Invisible999
just joined
Topic Author
Posts: 3
Joined: Wed Jul 18, 2018 10:58 am

Considering mikrotik products. Couple of questions

Wed Jul 18, 2018 11:35 am

Hello everybody,

Here is the situation and sorry for a longer intro/description here.

We have the following setup: five sites, let's call them Core Sites, on four different continents. For each site we need to have 3 to 5 site-to-site IPsec VPNs from clients connecting to the Core Site; each client will connect only to the Core Site in its own geographical area. We also need to stretch L2 across, using encapsulation of L2 traffic inside IPsec. Now each Core Site also needs an IPsec connection to the other Core Sites to have a full mesh config. It comes to 10 concurrent IPsec tunnels for each Core Site to maintain.

Then, we need boxes which connect to the Core Sites to form IPsec and L2 stretch tunnels. Until this year we've been using Cisco 1900 series for the Core Site server and 800 series for the remote VPN boxes.

Now, due to budgetary restraints, we've been told to replace this setup. I did my research and it seems MikroTik boxes are supposed to do the above setup while offering a high performance/price ratio. However, I still have several questions and would appreciate it if you can help me:

1. I really want to run a VM for each Core Site as a headend/IPsec VPN termination option. Does Cloud Hosted Router have all the functionality of the physical boxes? I will need a minimum of 4 interfaces for the VM: one external, one DMZ, one admin and one for a VLAN trunk with 200 VLANs.

2. Have any of you had experience running L2 over IPsec using MikroTik boxes, and what was the experience? I am mainly concerned about tunnel stability. We can't use pure L2TPv3 or GRE because the only ports/protocols available in our environment for tunneling are IPsec. Currently we encapsulate L2TPv3 inside IPsec, but it has its own drawbacks: high CPU usage on the 800 series boxes due to IP fragmentation. Do MikroTik boxes have a way to manage/handle it?

3. Very desirable but not required: SSL/TLS VPN with VLAN support; currently we are using F5 APM for it. Our setup is the following: at the core (as mentioned above) we have about 200 VLANs. In each VLAN there are a number of VMs. The user connects to the VPN web page (using a browser or standalone client) and provides a username, password and key. The username and password are authenticated using Active Directory, and the key is used to determine in which VLAN the user will be placed. After successful authentication the user gets an IP address from the destination VLAN and can interact with devices there.
Is the above setup possible with MikroTik boxes?

4. Finally, mapping external IP addresses to internal ones with URL/content rewriting and URL filtering using a whitelist/blacklist. Is such an option available on MikroTik boxes?

Thanks.
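The fragmentation problem raised in question 2 comes from the stacked encapsulation: an Ethernet frame is carried in L2TPv3 over IP, which is then wrapped in ESP in tunnel mode, so a full-size 1500-byte inner packet produces an outer packet well over the path MTU and every one of them is fragmented and reassembled by the routers at both ends. The calculator below is an added example, not code from the post or from MikroTik; it uses the RFC header sizes and assumes AES-128-CBC with HMAC-SHA1-96 for ESP and an L2TPv3-over-IP session header with no cookie and no L2-specific sublayer (the cipher and L2TPv3 options are assumptions chosen for illustration, not a vendor default). It derives the largest inner packet that fits an outer MTU without fragmentation and the TCP MSS to clamp on the bridge so TCP flows stay under that size.

```python
"""Encapsulation overhead for Ethernet-in-L2TPv3-in-ESP (tunnel mode).

Header sizes are taken from the RFCs; the ESP cipher/integrity parameters
are assumptions for the example (AES-128-CBC + HMAC-SHA1-96).
"""

from dataclasses import dataclass

IPV4_HDR = 20        # IPv4 header without options (outer and L2TPv3 delivery)
ETH_HDR = 14         # Ethernet II header of the bridged frame
VLAN_TAG = 4         # 802.1Q tag, present if the stretched L2 carries tagged frames
L2TPV3_IP_HDR = 4    # L2TPv3 over IP: 32-bit Session ID (RFC 3931), no cookie assumed
ESP_HDR = 8          # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2      # pad length + next header
TCP_HDR = 20         # TCP header without options


@dataclass(frozen=True)
class EspParams:
    iv_len: int      # IV length in bytes (16 for AES-CBC)
    block: int       # cipher block size the ESP payload is padded to
    icv_len: int     # integrity check value length (12 for HMAC-SHA1-96)


# Assumed transform set for the example.
AES128_CBC_SHA1 = EspParams(iv_len=16, block=16, icv_len=12)


def esp_packet_len(payload_len: int, p: EspParams) -> int:
    """Length of an ESP packet carrying payload_len plaintext bytes.

    RFC 4303 pads payload + trailer up to the cipher block size, so the
    overhead is not a constant: it jumps by a whole block at boundaries.
    """
    body = payload_len + ESP_TRAILER
    padded = (body + p.block - 1) // p.block * p.block
    return ESP_HDR + p.iv_len + padded + p.icv_len


def outer_packet_len(inner_ip_len: int, p: EspParams, tagged: bool = False) -> int:
    """Outer IPv4 length on the wire for an inner IP packet of inner_ip_len
    bytes that is bridged as an Ethernet frame over L2TPv3-in-ESP."""
    frame = ETH_HDR + (VLAN_TAG if tagged else 0) + inner_ip_len
    l2tp_delivery = IPV4_HDR + L2TPV3_IP_HDR + frame   # L2TPv3/IP packet, ESP plaintext
    return IPV4_HDR + esp_packet_len(l2tp_delivery, p)


def fragments(inner_ip_len: int, outer_mtu: int, p: EspParams, tagged: bool = False) -> bool:
    """True if the outer packet would exceed outer_mtu and be fragmented."""
    return outer_packet_len(inner_ip_len, p, tagged) > outer_mtu


def max_inner_mtu(outer_mtu: int, p: EspParams, tagged: bool = False) -> int:
    """Largest inner IP packet that never fragments the outer packet.

    A downward search is used because ESP padding makes the overhead
    non-linear; the first size that fits is the answer.
    """
    for n in range(outer_mtu, 0, -1):
        if not fragments(n, outer_mtu, p, tagged):
            return n
    return 0


def tcp_mss_for(inner_mtu: int) -> int:
    """TCP MSS to clamp on the bridge so TCP segments respect inner_mtu."""
    return inner_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    for tagged in (False, True):
        mtu = max_inner_mtu(1500, AES128_CBC_SHA1, tagged)
        print(f"tagged={tagged}: 1500-byte inner packet becomes "
              f"{outer_packet_len(1500, AES128_CBC_SHA1, tagged)} bytes outer; "
              f"max inner MTU {mtu}, clamp TCP MSS to {tcp_mss_for(mtu)}")
```

With a 1500-byte outer path the untagged case yields a 1400-byte inner MTU and a 1360-byte MSS; a VLAN-tagged frame costs four more bytes. Lowering the MTU of the bridged interface (or clamping MSS on TCP) to these values keeps the encapsulated traffic under the outer MTU, which removes the fragment/reassemble work the post attributes to the 800 series CPUs; any other transform (e.g. a 16-byte ICV) changes the numbers, so rerun the calculation for the real transform set.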
