When you say you need routing between the sites, do you mean dynamic routing like OSPF, or will static routing do?
IPsec (and hence L2TP) works fine from behind NAT as long as both parties support the IPsec NAT-T extension. But there's a problem with IPsec/L2TP and dynamic IPs, which has to do with a design limitation in the IKEv1 protocol used by IPsec.
IPsec can authenticate clients using certificates or preshared keys (PSKs), and in the latter case one may specify an IP address, an FQDN or a (possibly fictitious) e-mail address as a client identifier. In a dynamic IP scenario, using an e-mail address as a username sounds like an excellent idea. As long as the server has a fixed IP and the client is initiating the connection, IPsec itself should work just fine.
Unfortunately, with IKEv1, the user ID itself is transmitted using encryption negotiated using the PSK. This leads to a chicken-and-egg problem: the receiving end cannot identify the client without decrypting the incoming packet, which cannot be decrypted without the right PSK, which cannot be selected without first establishing the client's identity. Unless you can tie the client to a specific IP (or at very least a subnet), the server won't know which PSK to use, and the authentication fails.
If you want to stick with L2TP, you have two options:
- Use certificates instead of PSKs for clients with dynamic IPs
- Use the same PSK for all clients with a non-IP user ID
- Switch to IKEv2
Using certificates means setting up your own Certification Authority and installing both the root certificate and a client certificate on every Mikrotik router and laptop. Not a huge task, but a bit of a hassle if you've never done this before.
Having the same PSK on every router behind a dynamic IP may or may not be acceptable from a security point of view, depending on your environment. This is especially true when you have road warriors using laptops, since the loss of a laptop means you have to change the PSK on all remaining devices.
Switching to IKEv2 (which libreswan supports) would solve all your problems, since it transmits the user ID using an encrypted channel that doesn't rely on the PSK. Unfortunately, many older routers and most L2TP clients do not support IKEv2.
For your site-to-site connections, you could dispense with L2TP and just use GRE tunnels over IPsec with IKEv2. That would eliminate the dynamic IP issue and you wouldn't have to invest in a CA infrastructure. You could even use dynamic routing as long as both endpoints allow dynamic routing over tunnel interfaces, which for some strange reason some devices (*cough* ZyXEL *cough*) refuse to do, but your Mikrotik routers might not have this restriction.
For your road warriors, I would not hesitate to recommend SoftEther/SSTP. SSTP is just PPP over HTTP over SSL/TLS, which means you'd simply have to obtain a single (free) SSL certificate for your server. As a bonus, SSTP VPN traffic looks like HTTPS, which mostly eliminates issues with firewall traversal in corporate environments.
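The chicken-and-egg problem described in the answer above comes down to the order in which the two IKE versions derive their keys. The following is an added toy model, not code from the answer or from any IPsec implementation: it uses the PSK-mode SKEYID formula from RFC 2409 (`prf(PSK, Ni | Nr)`) and the SKEYSEED and AUTH formulas from RFC 7296 (`prf(Ni | Nr, g^ir)` and `prf(prf(PSK, "Key Pad for IKEv2"), ...)`), with HMAC-SHA256 standing in for the negotiated PRF, a fixed byte string standing in for the Diffie-Hellman secret, and a one-block XOR keystream standing in for the IKE cipher. All identities, addresses and secrets are constructed. It shows why an IKEv1 responder can only select a PSK by source address (or a `%any` wildcard) while an IKEv2 responder can read the identity first and then look up the matching PSK.

```python
"""Toy model of the IKE key-derivation order that makes PSKs plus dynamic IPs
a problem under IKEv1 but not under IKEv2.  Constructed example, not taken
from the original answer or from any IKE implementation.  HMAC-SHA256 stands
in for the negotiated PRF, a fixed string for the DH shared secret, and an
XOR keystream for the IKE cipher; only the order in which the PSK is needed
is modelled faithfully."""
from __future__ import annotations

import hashlib
import hmac
from typing import Optional, Tuple

# Constructed identities and secrets (not real credentials).
PSK_BY_ID = {
    "branch1@example.com": b"branch1-secret",
    "branch2@example.com": b"branch2-secret",
}
NI, NR = b"initiator-nonce", b"responder-nonce"   # exchanged in the clear
DH_SECRET = b"stand-in-for-g^ir"                   # would come from the DH exchange


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR with a keystream expanded from key (toy; real IKE uses AES etc.)."""
    blocks = len(plaintext) // 32 + 1
    stream = b"".join(prf(key, bytes([i])) for i in range(blocks))
    return bytes(p ^ s for p, s in zip(plaintext, stream))


toy_decrypt = toy_encrypt                           # XOR is its own inverse


# ---- IKEv1 main mode, PSK auth (RFC 2409 s.5.4): SKEYID = prf(PSK, Ni | Nr) ----
def ikev1_client_msg5(identity: str, psk: bytes) -> Tuple[bytes, bytes]:
    """Message 5: IDi and HASH_I, both protected by keys derived from the PSK."""
    skeyid = prf(psk, NI + NR)
    id_bytes = identity.encode()
    return toy_encrypt(skeyid, id_bytes), prf(skeyid, id_bytes)


def ikev1_responder(src_ip: str, psk_by_ip: dict, msg5) -> Optional[str]:
    """The responder must choose a PSK *before* it can read IDi, so its only
    selector is the initiator's source address or a '%any' wildcard entry."""
    psk = psk_by_ip.get(src_ip) or psk_by_ip.get("%any")
    if psk is None:
        return None                                 # no PSK: cannot even decrypt
    skeyid = prf(psk, NI + NR)
    enc_id, hash_i = msg5
    id_bytes = toy_decrypt(skeyid, enc_id)
    if not hmac.compare_digest(prf(skeyid, id_bytes), hash_i):
        return None                                 # wrong PSK: garbage IDi, bad hash
    return id_bytes.decode()


# ---- IKEv2 (RFC 7296): SKEYSEED = prf(Ni | Nr, g^ir); the PSK is used only in AUTH ----
def ikev2_client_ike_auth(identity: str, psk: bytes) -> Tuple[bytes, bytes]:
    """IKE_AUTH: IDi encrypted under DH-derived keys; AUTH proves knowledge of the PSK."""
    skeyseed = prf(NI + NR, DH_SECRET)
    id_bytes = identity.encode()
    auth = prf(prf(psk, b"Key Pad for IKEv2"), id_bytes)  # signed octets reduced to IDi
    return toy_encrypt(skeyseed, id_bytes), auth


def ikev2_responder(ike_auth) -> Optional[str]:
    """No PSK is needed to decrypt: read IDi first, then look up its PSK."""
    skeyseed = prf(NI + NR, DH_SECRET)
    enc_id, auth = ike_auth
    id_bytes = toy_decrypt(skeyseed, enc_id)
    psk = PSK_BY_ID.get(id_bytes.decode(errors="replace"))
    if psk is None:
        return None                                 # unknown identity
    expected = prf(prf(psk, b"Key Pad for IKEv2"), id_bytes)
    return id_bytes.decode() if hmac.compare_digest(expected, auth) else None


def demo() -> dict:
    """The scenarios from the answer: static IP, dynamic IP, shared PSK, IKEv2."""
    b1_psk = PSK_BY_ID["branch1@example.com"]
    branch1 = ikev1_client_msg5("branch1@example.com", b1_psk)
    static_table = {"203.0.113.10": b1_psk}                 # PSK keyed by fixed IP
    wrong_table = {"198.51.100.7": PSK_BY_ID["branch2@example.com"]}
    shared_table = {"%any": b"one-psk-for-everyone"}      # same PSK for every client
    branch1_shared = ikev1_client_msg5("branch1@example.com", b"one-psk-for-everyone")
    return {
        "ikev1_static_ip": ikev1_responder("203.0.113.10", static_table, branch1),
        "ikev1_dynamic_ip": ikev1_responder("198.51.100.7", static_table, branch1),
        "ikev1_wrong_psk": ikev1_responder("198.51.100.7", wrong_table, branch1),
        "ikev1_shared_psk": ikev1_responder("198.51.100.7", shared_table, branch1_shared),
        "ikev2_dynamic_ip": ikev2_responder(
            ikev2_client_ike_auth("branch2@example.com", PSK_BY_ID["branch2@example.com"])),
        "ikev2_wrong_psk": ikev2_responder(
            ikev2_client_ike_auth("branch2@example.com", b"not-the-right-psk")),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:18} -> {result}")
```

Running the script prints one line per scenario: under IKEv1 the responder authenticates the client only when the source address is in its table or when a single wildcard PSK is shared by everyone, while under IKEv2 the same client is authenticated from any address and a wrong PSK is rejected at the AUTH check rather than producing an undecryptable message.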