Setup is one site with an MT router with a static public IP. The other sites should become some hAPs with ETH1 configured as WAN with DHCP. So the second sites' public IPs are not static and it's NATed in every case. So I configured 1 peer on Site one with no IP address for the remote site. The first VPN could establish, the second, with the second peer, not, because they will try every time to use the first peer configured on Site1.
Phew, it's complicated to explain, please forgive my bad English.
Site1 (Main Site)
Site2-X (Client Sites) with HAP as Network and VPN Gateway behind NAT
Maybe someone knows a best-practice Site1 peer and policy config?
In my setup I have IPsec site-to-site where both sides are behind dynamic IP addresses. I use DynDNS on both sides to establish the connection. You can simply use the DynDNS address in the peer config instead of the IP address.
As long as only one side is behind NAT, it doesn’t matter. If both sides are behind NAT, it depends on the NAT. Read this excellent post about it: http://forum.mikrotik.com/t/new-option/143342/2
Hi MrHae,
Lucky for you, one site has a static public IP, so you can do the VPN server/client, with the MT with the static IP always listening and the hAP as the initiator, as a road-warrior-like configuration.
Yes, that's not the problem. The problem is if I want to set up a second, third, fourth VPN to this router with the public IP.
Because for that I'll configure a second (third, fourth, ...) peer, identity and policy to match, BUT the router just tries to connect to the first peer in the list, gets the wrong identity to check, gets a false PSK and fails. If I set the same PSK for all client connections, I would get a problem with policy -> peer and the networks.
I tried to separate the connections by FQDN or ID in the identity, but I think the way it works is "client router" connects -> peer -> the peer is connected with ONE identity and with ONE policy, so wrong peer -> wrong identity = wrong FQDN or ID, and it doesn't try the second peer and so on...
It all depends on if you use IKEv1 or IKEv2, if you want to use separate keys for each peer, if you can live with L2TP over IPsec or not, and what method you want to use to route the traffic.
So there are many variables.
I use L2TP/IPsec with a single key for everyone, but a different username/password for each peer. I use BGP to route the correct subnets to/from each peer.
It works fine with multiple clients over NAT, but not when multiple clients are behind the same public IP.
It is also possible to use IKEv2 with identities configured for each peer (and you can use different keys), but the routing and NAT is always an issue with those IPsec subnet tunnels.
I tried to separate the connections by unidentifiable endpoints, but if I just have ONE peer for NAT devices (so in my eyes) they all come in over this peer (IKEv2); after that I have separate identities for that peer with different PSKs and can select by manually configured FQDNs.
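The layout the last two replies describe, as an added example (not configuration from this thread or from MikroTik's own documentation): one passive IKEv2 peer on the hub, one identity per client site selected by the FQDN the client sends as its IKE ID, each with its own PSK and its own policy template group. All names, subnets, the hub address 203.0.113.1 and the PSK strings are placeholders.

```routeros
# --- Hub (Site1, static public IP) -------------------------------------
# One passive IKEv2 peer accepts every NATed hAP. Clients are told apart
# by the FQDN they send as IKE identity; each gets its own PSK and its own
# policy template group, so one site's key never opens another site's tunnel.
/ip ipsec profile
add name=ike2-hub enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 nat-traversal=yes
/ip ipsec proposal
add name=ike2-esp enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
/ip ipsec peer
add name=hub-passive passive=yes exchange-mode=ike2 profile=ike2-hub
# one template group and one template policy per client site (hub LAN 10.1.0.0/24)
/ip ipsec policy group
add name=site2
add name=site3
/ip ipsec policy
add group=site2 template=yes src-address=10.1.0.0/24 dst-address=10.2.0.0/24 proposal=ike2-esp
add group=site3 template=yes src-address=10.1.0.0/24 dst-address=10.3.0.0/24 proposal=ike2-esp
# one identity per client, chosen by remote-id (PSK values are placeholders)
/ip ipsec identity
add peer=hub-passive auth-method=pre-shared-key secret="SITE2-PSK-PLACEHOLDER" \
    my-id=fqdn:hub.example.com remote-id=fqdn:site2.example.com \
    match-by=remote-id generate-policy=port-strict policy-template-group=site2
add peer=hub-passive auth-method=pre-shared-key secret="SITE3-PSK-PLACEHOLDER" \
    my-id=fqdn:hub.example.com remote-id=fqdn:site3.example.com \
    match-by=remote-id generate-policy=port-strict policy-template-group=site3

# --- Client (Site2 hAP, ETH1 on DHCP behind NAT) -------------------------
/ip ipsec profile
add name=ike2-hub enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 nat-traversal=yes
/ip ipsec proposal
add name=ike2-esp enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048
/ip ipsec peer
add name=hub address=203.0.113.1/32 exchange-mode=ike2 profile=ike2-hub
# my-id must be exactly the remote-id the hub expects for this site
/ip ipsec identity
add peer=hub auth-method=pre-shared-key secret="SITE2-PSK-PLACEHOLDER" \
    my-id=fqdn:site2.example.com remote-id=fqdn:hub.example.com
/ip ipsec policy
add peer=hub tunnel=yes src-address=10.2.0.0/24 dst-address=10.1.0.0/24 proposal=ike2-esp
# keep tunnel traffic out of the masquerade rule so the policy still matches
/ip firewall nat
add chain=srcnat action=accept src-address=10.2.0.0/24 dst-address=10.1.0.0/24 place-before=0
```

The hub needs the same srcnat accept rule for its own LAN towards each client subnet if it masquerades, and with match-by=remote-id every client's FQDN must be unique, otherwise the wrong identity (and PSK) is picked, which is the failure the thread describes.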