fotonboxx, 2014-03-12 21:58:07
VPN

Mikrotik\RouterOS, VPN tunnel between two offices, each with two links - how to set it up?

Good afternoon!
There is an office with two redundant ISP uplinks (1 and 2) and a warehouse in the same situation (ISP 3 and 4).
Tunnel type - L2TP.
Redundancy - check-gateway=ping to the ISP gateway.
After configuration (thanks to dannyzubarev), the router replies on the same interface the request came in on:

/ip firewall mangle
# remember which WAN a new inbound connection arrived on
add chain=input in-interface=wan1-out action=mark-connection new-connection-mark=wan1
add chain=input in-interface=wan2-out action=mark-connection new-connection-mark=wan2
# send replies belonging to that connection back out through the same WAN
add chain=output connection-mark=wan1 action=mark-routing new-routing-mark=wan1
add chain=output connection-mark=wan2 action=mark-routing new-routing-mark=wan2
/ip route
# per-mark default routes, one per uplink
add dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-mark=wan1
add dst-address=0.0.0.0/0 gateway=10.0.0.2 routing-mark=wan2

I.e. from outside, via winbox and ping, both links, main and backup, are reachable.
The office acts as the L2TP server.
A VPN tunnel from the warehouse should connect to it via whichever link is currently active at the warehouse.
I.e. two tunnels must be up simultaneously, one to ISP 1 and the second to ISP 2, and static routes to the internal networks of the office and warehouse with different distances are already configured on the routers.
Problem:
When there is only one tunnel (to ISP 1 or 2, it doesn't matter) everything is fine. As soon as I enable the second one (secrets, routes, tunnel IPs are all different), the first one drops, tries to reconnect, but immediately goes down again. The second one doesn't come up at all.
How to fix it?
[attached image: vpn.jpg]


8 answer(s)
Dmitry Tallmange, 2014-03-13
@p00h

You will not be able to bring up two tunnels of the same type between two devices. As far as I understand, you are trying to bring up two L2TP tunnels; you need to replace one with something else: ovpn, pptp...
If your goal is link aggregation, then there are many ways to do this, but the most correct, in my opinion, is to bring up two VPLS over your VPN, which can provide bridges between the office and the warehouse, and in turn combine them into bonding. Here is the simplest example.

nimbo, 2014-03-13
@nimbo

And why two tunnels when one is possible, via whichever link is currently active? 0_o
Have you tried simply setting distance on 0.0.0.0/0: isp1=1, isp2=2? I ask because I don't see how exactly you get the Internet: PPPoE, plain static on eth, grey IP, etc.

Maxim Chilikin, 2014-04-01
@AntiHelper

At the last MUM, a similar situation was analysed. I think the linked approach is a more elegant solution.
I myself use Mikrotik in almost 20 offices, some of them with two channels.
If you have only a couple of offices, then don't read further than the first chapter; with more, be sure to use OSPF.
mum.mikrotik.com/presentations/RU14/cudin.pdf

Maxim Chilikin, 2014-04-02
@AntiHelper

In Mikrotik there is such a thing as "Torch". During connection setup, look at which ISP the outgoing traffic leaves from and which one receives the incoming traffic.
In the L2TP client, as far as I remember (I'm sitting on my wife's Macbook, so I have nowhere to check right now), there is no concept of "Local IP"; because of this, both connections are established through the default route (if they have the same metric, then from the less loaded ISP).
If my assumption is confirmed, then try GRE/IP Tunnel/EoIP tunnels. In general, do OSPF over GRE/IP Tunnel, put IPsec on top and don't worry; it works stably, there are built-in link status checks, and the more devices, the more stability. If you need advice on dynamic routing, I can help via Skype/TeamViewer for free.

Maxim Chilikin, 2014-04-03
@AntiHelper

[attached screenshot: d1fef37f888c4a93b531a3b43fcdb6ed.png]
Demonstration in the screenshot. There should be two IPs: 1 - from which IP to establish the connection, 2 - from which IP to expect the incoming connection (peer-to-peer connection, network-to-network connection).
GRE / IP Tunnel / EoIP are simply other types of tunnels with their own pros and cons; I personally use them because they are more manageable and it is easy to do dynamic routing over them. These are connections between equal participants, where each side is both client and server.
habrahabr.ru/post/170895
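The GRE + IPsec + OSPF layout recommended in the two posts above, written out as an added RouterOS v6 example for the warehouse side (this is not configuration from the thread or from the linked presentation). All addresses are placeholders: 198.51.100.2 and 192.0.2.2 stand for the warehouse's public IPs on ISP 3 and ISP 4, 203.0.113.10 and 203.0.113.20 for the office's public IPs on ISP 1 and ISP 2, 10.0.0.1 and 10.0.0.2 are the gateway addresses from the question, and 192.168.20.0/24 is an assumed warehouse LAN. The interface names, transit subnets and OSPF timers are likewise assumptions.

```routeros
# Added example (not from the thread): warehouse-side config for
# "OSPF over GRE with IPsec on top". Placeholders as described in the lead-in.

# Reach each office endpoint through its own uplink, independently of which
# default route currently wins (this replaces the "Local IP" the L2TP client lacks)
/ip route
add dst-address=203.0.113.10/32 gateway=10.0.0.1 comment="office ISP1 endpoint via ISP3"
add dst-address=203.0.113.20/32 gateway=10.0.0.2 comment="office ISP2 endpoint via ISP4"

# One GRE tunnel per ISP pair; local-address fixes the source address,
# ipsec-secret creates a dynamic IPsec peer and policy that encrypts the GRE traffic
/interface gre
add name=gre-isp1 local-address=198.51.100.2 remote-address=203.0.113.10 ipsec-secret=CHANGE_ME_1
add name=gre-isp2 local-address=192.0.2.2 remote-address=203.0.113.20 ipsec-secret=CHANGE_ME_2

# Point-to-point transit subnets inside the tunnels (office side gets .1)
/ip address
add address=172.16.1.2/30 interface=gre-isp1
add address=172.16.2.2/30 interface=gre-isp2

# OSPF: lower cost on the primary tunnel. If the primary tunnel stops passing
# hellos, the neighbour times out after dead-interval and the route via the
# second tunnel takes over without any script.
/routing ospf instance
set [ find default=yes ] router-id=172.16.1.2
/routing ospf interface
add interface=gre-isp1 network-type=point-to-point cost=10 hello-interval=5s dead-interval=20s
add interface=gre-isp2 network-type=point-to-point cost=20 hello-interval=5s dead-interval=20s
/routing ospf network
add network=172.16.1.0/30 area=backbone
add network=172.16.2.0/30 area=backbone
add network=192.168.20.0/24 area=backbone
```

The office router mirrors this with the local/remote addresses swapped, .1 on each transit subnet and its own LAN in the last `network` line. Both routers also need the firewall to accept GRE (protocol 47), ESP and UDP/500 from the peer's public addresses on the WAN interfaces; nothing on the page states those rules, so they are left out here.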

Kirill 1, 2014-05-13
@SmileyK

And back to the subject: if I set up a scheme like this, then I get a disconnect every 3 minutes when DNS updates, right?

Pavel, 2014-05-14
@Uttar

I have the same situation.
Central office - two channels; the branch points have 1 or 2 channels.
On the central Mikrotik the L2TP server is up, and at the points, accordingly, the clients.
It is necessary that if the main channel in the office fails, the VPN reconnects to the backup channel.
I set up a script that checks the availability of the main channel and, when it goes down, disables one l2tp-client interface and enables another one (whose Connect To is set to the central office's backup Internet address). It all works. But when trying to initialise the VPN, it complains "old tunnel is not closed yet" and does not want to connect at all. Removing it from active connections and from Connections in Firewall does not help. As soon as I switch it back, everything works fine.
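The script-driven failover described in the post above, written out as an added RouterOS v6 example (it is not the poster's script, which is not shown on the page). It assumes the warehouse side: two l2tp-client interfaces named vpn-main and vpn-backup, whose connect-to addresses 203.0.113.10 and 198.51.100.10 are placeholders for the office's ISP 1 and ISP 2 addresses, and the main ISP gateway 10.0.0.1 from the question as the reachability probe. The 10 s pause before enabling the other client is an assumption made so that the server has time to tear down the previous session; it does not claim to cure the "old tunnel is not closed yet" message the poster reports.

```routeros
# Added example (not from the thread): single-tunnel failover driven by a
# scheduled script. Placeholders as described in the lead-in.

# Only one client is enabled at a time; the check-gateway default routes from
# the question decide which uplink the dial actually leaves through
/interface l2tp-client
add name=vpn-main connect-to=203.0.113.10 user=warehouse password=CHANGE_ME disabled=no
add name=vpn-backup connect-to=198.51.100.10 user=warehouse password=CHANGE_ME disabled=yes

/system script
add name=vpn-failover source={
    :local mainGw "10.0.0.1"
    # /ping returns the number of replies received
    :local replies [/ping $mainGw count=3 interval=1s]
    :local mainEnabled (![/interface l2tp-client get [find name="vpn-main"] disabled])

    # act only on a state change, so a healthy setup is never toggled
    :if ($replies = 0 && $mainEnabled) do={
        :log warning "vpn-failover: main uplink down, switching to vpn-backup"
        /interface l2tp-client disable vpn-main
        # give the server time to close the old session before the new one dials
        :delay 10s
        /interface l2tp-client enable vpn-backup
    }
    :if ($replies > 0 && !$mainEnabled) do={
        :log info "vpn-failover: main uplink back, switching to vpn-main"
        /interface l2tp-client disable vpn-backup
        :delay 10s
        /interface l2tp-client enable vpn-main
    }
}

# probe every 30 s; the log lines above make the switch-overs visible in /log
/system scheduler
add name=vpn-failover interval=30s on-event=vpn-failover
```

Because the static routes through the tunnel interfaces (mentioned in the question) become inactive as soon as their interface is disabled, the route with the higher distance takes over automatically once the other client connects; the script itself never touches the routing table.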

Wolf KTL, 2014-06-20
@Wolf_ktl

Solution in my post mikrotik.ru/forum/viewtopic.php?f=1&t=5034&p=26331...
