KarelVDM
just joined
Topic Author
Posts: 11
Joined: Mon Jun 24, 2019 4:31 pm

Site to Site VPN (13 Sites & 2 remote Laptops)

Sun Dec 01, 2019 11:20 am

Good Morning Everyone,

I need to do a setup for one of my clients and need some expert advice:
  • Which Mikrotik Routers are best suited for the task at hand? Head office will serve as the "VPN Server", as it is the only one that has a static IP. RB2011 for HO? HAP Lite for the Branches?
  • 13 Branches & 2 roaming laptops need to connect to the Head office VPN
  • Roaming Laptops will be setup as Road warriors?
  • From any workstation at a branch, I need to access the Application Server at any other branch. (Via Remote Desktop)
  • Same Applies for the Roaming Laptops, they need to access any one of the branches' application server via Remote Desktop.
  • I need to be able to get access to any one of the Mikrotik routers from within the VPN. (To change or update configuration as needed)
In the Network Topology Diagram I have IP Addresses specified, but they can be changed as necessary.
[image: network topology diagram]

Thnx in advance

Karel
 
Zacharias
Forum Guru
Posts: 1075
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Sun Dec 01, 2019 11:30 am

Well, if I had to design the same network I would choose a more powerful router for the head office, probably one from the CCR line, like the CCR1009, and for the branch offices I would probably choose hAP ac2... just quick thoughts...
You should set up a VPN for the remote users to connect, L2TP/IPsec would be fine...
 
mkx
Forum Guru
Posts: 3345
Joined: Thu Mar 03, 2016 10:23 pm

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Sun Dec 01, 2019 11:48 am

I'm with @Zacharias ... go for more powerful devices. And definitely go for devices with HW support for IPsec encryption. For branch offices that would be hAP ac2 or (if wireless is not needed) a hEX and for central office minimum would be RB4011 or, better yet, at least semi-professional device such as RB1100AHx4 or a CCR.
BR,
Metod
 
Zacharias
Forum Guru
Posts: 1075
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Sun Dec 01, 2019 5:13 pm

@mkx, your suggestion about road warriors ?
 
mkx
Forum Guru
Posts: 3345
Joined: Thu Mar 03, 2016 10:23 pm

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Sun Dec 01, 2019 8:52 pm

> @mkx, your suggestion about road warriors ?
What about them? I'm not one, but if I was, I'd probably rely on IPsec implementation in SW on my device ... which in principle doesn't change any reasoning for choosing HW for central office. Or does it?
BR,
Metod
 
Zacharias
Forum Guru
Posts: 1075
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Sun Dec 01, 2019 9:27 pm

No, I don't think so...
 
mkx
Forum Guru
Posts: 3345
Joined: Thu Mar 03, 2016 10:23 pm

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Sun Dec 01, 2019 9:55 pm

Just to clarify: by "I'd probably rely on IPsec implementation in SW on my device" I meant client device (e.g. laptop), not VPN server (central office router).

And I don't think that the choice of a particular VPN technology precludes the choice of RB device type ... AFAIK RBs all support the same set of VPN technologies, and those devices supporting encryption in HW support the same set of ciphering algorithms and key lengths (I may well be wrong here).
BR,
Metod
 
Sob
Forum Guru
Posts: 4887
Joined: Mon Apr 20, 2009 9:11 pm

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Sun Dec 01, 2019 10:57 pm

No, HW acceleration depends on device: https://wiki.mikrotik.com/wiki/Manual:I ... celeration
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
mkx
Forum Guru
Posts: 3345
Joined: Thu Mar 03, 2016 10:23 pm

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Mon Dec 02, 2019 9:19 am

> No, HW acceleration depends on device: https://wiki.mikrotik.com/wiki/Manual:I ... celeration

I was wrong then, thanks for steering me on the right track.
BR,
Metod
 
angriukas
newbie
Posts: 36
Joined: Fri Nov 22, 2013 9:20 am

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Mon Dec 02, 2019 3:14 pm

I would choose IPSec tunnels.
Head office router - definitely CCR (because of hardware acceleration), depending on IPSec traffic and how many ports you need. Cheapest is the 1009 series models.
RW - notebooks with an IPSec client like Shrew-soft-vpn.
Branch offices - hAP ac² because this device also supports hardware acceleration, or maybe the smallest CCR - depends on IPSec traffic.
Mentioned table https://wiki.mikrotik.com/wiki/Manual:I ... celeration would help you choose appropriate encryption algorithm with hardware acceleration.
And of course BGP, it will allow dynamic network topology.
And also management network over VLAN :)
Note regarding l2tp for RW: there is no possibility at client side to manage routes. By default whole traffic will flow via VPN tunnel. If this is ok - then no problem. Personally I do not like that. Usually I am using Shrew-soft-vpn, no issues on Windows.
 
Zacharias
Forum Guru
Posts: 1075
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Mon Dec 02, 2019 3:17 pm

> By default whole traffic will flow via VPN tunnel
It takes less than 2 seconds to change that...
 
angriukas
newbie
Posts: 36
Joined: Fri Nov 22, 2013 9:20 am

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Mon Dec 02, 2019 3:33 pm

> It takes less than 2 seconds to change that...

And what's then - manual or scripted "route add..."
Users like that ;)
 
Zacharias
Forum Guru
Posts: 1075
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Mon Dec 02, 2019 3:40 pm

>> It takes less than 2 seconds to change that...
>
> And what's then - manual or scripted "route add..."
> Users like that ;)
What are you talking about ?
There is no need to add any manual routes on your L2TP client...!
The client will get his IP through the server. That's all needed... The client will then create a Dynamic route for that network...
 
angriukas
newbie
Posts: 36
Joined: Fri Nov 22, 2013 9:20 am

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Mon Dec 02, 2019 3:50 pm

> What are you talking about ?
> There is no need to add any manual routes on your L2TP client...!
> The client will get his IP through the server. Thats all needeed... The client will then create a Dynamic route for that network...

I am talking about the standard Windows client, a lot of routes are needed in this case.
 
karlisi
Member Candidate
Posts: 261
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Mon Dec 02, 2019 4:02 pm

On Windows client it can be done manually, using Powershell or GUI.
http://eyonic.blogspot.com/2016/06/how- ... ng-in.html
---
Karlis
 
Zacharias
Forum Guru
Posts: 1075
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Mon Dec 02, 2019 5:09 pm

>> What are you talking about ?
>> There is no need to add any manual routes on your L2TP client...!
>> The client will get his IP through the server. Thats all needeed... The client will then create a Dynamic route for that network...
>
> I am talking about standard Windows client, lot of routes are needed in this case.
Lots of routes for what ?
 
idlemind
Forum Guru
Posts: 1108
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Mon Dec 02, 2019 5:17 pm

>>> What are you talking about ?
>>> There is no need to add any manual routes on your L2TP client...!
>>> The client will get his IP through the server. Thats all needeed... The client will then create a Dynamic route for that network...
>>
>> I am talking about standard Windows client, lot of routes are needed in this case.
> Lots of routes for what ?
Using L2TP/IPSEC will result in a tunnel-all approach. You can, if you want, not accept a default route and use tools in the OS to steer traffic for specific networks towards the VPN. The option to add routes at the CLI on the router acting as the VPN server adds routes to its table when the client connects. This is a method to add return-traffic routes to a head-end for clients of a site-to-site network without a routing protocol.

The fact that the standards bodies have all tossed their hands up when it comes to providing routes to client operating systems with otherwise great VPN tech is a shame. It's definitely an opening for using things like a proper OpenVPN server or one of the proprietary solutions for remote access VPNs to have even basic split-tunneling functionality (Cisco AnyConnect, etc...).
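The client-side steering that karlisi and idlemind describe above (turn off "use default gateway on remote network", then add per-network routes that ride the tunnel) can be done with the built-in VpnClient cmdlets instead of the GUI or ad-hoc "route add". The following is an added example for this thread, not code from any poster or from MikroTik; the connection name "HeadOffice" and the branch prefixes 10.10.0.0/16 and 10.20.0.0/24 are placeholders chosen for illustration.

```powershell
# Added example: split tunneling for an existing Windows VPN connection.
# Assumptions (placeholders, not from the thread): the connection is named
# "HeadOffice" and the branch networks are 10.10.0.0/16 and 10.20.0.0/24.
# Needs the VpnClient module (Windows 8.1 / Windows 10 and later) and must be
# run by the user who owns the connection (add -AllUserConnection otherwise).

$ConnectionName = 'HeadOffice'
$BranchPrefixes = @('10.10.0.0/16', '10.20.0.0/24')

# 1. Disable "Use default gateway on remote network" (the checkbox from the GUI).
#    With this off, only routes listed on the connection go through the tunnel.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# 2. Register one route per remote network. Windows installs these only while
#    the tunnel is up and removes them when it drops, so nothing is left behind.
foreach ($prefix in $BranchPrefixes) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName `
                           -DestinationPrefix $prefix `
                           -PassThru
}

# 3. Check the result: SplitTunneling should be True and Routes should list
#    exactly the branch prefixes.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, SplitTunneling, @{ n = 'Routes'; e = { $_.Routes.DestinationPrefix } }

# 4. After connecting, confirm the default route still points at the local
#    uplink and not at the VPN adapter (InterfaceAlias equals the connection name).
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop, RouteMetric
```

Step 4 is the check worth keeping: a default route through the VPN adapter means the client is still full-tunnel regardless of what step 1 reports, which is the symptom Znevna describes later in the thread when the checkbox is turned back on.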
 
Znevna
newbie
Posts: 43
Joined: Mon Sep 23, 2019 1:04 pm

Re: Site to Site VPN (13 Sites & 2 remote Laptops)

Tue Dec 10, 2019 9:36 am

Sorry to bump this thread, but, is split-tunneling in Windows 10 and RouterOS v6.46 stable working for anyone? (IKEv2)
I've caught this bug report: viewtopic.php?t=124945#p695000
Which was fixed: *) ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;
But, something isn't working.
Windows connects, gets the assigned VPN IP on the interface but that's it.
I sniffed packets on the router's wan interface and I can see the DHCP Inform coming from the Windows 10's VPN IP, so somehow that doesn't reach ipsec?
I even tried with all drop rules from the firewall disabled, no luck.
If I check "use default gateway on remote network" on the windows 10 TCP/IPv4 settings for that VPN connection all the traffic gets routed through the VPN, works, but not ideal.
Windows version: 1809 build 17763.864.
LE: I've tested with v6.44.6 Long Term, same thing.
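When a split-tunnel setup like Znevna's does not produce routes on the Windows side, the useful check is whether a DHCP ACK carrying the classless static route option actually comes back after the DHCP Inform, and what it contains. Option 249 is Microsoft's number for the classless static route option; it uses the same encoding as RFC 3442 option 121 (per route: one byte prefix length, the significant octets of the destination, then a four-byte next hop). The decoder below is an added example for this thread, not RouterOS or Windows code; the sample bytes are constructed for illustration and were not captured from the poster's network.

```powershell
# Added example: decode a DHCP classless static route option (249 or 121) so the
# option bytes copied out of a packet capture can be read as routes.
# Encoding per route (RFC 3442): prefix length (1 byte), ceil(len/8) destination
# octets, next hop (4 bytes). A prefix length of 0 is a default route.

function ConvertFrom-ClasslessStaticRoute {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $routes = @()
    $i = 0
    while ($i -lt $Bytes.Length) {
        $prefixLen = [int]$Bytes[$i]; $i++
        if ($prefixLen -gt 32) { throw "invalid prefix length $prefixLen at offset $($i - 1)" }
        $sigOctets = [int][math]::Ceiling($prefixLen / 8)
        if ($i + $sigOctets + 4 -gt $Bytes.Length) { throw "truncated route at offset $i" }

        # Only the significant octets are on the wire; pad back out to four.
        $dest = [byte[]]::new(4)
        for ($k = 0; $k -lt $sigOctets; $k++) { $dest[$k] = $Bytes[$i + $k] }
        $i += $sigOctets

        $gw = [byte[]]$Bytes[$i..($i + 3)]
        $i += 4

        $routes += [pscustomobject]@{
            Destination = '{0}/{1}' -f ([System.Net.IPAddress]::new($dest)).ToString(), $prefixLen
            NextHop     = ([System.Net.IPAddress]::new($gw)).ToString()
            IsDefault   = ($prefixLen -eq 0)
        }
    }
    return $routes
}

# Constructed sample (not from a real capture): two routes,
# 10.10.0.0/16 via 192.168.50.1 and 10.20.0.0/24 via 192.168.50.1.
$sample = [byte[]](
    0x10, 0x0A, 0x0A,       0xC0, 0xA8, 0x32, 0x01,   # /16, dest 10.10, gw 192.168.50.1
    0x18, 0x0A, 0x14, 0x00, 0xC0, 0xA8, 0x32, 0x01    # /24, dest 10.20.0, gw 192.168.50.1
)

ConvertFrom-ClasslessStaticRoute -Bytes $sample | Format-Table -AutoSize
```

Reading the decoded list answers two questions at once: whether the router sent the branch prefixes at all (no ACK, or an ACK without option 249, explains a client with an address but no routes), and whether it sent a 0.0.0.0/0 entry, which would turn the connection back into full-tunnel even with the GUI checkbox cleared.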
