Site-to-Site and Client VPN Servers
Posted: Sun Jun 12, 2022 8:09 pm
by ahmet82
Hello,
I want to set up a site-to-site VPN between two routers. I also want these two routers to host client-to-site VPN servers independently so that external laptops etc. can connect to the network. Is this possible? Will there be collisions with the ports, because they are expecting incoming VPN clients and also trying to connect to other routers with the same ports? I'm assuming I will need to use L2TP for both.
Re: Site-to-Site and Client VPN Servers
Posted: Sun Jun 12, 2022 8:33 pm
by sindy
In general, a site-to-site VPN can be set up using the same ports as the client-to-site one, as the router acting as a client in the site-to-site VPN will be distinguished from the "ordinary" clients by username and will get its own individual profile. The only limitation is that if you do that, the allowed encryption and authentication algorithms will have to be the same for all clients, including the other routers, unless the public IPs of the other routers are static.
There's an intrinsic issue with L2TP/IPsec if multiple Windows or Android clients connect from behind the same NAT. The workaround is complicated, so you may want to reconsider your choice. IKEv2 can handle multiple client connections from behind the same NAT, but unless you have User Manager on RouterOS 7 or some other RADIUS server, the embedded VPN client on Windows only supports certificate-based authentication. With User Manager, it can also work with username & password.
Re: Site-to-Site and Client VPN Servers
Posted: Tue Jun 14, 2022 7:03 am
by kevinds
Hello,
I want to set up a site-to-site VPN between two routers. I also want these two routers to host client-to-site VPN servers independently so that external laptops etc. can connect to the network. Is this possible? Will there be collisions with the ports, because they are expecting incoming VPN clients and also trying to connect to other routers with the same ports? I'm assuming I will need to use L2TP for both.
Yes it is possible.
No, there will not be port collisions (?). Another router connecting or a laptop connecting is the same process. An outgoing connection is also separate from an incoming connection.
You can use L2TP for both, but you don't need to.
The only issue that may happen is that RouterOS doesn't like multiple VPN connections from the same IP address: two employees both using their laptops from the same coffee shop's free WiFi, for example.
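To make the setup sindy and kevinds describe concrete, here is a RouterOS configuration in which one L2TP/IPsec server on Router A serves both the site-to-site peer (Router B) and road-warrior laptops on the same UDP 500/4500/1701, with Router B told apart only by its PPP username and given its own profile and static tunnel address. This is an added example and not configuration posted by anyone in the thread; the router roles, the addresses 203.0.113.1, 192.168.1.0/24, 192.168.2.0/24 and 10.255.0.0/24, the usernames, and every "CHANGE-ME" value are assumptions to be replaced.

```routeros
# ===== Router A (hub): public IP 203.0.113.1, LAN 192.168.1.0/24 (assumed) =====

# Address pool for road-warrior laptops
/ip pool add name=vpn-pool ranges=10.255.0.10-10.255.0.99

# Profile for laptops: dynamic tunnel address from the pool
/ppp profile add name=roadwarrior local-address=10.255.0.1 remote-address=vpn-pool \
    use-encryption=yes change-tcp-mss=yes

# Profile for the site-to-site peer: fixed tunnel address, so routes stay stable
/ppp profile add name=site2site local-address=10.255.0.1 remote-address=10.255.0.2 \
    use-encryption=yes change-tcp-mss=yes

# Secrets: the username "router-b" selects the site-to-site profile and installs the
# route to Router B's LAN for as long as that session is up; laptops get roadwarrior.
/ppp secret add name=router-b password="CHANGE-ME-b" service=l2tp profile=site2site \
    routes="192.168.2.0/24 10.255.0.2 1"
/ppp secret add name=alice password="CHANGE-ME-alice" service=l2tp profile=roadwarrior

# One listener for everybody. The IPsec pre-shared key and proposal are shared by
# all L2TP/IPsec peers, which is the limitation sindy mentions; only the PPP layer
# tells the peers apart.
/interface l2tp-server server set enabled=yes use-ipsec=required \
    ipsec-secret="CHANGE-ME-psk" default-profile=roadwarrior \
    authentication=mschap2 one-session-per-host=no

# Firewall on the hub: IKE and NAT-T from anywhere, L2TP only inside IPsec
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept \
    comment="IKE / NAT-T"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="ESP"
/ip firewall filter add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP, only when IPsec-protected"
/ip firewall filter add chain=input protocol=udp dst-port=1701 action=drop \
    comment="bare L2TP"

# ===== Router B (spoke): LAN 192.168.2.0/24 (assumed) =====

# Outgoing site-to-site connection, authenticating with the router-b secret above.
# Router B can run its own L2TP server for its own laptops with the same commands
# as Router A; the outgoing client session does not interfere with it.
/interface l2tp-client add name=l2tp-to-A connect-to=203.0.113.1 user=router-b \
    password="CHANGE-ME-b" use-ipsec=yes ipsec-secret="CHANGE-ME-psk" \
    profile=default-encryption allow=mschap2 add-default-route=no disabled=no

# Static route to the hub LAN via the tunnel interface
/ip route add dst-address=192.168.1.0/24 gateway=l2tp-to-A
```

The per-secret `routes` entry on Router A and the static route on Router B are what turn a client-to-site tunnel into a site-to-site link; without them only the tunnel endpoints can reach each other. Check the result with `/ppp active print` on Router A (one entry per username and profile) and `/ip ipsec active-peers print` to confirm that each peer negotiated its own IPsec SA. Swapping both sides to IKEv2 with certificates, as sindy suggests, changes the IPsec part of this but leaves the PPP username-and-profile idea for L2TP behind; it is a different configuration rather than a variation of this one.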