just joined
Topic Author
Posts: 8
Joined: Mon Mar 25, 2013 8:06 pm

Most efficient way to Site-2-Site IPsec with L2TP

Sun May 27, 2018 8:24 pm

Hey Guys,

I'm currently planning an IPsec installation with the following specs:

- Central VPN Concentrator (Static IP)
- 20+ Remote Mikrotik Clients (Dynamic and Static IP)
- Some peers can have both, a Static OR a Dynamic IP (Failover)
- RoadWarrior Login on the Central VPN Concentrator (Apple iOS and Windows 10)

My current idea is making L2TP tunnels to the VPN concentrator and then making policies for every network combination - but this is a bit of a pain in the ass.

Do you know any better way to achieve that all the traffic going from the client through the L2TP tunnel will be encrypted without opening the proposal too much?
Forum Guru
Posts: 5943
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Most efficient way to Site-2-Site IPsec with L2TP

Sun May 27, 2018 8:48 pm

I would only use L2TP for road warrior (laptop connection) and straight IPsec for any router to router type connections.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: Most efficient way to Site-2-Site IPsec with L2TP

Sun May 27, 2018 9:07 pm

I feel that something is missing in the picture at my side or at yours.

First, if you use L2TP over IPsec, you can forget about policies, as they only handle the L2TP transport packets and the ROS creates them automatically. Using ppp profiles and l2tp server bindings, you can configure fixed private IPs and fixed interface names for the local ends of the tunnels to remote sites, so you'll use usual routing. So you "only" need to deal with the fact that at least the native Win10 client sends everything via the L2TP once it establishes it, which may not be what you want, and that it doesn't re-establish the connection fast enough when it expires (this may have changed in the past weeks).

Second, what do you mean by "too open proposal"? Do you intend to keep proposals as strict as possible per client type, so you are looking for a way to have several local peers with different Phase 2 proposals, all open to unknown-in-advance remote peers, on a single public IP address?

Third, if you plan several road warriors to ever connect from behind the same public address, check this.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
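Added example (not posted by anyone in this thread): a minimal RouterOS configuration of the approach the reply above describes, i.e. L2TP over IPsec where RouterOS generates the transport-mode policies itself, a ppp secret pins each site's tunnel address, a static l2tp-server binding gives the tunnel a fixed interface name, and ordinary routes point the remote LANs at that interface instead of one IPsec policy per subnet pair. Every address, name, profile and secret below is an assumed placeholder (the public IP is written as my.public.ip.1 in the style of the signature above), and the subnets are invented for illustration; adapt them to your own addressing.

```routeros
# --- VPN concentrator (static public IP, placeholder my.public.ip.1) ---
# Assumed addressing (placeholders): tunnel endpoints from 10.255.0.0/24,
# concentrator LAN 192.168.0.0/24, remote site A LAN 192.168.10.0/24.

# L2TP server. use-ipsec=required drops L2TP that does not arrive inside
# IPsec; RouterOS creates the IPsec peer and the transport-mode policy for
# UDP/1701 dynamically, so no per-subnet policy is written by hand.
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="CHANGE-ME-PSK" \
    default-profile=l2tp-sites authentication=mschap2

# One profile shared by all site-to-site tunnels
/ppp profile
add name=l2tp-sites local-address=10.255.0.1

# One secret per remote site; remote-address fixes that site's tunnel IP
/ppp secret
add name=site-a password="CHANGE-ME-site-a" service=l2tp \
    profile=l2tp-sites remote-address=10.255.0.2

# Static binding: the interface for user site-a always carries this name,
# so routes and firewall rules can reference it even while the tunnel is down
/interface l2tp-server
add name=l2tp-site-a user=site-a

# Plain routing to the remote LAN through the bound interface
/ip route
add dst-address=192.168.10.0/24 gateway=l2tp-site-a

# Let IKE, NAT-T, ESP and (decrypted) L2TP reach the concentrator itself
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500,1701 action=accept \
    comment="IKE, NAT-T, L2TP"
add chain=input protocol=ipsec-esp action=accept comment="ESP"

# --- Remote site A (dynamic or static public IP, behaviour is the same) ---
# The client brings up IPsec first, then L2TP inside it. add-default-route=no
# keeps only the explicitly routed subnet in the tunnel.
/interface l2tp-client
add name=l2tp-hq connect-to=my.public.ip.1 user=site-a \
    password="CHANGE-ME-site-a" use-ipsec=yes ipsec-secret="CHANGE-ME-PSK" \
    allow=mschap2 add-default-route=no disabled=no

/ip route
add dst-address=192.168.0.0/24 gateway=l2tp-hq
```

Adding a second site means one more ppp secret, one more static binding and one more route on the concentrator; the IPsec side stays untouched. After the tunnel is up, /ip ipsec installed-sa and /ip ipsec policy print should show only the dynamically created UDP/1701 transport policy for that peer, which is what confirms the encryption covers all traffic carried in the L2TP tunnel.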
