cipher AES-256-CBC
auth SHA1
proto tcp # must be tcp, udp is not supported by Mikrotik
# tls-auth # not supported
auth SHA1 # only md5 or SHA1 is supported by Mikrotik
# comp-lzo # not supported
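A small checker for exactly the constraints listed in the post above, as an added example that is not from the thread: it parses an OpenVPN config, flags the directives a RouterOS OVPN client cannot use (UDP, an HMAC other than md5/sha1, tls-auth, comp-lzo) and rewrites them. The sample config is constructed; the cipher line is not checked because the post only says AES-256-CBC works.

```python
"""Check an OpenVPN config against the RouterOS OVPN limits listed in the thread.

Constraints come from the post above: TCP only, HMAC auth md5 or sha1 only,
no tls-auth, no comp-lzo. Anything else is left alone (cipher is not checked).
"""

# Directives the thread says RouterOS does not support at all.
UNSUPPORTED_DIRECTIVES = {"tls-auth", "comp-lzo"}
SUPPORTED_AUTH = {"md5", "sha1"}
# OpenVPN's TCP variants; a missing "proto" line means UDP (OpenVPN's default).
SUPPORTED_PROTO = {"tcp", "tcp-client", "tcp-server"}


def parse_config(text):
    """Split an OpenVPN config into (directive, args) pairs, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if code:
            parts = code.split()
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def check_mikrotik_compat(text):
    """Return a list of problems; an empty list means nothing in the thread's list is violated."""
    problems = []
    saw_proto = False
    for directive, args in parse_config(text):
        if directive in UNSUPPORTED_DIRECTIVES:
            problems.append(f"{directive}: not supported by RouterOS OVPN, remove it")
        elif directive == "proto":
            saw_proto = True
            if not args or args[0].lower() not in SUPPORTED_PROTO:
                problems.append(f"proto {' '.join(args)}: RouterOS OVPN is TCP only")
        elif directive == "auth":
            if not args or args[0].lower() not in SUPPORTED_AUTH:
                problems.append(f"auth {' '.join(args)}: only md5 or SHA1 is supported")
    if not saw_proto:
        problems.append("no proto line: OpenVPN defaults to UDP, add 'proto tcp'")
    return problems


def make_compatible(text):
    """Rewrite the config so check_mikrotik_compat() passes; each change gets its own comment line."""
    out = []
    saw_proto = False
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = code.split()
        directive = parts[0].lower() if parts else ""
        if directive in UNSUPPORTED_DIRECTIVES:
            out.append(f"# removed, not supported by RouterOS OVPN: {code}")
        elif directive == "proto":
            saw_proto = True
            if parts[1:] and parts[1].lower() in SUPPORTED_PROTO:
                out.append(raw)
            else:
                out.append("# RouterOS OVPN is TCP only")
                out.append("proto tcp")
        elif directive == "auth" and not (parts[1:] and parts[1].lower() in SUPPORTED_AUTH):
            out.append("# RouterOS OVPN supports only md5/sha1 HMAC")
            out.append("auth SHA1")
        else:
            out.append(raw)
    if not saw_proto:
        out.append("# OpenVPN defaults to UDP; RouterOS OVPN needs TCP")
        out.append("proto tcp")
    return "\n".join(out) + "\n"


# Constructed sample: what a stock Linux-side OpenVPN template typically looks like.
SAMPLE_LINUX_CONFIG = """\
dev tun
proto udp
cipher AES-256-CBC
auth SHA256
tls-auth ta.key 1
comp-lzo
"""

if __name__ == "__main__":
    for problem in check_mikrotik_compat(SAMPLE_LINUX_CONFIG):
        print("problem:", problem)
    print(make_compatible(SAMPLE_LINUX_CONFIG))
```

Run the checker over both the server and the client file before the first connection attempt; a mismatch on proto or auth shows up as a silent handshake failure rather than a clear error on the router.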
Hello my friend. If both "routers" are "inside" a network (no public IP) and you can't redirect ports, it is IMPOSSIBLE for them to reach each other. Both are inside, and it is not possible for them to communicate directly.
The only "way" is finding somebody with a public IP allowing you to connect BOTH routers to HIS router and cross the traffic through the "middle" router.
> I agree. There is no way a VPN could work without a public IP.
You can't access a Mikrotik router if it's behind NAT (which is owned by the ISP).
But you can open the tunnel from your Mikrotik to a VPN server, especially if you have another Mikrotik router with a public IP. I mean this: viewtopic.php?f=23&t=169538
> Correct, the only way and easiest way is to pay for an internet plan with a public IP.
Pay the upgrade for the public IP.
The netname from cloud updates every 60 seconds and will work just fine for DNS resolution to reach your router... ONCE YOU HAVE A PUBLIC IP.
> Thanks for the solution. I've been thinking about this for a whole month. And you are right, Vultr is the cheapest VPS I found so far.
I am in the same scenario and solved it by:
|Site 1| --> |Internet| --> |Ubuntu OpenVPN| --> |Site 2|, |Site 3|, |Site 4|
All of them can ping the other sites.
1. Use a VPS (Ubuntu LTS) with a static public IP. Mine is vultr.com; get the cheapest VPS that gives you a static IPv4.
2. Install OpenVPN
3. Connect Mikrotik as client to the Ubuntu Server
4. Configure routing between sites
Keep in mind that you should learn to set up OpenVPN in Linux; it will take a couple of days, but it is worth the trouble.
If you need help then PM me.
Thanks for the solution. I've been thinking about this for a whole month. And you are right, Vultr is the cheapest VPS I found so far.
Have you tried OpenVPN Cloud? Or AWS free tier + OpenVPN?
> How likely is IPsec to pass through NAT between 2 private IPs?
Depending on how the NATs in question behave, in particular whether the source port of a UDP packet sent from your router's WAN IP is kept as the packet goes through the NATs all the way to the public IP, it may be possible to establish an IPsec tunnel between the two devices. The source port must be kept unchanged for both devices which want to talk to each other in order for this to work.
Interesting. I see the other post, and I don't find any cons in your tutorial, but I'm still learning about it.
Just FYI - Mikrotik ROS can be installed on x86_64 hardware, and I mean a virtual machine. What I am trying to say is that you can set up RouterOS on a VPS; I've done it in Linode. Monthly cost of your instance + a single purchase of a ROS licence ($40 for L4) and you can set up a VPN in your familiar ROS environment. :) But using a Linux distro, like Debian, you can set up your own IPsec/IKEv2 VPN server using strongSwan, but it would be significantly harder if you've never done it before...
And if you decide to use Mikrotik ROS, you can follow the same guide I've shared a few comments up. Basically you can end up having a public IP for your router which is behind NAT: EoIP on top of IPsec/IKEv2. :) P.S. Don't go for OpenVPN - it's slow.
I have a positive experience with "normal" ISPs and a negative one with mobile ones, which do not keep the original port.
> How likely is IPsec to pass through NAT between 2 private IPs?
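One way to answer the question the two posts above discuss, whether the NAT keeps the UDP source port, is to send a STUN Binding request from the port in question and compare the port the server reports with the one the socket was bound to. This is an added example, not from the thread: STUN is my choice of probe (the posts only state that the port must survive), the server name is a placeholder, and the reply below is constructed so the parser can be exercised offline. Port 4500 is the IKE NAT-T port; 500 would do as well.

```python
"""Does the NAT in front of us keep the UDP source port? Ask a STUN server from the port we care about.

Added example. STUN (RFC 5389) is my choice of probe; the thread only says the
source port must survive the NATs. Port 4500 is the IKE NAT-T port.
"""
import os
import socket
import struct

STUN_MAGIC = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
IPV4 = 0x01


def build_binding_request(txid=None):
    """20-byte STUN header with no attributes; returns (message, transaction id)."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC) + txid, txid


def parse_mapped_address(resp, txid):
    """Return (ip, port) the server saw us from. XOR-MAPPED-ADDRESS wins over MAPPED-ADDRESS,
    because some NATs rewrite a plain address they spot in the payload."""
    if len(resp) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, magic = struct.unpack("!HHI", resp[:8])
    if mtype != BINDING_SUCCESS or magic != STUN_MAGIC or resp[8:20] != txid:
        raise ValueError("not a Binding success response for our transaction")
    body = resp[20:20 + mlen]
    plain = None
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)          # attribute values are padded to 4 bytes
        if alen < 8 or val[1] != IPV4:
            continue
        port, addr = struct.unpack("!HI", val[2:8])
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port ^= STUN_MAGIC >> 16
            addr ^= STUN_MAGIC
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        if atype == ATTR_MAPPED_ADDRESS and plain is None:
            plain = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    if plain is None:
        raise ValueError("no mapped address attribute in response")
    return plain


def port_preserved(local_port, seen_port):
    """The condition from the post: the port seen outside equals the one we sent from."""
    return local_port == seen_port


def probe_nat(server="stun.example.invalid", local_port=4500, timeout=3.0):
    """Live check (needs network): bind local_port, ask the STUN server, compare.
    The server name is a placeholder; substitute a STUN server you trust."""
    req, txid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", local_port))
        s.settimeout(timeout)
        s.sendto(req, (server, 3478))
        resp, _ = s.recvfrom(2048)
    ip, port = parse_mapped_address(resp, txid)
    return port_preserved(local_port, port), ip, port


def build_binding_response(txid, ip, port):
    """Constructed reply, shaped as a STUN server would send it, so the parser can run offline."""
    xport = port ^ (STUN_MAGIC >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ STUN_MAGIC
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, IPV4, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC) + txid + attr


if __name__ == "__main__":
    txid = b"\x00" * 12
    # Constructed: one NAT that keeps port 4500, one that rewrites it (203.0.113.0/24 is documentation space).
    for reply in (build_binding_response(txid, "203.0.113.7", 4500),
                  build_binding_response(txid, "203.0.113.7", 62233)):
        ip, port = parse_mapped_address(reply, txid)
        verdict = "port preserved" if port_preserved(4500, port) else "port rewritten; IPsec between two such routers is unlikely to work"
        print(ip, port, verdict)
```

Run probe_nat() from behind each of the two routers; the post's condition holds only when both sides report the port as preserved. Results differ per carrier, so repeat the probe after a reconnect before relying on it.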
I've looked at that topic too, and unless I've missed something, the responder (server) must have a public IP or port-forwarding from a public IP must be possible. So not applicable for your case.
> Interesting. I see the other post, and I don't find any cons in your tutorial, but I'm still learning about it.
The user still has to purchase a VPS with a public IP in order to have a public IP. Linode was just an example (that's what I've been using). This way the user can have ROS running somewhere in a DC.
> I've looked at that topic too, and unless I've missed something, the responder (server) must have a public IP or port-forwarding from a public IP must be possible. So not applicable for your case.