zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

IPsec/GRE between sites w/ MT (again...)

Sun Sep 09, 2018 3:31 pm

Hello!

As someone with basic knowledge of switching and routED protocols, I'm asking for some (OK, maybe more :D) help.

I have a few personal sites, all of which use MikroTiks. Now I need secure tunnels between these sites of mine. For that I chose to use GRE in IPsec. My idea is to use GRE for the 'heavy lifting' and use IPsec only for encryption.

Having these two points in mind, what approach will work?
- One site (site A) is connected via an LTE modem. As you know, all inbound traffic is filtered at the telco, i.e. I cannot initiate a tunnel TO this site.
- Site A sometimes gets its IP changed from the telco side, as it's connected to the Internet via the LTE modem. This will surely break the tunnels (not a biggie), but config-wise it's a bit unclear to me.

I have a mix of SOHO MikroTiks on my sites. Can I use strong crypto while sacrificing performance, as none of my Tiks has built-in HW offload for IPsec?

What are the pitfalls and limitations in my case? How should I configure the sites properly for all this to work? I'll post a Visio drawing later on for some more details.

TIA!
 
evince
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: IPsec/GRE between sites w/ MT (again...)

Sun Sep 09, 2018 9:16 pm

Hello,

You can use L2TP/IPsec for your tunnels. Then your LTE site will work as the client and will not care about the dynamic IP.
 
zlobster
Frequent Visitor
Topic Author
Posts: 63
Joined: Sun Nov 20, 2016 2:47 pm

Re: IPsec/GRE between sites w/ MT (again...)

Mon Sep 10, 2018 10:58 pm

Hello!

Thanks for writing back!

Given that Cisco AnyConnect is working just fine over the same mobile connections, I too believe it's possible to use IPsec over mobile.

My other questions and thoughts still remain, though.

For example, how should I configure the non-LTE site when I wouldn't know what IP my ISP will assign to my LTE site? -> If my LTE site builds the IPsec tunnel, when will my non-LTE site know the 'real' IP of the LTE site? -> If my non-LTE site has traffic to send over to the LTE site, how will this traffic pass through the ISP NAT/PAT/firewall, as it isn't 'associated' in advance?

Please don't hate on me much, I'm obviously a n00b. :lol: If I knew all this I wouldn't be posting here in the first place, right?
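The following is an added worked example of the client/server layout evince suggests, written to answer the three questions in the post above; it is not configuration from the thread or from MikroTik's documentation. It assumes RouterOS 6.4x command syntax (current when the thread was written; 6.45 and later move IPsec peer settings into profiles and identities), a static public address 203.0.113.10 at the non-LTE site (site B), LAN 192.168.1.0/24 behind site B, LAN 192.168.2.0/24 behind the LTE site (site A), a transit range 10.255.0.0/24 for the tunnel, and placeholder credentials to be replaced. The point of the design: site B never needs to know site A's address in advance, because site A always initiates; once the IKE/ESP session exists through the carrier NAT, site B's return traffic rides that same session, which is what the carrier's stateful NAT allows. A plain `/interface gre` on site B would instead need a fixed `remote-address`, which is why a dial-in style tunnel fits the dynamic side better.

```routeros
# ---- Site B: static public IP 203.0.113.10, L2TP server, IPsec mandatory ----
# Assumed: RouterOS 6.4x syntax; all names, addresses and secrets are placeholders.

# Transit addressing for the tunnel; the secret below pins site A to 10.255.0.2
# so a static route can point at it before the tunnel is even up.
/ip pool add name=l2tp-pool ranges=10.255.0.2-10.255.0.10
/ppp profile add name=l2tp-site-profile local-address=10.255.0.1 \
    remote-address=l2tp-pool use-encryption=required
/ppp secret add name=siteA password=CHANGE-ME-LONG-RANDOM service=l2tp \
    profile=l2tp-site-profile remote-address=10.255.0.2

# L2TP server that refuses sessions not wrapped in IPsec. RouterOS creates the
# IPsec peer (listening on any address, passive) and policy automatically.
/interface l2tp-server server set enabled=yes default-profile=l2tp-site-profile \
    authentication=mschap2 use-ipsec=required ipsec-secret=CHANGE-ME-PSK

# The auto-created policy uses the "default" proposal; harden it explicitly
# (AES-256-CBC + SHA-256 with PFS). Both ends are MikroTik, so PFS is fine.
/ip ipsec proposal set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=30m

# Inbound IKE, NAT-T and ESP from anywhere: site A's source address is unknown.
# L2TP (UDP/1701) itself stays closed; it only ever arrives inside ESP.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept \
    comment="IKE / NAT-T from site A (dynamic address)" place-before=0
/ip firewall filter add chain=input protocol=ipsec-esp action=accept \
    comment="ESP from site A" place-before=0

# Route to site A's LAN via the pinned transit address; becomes active when
# the L2TP session is up and is simply unreachable while site A is offline.
/ip route add dst-address=192.168.2.0/24 gateway=10.255.0.2 \
    comment="site A LAN over L2TP/IPsec"

# ---- Site A: LTE, dynamic carrier-NAT address, L2TP client, always initiates ----
/interface l2tp-client add name=l2tp-to-siteB connect-to=203.0.113.10 \
    user=siteA password=CHANGE-ME-LONG-RANDOM allow=mschap2 \
    use-ipsec=yes ipsec-secret=CHANGE-ME-PSK add-default-route=no disabled=no

# Site A can route by interface name, since the client interface is static here.
/ip route add dst-address=192.168.1.0/24 gateway=l2tp-to-siteB \
    comment="site B LAN over L2TP/IPsec"
```

When the carrier changes site A's address, the existing session simply dies and the L2TP client redials with the new source address; nothing on site B references the old address, so no reconfiguration is needed. The cost of the strong proposal is CPU on both routers, since neither has IPsec offload; check `/ip ipsec installed-sa print` on site B after the client connects to confirm that AES-256-CBC/SHA-256 were actually negotiated rather than a weaker fallback, and `/ip ipsec active-peers print` to see the address the carrier is currently presenting for site A.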
