MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Site to Site VPN

Fri May 28, 2021 5:48 pm

Hey guys, I have a somewhat special problem.

The setup is one site with an MT router with a static public IP. The other sites should become some hAPs with ETH1 configured as WAN with DHCP. So the second sites' public IPs are not static and it's NATed in every case. So I configured one peer on site one with no IP address for the remote site. The first VPN could establish; the second, with the second peer, could not, because they try every time to use the first peer configured on site 1.

Phew, it's complicated to explain; please forgive my bad English.

Site1 (main site)
Site2-X (client sites) with hAP as network and VPN gateway behind NAT

Maybe someone knows a best-practice Site1 peer and policy config?
 
DeJoe
newbie
Posts: 33
Joined: Thu May 31, 2018 4:26 pm

Re: Site to Site VPN

Sun May 30, 2021 1:07 pm

Hi.

In my setup I have IPsec site-to-site where both sides are behind dynamic IP addresses. I use DynDNS on both sides to establish the connection. You can simply use the DynDNS address in the peer config instead of the IP address.
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Site to Site VPN

Sun May 30, 2021 6:56 pm

What about double NAT, like at LTE carriers?
 
DeJoe
newbie
Posts: 33
Joined: Thu May 31, 2018 4:26 pm

Re: Site to Site VPN

Sun May 30, 2021 7:25 pm

As long as only one side is behind NAT, it doesn't matter. If both sides are behind NAT, it depends on the NAT. Read this excellent post about it:
https://forum.mikrotik.com/viewtopic.p ... 9#p819589
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Site to Site VPN

Mon May 31, 2021 11:57 am

What if I come with two VPNs from the same public IP?

I thought if I use FQDN or ID in the connection I can separate the peers, but they just check the first peer and if it doesn't match they cancel.
 
AdminAdmin123
just joined
Posts: 15
Joined: Thu May 20, 2021 12:51 pm
Location: Milano, Italy

Re: Site to Site VPN

Mon May 31, 2021 1:13 pm

The setup is one site with an MT router with a static public IP. The other sites should become some hAPs with ETH1 configured as WAN with DHCP. So the second sites' public IPs are not static and it's NATed in every case.

Hi MrHae,
Lucky for you, one site has a static public IP: so you can do the VPN server-client, with the MT with the static IP always listening and the hAP as the initiator, as a road-warrior-like configuration.
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Site to Site VPN

Mon May 31, 2021 3:11 pm

Yes, that's not the problem. The problem is if I want to set up a second, third, fourth VPN to this router with the public IP.

Because for that I'll configure a second (third, fourth, ...) peer, identity and policy to match, BUT the router just tries to connect to the first peer in the list, gets the wrong identity to check, gets a false PSK and fails. If I set the same PSK for all client connections, I would get problems with policy --> peer and the networks.

I tried to separate the connections by FQDN or ID in the identity, but I think the way is: "client router" connects --> peer --> peer is connected with ONE identity and with ONE policy, so wrong peer --> wrong identity = wrong FQDN or ID, and it doesn't try the second peer and so on...
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Site to Site VPN

Mon May 31, 2021 3:24 pm

It all depends on whether you use IKEv1 or IKEv2, whether you want to use separate keys for each peer, whether you can live with L2TP over IPsec or not, and what method you want to use to route the traffic.
So there are many variables.
I use L2TP/IPsec with a single key for everyone, but a different username/password for each peer. I use BGP to route the correct subnets to/from each peer.
It works fine with multiple clients over NAT, but not when multiple clients are behind the same public IP.
It is also possible to use IKEv2 with identities configured for each peer (and you can use different keys), but routing and NAT are always an issue with those IPsec subnet tunnels.
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Site to Site VPN  [SOLVED]

Mon May 31, 2021 3:36 pm

Oh guys, I've got it.

I tried to separate the connections by unidentifiable endpoints, but if I just have ONE peer for NAT devices (so in my eyes) they all come in over this peer (IKEv2); after that I have separate identities for that peer with different PSKs and can select by manually configured FQDNs.
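The layout the thread arrives at (one passive IKEv2 peer on the static-IP site, one identity per client site with its own PSK, selected by the FQDN the client presents as its IKE ID) written out as RouterOS CLI. This is an added example and not configuration posted by anyone in the thread: interface names, subnets, the 203.0.113.10 address and the example.net FQDNs are assumptions, and the PSK strings are placeholders to be replaced.

```routeros
# ---- Site1 (static public IP): one passive IKEv2 peer for every NATed client site ----
# Added example; names, subnets and FQDNs are assumed, PSK values are placeholders.

# IKE (phase 1) settings shared by all client sites; NAT-T is needed because clients sit behind NAT
/ip ipsec profile
add name=ike2-sites hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=ecp256 \
    nat-traversal=yes dpd-interval=30s dpd-maximum-failures=3

# Child SA (phase 2) settings
/ip ipsec proposal
add name=ike2-sites auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=ecp256

# ONE peer with no address: it only listens; any client site may initiate to it
/ip ipsec peer
add name=nat-sites passive=yes exchange-mode=ike2 profile=ike2-sites

# Policy template: Site1 LAN to the range that holds all client LANs.
# Each client's identity generates its own concrete policy from this template.
/ip ipsec policy
add group=nat-sites template=yes src-address=10.1.0.0/24 dst-address=10.0.0.0/8 \
    proposal=ike2-sites

# One identity per client site on the shared peer, each with its own PSK.
# match-by=remote-id picks the identity from the ID payload the client sends,
# so the order of identities and the client's source address no longer matter.
/ip ipsec identity
add peer=nat-sites auth-method=pre-shared-key secret="PSK-FOR-SITE2-PLACEHOLDER" \
    my-id=fqdn:site1.example.net remote-id=fqdn:site2.example.net match-by=remote-id \
    generate-policy=port-strict policy-template-group=nat-sites comment="Site2"
add peer=nat-sites auth-method=pre-shared-key secret="PSK-FOR-SITE3-PLACEHOLDER" \
    my-id=fqdn:site1.example.net remote-id=fqdn:site3.example.net match-by=remote-id \
    generate-policy=port-strict policy-template-group=nat-sites comment="Site3"

# Let IKE, NAT-T and ESP in on the WAN, and keep tunnel traffic out of the masquerade rule
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface=ether1 comment="IKE / NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface=ether1 comment="ESP"
/ip firewall nat
add chain=srcnat action=accept src-address=10.1.0.0/24 dst-address=10.0.0.0/8 \
    place-before=0 comment="do not masquerade site-to-site traffic"

# ---- Client site Site2 (hAP behind NAT, dynamic WAN): one active peer toward Site1 ----
/ip ipsec profile
add name=ike2-site1 hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=ecp256 nat-traversal=yes
/ip ipsec proposal
add name=ike2-site1 auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=ecp256
/ip ipsec peer
add name=site1 address=203.0.113.10/32 exchange-mode=ike2 profile=ike2-site1
/ip ipsec identity
add peer=site1 auth-method=pre-shared-key secret="PSK-FOR-SITE2-PLACEHOLDER" \
    my-id=fqdn:site2.example.net remote-id=fqdn:site1.example.net
/ip ipsec policy
add peer=site1 tunnel=yes src-address=10.2.0.0/24 dst-address=10.1.0.0/24 proposal=ike2-site1
/ip firewall nat
add chain=srcnat action=accept src-address=10.2.0.0/24 dst-address=10.1.0.0/24 \
    place-before=0 comment="do not masquerade tunnel traffic"
```

Each further client site is one more identity on Site1 (its own PSK, its own `remote-id`) plus a mirror of the Site2 block with its own LAN and FQDN; the template `dst-address` only has to cover that LAN. Because the identity is chosen from the IKE ID payload rather than the source address, a separate PSK per site costs nothing extra and keeps one leaked key from opening every tunnel; whether several clients behind the same NAT device all get through still depends on that NAT, as noted earlier in the thread. To check the result on Site1, `/ip ipsec active-peers print` shows which identity each client matched, `/ip ipsec installed-sa print` shows the negotiated SAs, and `/log print where topics~"ipsec"` shows a failed identity or PSK match.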
