needing to ask spoon feeding me the procedure. But again I’ll need help and hopefully this will be helpfull for some other people. I deleted the policy on the remote site and check the generate policy, that works, but strangely it created not one, nor two but three Dynamic policy on the primary site with only one remote MT 450 establishing the connection.

As soon as I change, in the primary site, the IP address of the peer to 0.0.0.0, and the SA Src Address in the remote policy to 0.0.0.0 I get into trouble… I read again the ref manual and try to change the policy level to other settings without better result…

Again here are my new export

Primary Site:
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m
name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1
enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=
mysecret send-initial-contact=no

Remote Site:
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m
name=default pfs-group=modp1024
/ip ipsec peer
add address=69.x.x.122/32:500 auth-method=pre-shared-key dh-group=modp1024
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=
mysecret send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.213.0/24:any
ipsec-protocols=esp level=require priority=0 proposal=default protocol=
all sa-dst-address=69.x.x.122 sa-src-address=0.0.0.0 src-address=
192.168.214.0/24:any tunnel=yes

Again TY

Sabrina

Rockyboa · August 27, 2009, 7:37pm

Solved it, my mistake, peer needs to be 0.0.0.0/0 not 0.0.0.0/32 to all accept connections. Hope this will help others.

But still need explanation why it creates 3 dynamic policies (noticed that 2 are identical - src: remote ste dst: primary site)

Sabrina