Networks are the most critical component of an effective enterprise IT environment.
Network services from I0T Inc. support your network’s growing need for agility, security and scalability in a multi-vendor, multi-technology environment. We provide straightforward guidance and extensive knowledge on networking across industries, and we use a lifecycle approach that spans strategy, assessment, planning, design, implementation and management. Our services range from network connectivity consulting and integration to managed network services and software-defined networking.
We have been tasked with designing and implementing VPN infrastructure to connect six offices located around the world.
The solution should include inter-site connectivity and remote access. It should include the following:
I0T Inc. Networking Team applies the KISS principle wherever possible while balancing the needs of our organization.
The solution proposes to deploy a site-to-site VPN using IP Security (IPsec) tunnels over the Internet between the six remote sites, and to provide a secure PPTP / L2TP service over the Internet for remote (dial-in VPN) users.
The solution design is based on vendor best practices for building a site-to-site enterprise virtual private network (VPN). The proposed solution uses MikroTik VPN router products.
These technologies were selected to keep the solution simple and straightforward while still meeting most of the organization's needs.
This document describes the proposed solution topology diagram, IP addressing scheme, the individual hardware requirements and their interconnections, software features, transport mediums, security and reliability.
This document was prepared as the subject exercise for I0T's Do It Yourself.
Topology diagram and IP addressing scheme
The IPsec standard provides a method to manage authentication and data protection between multiple peers engaged in secure data transfer.
The IPsec protocol suite can be divided into the following groups:
This solution requires a standards-based way to protect data from eavesdropping and modification, and IPsec provides it. IPsec offers a choice of transform sets, so users may choose the strength of their data protection, and several hash methods to choose from, each giving a different level of protection.
Each site must establish a peer IPsec tunnel with every other site, so each site needs 5 tunnels; see the diagram below.
Diagram # 1 – IPSec Tunnels
The following hardware and software will be required for the setup:
Gateway Router: Two redundant (active-standby) MikroTik routers of the following model, running the latest RouterOS, will be required in each site. MikroTik CCR1036-12G-4S Router: 1U rackmount, 12x Gigabit Ethernet, 4x SFP cages, LCD, 36 cores x 1.2 GHz CPU, 4 GB RAM, 24 Mpps fastpath, up to 16 Gbit/s throughput, RouterOS L6.
LAN Switch: Two redundant (active-active) Cisco Catalyst 2960-L with 48 ports: fixed or smart managed, LAN Lite, data or PoE+, up to 370 W PoE, 4 SFP or SFP+ uplinks, Enhanced Limited Lifetime Warranty (E-LLW).
Reliable Internet Link, preferably with backup and an SLA: symmetrical or asymmetrical high-speed Internet connection with a FIXED IP ADDRESS; speed based on forecasted traffic, with a recommendation of 100 – 500 Mbps download/upload. The type of connection depends on availability, in order of preference:
c. Wireless P2P (reliable)
Link backup and redundancy can be provided depending on availability, using solutions such as SD-WAN or 2G/3G/4G/LTE/5G that combine different link types and bond them into a single channel to provide the largest possible amount of bandwidth.
Site Network Diagram and configuration
The Internet router will provide an Ethernet connection and a fixed IP address to the MikroTik gateway router. The diagram below is for the Toronto site; all other sites will have a similar setup.
We will limit the configuration to only one site (Toronto), as other sites will have a similar configuration but with different IP addressing.
Start by configuring the IPsec peer. It is enough to configure the address, auth method and secret parameters and leave everything else at its default. Additional peer properties may be set as long as they are identical on both sites.
For the next steps it is important that the proposed authentication and encryption algorithms match on both routers. We will use the predefined “default” proposal. To verify the proposal settings:
At this point, if you try to send traffic over the IPsec tunnel it will not work: packets will be lost. This is because both routers have NAT (masquerade) rules that change the source address before the packet is encrypted. The router is then unable to encrypt the packet because the source address no longer matches the address specified in the policy configuration.
To fix this we need to set up a NAT bypass rule.
It is very important that the bypass rule is placed above all other NAT rules.
Another issue: if Fasttrack is enabled, packets bypass the IPsec policies, so an accept rule must be added before the Fasttrack rule. However, this can add significant CPU load when there is a fair number of tunnels with significant traffic on each. The solution is to use the RAW firewall table to bypass connection tracking, which eliminates the need for the filter rules above and reduces CPU load by approximately 30%.
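The following is an added example and not configuration from the original document: the Toronto gateway's side of one of its five tunnels, here to an assumed peer named "london". The addresses are documentation ranges chosen for the example (Toronto WAN 198.51.100.10 and LAN 10.1.0.0/16, London WAN 203.0.113.20 and LAN 10.2.0.0/16), and the syntax is that of RouterOS 6.44 or later, where the pre-shared key lives in a separate identity entry (on older builds it is set on the peer itself, as described above). The same steps are repeated for the other four sites.

```routeros
# Added example: Toronto gateway, tunnel to the assumed "london" site.
# Assumed addressing: Toronto WAN 198.51.100.10, LAN 10.1.0.0/16;
#                     London  WAN 203.0.113.20,  LAN 10.2.0.0/16.

# 1. Phase 1 peer and its pre-shared-key identity. Other peer properties stay
#    at their defaults unless the same change is made on both ends.
/ip ipsec peer add name=london address=203.0.113.20/32 exchange-mode=ike2 profile=default
/ip ipsec identity add peer=london auth-method=pre-shared-key secret="REPLACE-WITH-PWGEN-OUTPUT"

# 2. Phase 2 uses the predefined "default" proposal; it must match on both
#    routers, so check it before anything else.
/ip ipsec proposal print detail where name=default

# 3. Policy: what to encrypt and towards which peer.
/ip ipsec policy add src-address=10.1.0.0/16 dst-address=10.2.0.0/16 \
    tunnel=yes action=encrypt proposal=default peer=london

# 4. NAT bypass, forced to the top of the srcnat chain with place-before=0.
#    Without it masquerade rewrites the source address before encryption and
#    the packet no longer matches the policy.
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=10.1.0.0/16 dst-address=10.2.0.0/16 comment="IPsec bypass -> london"

# 5a. Fasttrack option A: accept IPsec traffic ahead of the fasttrack rule.
#     Costs CPU with many busy tunnels, so shown here commented out for reference.
# /ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec \
#     place-before=[find chain=forward action=fasttrack-connection]
# /ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec \
#     place-before=[find chain=forward action=fasttrack-connection]

# 5b. Fasttrack option B (used here): skip connection tracking for the tunnel
#     subnets in the raw table, so option A is not needed at all.
/ip firewall raw add chain=prerouting action=notrack \
    src-address=10.1.0.0/16 dst-address=10.2.0.0/16 comment="IPsec notrack -> london"
/ip firewall raw add chain=prerouting action=notrack \
    src-address=10.2.0.0/16 dst-address=10.1.0.0/16 comment="IPsec notrack <- london"

# 6. Verification: phase 1 established, SAs installed, policy active (A flag).
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
```

Apply either the commented-out filter rules or the raw notrack rules, not both. After pasting on both gateways, ping a London host from the Toronto LAN and confirm that an active peer and installed SAs appear and that the policy shows as active.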
MikroTik routers require a password to be configured. We suggest using pwgen or another password generator to create strong, non-repeating passwords.
Beyond the default firewall, which protects the router from unauthorized access from outside networks, it is possible to restrict a username's access to specific IP addresses.
All production routers must be administered through SSH, secured Winbox or HTTPS. Use the latest Winbox version for secure access. Note that in the newest Winbox versions “Secure mode” is ON by default and can no longer be turned off.
Also change the default SSH port, which immediately stops most random SSH brute-force login attempts, and disable the services that are not needed: MAC-telnet, MAC-Winbox, MAC-ping, the MikroTik Neighbor Discovery Protocol, the bandwidth server, DNS cache, proxy and SOCKS, UPnP, the dynamic name service and the LCD.
We strongly suggest keeping the default firewall on. Here are a few adjustments to make it more secure:
work only with new connections to decrease the load on the router; create an address list of the IP addresses that are allowed to access the router; allow ICMP (optionally); drop everything else (log=yes may be added to log the packets that hit a specific rule).
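The following is an added example, not the document's own configuration, that applies the hardening points above to the Toronto gateway. It assumes a management subnet of 10.1.10.0/24, SSH moved to port 22022, an example site-gateway peer at 203.0.113.20, and that the stock RouterOS default firewall is still in place (its rules carry "defconf:" comments, which the place-before lookups rely on).

```routeros
# Added example: management-plane hardening of the Toronto gateway.
# Assumed values: management subnet 10.1.10.0/24, SSH on port 22022,
# site-gateway peers listed in "vpn-peers", default firewall present.

# Dedicated admin account, restricted to the management subnet. Generate the
# password off-box (for example: pwgen -s 24 1), paste it in, then retire "admin".
/user add name=netops group=full address=10.1.10.0/24 password="REPLACE-WITH-PWGEN-OUTPUT"
/user disable admin

# Management only over SSH, Winbox and HTTPS, all bound to the management
# subnet; a non-default SSH port removes most of the random brute-force noise.
# (www-ssl also needs a certificate assigned before it is usable.)
/ip service set ssh port=22022 address=10.1.10.0/24
/ip service set winbox address=10.1.10.0/24
/ip service set www-ssl address=10.1.10.0/24
/ip service disable telnet,ftp,www,api,api-ssl

# Layer-2 management and discovery off on every interface.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/ip neighbor discovery-settings set discover-interface-list=none

# Services a VPN gateway does not need.
/tool bandwidth-server set enabled=no
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
/lcd set enabled=no

# Input chain on top of the default firewall. The default already accepts
# established/related/untracked first, so only new connections reach these
# rules; they are placed ahead of the default "drop all not coming from LAN".
/ip firewall address-list add list=mgmt address=10.1.10.0/24 comment="NOC workstations"
/ip firewall address-list add list=vpn-peers address=203.0.113.20 comment="example site gateway"
/ip firewall filter add chain=input action=accept connection-state=new src-address-list=mgmt \
    comment="management access" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
/ip firewall filter add chain=input action=accept connection-state=new protocol=udp dst-port=500,4500 \
    src-address-list=vpn-peers comment="IKE from site gateways" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
/ip firewall filter add chain=input action=accept protocol=ipsec-esp src-address-list=vpn-peers \
    comment="ESP from site gateways" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
# ICMP stays allowed by the default "defconf: accept ICMP" rule; disable that
# rule if ICMP to the router is not wanted.
# Final catch-all appended after the default rules: drops LAN-side traffic that
# no rule above accepted, and logs it for review.
/ip firewall filter add chain=input action=drop log=yes log-prefix="input-drop" comment="drop and log the rest"
```

Apply this from a session on the management subnet and keep that session open until a second login over the new SSH port succeeds. Afterwards, /ip firewall filter print stats chain=input shows which rules are matching, and /log print where message~"input-drop" lists what the final rule rejected.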
Remote users can connect a computer to a remote office network over a PPTP encrypted tunnel, giving that computer an IP address from the same network as the remote office (without any need for bridging over EoIP tunnels).
PPTP is a secure tunnel for transporting IP traffic using PPP. PPTP encapsulates PPP in virtual lines that run over IP. PPTP incorporates PPP and MPPE (Microsoft Point-to-Point Encryption) to make encrypted links. The purpose of this protocol is to make well-managed secure connections between routers as well as between routers and PPTP clients (clients are available for and/or included in almost all OSs, including Windows). Multilink PPP (MP) is supported in order to provide MRRU (the ability to transmit full-sized 1500-byte and larger packets) and bridging over PPP links (using Bridge Control Protocol (BCP), which allows the sending of raw Ethernet frames over PPP links). This way it is possible to set up bridging without EoIP. The bridge should either have an administratively set MAC address or an Ethernet-like interface in it, as PPP links do not have MAC addresses. PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally.
MPPE 128-bit RC4 encryption is supported.
PPTP traffic uses TCP port 1723 and IP protocol GRE (Generic Routing Encapsulation, IP protocol ID 47), as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by allowing traffic destined for TCP port 1723 and protocol 47 to pass through the firewall or router.
PPTP connections may be limited or impossible to set up through a masqueraded/NAT IP connection. Please see the Microsoft and RFC links listed below for more information.
The office router (the Toronto MikroTik, for example) is connected to the Internet through ether1. Workstations are connected to sfp1 via a Cisco switch on VLAN1 and VLAN2.
RADIUS, short for Remote Authentication Dial-In User Service, is a remote server that provides authentication and accounting facilities to various network appliances. RADIUS authentication and accounting gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. MikroTik RouterOS has a RADIUS client which can authenticate HotSpot, PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from the RADIUS server override the ones set in the default profile, but if some parameters are not received they are taken from the respective default profile. The RADIUS server database is consulted only if no matching user access record is found in the router's local database.
Traffic is accounted locally with MikroTik Traffic Flow and Cisco IP pairs, and a snapshot image can be gathered using syslog utilities. If RADIUS accounting is enabled, accounting information is also sent to the default RADIUS server for that service.
Installing and registering the RADIUS server along with its network policy is outside the scope of this exercise, but some screenshots of its configuration are provided. RADIUS will also use a database for the portal.
Now configure the MikroTik to forward PPP AAA requests to the RADIUS server.
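The following is an added example, not the document's own configuration, of the remote-access service described above on the Toronto gateway with AAA forwarded to RADIUS. It assumes a WAN interface ether1, a RADIUS/NPS server at 10.1.10.5, a client pool of 10.1.200.10-10.1.200.250, a LAN gateway address of 10.1.0.1, and that the stock default firewall is still present (rules commented "defconf:").

```routeros
# Added example: PPTP and L2TP/IPsec remote access on the Toronto gateway with
# AAA forwarded to RADIUS. Assumed values: WAN ether1, RADIUS 10.1.10.5,
# client pool 10.1.200.10-10.1.200.250, LAN gateway 10.1.0.1.

# Address pool and profile for dial-in users. Attributes returned by RADIUS
# override these; anything RADIUS does not send falls back to the profile.
/ip pool add name=vpn-pool ranges=10.1.200.10-10.1.200.250
/ppp profile add name=vpn-profile local-address=10.1.0.1 remote-address=vpn-pool \
    use-encryption=required change-tcp-mss=yes

# PPTP: TCP 1723 control channel, GRE (protocol 47) data channel,
# MS-CHAPv2 only so MPPE 128-bit is negotiated.
/interface pptp-server server set enabled=yes default-profile=vpn-profile authentication=mschap2

# L2TP, accepted only inside IPsec (UDP 500/4500 and ESP from the client).
/interface l2tp-server server set enabled=yes default-profile=vpn-profile \
    authentication=mschap2 use-ipsec=required ipsec-secret="REPLACE-WITH-PWGEN-OUTPUT"

# Firewall: the services must be reachable from the Internet, so the accepts
# go in front of the default firewall's final input drop.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1723 action=accept \
    comment="PPTP control" place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
/ip firewall filter add chain=input in-interface=ether1 protocol=gre action=accept \
    comment="PPTP data" place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept \
    comment="IKE / NAT-T" place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
/ip firewall filter add chain=input in-interface=ether1 protocol=ipsec-esp action=accept \
    comment="ESP" place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
# L2TP itself (UDP 1701) is accepted only once it arrives through an IPsec policy.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept \
    comment="L2TP only after IPsec" place-before=[find chain=input comment="defconf: drop all not coming from LAN"]

# RADIUS client for the PPP service: the local /ppp secret table is checked
# first and RADIUS is asked only when no local user matches.
/radius add service=ppp address=10.1.10.5 secret="REPLACE-WITH-SHARED-SECRET" timeout=3s
/ppp aaa set use-radius=yes accounting=yes interim-update=5m

# Verification: RADIUS reachability counters and who is currently connected.
/radius monitor 0 once
/ppp active print
```

The L2TP rule is deliberately narrower than the PPTP ones: because the server is set to use-ipsec=required, plaintext UDP 1701 from the Internet is never accepted, which keeps the L2TP service from being probed directly.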
The MikroTik routers and the VPN users' management can be handled by a web platform I created for that purpose, accessible via https://tik.i0t.ca.
MikroTik router configurations will be backed up every month and upon changes. The following script will be configured on each router; this exercise is limited to Toronto. Additionally, one spare system will be kept ready in each site as a replacement in case of hardware failure.
PRTG will be used as the monitoring and alerting system. SNMP version 3 will be configured on the router to monitor bandwidth, interface status and logged-in users.
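The following is an added example, not the document's own script, covering the two operational points above on the Toronto gateway: the monthly and on-change configuration backup, and SNMPv3 for PRTG. It assumes a backup host at 10.1.10.6 reachable over SFTP (and a RouterOS build whose /tool fetch supports mode=sftp), a PRTG probe at 10.1.10.7, and that the backup host keeps dated copies of the files it receives, since the file names use only the router identity.

```routeros
# Added example: configuration backup script plus SNMPv3 for PRTG.
# Assumed values: SFTP backup host 10.1.10.6 (assumes /tool fetch mode=sftp
# is available on this build), PRTG probe 10.1.10.7.

/system script add name=cfg-backup policy=read,write,ftp,sensitive,test source={
    :local name [/system identity get name]
    # Encrypted binary backup for bare-metal restore, plus a readable export
    # for review and for diffing against the previous month's copy.
    /system backup save name=$name password="REPLACE-WITH-BACKUP-PASSWORD"
    /export file=$name
    :foreach ext in={"backup";"rsc"} do={
        :local file ($name . "." . $ext)
        /tool fetch upload=yes mode=sftp address=10.1.10.6 port=22 \
            user=rtrbackup password="REPLACE-WITH-SFTP-PASSWORD" \
            src-path=$file dst-path=("backups/" . $file)
    }
    :log info ("configuration backup of " . $name . " uploaded")
}

# Monthly run; after any manual change run it by hand: /system script run cfg-backup
/system scheduler add name=cfg-backup-monthly start-time=02:00:00 interval=30d \
    on-event=cfg-backup policy=read,write,ftp,sensitive,test

# SNMPv3 with authentication and privacy, read-only, and only from the probe.
/snmp community add name=prtg security=private addresses=10.1.10.7/32 \
    authentication-protocol=SHA1 authentication-password="REPLACE-WITH-AUTH-PASS" \
    encryption-protocol=AES encryption-password="REPLACE-WITH-PRIV-PASS" \
    read-access=yes write-access=no
/snmp community disable [find name=public]
/snmp set enabled=yes location="Toronto" contact="REPLACE-WITH-NOC-CONTACT" \
    trap-version=3 trap-community=prtg trap-target=10.1.10.7
```

The binary backup is password-protected because it contains every secret on the router, including the IPsec pre-shared keys; the .rsc export is the copy to read and diff, so it must be stored with the same care. The SNMP "public" community is disabled rather than left with its default settings, and PRTG is configured with the matching SNMPv3 credentials rather than a community string.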
In order to manage the use of the Internet bandwidth available at each site, a queuing policy will be applied. A shaper will be installed, limited to 50 Mbit/s of overall bandwidth, which covers around 100 online users with different per-user rate limits of 1 Mbit/s and 2 Mbit/s. The idea behind the scripts is to allow different limits by day and by night, so that the lowest-priority class can reach at least 22 Mbit/s after business hours, when business clients do not use much bandwidth. For web video (YouTube, …) 400 Kbit/s per user will be served using PCQ.
For web video services, create an address list for the main video sites (YouTube, Metacafe, Youporn, Redtube, etc.).
Apply scripts that change the Queue Tree at different times of the day. At 19h the first script starts checking the average rate of the PRIO8 queue; if it is below 20 Mbit/s, it disables PRIO8 and enables PRIO8-19h, which guarantees 22 Mbit/s for that kind of traffic. The other script checks the average rate of the OVERALL queue; if the rate is below 50 Mbit/s it disables PRIO8-19h and re-enables PRIO8, since more than 22 Mbit/s will then be available anyway.
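The following is an added example, not the document's own scripts, implementing the day/night queue switch described above. It assumes the three queue tree entries already exist under the names used in the text (OVERALL as the 50 Mbit/s parent, PRIO8 as the lowest-priority class with its business-hours limit, and PRIO8-19h as the same class with the 22 Mbit/s guarantee), and it assumes that reading the rate property of a queue tree entry with get returns the current rate in bit/s, as print stats displays it.

```routeros
# Added example: evening/daytime switch between the PRIO8 and PRIO8-19h queues.
# Assumes the OVERALL, PRIO8 and PRIO8-19h queue tree entries already exist
# and that [/queue tree get <name> rate] returns the current rate in bit/s.

# 19:00: if PRIO8 is running under 20 Mbit/s, swap in the evening queue that
# guarantees 22 Mbit/s to that class.
/system script add name=prio8-evening policy=read,write,test source={
    :local rate [/queue tree get [find name="PRIO8"] rate]
    :if ($rate < 20000000) do={
        /queue tree disable [find name="PRIO8"]
        /queue tree enable [find name="PRIO8-19h"]
        :log info ("PRIO8 at " . $rate . " bit/s, enabled PRIO8-19h")
    }
}

# Every 5 minutes while the evening queue is active: once the site as a whole
# is under 50 Mbit/s the guarantee is no longer needed, so restore PRIO8.
/system script add name=prio8-restore policy=read,write,test source={
    :if ([/queue tree get [find name="PRIO8-19h"] disabled] = false) do={
        :local total [/queue tree get [find name="OVERALL"] rate]
        :if ($total < 50000000) do={
            /queue tree disable [find name="PRIO8-19h"]
            /queue tree enable [find name="PRIO8"]
            :log info ("OVERALL at " . $total . " bit/s, restored PRIO8")
        }
    }
}

/system scheduler add name=prio8-evening start-time=19:00:00 interval=1d \
    on-event=prio8-evening policy=read,write,test
/system scheduler add name=prio8-restore start-time=startup interval=5m \
    on-event=prio8-restore policy=read,write,test
```

The restore script only acts while PRIO8-19h is enabled, so during the day it costs nothing. Both scripts log each switch, which makes it easy to confirm from /log print that the evening queue was engaged at 19:00 and when it was released.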