
OPSEC / Anonymity L2TP & «IPsec with pre shared key» vs MITM

SST (Lucifer)
New member · Joined Jul 25, 2022 · Messages: 8 · Hellcoins: ♆828
The article discusses the main VPN protocols that are currently applicable in business processes, as well as the issue of using L2TP in conjunction with IPsec in pre-shared key mode. In practice, approaches to organizing virtual networks on MikroTik equipment were analyzed and a practical audit of data transmission security was performed from the perspective of third-party analysis of outgoing traffic with the possibility of a MITM attack.

To begin with, let's look at the cases in which a business needs a VPN: when connecting remote employees to the company's network resources (site-to-client VPN) and when combining geographically dispersed network elements (site-to-site VPN). There are a lot of VPN protocols themselves now: GRE, PPTP, SSTP, OVPN, L2TP, WireGuard, etc.

Having looked at the variety of protocols, which one should we choose?
Firstly, it depends on what we are building, site-to-client or site-to-site, because GRE is not suitable for the first case.

Secondly, although WireGuard is young, simple and very promising, it cannot be installed on a Cisco or MikroTik office router, and vendors do not even plan to implement it. PPTP is very easy to set up but will either be unencrypted or MPPE encrypted, which does not have hardware offload, as a result of which the multi-user network will slow down in operation. SSTP is an excellent protocol, it works over TLS in UDP on port 443, it will get through any Firewall, and maybe even IDS. For some vendors, for example MikroTik, it can work with a pre-shared key instead of a certificate, and it runs on Windows clients out of the box.

Of the minuses: certain dances with a tambourine when setting up Linux clients (the protocol is still from Microsoft) and the lack of support from vendors in hardware offloading. OpenVPN is good for everyone, especially for its high flexibility. You can tunnel at L2, you can tunnel at L3, you can't list everything. It is not for nothing that it is open software. The MikroTik router will soon learn to work with it via UDP (expected in the next generation of RouterOS), since there is no point in TCP, because the connection is still checked in the nested tunnel. However, most likely your office Cisco does not know how to work with it, so you cannot organize a VPN server from it.

In fact, the de facto standard in a corporate environment is the L2TP protocol. It runs on UDP, the default port is 1701. Encryption is good, especially the ability to offload IPsec to hardware. There is a possibility that your corporate MikroTik (despite the fact that it is a software router) can encrypt IPsec in hardware (see the "Hardware acceleration" table on the manufacturer's website). At Cisco, things are even better in this matter. Even if your office router does not know how to encrypt with iron, no one except you should know this.

So, let's sum up the intermediate result: business needs VPN technologies, and it is best to use L2TP. Having finished with the protracted introductory part, let's go directly to the topic of the article. Consider, using the example of MikroTik equipment, the security of data transmission in a tunnel with the possibility of MITM attacks from third parties. This question arises because L2TP is almost always used in a corporate environment in conjunction with IPsec in tunnel mode and a shared key for the entire network, instead of creating a PKI and enabling certificates. This is convenient: the network is quickly deployed and easily maintained. Is it safe under pre-shared key compromise conditions? Let's find out in practice.

- Let's start with the fact that L2TP may not be encrypted:
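An added example, not from the original post, for the point above that L2TP can run with no encryption at all: it flags bare UDP/1701 between peers in constructed flow records (a defender's check for a silent IPsec downgrade) and audits a MikroTik RouterOS export for `use-ipsec=required`. The `use-ipsec` option and its values are RouterOS's own; the flow records, export text and secret are constructed sample data.

```python
import re
from collections import defaultdict

UDP, ESP = 17, 50               # IP protocol numbers
L2TP_PORT, NATT_PORT = 1701, 4500

def audit_l2tp_flows(flows):
    """Classify peer pairs from (src, dst, ip_proto, sport, dport) records.

    L2TP/IPsec carries the UDP/1701 datagrams inside ESP (proto 50) or
    NAT-T (UDP/4500), so bare UDP/1701 should never be visible on the path.
    If it is, the PPP session, including the authentication exchange, is
    readable by an on-path observer.
    """
    seen = defaultdict(set)
    for src, dst, proto, sport, dport in flows:
        pair = tuple(sorted((src, dst)))
        if proto == ESP or (proto == UDP and NATT_PORT in (sport, dport)):
            seen[pair].add("ipsec")
        elif proto == UDP and L2TP_PORT in (sport, dport):
            seen[pair].add("bare-l2tp")
    return {p: ("plaintext-l2tp" if "bare-l2tp" in k else "ipsec-protected")
            for p, k in seen.items()}

def audit_routeros_l2tp_server(export_text):
    """Check a RouterOS export: only use-ipsec=required refuses unencrypted peers.

    use-ipsec=yes still accepts a client that never brings up IPsec, which is
    the downgrade the flow audit above would catch on the wire.
    """
    m = re.search(r"^/interface l2tp-server server\s*\nset ([^\n]*)", export_text, re.M)
    if not m:
        return "no-l2tp-server-section"
    opt = re.search(r"use-ipsec=(\S+)", m.group(1))
    value = opt.group(1) if opt else "no"   # RouterOS default when the option is absent
    return "ok" if value == "required" else f"weak: use-ipsec={value}"

# Constructed sample data, not captured from any real network.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.1", UDP, 500, 500),        # IKE negotiation
    ("10.0.0.5", "203.0.113.1", ESP, 0, 0),            # L2TP hidden inside ESP
    ("192.0.2.9", "203.0.113.1", UDP, 4500, 4500),     # NAT-T encapsulated IPsec
    ("198.51.100.7", "203.0.113.1", UDP, 1701, 1701),  # bare L2TP, nothing encrypts it
]
SAMPLE_EXPORT = """/interface l2tp-server server
set enabled=yes use-ipsec=yes ipsec-secret=PLACEHOLDER_SECRET
"""
```

Run `audit_l2tp_flows(SAMPLE_FLOWS)` and `audit_routeros_l2tp_server(SAMPLE_EXPORT)`; the third peer pair is reported as plaintext and the export as weak because `use-ipsec=yes` is not `required`.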

rfrf5t
New member · Joined Mar 27, 2023 · Messages: 5 · Hellcoins: ♆27