spiketechnics
newbie
Topic Author
Posts: 34
Joined: Tue Dec 12, 2017 10:47 pm
Location: Breda

Two L2TP-tunnels from one WAN

Tue Jan 22, 2019 1:36 pm

Hi,

I've configured our RB3011UiAS (v6.43.8) to make a VPN-connection with L2TP/IPSEC.
Everything is working, but last weekend I noticed that I can only connect with one VPN client from the same WAN.

VPN is connected on both devices, but only one has a connection with the network.

Do I need to change a setting in the Mikrotik?

Best regards,
Joost Lauwen
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Two L2TP-tunnels from one WAN

Tue Jan 22, 2019 1:50 pm

There's nothing you did wrong.
It's the nature of ipsec-esp - the protocol does not contain any information which session it belongs to. So the edge router where your road warriors are located has no idea to which client it has to send incoming packets. Usually the first connected client wins and gets them all.

For these occasions (multiple VPN users staying at the same hotel and connecting back to the office at the same time) I added a SSTP server which works nicely. And it's more resilient when going through firewalls that are either misconfigured or blocking ipsec or other vpn on purpose.

-Chris
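
A simplified model of the point made in the reply above, as an added example that is not part of the original posts: it shows why two clients behind one NAT collide on portless ESP while a TCP-based tunnel such as SSTP does not. The NAT behaviour (keying ESP on protocol and remote address only, first client keeps the mapping) and all addresses are constructed assumptions, not the behaviour of any specific router.

```python
# Simplified NAPT model (an assumption, not any specific router's behaviour).
ESP, TCP = 50, 6  # IP protocol numbers

class Nat:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}          # inbound lookup key -> inside host
        self.next_port = 40000   # next free public source port

    def outbound(self, proto, inside_ip, remote_ip, sport=None, dport=None):
        """Translate an outgoing packet and record state for the replies."""
        if proto == TCP:
            # TCP carries ports: every flow gets its own public source port.
            pub_port = self.next_port
            self.next_port += 1
            self.table[(TCP, remote_ip, dport, pub_port)] = (inside_ip, sport)
            return pub_port
        # ESP has no ports; the only cleartext key is (protocol, remote IP).
        # The first client to send keeps the mapping.
        self.table.setdefault((ESP, remote_ip), inside_ip)
        return None

    def inbound(self, proto, remote_ip, sport=None, dport=None):
        """Return the inside host a reply is delivered to, or None."""
        if proto == TCP:
            hit = self.table.get((TCP, remote_ip, sport, dport))
            return hit[0] if hit else None
        return self.table.get((ESP, remote_ip))

def simulate():
    office = "203.0.113.10"                      # constructed addresses
    clients = ["192.168.1.20", "192.168.1.21"]   # two laptops in one hotel
    nat = Nat("198.51.100.7")
    # Both clients send ESP to the same office router.
    for c in clients:
        nat.outbound(ESP, c, office)
    esp_rx = [nat.inbound(ESP, office) for _ in clients]
    # Both clients open SSTP (TCP 443), even with identical local ports.
    ports = [nat.outbound(TCP, c, office, sport=50000, dport=443) for c in clients]
    tcp_rx = [nat.inbound(TCP, office, sport=443, dport=p) for p in ports]
    return esp_rx, tcp_rx

if __name__ == "__main__":
    esp_rx, tcp_rx = simulate()
    print("ESP replies delivered to:", esp_rx)
    print("SSTP/TCP 443 replies delivered to:", tcp_rx)
```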
 
spiketechnics

Re: Two L2TP-tunnels from one WAN

Wed Jan 23, 2019 10:33 am

> There's nothing you did wrong.
> It's the nature of ipsec-esp - the protocol does not contain any information which session it belongs to. So the edge router where your road warriors are located has no idea to which client it has to send incoming packets. Usually the first connected client wins and gets them all.
>
> For these occasions (multiple VPN users staying at the same hotel and connecting back to the office at the same time) I added a SSTP server which works nicely. And it's more resilient when going through firewalls that are either misconfigured or blocking ipsec or other vpn on purpose.
>
> -Chris

Hi Chris,

Thank you. I've configured the SSTP-server on the Mikrotik and it is working ok.

Only problem is that we are also using Mac OSX to establish a VPN-connection. And SSTP is default in Windows.

Best regards,
Joost Lauwen
 
cdiedrich

Re: Two L2TP-tunnels from one WAN

Wed Jan 23, 2019 10:46 am

http://macappstore.org/sstp-client/
/Chris
 
spiketechnics

Re: Two L2TP-tunnels from one WAN

Wed Jan 23, 2019 12:06 pm

> http://macappstore.org/sstp-client/
> /Chris

Thanks!

I've also established an SSTP site-to-site between two Mikrotiks.
Mikrotik1:
LAN-subnet: 192.168.88.0/24
Mikrotik 2:
LAN-subnet: 192.168.99.0/24

SSTP-tunnel has LAN-subnet: 10.10.100.0/24

What do I need to configure to access computers/devices in Mikrotik1-network from the Mikrotik2-network?
 
cdiedrich

Re: Two L2TP-tunnels from one WAN

Wed Jan 23, 2019 12:21 pm

Just add (static) routes with the remote address of the tunnel as gateway.
As a side note: L2TP/IPsec or plain IPsec would give you much better results in a site2site tunnel - SSTP is TCP-based and sending acks back and forth has a negative impact on latency and hence throughput. Additionally, SSTP has more protocol overhead than L2TP/IPsec.
-Chris
