Vpn site to site behind ISP router

pulzpulz · June 30, 2023, 4:57pm

Hello everyone,

context:
vpn should be used by branches to access a webserver on main site and phones (with only lan support) to access phone server on main site.

i need to implement a vpn site2site behind, but i’m struggling finding info.
vpn server is behind another mikrotik (closed, property of ISP). I’ve asked to open some ports (50,51 tcp+udp, 500,1701,4500 udp that are the ones i found in online material for forwarding ipsec+l2tp), but i cannot instantiate a connection to my MK ipsec+l2tp (i can connect to vpn server from lan from windows 10 client, but cannot from outside)

1)Are these port forwarding valid for routerOS implementation of IPSEC+L2TP?
2) I implemented by ppp → l2tp server, is this correct way?
3) are better ways to implement this kind of vpn (wireguard etc)?
4) given that i need to connect another 2 sites to same main one (a star configuration i think), are these requests legit or i miss more things?

thank you

McGremlin · June 30, 2023, 5:21pm

Hi.

Is ISP Mikrotik your gateway or do you have your own Mikrotik gateway in your network which is connected to ISP (WAN)?

wiseroute · July 2, 2023, 3:02pm

hello pulzpulz,

instantiate a connection to my MK ipsec+l2tp (i can connect to vpn server from lan from windows 10 client, but cannot from outside)

one thing you need to know first, which router do the nat/masquerade for your lan? the isp cpe router or your router?

second, you need to know whether your lan is behind cgnat or not :

if yes, then outside branch can’t initiate vpn to your router. you need to initiate the vpn to that branch or try to use cloud based vpn server.

if not behind cgnat - then the only problem is your isp router.

hope this helps.

pulzpulz · July 3, 2023, 8:02am

1 mikrotik from ISP (closed, i cannot access. I can request port forwarding, rules etc)
1 mikrotik that is ours connected downstream in bridge mode

pulzpulz · July 3, 2023, 8:04am

ISP router does nat.
i’ve a public ip, so i think it’s not a cgnat problem (am i wrong?)

wiseroute · July 3, 2023, 2:32pm

hello pulzpulz,

ISP router does nat.

from there, i just would like to ask you whether you subscribed to your isp managed service?

because not that i don’t want to help you, but I think your requirements will be much easier for you to work with your isp in this matter. just let them know what you want and let them do the work for you.

hope this helps.