dondario
just joined
Topic Author
Posts: 7
Joined: Wed Oct 02, 2019 12:00 pm

IPSec Multipoint Config

Sat Apr 03, 2021 5:56 pm

I don't know if my solution is the best one, therefore I ask here:

I have five locations with 6 networks as you can see in the picture.
IPSec-Multipoint.png
The IPSec VPN has been fully operational for some weeks.
What I needed was that anyone can access the central network 192.168.120.0/24 (black policies).

But now I want to provide full access from any network to any other network.

Due to reasons I need the star topology, so a packet from one end to the other end has to pass through the central router.
As this Use-Case is very limited (less than 1% of the traffic) there are no performance issues.

But what is the right way to configure the IPSec Policies?

When I do it the way I thought (red policies for the route from OHS to LIN) it works, but it results in many policies.

Is this the right way, or how do I have to configure the policies?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: IPSec Multipoint Config  [SOLVED]

Sat Apr 03, 2021 6:59 pm

If you want to use only policies, yes, those aren't even many, since you didn't cover all the networks.
I have 16 dynamic policies on the main router, and that covers main office + 4 branches, 1 network / location. So the magic number for policies on the main router seems to be (networks-1)^2, that is if you want all of them to be able to "talk" to each other.
The other way would be to use any of IPIP/EoIP/GRE over IPSec. Fewer policies, other things to configure (routes etc).
Choose your poison.
 
NetWorker
Frequent Visitor
Posts: 98
Joined: Sun Jan 31, 2010 6:55 pm

Re: IPSec Multipoint Config

Sat Apr 03, 2021 7:13 pm

I had this requirement too and solved it as follows:

I used L2TP on top of IPSec so as to have interfaces, not just policies. This in turn allowed me to use OSPF. But you can also do this with static routes. Else you can use GRE or IPIP if all your public addresses are static.

Just add a route to each destination network with gateway set to the reachable address of the central router.

This setup has the following drawbacks:
- All connections pass through the central router
- Performance penalties at the central router and connections

But also the following benefits:
- Single tunnel per office branch
- Simple firewall setups
- Performance benefits at the branch routers
- Overall simplified management
- If using OSPF or other dynamic route distribution, setup and forget. No matter if adding or removing branches/networks later on.
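To make the two answers above concrete, here is an added worked example (not configuration from any poster's router): a small generator for the policy-only design Znevna describes, with a check that the hub's policy set really does carry every spoke-to-spoke flow, and the list of static routes a spoke needs in NetWorker's tunnel-over-IPsec design. Everything except the hub network 192.168.120.0/24 from the question is a constructed placeholder: the site names, the other four private networks, the public peer addresses 203.0.113.x and the hub's tunnel-side address. The policy semantics it assumes are the Linux XFRM ones RouterOS builds on: a policy installs an out-bound entry for src->dst towards sa-dst-address and a mirrored in-bound entry for dst->src from that same peer. The generator works for any number of spokes, not only the five sites in the thread.

```python
"""Hub-and-spoke IPsec policy generator and coverage check (added example)."""
from itertools import permutations

HUB = "HUB"
# Constructed topology: one hub plus four spokes, one network per site.
# Only the hub network comes from the thread; peers and other nets are made up.
SITES = {
    "HUB": {"peer": "203.0.113.1", "net": "192.168.120.0/24"},
    "OHS": {"peer": "203.0.113.2", "net": "192.168.121.0/24"},
    "LIN": {"peer": "203.0.113.3", "net": "192.168.122.0/24"},
    "SA":  {"peer": "203.0.113.4", "net": "192.168.123.0/24"},
    "SB":  {"peer": "203.0.113.5", "net": "192.168.124.0/24"},
}


def hub_policies(sites=SITES, hub=HUB):
    """(src_net, dst_net, sa_dst_peer) for every ordered pair of networks whose
    destination is not the hub's own network. Pairs ending at the hub network
    need no policy: spoke->hub traffic is the in-bound mirror of hub->spoke.
    Count: (n-1)*(n-2) spoke-to-spoke plus (n-1) hub-to-spoke = (n-1)^2."""
    return [
        (sites[x]["net"], sites[y]["net"], sites[y]["peer"])
        for x, y in permutations(sites, 2)
        if y != hub
    ]


def spoke_policies(spoke, sites=SITES, hub=HUB):
    """A spoke only ever talks to the hub peer: one policy per remote network."""
    return [
        (sites[spoke]["net"], sites[y]["net"], sites[hub]["peer"])
        for y in sites
        if y != spoke
    ]


def render_policy(policy, sa_src):
    """RouterOS /ip ipsec policy command for one (src, dst, sa_dst) tuple."""
    src, dst, sa_dst = policy
    return (f"/ip ipsec policy add src-address={src} dst-address={dst} "
            f"tunnel=yes action=encrypt sa-src-address={sa_src} sa-dst-address={sa_dst}")


def expand_sps(policies):
    """The (direction, src, dst, peer) entries the kernel matches on:
    one out-bound and one mirrored in-bound entry per configured policy."""
    sps = set()
    for src, dst, peer in policies:
        sps.add(("out", src, dst, peer))
        sps.add(("in", dst, src, peer))
    return sps


def hub_covers_all_flows(sites=SITES, hub=HUB, policies=None):
    """True if every X->Y flow hairpinned through the hub is accepted on the way
    in (from X's peer) and encrypted on the way out (towards Y's peer)."""
    sps = expand_sps(hub_policies(sites, hub) if policies is None else policies)
    for x, y in permutations(sites, 2):
        xn, yn = sites[x]["net"], sites[y]["net"]
        if x != hub and ("in", xn, yn, sites[x]["peer"]) not in sps:
            return False
        if y != hub and ("out", xn, yn, sites[y]["peer"]) not in sps:
            return False
    return True


def spoke_routes(spoke, hub_gateway, sites=SITES):
    """Route-based alternative: one tunnel interface per spoke plus one static
    route per remote network via the hub's tunnel-side address (placeholder)."""
    return [f"/ip route add dst-address={sites[y]['net']} gateway={hub_gateway}"
            for y in sites if y != spoke]


if __name__ == "__main__":
    n = len(SITES)
    hub = hub_policies()
    print(f"# hub: {len(hub)} policies, formula (n-1)^2 = {(n - 1) ** 2}")
    for p in hub:
        print(render_policy(p, SITES[HUB]["peer"]))
    print(f"# OHS: {len(spoke_policies('OHS'))} policies")
    for p in spoke_policies("OHS"):
        print(render_policy(p, SITES["OHS"]["peer"]))
    print("# route-based alternative on OHS (10.255.0.1 is a placeholder hub address)")
    for r in spoke_routes("OHS", "10.255.0.1"):
        print(r)
    print("# hub covers every hairpinned flow:", hub_covers_all_flows())
```

Two things the policy count alone does not tell you: between decryption and re-encryption a spoke-to-spoke packet crosses the hub's forward chain in clear, so the hub's filter rules must allow it, and a src-nat/masquerade rule on the hub would rewrite the source address of hairpinned traffic and break the policy match unless IPsec traffic is excluded from NAT (RouterOS has an `ipsec-policy` matcher for that). The coverage check is the useful part for the policy-only design: removing any one hub policy makes it fail, which is exactly the kind of gap that appears when policies are added by hand.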
 
dondario
just joined
Topic Author
Posts: 7
Joined: Wed Oct 02, 2019 12:00 pm

Re: IPSec Multipoint Config

Sun Apr 04, 2021 11:01 pm

... Choose your poison.
Thanks for the explanation
... L2TP on top of IPSec
What I did not write is, that I use IPSec over L2TP, because the Routers are NATed behind another router.
It seems too complicated when I switch to L2TP over IPSec over L2TP :-)
Even if it sounds interesting.

Thanks all for the information!!eleven
