Category: VPN


With the release of Mikrotik RouterOS 6.30 , you can now put IPSEC security over an EoIP Tunnel. Creating a secure encrypted, easy to setup VPN.

For sites with dynamic addresses, you need to keep the local and remote IPs updated.

View full article »

This method never worked as planned. The IPSEC tunnel left a hidden route in the route table, so it just got messy. Try this one instead.

 

http://blog.greypuddles.net/?p=258

 

I needed a way to fail over from an IPSEC tunnel with static IPs at each end, to a PPTP tunnel from a site with a non routable address.

The main problem is that I have the remote subnet listed as accessible Via bridge.local to allow the IPSEC traffic and to allow NetWatch to monitor the remote sites.

The solution is as follows

  • Setup and test IPSEC Tunnel
  • Setup the PPTP tunnel as needed to the remote site.
  • Add a route with a lower preference than the normal route.
  • Add a comment to the remote site route

/ip route
add check-gateway=ping comment=”over ipsec” distance=1 dst-address=10.4.44.0/24 \
gateway=bridge.Local
add distance=10 dst-address=10.4.44.0/24 gateway=pptp-out1
add distance=1 dst-address=192.168.1.1/32 gateway=”ether1-ADSL Modem”

In this setup, the local subnet is 10.4.40.0/24 and the remote subnet is 10.4.44.0/24

We put in the netwatch scripts Red below 1.2.3.4 is the STATIC IP address of the main interface.

/tool netwatch
add host=10.4.44.253
add down-script=\
“/ip route set [/ip route find where comment=\”over ipsec\”] disabled=yes” \
host=1.2.3.4 up-script=\
“/ip route set [/ip route find where comment=\”over ipsec\”] disabled=no”

The red “over ipsec” is used to identify the rule that’s going to get changes.

 

When the main interface goes down, NetWatch will disable the route Via bridge.local and allow the PPTP distance 10 route to kick in.
The PPTP interface should redial as needed to get connection over the second internet connection and all should just work. I will be testing that tomorrow.

In testing now with only one interface. When the “over IPSEC” rule is enabled, all traffic goes over the IPSEC tunnel, when that route gets disabled, traffic will flow over the PPTP.

If you have a dynamic WAN IP address, then you will have to get more creating running a lookup using /IP address print and putting that into this NetWatch host

 

I’m sure there are much cleaner ways of doing this, as this will not fail over in the event of the IPSEC tunnel failing but the ADSL staying alive, but thats a topic for another day