Community discussions

MikroTik App
 
Rockyboa
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jul 14, 2009 10:52 pm

RB1000 VPN offloading feature

Fri Jul 31, 2009 4:07 am

Hi,

We just bought some Mikrotik hardware and I just read that the RB1000 is having IPSec tunnel dedicated hardware, thats pretty cool and would really benefit from that. I would like to know which tunnel are supported by this feature, is PPTP, OVPN, L2TP and IPsec use the offloading engine?

Also, would like to know if dynamic tunnel are now supported since most of our remote site have dynamic IPs. Can someone point me out a tutorial on how to establish a really simple tunnel using a RB450 with dynamic IP and a RB1000U with a static IP.

We allready put v4.0b3, should we go back to v3.27 , we had no issue yet with the beta.

Thank you

Sabrina
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7186
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: RB1000 VPN offloading feature

Mon Aug 03, 2009 4:09 pm

Only IpSec tunnels encryption is hardware accelerated.

Simple pptp tunnel:
Server (RB1000):
/ppp secret add name=test local-address=1.1.1.1 remote-address=2.2.2.2
/interface pptp-server server set enabled=yes

Client:
/interface pptp-client add connect-to=x.x.x.x user=test

where x.x.x.x public ip address of RB1000.
 
Rockyboa
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jul 14, 2009 10:52 pm

Re: RB1000 VPN offloading feature

Wed Aug 05, 2009 5:02 am

Thanks for the reply.

Will experiment with pptp, but some says it is less secure than Ipsec, would I achieve higher perfomrance using pptp on my RB1000?

But like I said would like prefer using IPSec hardware offloading feature of the RB1000. So is dynamic IP supported at the remote location, using RB450?

I followed the Ref manual v3 example IPsec Between two Masquerading MikroTik Routers, but the tunnel is not building up. Do you have some info in the manual on how to diagnose my issues with logs?

Sabrina
 
nik247
Frequent Visitor
Frequent Visitor
Posts: 63
Joined: Fri Jan 16, 2009 1:00 pm
Location: Ukraine, Kyiv

Re: RB1000 VPN offloading feature

Wed Aug 05, 2009 12:11 pm

I try find same solution.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7186
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: RB1000 VPN offloading feature

Wed Aug 05, 2009 1:12 pm

Yes, Ipsec is possible with dynamic IP's.
You have to set generate-policy=yes and set remote peers address to 0.0.0.0
 
Rockyboa
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jul 14, 2009 10:52 pm

Re: RB1000 VPN offloading feature

Tue Aug 11, 2009 2:18 pm

Those are very good info and pointers I will try as soon as my vacation are over. Again, can someone with good knowledge in tunnelling technology using Mikrotik router would be able to give me a very easy to understand pros and cons of each of them, like I said we plan to use a pure Mikrotik solution from site to site and some mobile users, mostly for admin task may need to connect inside the VPN too. Performance is important since we are planning 4000 tunnels from different micro sites (1 to 5 users) on our RB1000 using RB450.

Thank you again.

Sabrina
 
Rockyboa
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jul 14, 2009 10:52 pm

Re: RB1000 VPN offloading feature

Thu Aug 27, 2009 12:40 am

IPSec is working fine, but unable to make it work with dynamic IP at remote site.

Remote Site: /ip ipsec export

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip ipsec peer
add address=69.x.x.122/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=aggressive generate-policy=yes \
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no \
proposal-check=obey secret=mysecret send-initial-contact=yes

Primary Site: /ip ipsec export

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=aggressive generate-policy=yes \
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no \
proposal-check=obey secret=mysecret send-initial-contact=no

Question his do I still need to create policy or generatepolicy should just do that?

Sabrina
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7186
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: RB1000 VPN offloading feature

Thu Aug 27, 2009 8:33 am

On a remote site you need to add static policy.
Otherwise ipsec will not know what policy to generate on the primary site.
 
Rockyboa
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jul 14, 2009 10:52 pm

Re: RB1000 VPN offloading feature

Thu Aug 27, 2009 10:29 pm

ahrg, usually I'm pretty good without needing to ask spoon feeding me the procedure. But again I'll need help and hopefully this will be helpfull for some other people. I deleted the policy on the remote site and check the generate policy, that works, but strangely it created not one, nor two but three Dynamic policy on the primary site with only one remote MT 450 establishing the connection.

As soon as I change, in the primary site, the IP address of the peer to 0.0.0.0, and the SA Src Address in the remote policy to 0.0.0.0 I get into trouble... I read again the ref manual and try to change the policy level to other settings without better result...

Again here are my new export

Primary Site:
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=\
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
mysecret send-initial-contact=no


Remote Site:
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip ipsec peer
add address=69.x.x.122/32:500 auth-method=pre-shared-key dh-group=modp1024 \
disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 \
enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=\
md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=\
mysecret send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.213.0/24:any \
ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
all sa-dst-address=69.x.x.122 sa-src-address=0.0.0.0 src-address=\
192.168.214.0/24:any tunnel=yes

Again TY

Sabrina
Last edited by Rockyboa on Sun Aug 30, 2009 3:46 pm, edited 1 time in total.
 
Rockyboa
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Tue Jul 14, 2009 10:52 pm

Re: RB1000 VPN offloading feature

Thu Aug 27, 2009 10:37 pm

Solved it, my mistake, peer needs to be 0.0.0.0/0 not 0.0.0.0/32 to all accept connections. Hope this will help others.

But still need explanation why it creates 3 dynamic policies (noticed that 2 are identical - src: remote ste dst: primary site)

Sabrina

Who is online

Users browsing this forum: magchiel and 20 guests