Tunnel & vpn1

Tunnel & VPN


Transcript of Tunnel & vpn1

Page 1: Tunnel & vpn1

Tunnel & VPN

Page 2: Tunnel & vpn1

VPN Benefits

Enable communications between corporate private LANs over public networks, leased lines or wireless links.

Corporate resources (e-mail, servers, printers) can be accessed securely from outside the office (home, while travelling, etc.) by users who have been granted access rights.

Page 3: Tunnel & vpn1

Tunnel and VPN Types

IPIP, EoIP, PPPoE, PPTP, IPSec, VLAN, L2TP, OVPN

Page 4: Tunnel & vpn1

VLAN

VLAN is an implementation of the 802.1Q VLAN protocol for MikroTik RouterOS.

A VLAN is a logical grouping that allows end users to communicate as if they were physically connected to a single isolated LAN.

As VLAN works on OSI Layer 2,

Page 5: Tunnel & vpn1

VLAN Network

Page 6: Tunnel & vpn1

VLAN Configuration

On Router 1

[nico@router1] interface vlan> add name=test vlan-id=32 interface=ether1
[nico@router1] ip address> add address=10.10.10.1/24 interface=test
[nico@router1] ip address> /ping 10.10.10.1
10.10.10.1 64 byte pong: ttl=255 time=3 ms
10.10.10.1 64 byte pong: ttl=255 time=4 ms

Page 7: Tunnel & vpn1

On Router 2

[nico@router2] interface vlan> add name=test1 vlan-id=32 interface=ether1
[nico@router2] ip address> add address=10.10.10.2/24 interface=test1
[nico@router2] ip address> /ping 10.10.10.2
10.10.10.2 64 byte pong: ttl=255 time=3 ms
10.10.10.2 64 byte pong: ttl=255 time=4 ms

Page 8: Tunnel & vpn1

Ethernet over IP

MikroTik proprietary protocol.
Simple in configuration.
Has no authentication or data encryption capabilities.
Encapsulates Ethernet frames into IP protocol 47/GRE packets, so EoIP is capable of carrying MAC addresses.
EoIP is a tunnel with bridge capabilities.

Page 9: Tunnel & vpn1
Page 10: Tunnel & vpn1

Creating an EoIP Tunnel

Page 11: Tunnel & vpn1

Check that you are able to ping the remote address before creating a tunnel to it.

Make sure that your EoIP tunnel will have a unique MAC address (it should be from the EF:xx:xx:xx:xx:xx range).

The Tunnel ID on both ends of the EoIP tunnel must be the same; it separates one tunnel from another.

Page 12: Tunnel & vpn1

EoIP and Bridging

An EoIP interface can be bridged with any other EoIP or Ethernet-like interface. The main use of EoIP tunnels is to transparently bridge remote networks.

The EoIP protocol does not provide data encryption, therefore it should be run over an encrypted tunnel interface, e.g., PPTP or PPPoE, if high security is required.
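As an added example (not from the slides or from RouterOS code), a Python model of the EoIP encapsulation described above: an Ethernet frame is wrapped in an 8-byte GRE/EoIP header carrying the frame length and tunnel ID, the receiver drops packets whose tunnel ID differs from its own, and an observer on the transit path can read both MAC addresses and the payload, which is why the slides say to run it over an encrypted tunnel. The header layout (flags/version 0x2001, protocol type 0x6400, big-endian length, little-endian tunnel ID) is taken from public dissector descriptions and is an assumption to verify against a capture; the sample frame is constructed.

```python
import struct

# Assumed EoIP GRE header layout (from public dissector descriptions, NOT from
# the slides; verify against a real capture before relying on it):
#   2 bytes  GRE flags/version  = 0x2001
#   2 bytes  protocol type      = 0x6400 (EoIP)
#   2 bytes  encapsulated frame length, big-endian
#   2 bytes  tunnel ID, little-endian
GRE_FLAGS_VERSION = 0x2001
GRE_PROTO_EOIP = 0x6400
EOIP_HEADER_LEN = 8
IPV4_HEADER_LEN = 20   # the GRE payload travels inside IP protocol 47
ETH_HEADER_LEN = 14


def eoip_encapsulate(tunnel_id: int, frame: bytes) -> bytes:
    """Wrap an Ethernet frame the way an EoIP tunnel would (GRE payload only)."""
    if not 0 <= tunnel_id <= 0xFFFF:
        raise ValueError("tunnel-id must fit in 16 bits")
    header = struct.pack("!HHH", GRE_FLAGS_VERSION, GRE_PROTO_EOIP, len(frame))
    return header + struct.pack("<H", tunnel_id) + frame


def eoip_decapsulate(payload: bytes, local_tunnel_id: int):
    """Return the inner frame if this is a valid EoIP packet for our tunnel ID,
    else None. A mismatched tunnel ID is silently dropped, which is what lets
    several tunnels share the same pair of endpoint addresses."""
    if len(payload) < EOIP_HEADER_LEN:
        return None
    flags, proto, length = struct.unpack("!HHH", payload[:6])
    (tunnel_id,) = struct.unpack("<H", payload[6:8])
    if flags != GRE_FLAGS_VERSION or proto != GRE_PROTO_EOIP:
        return None
    if tunnel_id != local_tunnel_id:
        return None
    frame = payload[EOIP_HEADER_LEN:]
    return frame if len(frame) == length else None


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def inspect_frame(frame: bytes) -> dict:
    """What a passive observer on the transit network sees: EoIP adds no
    encryption, so both MAC addresses and the payload are readable."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HEADER_LEN])
    return {"dst": _mac(dst), "src": _mac(src), "ethertype": ethertype,
            "payload": frame[ETH_HEADER_LEN:]}


def outer_packet_size(frame: bytes) -> int:
    """Bytes on the wire per frame: IPv4 header + GRE/EoIP header + frame."""
    return IPV4_HEADER_LEN + EOIP_HEADER_LEN + len(frame)


# Constructed sample frame: locally administered MACs, IPv4 ethertype and a
# fake HTTP login as payload (no real hosts involved).
SAMPLE_FRAME = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
                + b"\x08\x00" + b"POST /login user=nico&password=s3cret")

if __name__ == "__main__":
    wire = eoip_encapsulate(32, SAMPLE_FRAME)
    print("inner frame readable in clear:", inspect_frame(eoip_decapsulate(wire, 32)))
    print("other tunnel ID drops it:", eoip_decapsulate(wire, 33))
```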

Page 13: Tunnel & vpn1
Page 14: Tunnel & vpn1

EoIP Configuration

Page 15: Tunnel & vpn1

Set up the AP on router 1

Page 16: Tunnel & vpn1

Create IP address

Page 17: Tunnel & vpn1

Create EoIP Interface

Page 18: Tunnel & vpn1

Create Bridge

Page 19: Tunnel & vpn1

Create Bridge Port

Page 20: Tunnel & vpn1

View Interface

Page 21: Tunnel & vpn1

Router 2 Configuration

Create station on wlan1

Page 22: Tunnel & vpn1

Create IP address

Page 23: Tunnel & vpn1

Create EoIP

Page 24: Tunnel & vpn1

Create Bridge

Page 25: Tunnel & vpn1

Create Bridge Port

Page 26: Tunnel & vpn1

View interface

Page 27: Tunnel & vpn1

Configuration Test

Add an IP address on the laptop in the same class as the Internet IP.

Ping the gateway through the EoIP network that has been created.

Page 28: Tunnel & vpn1

Test Results

Page 29: Tunnel & vpn1

EoIP Workshop

Create an EoIP tunnel with your neighbor(s).

Transfer to /22 private networks; this way you will be in the same network as your neighbor, and local addresses will remain the same.

Bridge your private networks via EoIP.

Page 30: Tunnel & vpn1

/32 IP Addresses

IP addresses are added to the tunnel interfaces. Use a /30 network to save address space, for example: 10.1.6.1/30 and 10.1.6.2/30 from network 10.1.6.0/30.

It is also possible to use point-to-point addressing, where each end's "network" is the peer's address, for example:
10.1.6.1/32, network 10.1.7.1
10.1.7.1/32, network 10.1.6.1

Page 31: Tunnel & vpn1

EoIP and /30 Routing

Page 32: Tunnel & vpn1

EoIP and /32 Routing

Page 33: Tunnel & vpn1

Local User Database

PPP Profile
PPP Secret

Page 34: Tunnel & vpn1

Point-to-Point Protocol Tunnels

A little more sophisticated in configuration.
Capable of authentication and data encryption.
Such tunnels are:
PPPoE (Point-to-Point Protocol over Ethernet)
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)

You should create user information before creating any tunnels.

Page 35: Tunnel & vpn1

PPP Secret

PPP secret (aka local PPP user database) stores PPP user access records.

Note that user passwords are displayed in plain text; anyone who has access to the router is able to see all passwords.

It is possible to assign a specific /32 address to both ends of the PPTP tunnel for this user.

Settings in the /ppp secret user database override the corresponding /ppp profile settings.

Page 36: Tunnel & vpn1

PPP Secret

Page 37: Tunnel & vpn1

PPP Profile and IP Pools

PPP profiles define default values for user access records stored under the /ppp secret submenu.

PPP profiles are used for more than one user, so there must be more than one IP address to give out; we should use an IP pool as the “Remote address” value.

The value “default” means that if the option is coming from a RADIUS server it won't be overridden.

Page 38: Tunnel & vpn1

PPP Profile

Page 39: Tunnel & vpn1

Change TCP MSS

Big 1500-byte packets have problems going through the tunnels because:
The standard Ethernet MTU is 1500 bytes
The PPTP and L2TP tunnel MTU is 1460 bytes
The PPPoE tunnel MTU is 1488 bytes

By enabling the “change TCP MSS” option, a dynamic mangle rule will be created for each active user to ensure the right size of TCP packets, so they will be able to go through the tunnel.
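As an added example (not from the slides or from RouterOS), a Python model of what that dynamic mangle rule does: it parses the TCP options of a constructed SYN and lowers the MSS option to the tunnel MTU minus 40 bytes of IPv4 and TCP headers, leaving smaller values and all other options untouched. The 40-byte header assumption and the sample option bytes are mine; the tunnel MTUs are the ones stated above.

```python
import struct

ETHERNET_MTU = 1500
TUNNEL_MTU = {"pptp": 1460, "l2tp": 1460, "pppoe": 1488}  # values from the slides
IP_TCP_HEADERS = 40   # assumed: 20-byte IPv4 header + 20-byte TCP header

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def max_mss(tunnel_mtu: int) -> int:
    """Largest TCP payload that still fits into one tunnel-sized packet."""
    return tunnel_mtu - IP_TCP_HEADERS


def fits_tunnel(mss: int, tunnel_mtu: int) -> bool:
    """Does a full-size segment with this MSS pass the tunnel unfragmented?"""
    return mss + IP_TCP_HEADERS <= tunnel_mtu


def parse_tcp_options(options: bytes) -> list:
    """Decode a TCP options field into (kind, value-bytes) tuples."""
    out, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad TCP option length")
        out.append((kind, options[i + 2:i + length]))
        i += length
    return out


def clamp_mss(options: bytes, tunnel_mtu: int) -> bytes:
    """Rewrite the MSS option in a SYN's options the way the mangle rule does:
    lower it only when it exceeds what the tunnel can carry. Layout and order
    of the other options are preserved."""
    limit = max_mss(tunnel_mtu)
    out = bytearray(options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        length = out[i + 1]
        if kind == TCPOPT_MSS and length == 4:
            (mss,) = struct.unpack("!H", out[i + 2:i + 4])
            if mss > limit:
                out[i + 2:i + 4] = struct.pack("!H", limit)
        i += length
    return bytes(out)


# Constructed SYN options: MSS 1460 (Ethernet-sized), NOP, window scale 7,
# SACK permitted, end of list.
SYN_OPTIONS = bytes.fromhex("020405b4" "01" "030307" "0402" "00")
```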

Page 40: Tunnel & vpn1

PPTP & L2TP

Point-to-Point Tunnelling Protocol
PPTP uses TCP port 1723 and IP protocol 47/GRE.
There is a PPTP server and PPTP clients.
PPTP clients are available for and/or included in almost all OSes.
You must use the PPTP and GRE “NAT helpers” to connect to any public PPTP server from your private masqueraded network.

Page 41: Tunnel & vpn1

L2TP Tunnels

PPTP and L2TP have mostly the same functionality.

L2TP traffic uses UDP port 1701 only for link establishment; further traffic uses any available UDP port.

L2TP doesn't have problems with NATed clients; it doesn't require “NAT helpers”.

Configuration of both tunnels is identical in RouterOS.

Page 42: Tunnel & vpn1

L2TP Applications

Secure router-to-router tunnels over the Internet.
Linking (bridging) local intranets or LANs (in cooperation with EoIP).
Extending PPP user connections to a remote location (for example, to separate authentication and Internet access points for an ISP).
Accessing an intranet/LAN of a company for remote (mobile) clients (employees).

Page 43: Tunnel & vpn1

Creating PPTP/L2TP Client

Page 44: Tunnel & vpn1
Page 45: Tunnel & vpn1

Creating PPTP/L2TP server

Page 46: Tunnel & vpn1

PPTP Client Lab

Create PPTP client
Server Address: 10.1.2.1
User: admin
Password: admin
Add default route = yes

Make necessary adjustments to access the internet.

Page 47: Tunnel & vpn1

Network L2TP

Page 48: Tunnel & vpn1

Script Configuration

On Router 1
Enable the L2TP server:

[admin@L2TP-Server] interface l2tp-server server> set enabled=yes

Add an L2TP user:

[admin@L2TP-Server] ppp secret> add name=james password=pass \
... local-address=10.0.0.1 remote-address=10.0.0.2

Page 49: Tunnel & vpn1

Script Configuration

On Router 2
Add an L2TP client:

[admin@L2TP-Client] interface l2tp-client> add user=james password=pass \
... connect-to=10.5.8.104

Page 50: Tunnel & vpn1

Monitoring L2TP Client

Example of an established connection:

[admin@MikroTik] interface l2tp-client> monitor test2
status: "connected"
uptime: 4m27s
encoding: "MPPE128 stateless"

Page 51: Tunnel & vpn1

User Access Control

Controlling the hardware:
Static IP and ARP entries
DHCP for assigning IP addresses and managing ARP entries

Controlling the users:
PPPoE requires PPPoE client configuration
HotSpot redirects client requests to the sign-up page
PPTP requires PPTP client configuration

Page 52: Tunnel & vpn1

PPPoE

Point-to-Point Protocol over Ethernet
PPPoE works in the OSI 2nd (data link) layer.
PPPoE is used to hand out IP addresses to clients based on user authentication.
PPPoE requires a dedicated access concentrator (server), which PPPoE clients connect to.
Most operating systems have PPPoE client software.
Windows XP has a PPPoE client installed by default.

Page 53: Tunnel & vpn1

PPPoE client

Page 54: Tunnel & vpn1

PPPoE Client Lab

Create PPPoE client
Interface: wlan1
Service: pppoe
User: admin
Password: admin
Add default route = yes

Make necessary adjustments to access the internet.

Page 55: Tunnel & vpn1

PPPoE Client Status

Check your PPPoE connection:
Is the interface enabled?
Is it “connected” and running (R)?
Is there a dynamic (D) IP address assigned to the pppoe client interface in the IP Address list?
What are the netmask and the network address?
What routes do you have on the pppoe client interface?
See the “Log” for troubleshooting!

Page 56: Tunnel & vpn1

PPPoE Lab with Encryption

The PPPoE access concentrator is now changed to use encryption.

You should use encryption; either
change the ppp profile used for the pppoe client to 'default-encryption', or
modify the ppp profile used for the pppoe client to use encryption.

See if you get the pppoe connection running.

Page 57: Tunnel & vpn1

PPPoE Server

The PPPoE server accepts PPPoE client connections on a given interface.

Clients can be authenticated against:
the local user database (ppp secrets)
a remote RADIUS server
a remote or a local MikroTik User Manager database

Clients can have automatic data rate limitation according to their profile.

Page 58: Tunnel & vpn1

Creating PPPoE server

Page 59: Tunnel & vpn1

PPPoE Workshop

Page 60: Tunnel & vpn1

Configuration

Set AP bridge mode
Set IP address
Set IP route
Set PPPoE server on the Wi-Fi interface
Set up PPPoE client (PPP secret)
Set up IP pool (10.10.10.100-10.10.10.103)
Set up the Windows PPPoE client

Page 61: Tunnel & vpn1

PPP Interface Bridging

PPP BCP (Bridge Control Protocol)
PPP MP (Multi-link Protocol)

Page 62: Tunnel & vpn1

PPP Bridge Control Protocol

RouterOS now has BCP support for all async PPP, PPTP, L2TP and PPPoE (not ISDN) interfaces.

If BCP is established, the PPP tunnel does not require an IP address.

A bridged tunnel's IP address (if present) does not apply to the whole bridge; it stays only on the PPP interface (routed IP packets can go through the tunnel as usual).

Page 63: Tunnel & vpn1

Setting up BCP

You must specify the bridge option in the ppp profiles on both ends of the tunnel.

The bridge must have a manually set MAC address, or at least one regular interface in it, because ppp interfaces do not have MAC addresses.

Page 64: Tunnel & vpn1

PPP Bridging Problem

The PPP interface MTU is smaller than that of a standard Ethernet interface.

It is impossible to fragment Ethernet frames; tunnels must have an inner algorithm for encapsulating and transferring Ethernet frames via a link with a smaller MTU.

EoIP has such an encapsulation algorithm enabled by default; PPP interfaces don't.

PPP interfaces can utilize the PPP Multi-link Protocol to encapsulate Ethernet frames.

Page 65: Tunnel & vpn1

PPP Multi-link Protocol

PPP Multi-link Protocol allows opening multiple simultaneous channels between systems.

It is possible to split and recombine packets between several channels, resulting in an increase of the effective maximum receive unit (MRU).

To enable PPP Multi-link Protocol you must specify the MRRU option.

In MS Windows you must enable the "Negotiate multi-link for single link connections" option.

Page 66: Tunnel & vpn1

PPP Multi-link Protocol