site 2 site VPN from a private mobile network IP

Hi all
I must resolve the following scenario:
Site 1: company office with MTK router and fixed IP
Site 2: company office with an Internet access with MTK over mobile network with private IP
Site 3: company office with MTK router and dynamic IP

I need to make a site-to-site VPN from Site 2 to 1 and also from Site 2 to 3.
I need to establish the subnet access in both directions (the Site 2 subnet, and not only the router address, is accessible from the other sites, no NAT).

Which type of VPN (L2TP, OpenVPN, or?)
Standard L2TP I configured and they are up and running, but in my understanding I must build up the VPN from Site 2 with the private IP, and that will be a problem with L2TP?
Can I use the cloud service from MikroTik in the L2TP configurations?

You can use L2TP with automatically configured IPsec for that if it’s enough for you to have a single client of the same server behind the same public IP. If an endpoint of a VPN connection is on a private IP behind a NAT on which you cannot configure port forwarding (such as your mobile connection), it must actively initiate the connection and the protocol chosen must support NAT traversal, which L2TP over IPsec does.

Alternatively, you can use manually configured IPsec to provide encryption and NAT traversal to other tunneling protocols such as GRE, with the same limitation of maximum one such endpoint NATed behind the same public IP. Or you may make use of the IPIP tunneling embedded into IPsec if you don’t need dynamic protocols or if you need to have several endpoints NATed behind the same public IP.

Since there is a device with a static public IP address in your collection, I’d make it a passive responder and set the other two devices to actively initiate the connections to it, even though the logical topology of the network is different, and accept the fact that the connections between Site 3 and Site 2 would pass through Site 1. But if this is problematic for any reason (insufficient bandwidth at Site 1, or Site 1 not trustworthy as a transit point between Site 2 and Site 3), you can configure the connect-to of the /interface l2tp-client, as well as the address of /ip ipsec peer and the remote-address of /interface gre, as the domain name which the peer with the dynamic address updates in DNS using the /ip cloud functionality. The dynamic peer generated if you set use-ipsec to yes in /interface l2tp-server server listens on all local addresses and accommodates the change. If you’d want to use one of the other tunnel types, it is not so straightforward and you have to use a trick as described here - don’t worry that we deal with EoIP there, the configuration is the same for EoIP and general GRE or IPIP, only the use is different (EoIP endpoint interfaces are L2, GRE and IPIP endpoint interfaces are L3). What we don’t deal with there is NAT, which means that on the NAT-less side you have to configure IPsec manually and set the peer as a responder.
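The passive-responder layout described above (Site 1 as L2TP/IPsec server, Site 2 initiating from behind the carrier NAT, both LAN subnets routed without NAT), written out as RouterOS CLI. This is an added example, not the poster's configuration or anything from the thread. Assumed values: Site 1 LAN 192.168.1.0/24, Site 2 LAN 192.168.2.0/24, tunnel addresses 10.255.0.1/10.255.0.2, Site 1's /ip cloud name `<SITE1-ID>.sn.mynetname.net` and the placeholder secrets; replace them with your own.

```routeros
# ===== Site 1 (static public IP): passive L2TP/IPsec responder =====
# Publish the DDNS name so initiators can use connect-to=<name> instead of an IP.
/ip cloud set ddns-enabled=yes

# Enable the L2TP server with automatically generated IPsec (NAT-T capable).
# ipsec-secret is an assumed placeholder; use a long random pre-shared key.
/interface l2tp-server server set enabled=yes use-ipsec=yes \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK" default-profile=default

# One PPP account per remote site. The routes= field installs the route to the
# Site 2 LAN on Site 1 only while that client is connected (format: dst gateway metric).
/ppp secret add name=site2 password="REPLACE-SITE2-PASSWORD" service=l2tp \
    local-address=10.255.0.1 remote-address=10.255.0.2 \
    routes="192.168.2.0/24 10.255.0.2 1"

# Firewall: accept IKE, NAT-T and ESP on the WAN input chain, and accept
# L2TP (UDP 1701) only when it arrives inside the IPsec policy, so plain
# unencrypted L2TP is never accepted.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 \
    in-interface=ether1 action=accept comment="IKE / NAT-T"
/ip firewall filter add chain=input protocol=ipsec-esp \
    in-interface=ether1 action=accept comment="ESP"
/ip firewall filter add chain=input protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec action=accept comment="L2TP inside IPsec only"

# ===== Site 2 (private IP behind mobile-carrier NAT): active initiator =====
# connect-to uses Site 1's cloud DNS name; the client must initiate because
# nothing can reach it from the outside. No default route over the tunnel.
/interface l2tp-client add name=l2tp-site1 \
    connect-to=<SITE1-ID>.sn.mynetname.net user=site2 \
    password="REPLACE-SITE2-PASSWORD" use-ipsec=yes \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-PSK" \
    add-default-route=no disabled=no

# Static route to the Site 1 LAN via the tunnel interface; the return route on
# Site 1 comes from the routes= entry of the PPP secret above.
/ip route add dst-address=192.168.1.0/24 gateway=l2tp-site1

# Check on either side that the IPsec SA is up and traffic is actually encrypted:
#   /ip ipsec active-peers print
#   /ip ipsec installed-sa print
#   /interface l2tp-client monitor l2tp-site1 once
```

Site 3 is added the same way: a second `/ppp secret` (its own password and `routes="192.168.3.0/24 10.255.0.3 1"`) on Site 1 and an identical client block on the Site 3 router, so Site 2 to Site 3 traffic transits Site 1 as the answer describes. If Site 2 must instead talk to Site 3 directly, Site 3 runs the same server block with its own `/ip cloud` name and Site 2 adds a second l2tp-client pointing at it; the `ipsec-policy=in,ipsec` rule is the check worth keeping on every responder, since it is what prevents a misconfigured or downgraded client from bringing up an unencrypted L2TP session.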

Thanks a lot. In the meantime I tried it with OpenVPN using the cloud DNS name. It works perfectly, also for accessing the remote network devices.
Last question: are there any reasons to use an IPsec tunnel instead of the OpenVPN solution? Or are both of equal “quality”, like security and reliability, to use in this site-to-site scenario?

MikroTik acting as OpenVPN client doesn’t check the server certificate, so MITM attacks are possible. MikroTik’s implementation of OpenVPN only uses TCP as transport, which causes various headaches where the network quality is not constantly good (so for a mobile connection I’d be really careful with it). And MikroTik’s R&D doesn’t seem to be really focused on OpenVPN, so these issues persist for years.