Community discussions

Topic Author
Posts: 30
Joined: Mon Oct 12, 2015 2:37 pm

What VPN tech with dynamic routing behind NAT?

Mon Jul 08, 2019 11:23 am

Hello, I have a scenario where I need a backup connection over LTE. The LTE connection has a private IPv4 from provider , and is subjected to change any time.

I have the LtAP from mikrotik, and I need to setup a VPN with dynamic routing to play together with a VyOS router.
Mikrotik behind NAT, dynamic IP.
VyOS has static public IP

I need dynamic routing (OSPF prefered).

What I have thought of, and does not meet my criteras are;
- OpenVPN does not work, because it uses only TCP.
- IPSEC with VTI interfaces does not exist on RouterOS
- Authorizing peer with "My-ID" works, but then I don't know how to use dynamic routing.

I don't know know if GRE interfaces will work when mikrotik side is behind NAT.

Any other options that works for with mikrotik and vyos?

So far my only option I know is to use an EdgeRouter instead, and create a link to the LtAP, because there both OpenVPN with UDP, and IPSEC VTI or Wireguard works just fine.
Forum Guru
Forum Guru
Posts: 3495
Joined: Mon Dec 04, 2017 9:19 pm

Re: What VPN tech with dynamic routing behind NAT?

Mon Jul 08, 2019 10:09 pm

To use dynamic routing protocols along with IPsec on Mikrotik, you need a tunnel like GRE or IPIP encrypted using IPsec. Depending on your preferences and also on what is on the remote end, you may want to configure GRE or IPIP over IPsec and OSPF at the LtAP, or you may configure all of that on VyOS and just use the LtAP as one of the WAN links for the VyOS. I don't know whether VyOS supports virtual IPsec interfaces (which means you wouldn't need GRE or IPIP as the tunnel mode of the IPsec SA would be sufficient) or whether it uses IPsec policies.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
Forum Guru
Forum Guru
Posts: 1101
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: What VPN tech with dynamic routing behind NAT?

Wed Jul 10, 2019 6:17 am

You can use L2TP/IPSEC behind a NAT with little problems and leverage PPP for authentication and telling multiple clients apart. You can leverage either BGP or OSPF with static neighbors over that directly. If you really just want to use a dynamic routing protocol that does not require static neighbors you need to support multicast. With L2TP/IPSEC you can then layer a GRE tunnel under the L2TP/IPSEC tunnel and run OSPF on the GRE tunnel without any special configurations. This of course creates a double encapsulation concern.

My preferred alternative is to leverage IPv6. Most mobile networks (at least here in the states) will provide static public IPv6 addressing (global unicast) alongside their CGN IPv4 addressing. You run IPv4 if you must inside a tunnel that is IPv6 on the outside (GRE) and IPSEC can encrypt that tunnel with little issue. This of course requires IPv6 on your head-end too. This is a much easier and more efficient method in my mind. That said I personally have not tested MikroTik's LTE related devices for IPv6 support but other major manufacturers have no problem as long as the carrier supports it.
User avatar
Posts: 53
Joined: Wed Nov 23, 2016 7:39 am

Re: What VPN tech with dynamic routing behind NAT?

Wed Jul 10, 2019 8:18 am


If you want to use Dynamic Routing Protocols like OSPF, and also you want to connect your local network, you need to use GRE tunnel, cause it can pass the Multicast traffic, So this one important reason that you need to use Dynamic Routing Protocol through the tunnel.

Who is online

Users browsing this forum: Bing [Bot] and 41 guests