Which bundle on MIKROTIK is best for connecting branches via the Internet to the main white IP?

Kenny002019-04-26 12:25:51

openvpn

Kenny00, 2019-04-26 12:25:51

Good afternoon!
There are 4 branches (5 more are planned), without external IP , and I don’t think it is necessary. Since the backup channels for different providers and technologies. Mainly LTE.
And there is HQ with white IP . Routers (all Mikrotiks) already have hardware encryption in them, speed is not important there.
What is the best technology to use to connect the networks of these branches and HQ? It is necessary to encrypt the traffic, since personal data will go through these tunnels. (Order of the FSB of Russia...) (they go like Plain-text, old software)
Someone makes L2TP + IPSec, someone simply takes Mikrotik's OpenVPN, or PPTP + IPSec a lot of opinions, articles.
Which one did you use and why?
Here is HERE for example in the form of a table.

Answer the question

In order to leave comments, you need to log in

7 answer(s)

Valentin, 2019-04-26
@vvpoloskin

I have used different options. PPTP/IPSec uses TCP for transport, L2TP uses UDP. This means that L2TP will be more productive in terms of speed (especially on SIM cards), but less reliable in terms of information loss. OpenVPN and SSTP are not available in all devices.
For your case, I would use L2TP, but if the data inside is transmitted without delivery confirmation and the speed is really not important, you can switch to TCP.
And another moment. Since you are transferring personal data, I would recommend making sure that in your case you do not need certified crypto devices aka vipnet/continent

Ronald McDonald, 2019-04-26
@Zoominger

I configured GRE + IPSec branches.
You'll have to struggle, but it's worth it.
In your case, it’s also not bad, since there are few branches and it won’t load much. Dynamic IP at branches is also not a problem.

Keffer, 2019-04-26
@Keffer

If there is a white ip in HQ , then it will have a microtic server, the rest, those with LTE, will be clients, first PPTP \ L2TP tunnels are established from clients to the server, and encrypted EoIP \ Ipsec is installed on them as necessary. Routing is also prescribed as needed. Everything is extremely simple. Moreover, a PPTP connection is best suited where mobile opsos cut UDP traffic. No need to reinvent the wheel, everything has been done, tested and tested a long time ago.

Dmitry Shitskov, 2019-04-26
@Zarom

GRE+IPSec.
Why:
GRE is configured first, routes and work is checked. Then you can already raise IPSec. This separates possible routing and encryption settings issues.
It is also the most universal way, compatible with most equipment from various vendors.
Not OpenVPN - Mikrotiki support it for show, they buried the development of this protocol.

CityCat4, 2019-04-26
@CityCat4

IPSec.
Mikrotik with Mikrotik fit with a bang. Mikrotik with linux - no problem at all. The roadwarrior mode is turned on and forward, IP doesn’t care if it’s according to certificates.

Vladimir Zhurkin, 2019-05-18
@icCE

Kenny00
We use a link with ipip where there is ip, where there is none l2tp.
With a budget, all this can be made fault-tolerant up to certain aisles.
That would not be one point of failure.
Somewhere there were speed tests through different vpn options, but the truth is on old firmware. Again, if there is a need for speed.

nApoBo3, 2019-05-01
@nApoBo3

ipip and ipsec