Community discussions

danmet
just joined
Topic Author
Posts: 3
Joined: Thu Nov 26, 2020 2:45 pm

VPN solution for small office issues

Fri Nov 27, 2020 1:35 pm

Good day, good people of the Board.
I have a question regarding the VPN solutions offered by MikroTik.
I am currently working with a small company that needs a simple VPN solution (working on Android and Win10). (If it's somehow important: the mobiles are Samsung S10 and S20 models.) All users are road warriors.
The office has a public IP address, and I have currently implemented L2TP VPN with IPsec for them, but we have some issues with it. For a few days now, I have been getting many tickets from different people saying that the VPN is inaccessible: it just doesn't want to connect any user. At the same time, I have tried to connect both from a PC and from a mobile, and neither of them connected.
I have enabled full logging of IPsec and L2TP at the moment, with export to a NAS, so hopefully if it happens again I will have plenty of logs from that situation. For now, I can't access the site, so our solution is a reboot. After a reboot everything gets back to normal.
Our setup: a MikroTik hAP ac², with some firewall rules, running 6.47.7, with all packages and firmware updated.
Would really love any hint regarding a solution.
The important parts of my current config, obfuscated, are below.
/ip pool
add name=VPN ranges=172.16.yy.yy-172.16.yy.yy
/ppp profile
add change-tcp-mss=yes comment="VPN MT" dns-server=172.16.xx.xx local-address=VPN name="VPN MT" remote-address=VPN use-encryption=yes
/interface l2tp-server server
set authentication=mschap2 default-profile="VPN MT" enabled=yes use-ipsec=required
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Accept allowed to router" src-address-list=allowed_to_router
add action=add-src-to-address-list address-list=VPN address-list-timeout=20s chain=input comment="port 500 for VPN - list" dst-port=500 protocol=udp
add action=accept chain=input comment="port 500 for VPN" dst-port=500 protocol=udp
add action=add-src-to-address-list address-list=Step2_VPN address-list-timeout=30s chain=input comment="port 4500 for VPN" dst-port=4500 protocol=udp src-address-list=VPN
add action=accept chain=input comment="port 4500 for VPN" dst-port=4500 protocol=udp src-address-list=VPN
add action=add-src-to-address-list address-list=VPN_5min address-list-timeout=5m chain=input comment="port 1701 for VPN" dst-port=1701 protocol=udp src-address-list=Step2_VPN
add action=accept chain=input comment="port 1701 for VPN" dst-port=1701 protocol=udp src-address-list=Step2_VPN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop_invalid
add action=accept chain=input comment="defconf: accept ICMP" in-interface-list=LAN protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN log-prefix=drop_!lan
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Drop all the rest" log-prefix=drop
/ip firewall mangle
add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip route
add comment="route for vpn server" distance=1 dst-address=172.16.x.x/x gateway=172.16.x.x
/ppp secret
add local-address=172.16.x.x1 name=user1 profile="VPN MT" service=l2tp
add local-address=172.16.x.x2 name=user2 profile="VPN MT" service=l2tp
add local-address=172.16.x.x3 name=user1mob profile="VPN MT" service=l2tp
add local-address=172.16.x.x4 name=user2mob profile="VPN MT" service=l2tp
add local-address=172.16.x.x5 name=user3 profile="VPN MT" service=l2tp
add local-address=172.16.x.x6 name=user3mob profile="VPN MT" service=l2tp
add local-address=172.16.x.x7 name=user4 profile="VPN MT" service=l2tp
Of course there are some more firewall rules, but none of them important here.
Right now I am thinking about what the best solution would be. I have 3 ideas and don't know which to stick with:

Solution 1. This board. I have some problem in the config that I don't see, and some good people here will show me what I am doing wrong / what should be changed.
Solution 2. Add some scripting in /ppp profile to restart /interface l2tp-server each time a user disconnects (in /ppp profile on-down).
Solution 3. Switch to some other VPN solution that I haven't tried yet.

Any help will be much appreciated.
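As an added example (not from danmet's post or from MikroTik's documentation), here is what I would put in place before the next outage so that the evidence does not vanish with the reboot: ship the ipsec/l2tp/ppp topics to the NAS by syslog instead of relying on the in-memory log, enable logging on the final input drop rule (the export above gives it a log-prefix but no log=yes, so it currently logs nothing), and keep a short list of state commands to run the moment the VPN stops accepting logins. The NAS address 172.16.20.50 and the syslog facility are assumptions. Because the config above gates new sessions on the VPN (20 s) and Step2_VPN (30 s) address lists, the address-list snapshot shows whether the clients' UDP 500/4500 packets are even reaching the input chain during the failure; the active-peers and installed-SA output shows whether IKE is completing and SAs exist.

```routeros
# Added example, not from the original post: off-box logging plus a state snapshot
# to take BEFORE rebooting. Constructed values: NAS syslog collector 172.16.20.50.

# 1. Remote syslog action pointing at the NAS (BSD syslog framing, facility local6).
/system logging action
add name=nas-syslog target=remote remote=172.16.20.50 remote-port=514 \
    syslog-facility=local6 bsd-syslog=yes

# 2. Ship the relevant topics. "!packet" keeps per-packet dumps out of the stream
#    while SA negotiation, rekey and L2TP control events are still recorded.
/system logging
add topics=ipsec,!packet action=nas-syslog
add topics=l2tp,!packet action=nas-syslog
add topics=ppp,info action=nas-syslog
add topics=firewall action=nas-syslog

# 3. Make the catch-all input drop actually log; it has a prefix but no log=yes.
/ip firewall filter
set [find comment="Drop all the rest"] log=yes log-prefix=drop

# 4. Snapshot to run over WinBox/SSH while the VPN is refusing connections.
#    Compare each output against the same commands on a healthy day.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print where dynamic=yes
/ip ipsec statistics print
/ip firewall address-list print where list~"VPN|Step2_VPN|VPN_5min"
/ip firewall connection print where protocol=udp and dst-address~":(500|4500)"
/interface l2tp-server print
/ppp active print
/log print where topics~"ipsec|l2tp"
```

Read the snapshot in this order: no entries in the VPN list means the clients' IKE packets never reached input (upstream or WAN problem); entries in VPN and Step2_VPN but nothing in active-peers means IKE is failing on the router (the ipsec log lines will say why); peers and SAs present but no L2TP interface means the failure is in L2TP/PPP after IPsec came up.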
 
erkexzcx
Member Candidate
Posts: 264
Joined: Mon Oct 07, 2019 11:42 pm

Re: VPN solution for small office issues

Fri Nov 27, 2020 3:27 pm

Can this be related? viewtopic.php?t=132823

Mikrotik support commented that instead of dealing with all that mess one should switch to IPSEC/IKE2.
 
danmet
just joined
Topic Author
Posts: 3
Joined: Thu Nov 26, 2020 2:45 pm

Re: VPN solution for small office issues

Fri Nov 27, 2020 3:50 pm

@erkexzcx Thank you for your brief reply.
Basically, while reading through the VPN-related topics on this board, I saw that topic, but... We don't have any problem with multiple clients connected at the same time, somehow. We have the accounting dept. currently working from a remote location, and as they connect at the same time and work on some network-based programs, they have no problem at all doing operations in programs which use MS SQL databases... And no one gets disconnected. The problem is only with getting connected, and only sometimes. I don't have logs yet, as it hasn't happened since logging was enabled.
Also, we have some 'intelligent building' stuff in there, and while the accounting dept. works, I can modify stuff there, I can even stream CCTV... And they don't get disconnected.

Switching to IPsec/IKEv2 is one of the possibilities I am currently thinking of, but... To implement that, I have to basically start over with the config, and as I have three people working from remote locations now, due to quarantine, it will be a nightmare ;(
To do that, I have to install all the certificates (users... let's say they won't know how to do that, and don't have admin privileges), so if I have no other choice I will do that when they come back to the office, but it will take some time. And I need some quick solution, let's say for 2 weeks, to let the people do their job.

Once again, @erkexzcx thank You for Your help ;)
 
erkexzcx
Member Candidate
Posts: 264
Joined: Mon Oct 07, 2019 11:42 pm

Re: VPN solution for small office issues

Fri Nov 27, 2020 4:22 pm

I've checked all your configuration once again and I'm not sure what it could be. It's the worst type of incident when it happens randomly...

For now I suggest providing logs from the client/server regarding IPsec/L2TP.

I have a feeling that it might happen when the lifetime expires in "/ip ipsec profile", but it might be completely unrelated...
 
nje431
Frequent Visitor
Posts: 95
Joined: Tue Sep 10, 2013 5:17 pm

Re: VPN solution for small office issues

Fri Nov 27, 2020 6:55 pm

My experience has been that ARM processors running any software newer than 6.43.16 don't play well with IPsec (or possibly DHCP as well). In our case that is the RB1100AHx4. We've switched to L2TP with the less-than-ideal Microsoft encryption to get stability. However...... MikroTik just yesterday released 6.47.8, with improved stability for ARM devices. Perhaps that is the answer? Just speculating, since MikroTik has not said what that fixes yet.

Cheers
 
gotsprings
Forum Guru
Posts: 2122
Joined: Mon May 14, 2012 9:30 pm

Re: VPN solution for small office issues

Sat Nov 28, 2020 7:31 am

I have a hAP AC2 at home, and it connects to the CCR at my office using EoIP + IPSec.

Been stable for a few weeks.

I have one SSID here tied to the bridge the EoIP tunnel connects to. So when I need an office resource... I jump to that SSID.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN solution for small office issues

Sat Nov 28, 2020 5:44 pm

danmet wrote: "Switching to IPSEC/IKE2 is one of possibilities I am currently thinking of, but.. To implement that, I have to basically start over with the config, and as I have three people working from remote locations now, due to quarantine, it will be a nightmare ;("
It should actually not be that complex, as an IKEv2 peer can coexist with an IKE(v1) one on the same address. The version of the IKE protocol (and the exchange mode in the case of IKEv1) is indicated in the initial packet, so the IPsec stack can use this information to choose between peers differing only in exchange-mode. You don't need to use the default profile, policy group, or proposal for IKEv2, so you can set your own ones.

So you can set up the IKEv2 peer and all the associated settings while the L2TP/IPsec part stays in production.
 
danmet
just joined
Topic Author
Posts: 3
Joined: Thu Nov 26, 2020 2:45 pm

Re: VPN solution for small office issues

Sun Nov 29, 2020 12:51 am

@nje431 Thank you for your post. I have had some issues with the hAP ac² at my home, e.g. with wifi disconnecting devices that are really close to the AP (I have a Chromecast 3 meters from the router, and it disconnects from time to time, or loses connection for 15-30 seconds, and I don't have that on another vendor's router that I currently have on test). Hopefully the new software will solve that. I am testing it now at home.

@gotsprings I get your point. For my own usage, I am currently going to switch to a tunnel on the MikroTik instead of VPN on the mobile, with a separate wifi; that's a great idea ;) The problem is that 3 of my users don't have public IP addresses, 2 of them have only LTE, one with high jitter (ping from 17 to 350 ms), that gets disconnected many times. I don't want to admin that, not with those users (e.g. a 55+ lady from the accounting dept.).

@sindy Thank you very much for your input. Tbh, I didn't know that those two can coexist! I am definitely going to try that on my home router, with a cloned config, and if it is accessible I am going to prepare that change before the users are back in the office! Thanks a lot! Any hints on what I should pay special attention to? First implementation of IKEv2 here, so any information will be highly appreciated.

As it's the weekend, nothing happened again yet. Went through logs and nothing interesting there yet, but if anything will happen, I will post the logs.

Thank You for Your contribution!
 
gotsprings
Forum Guru
Forum Guru
Posts: 2122
Joined: Mon May 14, 2012 9:30 pm

Re: VPN solution for small office issues

Sun Nov 29, 2020 4:07 am

If I were dealing with several sites...

I would have the sites call the Main router over L2TP +IPsec VPNs. So the devices that are behind carrier grade NAT are the "dialer".
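An added example of the "site as dialer" arrangement gotsprings describes (my own configuration sketch, not gotsprings' or danmet's config): a remote hAP behind LTE/CGNAT initiates the L2TP/IPsec session to the office router, which reuses danmet's existing "VPN MT" profile, so the remote site needs no public IP and the office firewall already admits it through the same UDP 500/4500/1701 rules as the road warriors. The office public IP 203.0.113.10, the 172.16.50.0/30 tunnel addresses, the remote LAN 192.168.88.0/24 and all secrets are placeholders; the IPsec PSK must equal the ipsec-secret set under /interface l2tp-server server on the office router, which the obfuscated export above does not show.

```routeros
# Added example, not from the original posts: remote router as L2TP/IPsec initiator.
# Constructed values: office public IP 203.0.113.10, tunnel 172.16.50.1/.2,
# remote LAN 192.168.88.0/24, office LAN 172.16.0.0/16, placeholder secrets.

# --- Office router (responder, existing L2TP server) ---
# One secret per site with fixed tunnel addresses so the return route is static.
/ppp secret
add name=site-acct password="CHANGE-ME-site" profile="VPN MT" service=l2tp \
    local-address=172.16.50.1 remote-address=172.16.50.2
# Route the remote LAN via the site's tunnel address; only valid while it is up.
/ip route
add dst-address=192.168.88.0/24 gateway=172.16.50.2 comment="to site-acct LAN"

# --- Remote site router (initiator, behind CGNAT / dynamic LTE address) ---
/interface l2tp-client
add name=l2tp-office connect-to=203.0.113.10 user=site-acct password="CHANGE-ME-site" \
    use-ipsec=yes ipsec-secret="CHANGE-ME-psk" allow=mschap2 \
    add-default-route=no keepalive-timeout=30 disabled=no
# Only office traffic goes through the tunnel; the site keeps its own internet path.
/ip route
add dst-address=172.16.0.0/16 gateway=l2tp-office comment="office over VPN"
# Do not masquerade into the tunnel, otherwise the office sees only 172.16.50.2.
/ip firewall nat
add chain=srcnat action=accept out-interface=l2tp-office place-before=0 \
    comment="no NAT into office VPN"
```

With keepalive-timeout set, RouterOS tears down and redials the session itself when the LTE link flaps, which is the "disconnections are handled automatically" behaviour sindy refers to below; nobody at the site has to click anything. Restricting the secret to service=l2tp and mschap2 keeps the same authentication bar as the road-warrior accounts.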
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN solution for small office issues

Sun Nov 29, 2020 10:55 am

danmet wrote: "For my own usage, I am currently gonna switch to tunnel on Mikrotik instead of VPN on mobile, with separate wifi, that's great idea ;) Problem is, that 3 of my users don't have public IP addresses, 2 of them have only LTE, one with high jitter (ping from 17 to 350ms), that gets disconnected many times. I don't want to admin that, not with those users (e.g. 55+ lady from accounting dept..)"
In fact, managing issues like frequent disconnections and LTE signal fluctuation is somewhat simpler using a router than using a PC with a USB stick plugged into it. The location of the LTE router (or its external antenna) within the home can be optimized for signal quality, and the PC location can be optimized for work convenience, leaving aside that you can use a higher-gain antenna (something like the LHG LTE kit). Also, the disconnections are handled automatically by RouterOS, whereas on a PC you need to run some PowerShell scripts like this one to reconnect the VPN automatically. Plus, also important, you can control which LTE band will be used. As an example, I've got a location where the signal strength on a low-frequency, narrow-channel band is some 20 dB higher than the one on a high-frequency, wide-channel one, and the modem and network prefer signal strength to throughput. By disabling the lower band, the connection gets more stability and throughput. So you may end up with fewer calls from that lady, and you'll be able to diagnose issues better too, thanks to remote access to the router via the VPN (... those big airplanes go both ways...)

And as @gotsprings has mentioned, the router can also act as an initiator (client) on a non-public and/or dynamic address, like the PC/mobile clients do. This works with both L2TPoIPsec and IKEv2.

Regarding the IKEv2 setup: the description on the Wiki is sufficient, just bear in mind that the Windows embedded client does check the server identity from the certificate, so the certificate must indicate the actual public IP (or FQDN, if available through the public DNS) of the server. In the opposite direction this would not be practical, as the address of the initiator may be changing and is not known in advance, so identity row matching on the certificate subject itself has to be used.

One big advantage of IKEv2 is that you can push routes to the Windows embedded VPN client, which RouterOS doesn't support with other VPN types. By using IKEv2 you also avoid the issues of multiple L2TPoIPsec clients behind the same public IP, which you can easily bump into occasionally and randomly with several LTE clients connecting from the same region. So the only "disadvantage" is the need to familiarize yourself with the management of certificates.
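Pulling together sindy's two points (the IKEv2 peer can coexist with the IKEv1 one, and the Windows client validates the server certificate against the address it dials), here is an added example of a responder-only IKEv2 road-warrior peer placed beside the existing L2TP/IPsec server. This is my own sketch, not sindy's config or the MikroTik Wiki text. It uses its own profile, proposal, policy group, pool and mode-config, so the default objects that the L2TP server's dynamic peer relies on are untouched; the server certificate carries the dialled public IP in its SAN, which is the identity check sindy mentions; split-include is the route push. All addresses, certificate names and passphrases are assumptions. Two caveats a practitioner should know before rolling this out: the CA certificate must be imported into the Windows machine (Local Computer) store, which needs administrator rights, exactly the obstacle danmet raised earlier; and the Windows built-in client proposes only DH group 2 with AES-128/3DES unless the NegotiateDH2048_AES256 value under HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters is set to 1 (DH group 14 and AES-256), so with the profile below the connection simply fails until that value is set on each client.

```routeros
# Added example, not from the original posts: IKEv2 road-warrior peer coexisting
# with an L2TP/IPsec server. Constructed values: public IP 203.0.113.10,
# client pool 172.16.60.0/24, office LAN 172.16.0.0/16, internal DNS 172.16.1.1.

# 1. Private CA, server cert with the dialled address in its SAN (what Windows
#    checks), one client cert per user. key-usage sets the EKUs clients expect.
/certificate
add name=vpn-ca common-name=vpn-ca key-usage=key-cert-sign,crl-sign days-valid=3650
sign vpn-ca name=vpn-ca
add name=vpn-server common-name=203.0.113.10 subject-alt-name=IP:203.0.113.10 \
    key-usage=tls-server days-valid=1095
sign vpn-server ca=vpn-ca name=vpn-server
add name=user1 common-name=user1 key-usage=tls-client days-valid=730
sign user1 ca=vpn-ca name=user1
# CA cert (public part only) and the user's PKCS#12 bundle go to the client out of band.
export-certificate vpn-ca
export-certificate user1 type=pkcs12 export-passphrase="CHANGE-ME"

# 2. Dedicated IPsec objects: the L2TP server keeps using "default" for everything.
/ip ipsec profile
add name=ike2-rw hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 \
    lifetime=8h
/ip ipsec proposal
add name=ike2-rw auth-algorithms=sha256 enc-algorithms=aes-256-gcm,aes-256-cbc \
    pfs-group=none
/ip ipsec policy group
add name=ike2-rw
/ip ipsec policy
add group=ike2-rw proposal=ike2-rw template=yes src-address=0.0.0.0/0 \
    dst-address=172.16.60.0/24

# 3. Client pool and mode-config. split-include pushes the office route to the
#    client (the IKEv2 advantage above); static-dns points clients at internal DNS.
/ip pool
add name=ike2-rw ranges=172.16.60.10-172.16.60.250
/ip ipsec mode-config
add name=ike2-rw address-pool=ike2-rw address-prefix-length=32 \
    split-include=172.16.0.0/16 system-dns=no static-dns=172.16.1.1

# 4. Passive IKEv2 peer on the same public address as the L2TP server's IKEv1 peer,
#    distinguished by exchange-mode, plus one identity per client certificate.
/ip ipsec peer
add name=ike2-rw exchange-mode=ike2 passive=yes profile=ike2-rw
/ip ipsec identity
add peer=ike2-rw auth-method=digital-signature certificate=vpn-server \
    match-by=certificate remote-certificate=user1 \
    generate-policy=port-strict policy-template-group=ike2-rw mode-config=ike2-rw \
    comment="user1 (IKEv2)"
# Repeat the identity line for user2, user1mob, ... each with its own remote-certificate.
```

Nothing in this block changes /interface l2tp-server or the default profile, so the existing users keep connecting while you test IKEv2 from a cloned config, as danmet plans to. The existing input rules for UDP 500/4500 already admit IKEv2 (it starts on 500 and moves to 4500 after NAT detection, so it passes the same address-list gate); after the first Windows client connects, check /ip ipsec active-peers print and that the client's route table gained the 172.16.0.0/16 entry, which is the proof that mode-config and split-include were honoured.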
