Site to Site VPN - which is best?

I need to set up a site-to-site VPN between various Mikrotik routers. The requirement is that every PC on the respective LANs needs to be able to connect to servers on the other remote LANs. There will be DNS servers on each site to save me adding static DNS entries. These VPNs will be over the Internet so encryption and authentication are critical. There are max 50 users per LAN.

I understand that IPSec is a bit klutzy at the moment but please convince me it isn’t. I also understand that PPTP is mainly used for an end user to connect to a remote LAN so perhaps this is out. L2TP will need to use IPSec so perhaps this is also out? I don’t know if IPIP will do this as I read somewhere (aussie zoo said this) that IPIP doesn’t offer any encryption at all.

I don’t want to bridge everything so EOIP is out of the question.

I don’t know enough about VRF (in fact nothing at this stage). I’ve set up other site-to-site VPNs using Draytek routers so I know this is possible with IPSec but having dived into the search function, I’m a bit hesitant to use IPSec on the Mikrotiks.

I would appreciate any feedback on which is the best option given my requirements.

Thanks.

IPSec is the best; however, it requires more knowledge and maintenance (hand holding to clear SA for some reason).

L2TP is probably the next best. Single UDP port through the firewalls on the net. Always stable. 128-bit MPPE encryption without using IPSec. I personally choose L2TP, especially now that you can change the MRRU.

Thanks Sam. I don’t know enough about L2TP, especially MRRU, but Google is my friend. I see there’s an example in the manual so I think I’ll try this first. So you say that I can use encryption without having to add IPSec?

This is very good news indeed.

Thanks again.

Thanks Sam.

Got this working OK. I didn’t have to fiddle with either firewall as I don’t have a forward chain drop rule (yet). Is this correct?

Tell me, what are the issues surrounding the ability to change the MRRU?