royalpublishing
Frequent Visitor
Topic Author
Posts: 50
Joined: Mon Sep 23, 2013 5:47 pm

Multi WAN IP Sec

Tue Dec 03, 2013 1:53 am

Router1 - WAN1 1.1.1.1 WAN2 2.2.2.2 LAN 10.1.1.0/24
Router2 - WAN1 3.3.3.3 LAN 10.1.10.0/24
I have site-to-site IPsec VPN tunnels set up between 6 branch offices, and this all works great. We are trying to add some redundancy, so now I'm trying to add dual WANs to each of my branches and I can't figure out how to make the IPsec configuration work. When I try to add an additional IPsec policy on Router1 using the same source network 10.1.1.0/24 to the same destination network 10.1.10.0/24, but using WAN2's SA Src. Address and Router2's SA destination address, one of my entries turns red and stops working, like it's not allowed or something. Basically I'm trying to create two IPsec policies for the same source and destination networks but with different source SA addresses. Any ideas on what I'm doing wrong or how to set this up? Thanks in advance.
 
mrz
MikroTik Support
Posts: 7185
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Multi WAN IP Sec

Tue Dec 03, 2013 10:43 am

ROS v6.7 now allows you to specify the source address in the peer config.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: Multi WAN IP Sec

Tue Dec 03, 2013 10:48 am

I've tried this in my spare time but I couldn't make it work correctly.

One option would be to split your IPsec policies so that half of the clients go through the first WAN and the other half use the second WAN.

Edit: with version v5.x
 
JJCinAZ
Member
Posts: 475
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Re: Multi WAN IP Sec

Tue Dec 03, 2013 5:05 pm

Don't use IPsec tunnels; rather, use GRE tunnels with IPsec transport mode. That will make it far easier to create redundancy in your setup.
 
royalpublishing
Frequent Visitor
Topic Author
Posts: 50
Joined: Mon Sep 23, 2013 5:47 pm

Re: Multi WAN IP Sec

Wed Dec 11, 2013 4:50 pm

Thank you for pointing me in the right direction. After doing a little research and some deep thinking on the issue, I think that to have redundant tunnels and do load balancing simultaneously, it is necessary to do the following (not necessarily in this order):

1. Create an IPsec transport tunnel for each of your WAN connections to each of your sites
2. Create a GRE tunnel for each of your WAN connections to each of your sites
3. Add secondary point-to-point /30 IP addresses for each WAN connection on your LAN interface at each site. So for two sites with two internet connections you would have a total of 4 /30s to create a P2P for each possible route.
4. Add NAT bypass rules for each /30 P2P connection and masquerade rules for WAN interfaces
5. Use Policy Routing to route traffic to/from your secondary WAN default gateway
6. Create Mangle rules to mark traffic to ensure it uses the same path to get back to where it came from
7. Create Routes for Remote Site /30 IP address via gre-tunnel# and policy routing
8. Create Mangle rules that use Nth to load balance between WAN links
9. Set up OSPF to distribute routes

I haven't gotten this fully working yet, but I will let everybody know whether I was successful or not.
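The nine steps above as one concrete RouterOS v6 configuration (an added example, not the poster's own config). It uses the addresses from the first post and assumes placeholder pre-shared keys, tunnel /30s 10.255.1.0/30 and 10.255.2.0/30, GRE interface names gre-r1-wan1/gre-r1-wan2, a WAN2 gateway of 2.2.2.254, and the v6.7 peer local-address option mentioned by mrz.

```routeros
# Router2 side (single WAN 3.3.3.3). One transport-mode SA per Router1 WAN.
# Selectors are the GRE endpoint pairs, so the two policies never overlap
# (the overlap of identical LAN-to-LAN selectors is what turns a policy red).
/ip ipsec proposal
add name=gre-prop auth-algorithms=sha1 enc-algorithms=aes-128-cbc pfs-group=modp1024
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=main auth-method=pre-shared-key \
    secret="PSK-WAN1-PLACEHOLDER" dpd-interval=10s
add address=2.2.2.2/32 exchange-mode=main auth-method=pre-shared-key \
    secret="PSK-WAN2-PLACEHOLDER" dpd-interval=10s
# level=require: GRE is dropped, never sent in clear, while an SA is down.
/ip ipsec policy
add src-address=3.3.3.3/32 dst-address=1.1.1.1/32 protocol=gre tunnel=no \
    action=encrypt level=require ipsec-protocols=esp proposal=gre-prop \
    sa-src-address=3.3.3.3 sa-dst-address=1.1.1.1
add src-address=3.3.3.3/32 dst-address=2.2.2.2/32 protocol=gre tunnel=no \
    action=encrypt level=require ipsec-protocols=esp proposal=gre-prop \
    sa-src-address=3.3.3.3 sa-dst-address=2.2.2.2
# One GRE interface per path; the /30s sit on the tunnels, not on the LAN.
/interface gre
add name=gre-r1-wan1 local-address=3.3.3.3 remote-address=1.1.1.1 mtu=1400
add name=gre-r1-wan2 local-address=3.3.3.3 remote-address=2.2.2.2 mtu=1400
/ip address
add address=10.255.1.2/30 interface=gre-r1-wan1
add address=10.255.2.2/30 interface=gre-r1-wan2
# OSPF over both /30s: unequal cost gives failover, equal cost gives ECMP.
/routing ospf interface
add interface=gre-r1-wan1 network-type=point-to-point cost=10
add interface=gre-r1-wan2 network-type=point-to-point cost=20
/routing ospf network
add network=10.255.1.0/30 area=backbone
add network=10.255.2.0/30 area=backbone
add network=10.1.10.0/24 area=backbone

# Router1 side (dual WAN) mirrors the above with local-address 1.1.1.1 and
# 2.2.2.2, tunnel addresses 10.255.1.1/30 and 10.255.2.1/30, and one peer
# per WAN using the v6.7 local-address option (assumed available). In
# addition, locally generated IKE/ESP/GRE sourced from WAN2 must leave via
# WAN2's gateway, otherwise it is sent out WAN1 with the wrong source:
/ip firewall mangle
add chain=output src-address=2.2.2.2 action=mark-routing \
    new-routing-mark=via-wan2 passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=2.2.2.254 routing-mark=via-wan2 \
    comment="2.2.2.254 is a placeholder for the WAN2 gateway"
```

Check with /ip ipsec installed-sa print that two SA pairs exist and with /routing ospf neighbor print that both tunnels reach Full state; if a tunnel stays down, the policy's level=require is doing its job and no GRE is leaking in clear.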
 
i4jordan
Frequent Visitor
Posts: 77
Joined: Mon Sep 02, 2013 1:42 am

Re: Multi WAN IP Sec

Wed Dec 11, 2013 5:09 pm

IPsec + GRE is very nice for making advanced routed private networks through VPN.
But I have noticed there is a big performance penalty with this combination.

If you use IPIP tunnels instead of GRE it is faster, but this gives some MTU challenges.

In short:
IPsec + GRE: nice for VPN 'tunnels' but slow; no MTU problems or special settings.
IPsec + IPIP: also nice for VPN 'tunnels' and faster than GRE, but IPIP needs some MTU fine-tuning.

Just my thought on this subject.

IPsec + GRE/IPIP is indeed much more 'flexible' than standard IPsec tunnels, certainly in combination with OSPF and other dynamic routing functions.
 
royalpublishing
Frequent Visitor
Topic Author
Posts: 50
Joined: Mon Sep 23, 2013 5:47 pm

Re: Multi WAN IP Sec

Wed Dec 11, 2013 5:15 pm

Hi, thanks for the reply. Just in my testing alone I can already tell that there seems to be a performance hit with the GRE tunnels. My ping times alone seem to go up by 30+ ms. What would you recommend for MTU settings?
 
royalpublishing
Frequent Visitor
Topic Author
Posts: 50
Joined: Mon Sep 23, 2013 5:47 pm

Re: Multi WAN IP Sec

Wed Dec 11, 2013 8:12 pm

Info for setting IP/IP over IPsec MTU and MSS can be found here:
http://forum.mikrotik.com/viewtopic.php?f=14&t=55124
 
i4jordan
Frequent Visitor
Posts: 77
Joined: Mon Sep 02, 2013 1:42 am

Re: Multi WAN IP Sec

Wed Dec 11, 2013 9:34 pm

You can 'adjust' the MSS (MTU minus protocol overhead) with MSS mangle rules.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle
Look for Basic Examples, 'Change MSS'.

With those you can set the outgoing MSS (and resulting MTU) size for packets passing the IPsec + IPIP tunnel.

I always use mtupath for testing the optimal (maximum) MSS size which can pass a route without fragmentation.
http://www.iea-software.com/products/mtupath.cfm

You can also use 'Clear DF' mangle rules for applications which send the Don't Fragment flag with the message.
With a DF mangle rule you can 'remove' the DF flag and the packets will pass fragmented; otherwise the packets will be ignored.
Some examples of applications which send DF flags and so have 'trouble' passing IPIP tunnels:
- RDP protocol (terminal server)
- TFTP
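The MSS clamp and clear-DF rules described above, written out as an added example (not the poster's own rules). It assumes tunnel interfaces named gre-r1-wan1 and gre-r1-wan2 with a 1400-byte MTU; an ipip interface takes exactly the same rules.

```routeros
# Inner TCP segments must fit the tunnel MTU: 1400 - 20 (IP) - 20 (TCP) = 1360.
# A 1400-byte tunnel MTU leaves room under a 1500-byte WAN MTU for GRE
# (4 bytes + 20-byte inner IP) plus ESP with AES-CBC/SHA1 (roughly 50-75
# bytes of SPI, sequence, IV, padding and ICV). Only SYNs carry the MSS
# option, and tcp-mss=1361-65535 avoids raising an already smaller value.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1361-65535 \
    out-interface=gre-r1-wan1 action=change-mss new-mss=1360 passthrough=yes \
    comment="MSS clamp, WAN1 path"
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1361-65535 \
    out-interface=gre-r1-wan2 action=change-mss new-mss=1360 passthrough=yes \
    comment="MSS clamp, WAN2 path"
# Clear DF only on traffic entering the tunnels, so oversized UDP/RDP
# packets (TFTP, terminal server) are fragmented instead of silently lost.
# Scope it to the tunnel interfaces; clearing DF globally breaks PMTU discovery.
add chain=forward out-interface=gre-r1-wan1 action=clear-df \
    comment="allow fragmentation into WAN1 tunnel"
add chain=forward out-interface=gre-r1-wan2 action=clear-df \
    comment="allow fragmentation into WAN2 tunnel"
```

Verify from a LAN host with ping -f -l 1372 (Windows) or ping -M do -s 1372 (Linux) to the remote LAN: 1372 + 28 bytes of ICMP/IP headers is exactly the 1400-byte tunnel MTU, so it should pass while 1373 should not.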
 
royalpublishing
Frequent Visitor
Topic Author
Posts: 50
Joined: Mon Sep 23, 2013 5:47 pm

Re: Multi WAN IP Sec

Fri Dec 13, 2013 6:24 pm

I was wrong earlier when I said to put the P2P /30s on the LAN interface; those actually need to be secondary IP addresses on the IP/IP tunnels. Still trying to figure out the logistics of this thing.
