Hotels/Hotspots suck. Never sure IPSEC travels through. So sometimes I end up 
opening a VNC port to be able to do anything.





From: Af [mailto:[email protected]] On Behalf Of Chris Wright
Sent: Tuesday, December 13, 2016 4:16 PM
To: [email protected]
Subject: Re: [AFMUG] Easiest VPN on mikrotik



Clients are easy! It’s the server side that sucks.



Chris Wright

Network Administrator



From: Af [mailto:[email protected]] On Behalf Of That One Guy /sarcasm
Sent: Monday, December 12, 2016 11:45 PM
To: [email protected]
Subject: Re: [AFMUG] Easiest VPN on mikrotik



So, I'm getting the general consensus is there is no general consensus and end 
users configuring their client is simple as long as they are sysadmins.



On Dec 12, 2016 5:46 PM, "Chris Wright" <[email protected]> wrote:

It took me about an hour of trial-and-error to come to that conclusion a few 
months ago. :(



Glad someone else might benefit from it and save them from the headache I got!



Chris Wright

Network Administrator



From: Af [mailto:[email protected]] On Behalf Of George Skorup
Sent: Monday, December 12, 2016 11:24 AM
To: [email protected]
Subject: Re: [AFMUG] Easiest VPN on mikrotik



6.32.2...
[admin@NOC] /ip ipsec> export
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256-cbc

I forget what blog or whatever I found this on, but that's what Windows wants 
to see.

On 12/12/2016 1:05 PM, George Skorup wrote:

And that's where one problem is. The Android native L2TP/IPsec client doesn't 
complain too much, but the Windows 10 native client wants some specific 
combination. I forget what it is, but I fought with it for a couple days.

On 12/12/2016 12:54 PM, Adam Moffett wrote:

ah...so you're saying it's not an IPSec issue per se?

Do you know which encryption types are hardware accelerated?



------ Original Message ------

From: "Mike Hammett" <[email protected]>

To: [email protected]

Sent: 12/12/2016 1:48:39 PM

Subject: Re: [AFMUG] Easiest VPN on mikrotik



If you change the cipher to one that's not hardware encrypted, that problem 
goes away, replaced with a new problem of CPU capacity.



-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
Midwest Internet Exchange <http://www.midwest-ix.com/>
The Brothers WISP <http://www.thebrotherswisp.com/>





  _____


From: "George Skorup" <[email protected]>
To: [email protected]
Sent: Monday, December 12, 2016 12:46:12 PM
Subject: Re: [AFMUG] Easiest VPN on mikrotik

MT made L2TP+IPsec w/ pre-shared key painless to configure around v6.30 or 
6.32, somewhere in there. In winbox, PPP > L2TP Server, check Use IPsec and 
fill in the IPsec Secret field. That's your pre-shared key. No more manual 
IPsec config, all of that is handled dynamically now. So it's just as easy to 
set up as PPTP.

I'm still running this on our NOC CCR for remote access, and yes, the out of 
order packet issue is a problem especially with HTTPS, but I'm not going back 
to PPTP.

If MT was smart, they would let us bypass the h/w accelerated encryption and 
let it gobble up one of the 36 unused CPU cores. I don't really care. At least 
that's an interim solution.

On 12/12/2016 10:42 AM, Jon Bruce wrote:

+1

It's right up there with WEP or locking your screen door.

Is OpenVPN an option on Mikrotik?  I've run it for years on pfSense and 
stand-alone and love it.  Failing that, IPSec with a decent client like 
Greenbow has also worked easily and well.

All of that being said, is easy what is best with security?

On 12/12/2016 11:30 AM, Mike Hammett wrote:

Not well.



-----
Mike Hammett





  _____


From: "Dennis Burgess" <[email protected]>
To: [email protected]
Sent: Monday, December 12, 2016 9:35:51 AM
Subject: Re: [AFMUG] Easiest VPN on mikrotik

I have IPSEC running on CCRS moving hundreds of megs?





Dennis Burgess – Network Solution Engineer – Consultant
MikroTik Certified Trainer/Consultant – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
<http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5>
For Wireless Hardware/Routers visit www.linktechs.net
Radio Frequency Coverages: www.towercoverage.com
Office: 314-735-0270
E-Mail: [email protected]



From: Af [mailto:[email protected]] On Behalf Of Adam Moffett
Sent: Friday, December 9, 2016 1:16 PM
To: [email protected]
Subject: Re: [AFMUG] Easiest VPN on mikrotik



And yes Ken, I can attest that IPSec works for crap when the endpoint is a CCR.



------ Original Message ------

From: "Ken Hohhof" <[email protected]>

To: [email protected]

Sent: 12/9/2016 1:05:28 PM

Subject: Re: [AFMUG] Easiest VPN on mikrotik



You mean no encryption, it would be secured with username/password, right?  
Depends on what kind of security he is looking for.  It would be easy enough to 
set up an IPSEC VPN, the question is CPU load if the encryption has to be done 
in software.  Also, weren’t there some posts about problems with hardware based 
encryption on some Mikrotik platforms, maybe CCR?



It sounds like you are looking for a client based VPN, not a site-site VPN?  
So you need something that will work with a client that comes with Windows?  
That sounds like either PPTP or IPSEC.





From: Af [mailto:[email protected]] On Behalf Of Josh Reynolds
Sent: Friday, December 9, 2016 11:49 AM
To: [email protected]
Subject: Re: [AFMUG] Easiest VPN on mikrotik



No security though.



On Dec 9, 2016 11:47 AM, "Tushar Patel" <[email protected]> wrote:

PPTP on mikrotik. It will be the same, IP address and username and password.

Tushar




On Dec 9, 2016, at 11:42 AM, That One Guy /sarcasm <[email protected]> wrote:

I have a non WISP customer with some cameras they monitor, not NVR/DVR to speak 
of yet. The cameras are port forwarded (called pinholes in their current 
router) individually, so they're pretty much exposed IoT targets.

I'm putting a mikrotik in because the Fortigate solution is cost prohibitive. 
Fortigate's ssl vpn is slick, easy and end user friendly (for the client).

What's the easiest VPN/client on a mikrotik? It would be great if it was as 
simple as the fortigate, they have a workstation client and most phone apps. 
All I need to do is give them an IP/FQDN and their username and password, it's 
done.




--

If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.
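
The thread names three exposures on the router: cameras reachable through individual port forwards, PPTP, and an L2TP server without the Use IPsec option. The following is an added example, not part of any post in the thread: a small Python audit that parses RouterOS `/export` text and reports those three conditions. The sample export, addresses and finding strings are constructed for illustration.

```python
import shlex

# Constructed sample in the style of a RouterOS 6.x `/export`; not from the thread.
SAMPLE_EXPORT = r"""
/interface pptp-server server
set enabled=yes
/interface l2tp-server server
set enabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8081 protocol=tcp \
    to-addresses=192.168.88.21 to-ports=80
add action=dst-nat chain=dstnat dst-port=8082 protocol=tcp \
    to-addresses=192.168.88.22 to-ports=80
"""

def parse_export(text):
    """Yield (menu_path, verb, params) for every add/set line of an export."""
    path = ""
    for line in text.replace("\\\n", " ").splitlines():  # join "\" continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # a menu path sets the context
            path = line
            continue
        verb, *words = shlex.split(line)
        yield path, verb, dict(w.split("=", 1) for w in words if "=" in w)

def audit(text):
    """Return findings for the three exposures discussed in the thread."""
    findings = []
    for path, verb, p in parse_export(text):
        enabled = p.get("enabled") == "yes"
        if path == "/interface pptp-server server" and enabled:
            findings.append("pptp-server enabled")
        # Assumption: a compact export omits defaults, so a missing
        # use-ipsec means the L2TP server runs without IPsec.
        elif path == "/interface l2tp-server server" and enabled \
                and p.get("use-ipsec", "no") == "no":
            findings.append("l2tp-server enabled without use-ipsec")
        elif path == "/ip firewall nat" and p.get("action") == "dst-nat":
            findings.append("pinhole {}/{} -> {}:{}".format(
                p.get("protocol", "any"), p.get("dst-port", "any"),
                p.get("to-addresses", "?"), p.get("to-ports", "?")))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

An export taken after moving the cameras behind L2TP with Use IPsec checked, PPTP disabled and the dst-nat rules removed should return no findings.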














