Page 1 of 1

VERY redundand VPN with remote offices. Need some help

Posted: Tue Jun 28, 2016 11:41 am
by EvgenyM
Hello!
I'm pretty new in Mikrotik, I've been working with it for 3 months or so. And right now I have a task to create a redundant configuration for remote offices. We have a software that need to have constant connection to central server in our central office. Maximum downtime is few minutes.
In every office we plan to install Mikrotik 2011 with 2 ISPs:
1 ISP with broadband connection and static white IP
2 ISP a USB 3G modem with grey or white (optional) IP

In our central office we have another Mikrotik router, which is a VPN-server, it also have 2 ISPs, both broadband with white IP's.

I need to create a configuration, in which a PPTP tunnel from remote office will be connected always, even if 1 ISP will be down in remote office or in central office.
Here is some sort of simplified scheme of that.
Image
I had some ideas to achieve that with CheckGateway, but thats not and option, sunce the gateway can be accessible, but ISP can have problems on their line or something like that. I think the right way is to ping central office IPs from remote offices and decide via script which route to use. I also need to send all traffic through VPN, not just local.

Can you suggest a way to solve this issue? I googled a lot, but in most cases 2 ISP failover is done without VPN, and having VPN is more complicated.

Re: VERY redundand VPN with remote offices. Need some help

Posted: Tue Jun 28, 2016 1:29 pm
by pe1chl
When you use a suitable type of VPN, e.g. L2TP over IPsec or IP tunnel interface over IPsec,
which has a dedicated interface for the tunnel, you can check the availability of that interface
as it will go down when something along the path is down.

Re: VERY redundand VPN with remote offices. Need some help

Posted: Tue Jun 28, 2016 1:50 pm
by EvgenyM
When you use a suitable type of VPN, e.g. L2TP over IPsec or IP tunnel interface over IPsec,
which has a dedicated interface for the tunnel, you can check the availability of that interface
as it will go down when something along the path is down.
Hello!
Well, I understand that, my question is about an optimal way to switch between different ISP's and routes and returning to normal state after working on second ISP.

Re: VERY redundand VPN with remote offices. Need some help

Posted: Tue Jun 28, 2016 1:59 pm
by cdiedrich
I have an almost identical setup running.

Create two pptp accounts on each side with dedicated transport networks.
From remote office, connect to both white IPs in the central office.
From the central office, connect to both IPs in the remote office.

Add ECMP routes for the remote networks like

/ip route
add distance=10 dst-address=<remote network> gateway=pptp-server-binding1, pptp-server-binding2, pptp-client1, pptp-client2
Since I switched our intersite-routing to this concept in the beginning of this year, we haven't had a single second of unscheduled downtime.
As a side note: It is wise to make sure your ISPs are peering different Tier1-carriers for the remote WAN IPs. We chose our ISPs that way that one tunnel is going through Level3 and the other through Cogent. So even a major problem on the way will not break communication.

-Chris

Re: VERY redundand VPN with remote offices. Need some help

Posted: Tue Jun 28, 2016 2:09 pm
by EvgenyM
I have an almost identical setup running.

Create two pptp accounts on each side with dedicated transport networks.
From remote office, connect to both white IPs in the central office.
From the central office, connect to both IPs in the remote office.

Add ECMP routes for the remote networks like

/ip route
add distance=10 dst-address=<remote network> gateway=pptp-server-binding1, pptp-server-binding2, pptp-client1, pptp-client2
Since I switched our intersite-routing to this concept in the beginning of this year, we haven't had a single second of unscheduled downtime.
As a side note: It is wise to make sure your ISPs are peering different Tier1-carriers for the remote WAN IPs. We chose our ISPs that way that one tunnel is going through Level3 and the other through Cogent. So even a major problem on the way will not break communication.

-Chris
Thanks for the hint!
Do I understand correctly, that there are total 4 VPN tunnels for each remote office in your scenerio?
And how do you select which tunnel to use? In my case the second ISP can be 3G, which is slow and cost a lot, so it shouldn't be used always (in your script the distance is always 10)

P.S. Forgot to mention, that we have almost 100 remote offices.

Re: VERY redundand VPN with remote offices. Need some help

Posted: Tue Jun 28, 2016 2:13 pm
by cdiedrich
Yes, four tunnels.
Well, ECMP routes (Equal Cost, Multiple Paths) always utilize all the routes simultaneously.
In the 3G case, I'd suggest a route with distance=10 for the wired tunnels and an additional route with distance=20 for the 3G tunnels.

With so many remote sites, spending some thoughts on OSPF shoulld be considered.
-Chris

Re: VERY redundand VPN with remote offices. Need some help

Posted: Tue Jun 28, 2016 2:21 pm
by EvgenyM
Yes, four tunnels.
Well, ECMP routes (Equal Cost, Multiple Paths) always utilize all the routes simultaneously.
In the 3G case, I'd suggest a route with distance=10 for the wired tunnels and an additional route with distance=20 for the 3G tunnels.

With so many remote sites, spending some thoughts on OSPF shoulld be considered.
-Chris
Thanks! I will consider it.

Re: VERY redundand VPN with remote offices. Need some help

Posted: Tue Jun 28, 2016 2:32 pm
by pe1chl
When you use a suitable type of VPN, e.g. L2TP over IPsec or IP tunnel interface over IPsec,
which has a dedicated interface for the tunnel, you can check the availability of that interface
as it will go down when something along the path is down.
Hello!
Well, I understand that, my question is about an optimal way to switch between different ISP's and routes and returning to normal state after working on second ISP.
Set static routes with a different distance over these two VPN interfaces.
Or as already recommended, use an automatic routing protocol like OSPF or BGP.
Just put a /30 on the VPN tunnel and route the traffic for the subnets over that.