Most efficient way to Site-2-Site IPsec with L2TP

Posted: Sun May 27, 2018 8:24 pm
by commander86
Hey guys,

I'm currently planning an IPsec installation with the following specs:

- Central VPN Concentrator (Static IP)
- 20+ Remote Mikrotik Clients (Dynamic and Static IP)
- Some peers can have both, a static OR a dynamic IP (failover)
- RoadWarrior Login on the Central VPN Concentrator (Apple iOS and Windows 10)

My current idea is to make L2TP tunnels to the VPN concentrator and then make policies for every network combination, but this is a bit of a pain in the ass.

Do you know any better way to achieve that all the traffic going from the client through the L2TP tunnel is encrypted, without opening the proposal too much?

Re: Most efficient way to Site-2-Site IPsec with L2TP

Posted: Sun May 27, 2018 8:48 pm
by anav
I would only use L2TP for road warrior (laptop) connections and straight IPsec for any router-to-router type connections.

Re: Most efficient way to Site-2-Site IPsec with L2TP

Posted: Sun May 27, 2018 9:07 pm
by sindy
I feel that something is missing in the picture at my side or at yours.

First, if you use L2TP over IPsec, you can forget about policies, as they only handle the L2TP transport packets and ROS creates them automatically. Using ppp profiles and l2tp server bindings, you can configure fixed private IPs and fixed interface names for the local ends of the tunnels to remote sites, so you'll use normal routing. So you "only" need to deal with the fact that at least the native Win10 client sends everything via the L2TP once it establishes it, which may not be what you want, and that it doesn't re-establish the connection fast enough when it expires (this may have changed in the past few weeks).

Second, what do you mean by "too open a proposal"? Do you intend to keep proposals as strict as possible per client type, so you are looking for a way to have several local peers with different Phase 2 proposals, all open to unknown-in-advance remote peers, on a single public IP address?

Third, if you plan several road warriors to ever connect from behind the same public address, check this.
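The setup sindy describes (L2TP over IPsec with fixed tunnel addresses, static l2tp-server bindings and plain routing instead of per-network IPsec policies), written out as an added RouterOS configuration example. This is not code from the thread; the public IP 203.0.113.1, the 10.255.0.0/24 tunnel addresses, the 192.168.x.0/24 site LANs, the user names and the CHANGE-ME secrets are all made up for illustration, and RouterOS 6.43 or later syntax is assumed for the IPsec profile/proposal lines (older 6.x puts the Phase 1 settings on the peer instead).

```routeros
# ===== Central concentrator (static public IP, assumed 203.0.113.1) =====
# Phase 1 and Phase 2 stay tight: only the algorithms the road warriors and
# the MikroTik clients actually need. RouterOS generates the transport-mode
# policy for UDP/1701 itself, so no per-network policies are required.
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128 hash-algorithm=sha256,sha1 \
    dh-group=modp2048,modp1024
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 \
    enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none

# L2TP server: IPsec is mandatory, so an L2TP session without IPsec never
# comes up. Road warriors and sites share the same server and PSK here.
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=CHANGE-ME \
    default-profile=roadwarrior

# Road warriors (iOS / Win10): addresses from a pool, no fixed binding needed
/ip pool
add name=rw-pool ranges=10.255.1.10-10.255.1.100
/ppp profile
add name=roadwarrior local-address=10.255.1.1 remote-address=rw-pool \
    use-encryption=no change-tcp-mss=yes

# Remote sites: one profile with a fixed local tunnel address; each secret
# pins the remote tunnel address, so the tunnel IPs never change.
/ppp profile
add name=s2s-sites local-address=10.255.0.1 use-encryption=no change-tcp-mss=yes
/ppp secret
add name=site-11 password=CHANGE-ME service=l2tp profile=s2s-sites \
    remote-address=10.255.0.11
add name=site-12 password=CHANGE-ME service=l2tp profile=s2s-sites \
    remote-address=10.255.0.12
add name=laptop-1 password=CHANGE-ME service=l2tp profile=roadwarrior

# Static bindings: the tunnel to each site always appears under the same
# interface name, whether the site connects from its static or its dynamic IP.
/interface l2tp-server
add name=l2tp-site-11 user=site-11
add name=l2tp-site-12 user=site-12

# Ordinary routes to each site's LAN via the named tunnel interface.
# Sites can reach each other through the concentrator this way as well.
/ip route
add dst-address=192.168.11.0/24 gateway=l2tp-site-11
add dst-address=192.168.12.0/24 gateway=l2tp-site-12

# ===== Remote MikroTik (site 11, static or dynamic public IP) =====
# The client initiates, so the concentrator never needs to know the site's
# current public address. add-default-route=no keeps Internet traffic local;
# only the routes below go through the tunnel.
/interface l2tp-client
add name=l2tp-hq connect-to=203.0.113.1 user=site-11 password=CHANGE-ME \
    use-ipsec=yes ipsec-secret=CHANGE-ME add-default-route=no \
    keepalive-timeout=10 disabled=no
/ip route
add dst-address=192.168.0.0/24 gateway=l2tp-hq comment="HQ LAN (assumed)"
add dst-address=192.168.12.0/24 gateway=l2tp-hq comment="site 12 via HQ"
```

The pfs-group=none on the Phase 2 proposal is there because the stock Windows and iOS L2TP/IPsec clients do not negotiate PFS; if all peers were MikroTik routers it could be turned on. Because the IPsec policy only ever covers the UDP/1701 transport packets between the two public addresses, every network reachable over the tunnel is encrypted without the proposal or the policies having to mention it, which is the point sindy makes above. On the remote side, the ppp profile's remote-address and the route via the named interface are what make the tunnel usable for routing regardless of which public IP the site is currently coming from.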