What L2-VPN should be used?

Posted: Tue Apr 10, 2018 7:44 pm
by n4p
Hi there,
I am searching for the best VPN standard to realise a layer 2 VPN tunnel between 1 head station and 2-3 substations.
Those substations are connected redundantly to the head station and use OSPF.

It should be as secure as possible and cause no problems if the routing from OSPF changes.

Layer 3 VPN is likely not an option.

I already played around with OpenVPN tap but I can't get it working correctly; the connection is established but no traffic goes through the tunnel.

Thanks for your help!

Re: What L2-VPN should be used?

Posted: Tue Apr 10, 2018 10:00 pm
by lambert
Insufficient requirements listed.

"Which VPN is best?" is likely to be a religious question. Many people could be harmed in the overheated arguments about that. It's the same as "vi" vs "emacs".

If you can fully explain what you are trying to accomplish (who should be able to communicate with who and what all the network links are), we *may* be able to give you a few ways to accomplish the task and you can pick the best method for you.

Re: What L2-VPN should be used?

Posted: Tue Apr 10, 2018 10:48 pm
by n4p
I wouldn't think so. Because for L2 VPN the options are limited as far as I know.

What I need is L2 transparency between head and substation. And that securely.
The bandwidth I have to get through this tunnel is very small.
Max. 1 Mbit (limited by the WAN connections).

So what more do you need?


Re: What L2-VPN should be used?

Posted: Wed Apr 11, 2018 4:20 pm
by Anumrak
EoIP over IPsec. If optical links between cities would be yours, then VPLS.

Re: What L2-VPN should be used?

Posted: Wed Apr 11, 2018 8:55 pm
by n4p
Yes, I have optical links. But I won't use MPLS or VPLS.
Today I tried EoIP + IPsec secret with RSTP and multiple links. It works fine.

I also tried OpenVPN with a tap tunnel and RSTP; it also works very well (aes256).

So if I understand you correctly, you would prefer EoIP over IPsec instead of EoIP with IPsec secret.

It would be nice if it were possible to adjust the encryption with EoIP and secret. But you can only use 3des, aes128 and sha1.

Thanks!

Re: What L2-VPN should be used?

Posted: Thu Apr 12, 2018 10:11 am
by Anumrak
I meant EoIP + IPsec secret. Default is sha1/aes128cbc.

Re: What L2-VPN should be used?

Posted: Thu Apr 12, 2018 6:14 pm
by n4p
Is there any possibility to increase the encryption if I use EoIP + IPsec secret?

SHA1 is already known to be vulnerable. And as far as I know RouterOS supports sha256 and more.

Thanks


Re: What L2-VPN should be used?

Posted: Fri Apr 13, 2018 12:59 pm
by Anumrak
No. Then use a custom IPsec profile.

Re: What L2-VPN should be used?

Posted: Fri Apr 13, 2018 4:06 pm
by n4p
So you mean first IPsec site to site and then EoIP over that? Correct?
Thanks!

Re: What L2-VPN should be used?

Posted: Sun Apr 15, 2018 4:47 pm
by CZFan
Why do you want L2? It will mean all broadcast data will also go across the link.

Re: What L2-VPN should be used?

Posted: Mon Apr 16, 2018 5:07 pm
by Anumrak
> So you mean first IPsec site to site and then EoIP over that? Correct?
> Thanks!

Correct :)
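
The layout confirmed above (IPsec between the sites first, EoIP over it), as an added example that is not part of the thread. It assumes a RouterOS 6 release where the Phase 1 algorithms are set on the peer (newer releases move them to /ip ipsec profile and /ip ipsec identity); the addresses, names, tunnel-id and secret are constructed placeholders.

```routeros
# Added example, head-station side. Constructed values:
# head station 192.0.2.1, substation 192.0.2.2 (mirror them on the substation).

# Variant discussed in the thread: EoIP with ipsec-secret. RouterOS creates
# the peer and policy itself and, per the thread, uses sha1/aes128cbc, which
# cannot be raised for this shortcut. Shown commented out for comparison.
# /interface eoip add name=eoip-sub1 local-address=192.0.2.1 \
#     remote-address=192.0.2.2 tunnel-id=10 allow-fast-path=no \
#     ipsec-secret=PLACEHOLDER-PSK

# Hardened variant: plain EoIP protected by a manually defined IPsec setup.

# Phase 2 proposal with SHA-256 integrity and AES-256 encryption.
/ip ipsec proposal add name=eoip-strong auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048

# Phase 1 peer; the pre-shared key is a placeholder, use a long random one.
/ip ipsec peer add address=192.0.2.2/32 auth-method=pre-shared-key \
    secret=PLACEHOLDER-LONG-RANDOM-PSK hash-algorithm=sha256 \
    enc-algorithm=aes-256 dh-group=modp2048

# Transport-mode policy matching only GRE, the protocol EoIP is carried in.
# level=require keeps the tunnel traffic from leaving unencrypted while no
# security association is established.
/ip ipsec policy add src-address=192.0.2.1/32 dst-address=192.0.2.2/32 \
    protocol=gre sa-src-address=192.0.2.1 sa-dst-address=192.0.2.2 \
    tunnel=no action=encrypt level=require proposal=eoip-strong

# EoIP tunnel without ipsec-secret, so no automatic default policy is added.
/interface eoip add name=eoip-sub1 local-address=192.0.2.1 \
    remote-address=192.0.2.2 tunnel-id=10
```

After both sides are configured, `/ip ipsec installed-sa print` shows which authentication and encryption algorithms were actually negotiated.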

Re: What L2-VPN should be used?

Posted: Tue Apr 17, 2018 7:19 am
by n4p
@CZFan

Yes I know, that's what I need. I'm running very special components behind the tiks and those need L2 transparency.
Otherwise they need to be reconfigured, and that's a really, really hard job now and can cause instability.

