DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Multicast over L2TP/IPSec

Tue Apr 13, 2021 2:21 pm

So basically I have a cloud instance of RouterOS 6.47.9 CHR.

It has a public IPv4 address on ether1 (also WAN interface).

1. First I couldn't get IPSec/L2TP to work with Windows 10 client, even after trying out different ciphers and options. It worked with Android and iOS, however.
2. How would I go about using something like PIM to ensure that remote clients could take advantage of UPnP/multicast traffic on the cloud instance to port forward and enable P2P networking between the clients through their local L2TP subnets?

I would definitely need some help with the implementation of both aspects of this project.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Multicast over L2TP/IPSec

Tue Apr 13, 2021 2:42 pm

We use this IPsec proposal and it seems to work well on all operating systems:
/ip ipsec proposal
# phase-2 (ESP) settings; sha1 and 3des are legacy algorithms, and pfs-group=none disables phase-2 PFS
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=none
We use the MikroTik default IPsec profile, it works without modification. If you already have this, it will not appear in an export:
/ip ipsec profile
# phase-1 (IKE) settings; modp1024 and 3des are legacy values
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 lifetime=1d name=\
    default nat-traversal=yes proposal-check=obey
I don't know what you are wanting when it comes to your multicast question. What is the use case here and topology? I don't think L2TP really has any special support for multicast. Are you trying to send IPTV to clients or something over L2TP?
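The proposal and profile above only cover the IPsec negotiation. The rest of a minimal L2TP/IPsec server on a RouterOS 6 CHR, as an added example that is not part of mducharme's post or of MikroTik documentation: ether1 as the WAN, the 10.99.0.0/24 pool, the user names and every secret are placeholders to replace.

```routeros
# Added example: minimal L2TP/IPsec server on a RouterOS 6 CHR.
# Assumed (hypothetical) values: ether1 is the WAN interface, 10.99.0.0/24 is
# the VPN address pool, clientA/clientB are the remote users. Replace all
# CHANGE-ME values before use.

# Address pool and PPP profile handed to connecting L2TP clients
/ip pool
add name=l2tp-pool ranges=10.99.0.10-10.99.0.250
/ppp profile
add name=l2tp-vpn local-address=10.99.0.1 remote-address=l2tp-pool use-encryption=required

# One PPP secret per user; this, not the IPsec pre-shared key, is what
# identifies an individual client
/ppp secret
add name=clientA password=CHANGE-ME-A profile=l2tp-vpn service=l2tp
add name=clientB password=CHANGE-ME-B profile=l2tp-vpn service=l2tp

# Enable the L2TP server and require IPsec for every tunnel. The pre-shared
# key is common to all clients, so treat it as a transport secret only.
/interface l2tp-server server
set enabled=yes default-profile=l2tp-vpn use-ipsec=required ipsec-secret=CHANGE-ME-PSK

# Input firewall: allow IKE and NAT-T, ESP, and L2TP only after IPsec
# decryption. The ipsec-policy=in,ipsec matcher only matches packets that
# arrived inside an IPsec SA, so plaintext L2TP on UDP/1701 is dropped.
# These rules must sit above any final drop rule in chain=input.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface=ether1 comment="IKE / NAT-T"
add chain=input action=accept protocol=ipsec-esp in-interface=ether1 comment="ESP"
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="L2TP, IPsec-encrypted only"
add chain=input action=drop protocol=udp dst-port=1701 comment="plaintext L2TP"
```

With use-ipsec set on the L2TP server, RouterOS creates the dynamic IPsec peer, identity and policy entries itself from the default profile and proposal, which is why the two `set [ find default=yes ]` lines in the post above are the ones that decide what a Windows, Android or iOS client can negotiate. Once a client is connected, `/ip ipsec active-peers print` and `/ip ipsec installed-sa print` show which phase-1 and phase-2 algorithms were actually chosen, which is the quickest way to see whether a client fell back to one of the legacy entries.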
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Multicast over L2TP/IPSec

Tue Apr 13, 2021 5:49 pm

So here's the Topology:
(topology image not reproduced)

Client A has ISPa
Client B has ISPb

1. I want the CHR router to act as an L2TP/IPSec server that allows client A to talk to client B
2. I want the clients' multicast traffic (SSDP, UPnP, etc.) to hit the router
3. The reason for wanting multicast over the VPN is to enable dynamic port forwarding to work for clients behind CGNATs, etc.
4. Also if multicast works correctly, the clients can talk to each other as P2P devices which can ensure good latency/stability
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Multicast over L2TP/IPSec

Wed Apr 14, 2021 12:15 am

> 4. Also if multicast works correctly, the clients can talk to each other as P2P devices which can ensure good latency/stability
L2TP clients cannot communicate with each other directly by definition - any traffic from one client to another would have to go to your VPN concentrator CHR and back again.
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: Multicast over L2TP/IPSec

Thu Apr 15, 2021 12:31 am

> 4. Also if multicast works correctly, the clients can talk to each other as P2P devices which can ensure good latency/stability
> L2TP clients cannot communicate with each other directly by definition - any traffic from one client to another would have to go to your VPN concentrator CHR and back again.
Ignoring point 4, can the other three things be accomplished with L2TP/IPsec?
