VPN
glmonarch, 2015-11-30 18:03:04

IPSec or L2TP IPSec?

Good evening everyone! Colleagues, when is it necessary to use the L2TP/IPsec combination to build a tunnel, and when is IPsec alone sufficient?
For example, which is better to use when you need to connect two offices (MikroTik on both sides), and why?


1 answer(s)
Nikita Sizov, 2015-12-03
@glmonarch

If you have only two offices and only one provider in each, you can use IPsec in tunnel mode.
But I would build a GRE tunnel and wrap its traffic in IPsec. Bonuses: transparent routing in one table (no need to look into policies), the ability to add dynamic routing, the ability to build a fault-tolerant structure.
For example, if you have two providers in one of your offices, you will have two tunnels. If one of the providers fails, the dynamic routing protocol will direct the traffic to the backup tunnel. As a result, you will have a fault-tolerant link between offices with almost imperceptible failover.
With pure IPsec tunnels this is not easy, if at all possible.
And if you have three offices, this is simply a must-have :)
Here is an example config.
--- create GRE tunnel
/interface gre
add !keepalive local-address=***router 1 WAN IP*** name=gre1 remote-address=***router 2 WAN IP***
--- and ip-address to it
/ip address
add address=10.10.10.1/30 interface=gre1 network=10.10.10.0/30
--- (IKE negotiation here is set up with certificates; you may use a pre-shared key instead, everyone chooses that for themselves; the main thing is that it is the same on both sides)
/ip ipsec peer
add address=***router 2 WAN IP***/32 auth-method=rsa-signature certificate=cert-vpn dh-group=modp768 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-256 \
local-address=***router 1 WAN IP*** nat-traversal=no passive=yes remote-certificate=cert-endpoint
--- GRE traffic encryption policy from us to remote office
/ip ipsec policy
set 0 disabled=yes
add dst-address=***router 2 WAN IP***/32 level=unique proposal=***your encryption policy*** protocol=gre sa-dst-address=***router 2 WAN IP*** sa-src-address=***router 1 WAN IP*** src-address=\
***router 1 WAN IP***/32
--- and add a static route to the remote network
/ip route add distance=1 dst-address=***second office subnet*** gateway=10.10.10.2
--- You may also need to make a firewall rule to exchange GRE traffic between offices:
/ip firewall filter
add chain=input comment="GRE from other office" dst-address=***router 1 WAN IP*** src-address=***router 2 WAN IP*** protocol=gre
--- router 2 (mirror of the above)
/interface gre
add !keepalive local-address=***router 2 WAN IP*** name=gre1 remote-address=***router 1 WAN IP***
/ip address
add address=10.10.10.2/30 interface=gre1 network=10.10.10.0/30
/ip ipsec peer
add address=***router 1 WAN IP***/32 auth-method=rsa-signature certificate=cert-vpn dh-group=modp768 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-256 \
local-address=***router 2 WAN IP*** nat-traversal=no passive=yes remote-certificate=cert-endpoint
/ip ipsec policy
set 0 disabled=yes
add dst-address=***router 1 WAN IP***/32 level=unique proposal=***your encryption policy*** protocol=gre sa-dst-address=***router 1 WAN IP*** sa-src-address=***router 2 WAN IP*** src-address=\
***router 2 WAN IP***/32
/ip route add distance=1 dst-address=***first office subnet*** gateway=10.10.10.1
/ip firewall filter
add chain=input comment="GRE from other office" dst-address=***router 2 WAN IP*** src-address=***router 1 WAN IP*** protocol=gre
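Added example, not part of the answer above and not MikroTik code: a small Python consistency check for a GRE-over-IPsec pair in the shape the answer shows. It parses two RouterOS-style snippets and verifies that the sides mirror each other (GRE endpoints swapped, each peer's address equal to the other's local-address, certificates cross-referenced, same cipher and DH group, and a policy that actually selects protocol=gre). The addresses 198.51.100.1 and 203.0.113.1 and the certificate names are constructed placeholders standing in for the *** values, and the check assumes one `add` entry per section.

```python
import shlex

# Constructed sample pair (not from the page) with TEST-NET addresses
# in place of the answer's *** placeholders.
ROUTER1 = r"""
/interface gre
add !keepalive local-address=198.51.100.1 name=gre1 remote-address=203.0.113.1
/ip ipsec peer
add address=203.0.113.1/32 auth-method=rsa-signature certificate=cert-vpn dh-group=modp2048 \
enc-algorithm=aes-256 local-address=198.51.100.1 remote-certificate=cert-endpoint
/ip ipsec policy
add dst-address=203.0.113.1/32 protocol=gre sa-dst-address=203.0.113.1 sa-src-address=198.51.100.1
"""
ROUTER2 = r"""
/interface gre
add !keepalive local-address=203.0.113.1 name=gre1 remote-address=198.51.100.1
/ip ipsec peer
add address=198.51.100.1/32 auth-method=rsa-signature certificate=cert-endpoint dh-group=modp2048 \
enc-algorithm=aes-256 local-address=203.0.113.1 remote-certificate=cert-vpn
/ip ipsec policy
add dst-address=198.51.100.1/32 protocol=gre sa-dst-address=198.51.100.1 sa-src-address=203.0.113.1
"""

def parse(text):
    # Map each /section to its first "add" line as a key=value dict; a trailing
    # backslash continues a line, flags like !keepalive (no "=") are ignored.
    cfg, section = {}, None
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section not in cfg:
            cfg[section] = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
    return cfg

def mirror_errors(a_text, b_text):
    # Return the list of mismatches between the two sides; empty means consistent.
    a, b = parse(a_text), parse(b_text)
    ga, gb, pa, pb = a["/interface gre"], b["/interface gre"], a["/ip ipsec peer"], b["/ip ipsec peer"]
    errs = []
    if (ga["local-address"], ga["remote-address"]) != (gb["remote-address"], gb["local-address"]):
        errs.append("GRE endpoints are not mirrored")
    if pa["address"].split("/")[0] != pb["local-address"] or pb["address"].split("/")[0] != pa["local-address"]:
        errs.append("IPsec peer address does not match the other side's local-address")
    if pa["certificate"] != pb["remote-certificate"] or pb["certificate"] != pa["remote-certificate"]:
        errs.append("certificate and remote-certificate are not cross-referenced")
    errs += [f"{k} differs between sides" for k in ("enc-algorithm", "dh-group") if pa.get(k) != pb.get(k)]
    for side, pol in (("router 1", a["/ip ipsec policy"]), ("router 2", b["/ip ipsec policy"])):
        if pol.get("protocol") != "gre":
            errs.append(f"{side}: policy does not select protocol=gre, so GRE would go out unencrypted")
    return errs
```

Run `mirror_errors(ROUTER1, ROUTER2)` on a freshly exported pair before bringing a link up; an empty list means the two sides agree, and each string names the mismatch to fix.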
