rogerioqueiroz3l
just joined
Topic Author
Posts: 5
Joined: Tue May 26, 2020 2:57 am

VPN Site - Site + Road Warrior

Sat Jul 18, 2020 1:25 am

Good night.

I have had a situation for a few days now and I cannot find the solution.

I have been running several VPNs site-site without any problem, but I came across a new situation.

A customer has three offices and I made them communicate via VPN, but I need him to connect remotely to one of these points and from there he can go to the other two, without having to disconnect from one VPN to connect to another.

I've tried it via IPSEC, via EoIP, and nothing. The communication between the three works normally, but when I connect the notebook in one of these offices, I can only access the network I connected.

Apparently he doesn't find the route to the other locations.

Help me please.

10.10.0.0/16 - External Devices
10.11.0.0/16 - Office 1
10.12.0.0/16 - Office 2 (Receiving VPN Connections)

Route to 10.12.50.197 - Road Warrior -> Office 2
1 6 ms 6 ms 6 ms 10.10.50.250
2 5 ms 5 ms 5 ms 10.12.50.197

Route to 10.11.50.195 - Road Warrior -> Office 1
1 5 ms 4 ms 5 ms 10.10.50.250
2 * * * Request timed out.
 
rogerioqueiroz3l
just joined
Topic Author
Posts: 5
Joined: Tue May 26, 2020 2:57 am

Re: VPN Site - Site + Road Warrior

Mon Jul 20, 2020 5:21 am

Someone?
 
rogerioqueiroz3l
just joined
Topic Author
Posts: 5
Joined: Tue May 26, 2020 2:57 am

Re: VPN Site - Site + Road Warrior

Wed Aug 26, 2020 6:26 am

Please.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN Site - Site + Road Warrior

Wed Aug 26, 2020 7:47 am

Unsurprisingly, it seems that something is wrong with your config. When you show it or accurately describe it to someone else, maybe you'll get useful advice.

And yes, you need proper routes. If RW clients get addresses from another subnet, then everything has to have routes to it. In case your site-to-site VPNs are policy-based IPsec, their policies must include all combinations of sources and destinations that should be transferred over them.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: VPN Site - Site + Road Warrior

Wed Aug 26, 2020 8:30 am

... and that's exactly why I prefer to run GRE/EoIP through IPsec - keeping the policy as simple as possible. Internal IP traffic then goes through the normal routing process and you can even easily match interfaces for VPN traffic in the firewall instead of using the "WAN" port as with IPsec.
 
rogerioqueiroz3l
just joined
Topic Author
Posts: 5
Joined: Tue May 26, 2020 2:57 am

Re: VPN Site - Site + Road Warrior

Mon Sep 28, 2020 10:50 pm

vecernik87 wrote:
... and that's exactly why I prefer to run GRE/EoIP through IPsec - keeping the policy as simple as possible. Internal IP traffic then goes through the normal routing process and you can even easily match interfaces for VPN traffic in the firewall instead of using the "WAN" port as with IPsec.
Have you ever done that? Can you explain to me how you did it?
 
neutronlaser
Member
Posts: 445
Joined: Thu Jan 18, 2018 5:18 pm

Re: VPN Site - Site + Road Warrior

Mon Sep 28, 2020 11:06 pm

Pay for consultant.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: VPN Site - Site + Road Warrior

Tue Sep 29, 2020 3:41 am

rogerioqueiroz3l wrote:
Have you ever done that? Can you explain to me how you did it?
Of course. Otherwise I wouldn't talk about it :D

One of my current setups is following:
https://app.diagrams.net/#Uhttps%3A%2F% ... 3Ddownload
https://drive.google.com/file/d/1pqnKtG ... sp=sharing

I included only the config relevant to this EoIP/IPsec. I did not include config related to LAN or management networks, nor the IPsec config related to Site "P" (it's just ordinary config compatible with Cisco's requirements and will soon be replaced by another EoIP once I get more MikroTiks).

Notice that each site requires a bit of "preparation" - create the mesh, assign an IP and add a firewall rule to accept everything coming from the VPN.
Then, for each tunnel, there is the relevant config, which creates the IPsec peer and policy, the EoIP tunnel, a port in the mesh, a firewall rule for outgoing data and a route.

Now, two things which may be hard to understand:
Why do I run EoIP when it creates additional overhead? Well, because then my policies are simple enough to avoid accidental misconfiguration. All internal data flows through the normal routing process into EoIP or Mesh.
Why Mesh and what the heck is it? Another overpreparation. Right now, I can send data from Site "R" to "T" and it will just work because the mesh will take care of it (I already do that for management networks). If the amount of data is large enough, I will just create another tunnel directly between R-T so data does not flow through "C". In addition, I can have more redundant EoIP tunnels (e.g. backup mobile connection, direct WLAN etc.) and it will create one big L2 network.
But why mesh and not bridge? Well, bridges don't like loops. They create a spanning tree topology to prevent loops. With Mesh, loops are not an issue because the mesh runs path discovery and transfers the data along the shortest possible way.

Is it ideal? Far from it. Does it work? Oh yeah baby!

EDIT 2020-10-12 :
Alrighty, I was playing a bit more with it and I realized that the Mesh's reliability depends highly on the keep-alive function of the EoIP tunnels. That's why it worked excellently in the lab, but may not work as expected in reality. My mistake was that I was testing the fail-over by disabling EoIP interfaces. Disabling or changing the running state will trigger an instant response and that works great. However, the trouble is that the running state may not change instantly (it depends on the keep-alive settings, which by default take 10*10 seconds, and that is unacceptable) if the encryption or physical link fails.
I still believe there is something beneficial in running a simple site-to-site policy for a symmetrical virtual interface (GRE/EoIP/IPIP/WireGuard) instead of a "simple" policy for all data, because you separate tunnel and routing (which makes it less prone to mistakes). However, I will no longer claim this is a bulletproof solution or that it has instant fail-over capability. The fail-over still happens but it is not instant and there may be packet loss.
 
rogerioqueiroz3l
just joined
Topic Author
Posts: 5
Joined: Tue May 26, 2020 2:57 am

Re: VPN Site - Site + Road Warrior  [SOLVED]

Wed Nov 04, 2020 5:13 pm

I managed to make it work.

I created GRE / IPSec tunnels between the branches by placing IPs on the interfaces and creating routes between the networks.

So when Road Warriors connect via L2TP / IPSec to the head office router using the Windows client itself, they are able to access all other networks.

I had managed to do this by interconnecting the branches by L2TP / IPSec, but although the PING was good, the bandwidth was horrible, and as I was unable to resolve this issue I ended up arriving at this GRE / IPSEC solution.
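The configuration the last two posts describe (one transport-mode IPsec policy per GRE tunnel, IPs on the tunnel interfaces, plain routes for the LANs and the road-warrior subnet), as an added RouterOS example that is not config posted by anyone in this thread. It assumes Office 2 (10.12.0.0/16) is the head office terminating L2TP/IPsec, Office 1 is 10.11.0.0/16, road warriors are addressed out of 10.10.0.0/16, and the public IPs, pool range and secrets are placeholders.

```routeros
# Added example; not the thread author's or vecernik87's config.
# Hub = Office 2 (10.12.0.0/16), spoke = Office 1 (10.11.0.0/16),
# road warriors = L2TP/IPsec clients on the hub, pool inside 10.10.0.0/16.
# Public IPs (198.51.100.1 hub, 203.0.113.1 spoke), pool and secrets are
# placeholders. RouterOS v6 syntax.

# ---- Hub (Office 2) ----
/ip ipsec profile add name=s2s-prof enc-algorithm=aes-256 \
    hash-algorithm=sha256 dh-group=modp2048
/ip ipsec proposal add name=s2s-prop enc-algorithms=aes-256-cbc \
    auth-algorithms=sha256 pfs-group=modp2048
/ip ipsec peer add name=office1 address=203.0.113.1/32 \
    exchange-mode=ike2 profile=s2s-prof
/ip ipsec identity add peer=office1 auth-method=pre-shared-key \
    secret="CHANGE-ME-PSK"
# One transport-mode policy per tunnel. It matches only GRE between the
# two public IPs, so no LAN/road-warrior src-dst pair ever has to be
# enumerated in an IPsec policy (Sob's "all combinations" problem).
/ip ipsec policy add peer=office1 tunnel=no protocol=gre \
    src-address=198.51.100.1/32 dst-address=203.0.113.1/32 \
    action=encrypt level=require proposal=s2s-prop
/interface gre add name=gre-office1 local-address=198.51.100.1 \
    remote-address=203.0.113.1 keepalive=10s,3
/ip address add address=10.255.1.1/30 interface=gre-office1
# Routing, not policy, decides what crosses the tunnel.
/ip route add dst-address=10.11.0.0/16 gateway=10.255.1.2 \
    comment="Office 1 LAN via GRE"
# Road warriors: L2TP/IPsec, own pool (constructed) inside 10.10.0.0/16.
/ip pool add name=rw-pool ranges=10.10.250.2-10.10.250.254
/ppp profile add name=rw-profile local-address=10.10.250.1 \
    remote-address=rw-pool
/ppp secret add name=roadwarrior password="CHANGE-ME" service=l2tp \
    profile=rw-profile
/interface l2tp-server server set enabled=yes use-ipsec=required \
    ipsec-secret="CHANGE-ME-RW-PSK" default-profile=rw-profile
# Forward between the L2TP clients and the GRE tunnel; these must sit
# above any drop rule in the forward chain.
/ip firewall filter add chain=forward in-interface=gre-office1 \
    action=accept comment="from Office 1 via GRE"
/ip firewall filter add chain=forward out-interface=gre-office1 \
    action=accept comment="to Office 1 via GRE"

# ---- Spoke (Office 1): mirror of the IPsec/GRE part above (local and
# remote swapped, interface gre-office2), plus the return route that the
# original traceroute was missing: the road-warrior subnet must be
# reachable back through the tunnel, or hop 2 times out.
/ip address add address=10.255.1.2/30 interface=gre-office2
/ip route add dst-address=10.12.0.0/16 gateway=10.255.1.1 \
    comment="Office 2 LAN via GRE"
/ip route add dst-address=10.10.0.0/16 gateway=10.255.1.1 \
    comment="road warriors (L2TP pool on hub) via GRE"
```

If the input chain default-drops, it must also accept udp/500, udp/4500 and ipsec-esp from the peer's public IP, and GRE from the peer after decryption, otherwise the tunnel never comes up.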
 
infopid
just joined
Posts: 1
Joined: Thu Jan 26, 2023 8:14 pm

Re: VPN Site - Site + Road Warrior

Thu Jan 26, 2023 8:16 pm

I have the same problem.
Can you explain how you solved it?
