Class Video – Mikrotik VPN
This class covers:
The slides are here: Mikrotik-VPN-Class (21679)
The video is around 1 hour and 15 minutes long.
Here is my sophisticated lab:
A quick note on the video, I recorded it at 2 in the morning…sometimes it’s hard for me to find time. If you run into a little quiet space in the video, just chalk it up to being so late…hehehe.
And here is the video:
Using the packet flow diagram from the wiki, you can see that the src-nat operation will be performed before the packet gets encapsulated. This is why you have to do the src-nat accept for traffic that should traverse the tunnel.
One VPN topic I didn’t cover is PKI or certificate based VPN. This allows you to use a certificate instead of using a shared key for phase 1 negotiation. This one will be quite time consuming video wise, so I’m creating a separate video just for him.
I’ve got an article on IPSec or other tunneling protocols when BOTH sides have DHCP here.
If a single side has DHCP, then try this:
Site #1 will have peer address of 0.0.0.0 with “Generate Policy” checked. No policy is necessary (this is the same as is shown in the video and slides).
Site #2 will be configured the same as in the video, only you need to add this script:
1 2 3 4 5 6 7 8 9
:local WANip [/ip address get [find interface="ether5"] address] :log info "Interface IP is $WANip" :local WANip [:pick "$WANip" 0 ([:len $WANip] - 3)] :log info "IP sans the slash notation is $WANip" /ip ipsec policy set 0 sa-src-address=$WANip
Same script in command line form:
1 2 3 4 5 6 7 8 9 10 11 12
/system script add name=DHCP-VPN-UPDATE policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source=":local WANip\ \_[/ip address get [find interface=\"ether5\"] address]\r\ \n\r\ \n:log info \"Interface IP is \$WANip\"\r\ \n\r\ \n:local WANip [:pick \"\$WANip\" 0 ([:len \$WANip] - 3)]\r\ \n\r\ \n:log info \"IP sans the slash notation is \$WANip\"\r\ \n\r\ \n/ip ipsec policy set 0 sa-src-address=\$WANip"
You will need to update the interface and the policy number to suit your needs. Schedule the script to run every 5 minutes or so.
This video covers L2TP for Windows client connections:
As always, if you have any questions or comments, please leave them below. All I’m looking for is a little feedback. Also, if you enjoyed the video, consider visiting my sponsors and/or hit that donate button…I did invest a good chunk of hours building slides and recording/editing the video 😉