fedor47271
just joined
Topic Author
Posts: 24
Joined: Thu Nov 02, 2017 11:52 am

Choosing VPN

Sun Sep 30, 2018 10:37 am

Hi, guys. Need some help.

There are two offices. In the first office I have a MikroTik RB3011 and I deployed a VPN server on it. The other office is a co-working office in a business center, where our company leases a room for a few employees.
I have a task: give those employees in the other office a static public IP, because our CRM and VoIP providers work only with whitelisted IP addresses.

When I tried it the first time (I tried pptp+gre and l2tp+ipsec on my RB3011 in the first office), I had some problems with a slow connection (even loading web pages was very slow). Alternatively, I tried a public VPN provider like CyberGhost, but our IP telephony didn't work with this service.

Can you advise me something regarding this? Buying a static IP from the ISP of the business center is not suitable.
 
sindy
Forum Guru
Posts: 11301
Joined: Mon Dec 04, 2017 9:19 pm

Re: Choosing VPN

Sun Sep 30, 2018 6:13 pm

First, does your router in the leased office get a public address from the ISP but that address is changing now and then, or does it get a private address and is NATed somewhere in their network?

Second, do you need encryption or it is not required because the only issue to resolve is the private/changing outside address and there is no other traffic between the HQ and the leased office than the one which you'd happily let go to the internet directly if it wasn't for the private/changing address?

As you mention VoIP, IPsec is the only "real" VPN which it makes sense to use, alone or with any kind of tunnel atop it (or inside it, it depends on perspective), because it is the only one of all those supported on Mikrotik which does not use TCP as transport (leaving PPTP aside as it is not secure any more) and can handle NAT. But if you don't need encryption, it can be switched off on IPsec, thus lowering the resource consumption; I would still not give up authentication which makes PPTP and plain tunnels out of the game even if they could support NAT traversal or if you wouldn't need it.

Regarding the speed, you haven't written what is the router model you use in the leased office, and you haven't written where the service is slow - only in the leased office or it slows down also in the HQ office while the leased office uses its VPN connection?

RB3011 has recently obtained support for hardware acceleration of IPsec, and you may configure the router in the leased office to use the VPN connection only for access to the VoIP and CRM servers and keep the other traffic on the regular WAN.

If your router in the leased office gets a private IP address from the ISP and is thus placed behind a NAT, you'll have to use the tunnel mode of IPsec, so using yet another tunnel atop IPsec means even more overhead spent (less of the packet size available for the actual payload). So you have to decide how important that is for you - to use plain IPsec, you'll have to understand the different-from-anything-else way of routing using IPsec traffic selectors (policies) and the necessary modifications of firewall allowing the traffic selectors to work, whereas setting up a tunnel inside a tunnel just means some extra bytes spent on it in every single packet but you can use "normal" interfaces and "normal" routing.
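
The overhead trade-off described in the reply above, worked through as an added example (not part of the original posts). It compares plain IPsec tunnel mode with an IPIP or GRE tunnel carried inside it; the cipher suite (AES-CBC with HMAC-SHA1-96), IPv4, NAT-T encapsulation and the 200-byte VoIP packet are assumptions chosen for illustration.

```python
# Added example: per-packet cost of plain IPsec vs. a tunnel inside IPsec.
# Assumed (not from the thread): IPv4, ESP tunnel mode with NAT-T (UDP 4500),
# AES-CBC (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV).
OUTER_IP = 20     # outer IPv4 header
NATT_UDP = 8      # UDP header added by NAT traversal
ESP_HDR = 8       # SPI + sequence number
IV = 16           # AES-CBC initialisation vector
BLOCK = 16        # cipher block size the plaintext is padded to
ICV = 12          # truncated HMAC-SHA1 integrity value
ESP_TRAILER = 2   # pad-length byte + next-header byte
# Extra bytes when another tunnel is run inside IPsec: an additional IPv4
# header, plus 4 bytes of basic GRE header for GRE.
INNER_TUNNEL = {"none": 0, "ipip": 20, "gre": 24}


def esp_size(inner_len, tunnel="none"):
    """On-the-wire size of one inner IP packet after encapsulation."""
    plaintext = inner_len + INNER_TUNNEL[tunnel] + ESP_TRAILER
    padded = -(-plaintext // BLOCK) * BLOCK  # round up to a whole block
    return OUTER_IP + NATT_UDP + ESP_HDR + IV + padded + ICV


def max_inner(link_mtu=1500, tunnel="none"):
    """Largest inner IP packet that still fits the link MTU unfragmented."""
    size = link_mtu
    while esp_size(size, tunnel) > link_mtu:
        size -= 1
    return size


def report(inner_len):
    """Rows of (tunnel, wire size, overhead, max inner packet at MTU 1500)."""
    rows = []
    for tunnel in INNER_TUNNEL:
        wire = esp_size(inner_len, tunnel)
        rows.append((tunnel, wire, wire - inner_len, max_inner(tunnel=tunnel)))
    return rows


if __name__ == "__main__":
    # Constructed sample: one 20 ms G.711 RTP packet
    # = 160 bytes audio + 12 RTP + 8 UDP + 20 IP = 200 bytes.
    for tunnel, wire, overhead, mtu in report(200):
        print(f"{tunnel:>4}: {wire} B on wire, +{overhead} B overhead, "
              f"max inner packet {mtu} B")
```

For small VoIP packets the relative cost is what matters: under these assumptions the same 200-byte packet grows by 72 bytes with plain IPsec and by 104 bytes when GRE is added inside it.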