Tutorial Mikrotik VPN: Point to Point Tunnel Protocol (PPTP)

Summary

PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik RouterOS implementation includes support for both a PPTP client and a PPTP server.

General applications of PPTP tunnels:

* secure router-to-router tunnels over the Internet
* linking (bridging) local Intranets or LANs (when EoIP is also used)
* mobile or remote clients that need remote access to the Intranet/LAN of a company (see the PPTP setup for Windows for more information)

Each PPTP connection is composed of a server and a client.
The MikroTik RouterOS may function as a server or a client; in mixed configurations it may be the server for some connections and the client for others. For example, the client created below could connect to a Windows 2000 server, another MikroTik router, or any other router that supports a PPTP server.

Description

PPTP is a secure tunnel for transporting IP traffic using PPP. PPTP encapsulates PPP in virtual lines that run over IP. PPTP combines PPP with MPPE (Microsoft Point to Point Encryption) to provide encrypted links. The purpose of the protocol is to provide well-managed secure connections between routers, and between routers and PPTP clients (clients are available for, or included in, almost all operating systems, including Windows).

PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally. MPPE 40-bit RC4 and MPPE 128-bit RC4 encryption are supported.

PPTP traffic uses TCP port 1723 and the IP protocol GRE (Generic Routing Encapsulation, IP protocol ID 47), as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by allowing traffic destined for TCP port 1723 and IP protocol 47 to be routed through the firewall or router.
PPTP connections may be limited or impossible to set up through a masqueraded/NAT IP connection. Please see the Microsoft and RFC links at the end of this section for more information.

PPTP Client Setup

Submenu level: /interface pptp-client

Properties:

* name (name; default: pptp-out1) – interface name for reference
* mtu (integer; default: 1460) – Maximum Transmit Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
* mru (integer; default: 1460) – Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
* connect-to (IP address) – the IP address of the PPTP server to connect to
* user (string) – user name to use when logging on to the remote server
* password (string; default: "") – user password to use when logging on to the remote server
* profile (name; default: default) – profile to use when connecting to the remote server
* add-default-route (yes | no; default: no) – whether to use the server this client is connected to as its default router (gateway)

Example

To set up a PPTP client named test2 using username john with password john to connect to the 10.1.1.12 PPTP server and use it as the default gateway:

    [admin@MikroTik] interface pptp-client> add name=test2 connect-to=10.1.1.12 \
    \... user=john add-default-route=yes password=john
    [admin@MikroTik] interface pptp-client> print
    Flags: X - disabled, R - running
      0 X name="test2" mtu=1460 mru=1460 connect-to=10.1.1.12 user="john"
          password="john" profile=default add-default-route=yes
    [admin@MikroTik] interface pptp-client> enable 0
Monitoring PPTP Client

Command name: /interface pptp-client monitor

Properties (statistics):

* uptime (time) – connection time displayed in days, hours, minutes, and seconds
* encoding (string) – encryption and encoding (if asymmetric, separated with '/') being used in this connection
* status (string) – status of the client:
  * Dialing – attempting to make a connection
  * Verifying password... – connection has been established to the server, password verification in progress
  * Connected – self-explanatory
  * Terminated – interface is not enabled or the other side will not establish a connection

Example

Example of an established connection:

    [admin@MikroTik] interface pptp-client> monitor test2
        uptime: 4h35s
      encoding: MPPE 128 bit, stateless
        status: Connected
    [admin@MikroTik] interface pptp-client>

PPTP Server Setup

Submenu level: /interface pptp-server server

    [admin@MikroTik] interface pptp-server server> print
                enabled: no
                    mtu: 1460
                    mru: 1460
         authentication: mschap2
        default-profile: default
    [admin@MikroTik] interface pptp-server server>
Description

The PPTP server supports an unlimited number of connections from clients. For each current connection, a dynamic interface is created.

Properties:

* enabled (yes | no; default: no) – defines whether the PPTP server is enabled or not
* mtu (integer; default: 1460) – Maximum Transmit Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MTU to 1460 to avoid fragmentation of packets)
* mru (integer; default: 1460) – Maximum Receive Unit. The optimal value is the MTU of the interface the tunnel is working over decreased by 40 (so, for a 1500-byte Ethernet link, set the MRU to 1460 to avoid fragmentation of packets)
* authentication (multiple choice: pap | chap | mschap1 | mschap2; default: mschap2) – authentication algorithm
* default-profile (name; default: default) – default profile to use

Example

To enable the PPTP server:

    [admin@MikroTik] interface pptp-server server> set enabled=yes
    [admin@MikroTik] interface pptp-server server> print
                enabled: yes
                    mtu: 1460
                    mru: 1460
         authentication: mschap2
        default-profile: default
    [admin@MikroTik] interface pptp-server server>

PPTP Server Users

Submenu level: /interface pptp-server
Description

There are two types of items in the PPTP server configuration – static users and dynamic connections. A dynamic connection can be established if the user entry or the default-profile has its local-address and remote-address set correctly. When static users are added, the default profile may be left with its default values and only the PPP user (in /ppp secret) should be configured. Note that in both cases PPP users must be configured properly.

Properties:

* name – interface name
* user – the name of the user that is configured statically or added dynamically

Statistics:

* mtu – shows (cannot be set here) the client's MTU
* client-address – shows (cannot be set here) the IP of the connected client
* uptime – shows how long the client has been connected
* encoding (string) – encryption and encoding (if asymmetric, separated with '/') being used in this connection

Example

To add a static entry for the ex1 user:

    [admin@MikroTik] interface pptp-server> add user=ex1
    [admin@MikroTik] interface pptp-server> print
    Flags: X - disabled, D - dynamic, R - running
      #    NAME      USER  MTU   CLIENT-ADDRESS  UPTIME  ENC...
      0 DR           ex    1460  10.0.0.202      6m32s   none
      1    pptp-in1  ex1
    [admin@MikroTik] interface pptp-server>

In this example an already connected user ex is shown besides the one we just added.

PPTP Router-to-Router Secure Tunnel Example

The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet.
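The ENC column of the `/interface pptp-server print` output (and the encoding line of the client monitor) is the only place RouterOS shows whether a session actually negotiated MPPE; a running session listed with none, like user ex in the table above, carries its PPP traffic in the clear. The following Python is an added example, not code from the manual or from MikroTik: it parses a constructed copy of that column-aligned output (the sample names, addresses and uptimes are made up) and lists the users whose running sessions have no encryption, so the check can be scripted over output collected from a router. It assumes the column layout shown on this page; the header line is used to locate each field, so wider columns on a real device are handled, but a different set of column names is not.

```python
"""Flag PPTP sessions that negotiated no MPPE encryption.

Added example (not part of the original manual): parses the column-aligned
output of `/interface pptp-server print` so an operator can spot running
tunnels whose ENC column is empty or "none", i.e. PPP carried in the clear.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape the manual shows; names, addresses and
# uptimes are made up for this example, not captured from a real router.
SAMPLE_PRINT = """\
Flags: X - disabled, D - dynamic, R - running
 #    NAME       USER  MTU   CLIENT-ADDRESS  UPTIME  ENC...
 0 DR pptp-in1   ex    1460  10.0.0.202      6m32s   none
 1 DR pptp-in2   bob   1460  10.0.0.203      2h10m   MPPE 128 bit, stateless
 2    pptp-in3   ex1
"""

# Column headers as RouterOS prints them; their character offsets in the
# header line define where each field starts on the rows below.
COLUMNS = ["NAME", "USER", "MTU", "CLIENT-ADDRESS", "UPTIME", "ENC"]


@dataclass
class PptpSession:
    index: int
    flags: str  # subset of "XDR": disabled, dynamic, running
    name: str
    user: str
    mtu: Optional[int]
    client_address: Optional[str]
    uptime: Optional[str]
    encryption: Optional[str]

    @property
    def running(self) -> bool:
        return "R" in self.flags

    @property
    def unencrypted(self) -> bool:
        # A live session with no ENC value, or "none", did not negotiate MPPE.
        return self.running and (self.encryption or "none").lower() == "none"


def _column_offsets(header: str) -> List[int]:
    offsets = []
    for col in COLUMNS:
        pos = header.find(col)
        if pos < 0:
            raise ValueError(f"column {col!r} missing from header line")
        offsets.append(pos)
    return offsets


def parse_pptp_server_print(text: str) -> List[PptpSession]:
    """Parse the table rows of `/interface pptp-server print` output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # The header is the line whose first non-blank character is '#'.
    header_at = next(i for i, ln in enumerate(lines) if ln.lstrip().startswith("#"))
    offsets = _column_offsets(lines[header_at])
    sessions: List[PptpSession] = []
    for row in lines[header_at + 1:]:
        # Everything before the NAME column is the row index plus optional flags.
        prefix = row[:offsets[0]].split()
        index = int(prefix[0])
        flags = prefix[1] if len(prefix) > 1 else ""
        fields: List[Optional[str]] = []
        for i, start in enumerate(offsets):
            end = offsets[i + 1] if i + 1 < len(offsets) else None
            value = row[start:end].strip()
            fields.append(value or None)  # short rows (no session yet) give None
        name, user, mtu, client_address, uptime, encryption = fields
        sessions.append(PptpSession(
            index=index, flags=flags, name=name or "", user=user or "",
            mtu=int(mtu) if mtu else None, client_address=client_address,
            uptime=uptime, encryption=encryption,
        ))
    return sessions


def unencrypted_sessions(text: str) -> List[str]:
    """Names of users whose running PPTP session carries PPP without MPPE."""
    return [s.user for s in parse_pptp_server_print(text) if s.unencrypted]


if __name__ == "__main__":
    for user in unencrypted_sessions(SAMPLE_PRINT):
        print(f"WARNING: PPTP session for user {user!r} is running without MPPE")
```

Run against the constructed sample it reports only ex; the static entry for ex1 has no session yet and is ignored rather than miscounted, and bob's session shows the MPPE 128 bit encoding string the client monitor section describes.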
There are two routers in this example:

* [HomeOffice]
  Interface LocalHomeOffice 10.150.2.254/24
  Interface ToInternet 192.168.80.1/24
* [RemoteOffice]
  Interface ToInternet 192.168.81.1/24
  Interface LocalRemoteOffice 10.150.1.254/24

Each router is connected to a different ISP. One router can access the other router through the Internet.

On the PPTP server a user must be set up for the client:

    [admin@HomeOffice] ppp secret> add name=ex service=pptp password=lkjrht local-address=10.0.103.1 remote-address=10.0.103.2
    [admin@HomeOffice] ppp secret> print detail
    Flags: X - disabled
      0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
        local-address=10.0.103.1 remote-address=10.0.103.2 routes=""
    [admin@HomeOffice] ppp secret>

Then the user should be added to the PPTP server list:

    [admin@HomeOffice] interface pptp-server> add user=ex
    [admin@HomeOffice] interface pptp-server> print
    Flags: X - disabled, D - dynamic, R - running
      #    NAME      USER  MTU   CLIENT-ADDRESS  UPTIME  ENC...
      0    pptp-in1  ex
    [admin@HomeOffice] interface pptp-server>

And finally, the server must be enabled:

    [admin@HomeOffice] interface pptp-server server> set enabled=yes
    [admin@HomeOffice] interface pptp-server server> print
                enabled: yes
                    mtu: 1460
                    mru: 1460
         authentication: mschap2
        default-profile: default
    [admin@HomeOffice] interface pptp-server server>

Add a PPTP client to the RemoteOffice router:

    [admin@RemoteOffice] interface pptp-client> add connect-to=192.168.80.1 user=ex \
    \... password=lkjrht disabled=no
    [admin@RemoteOffice] interface pptp-client> print
    Flags: X - disabled, R - running
      0 R name="pptp-out1" mtu=1460 mru=1460 connect-to=192.168.80.1 user="ex"
          password="lkjrht" profile=default add-default-route=no
    [admin@RemoteOffice] interface pptp-client>

Thus, a PPTP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point connection between the routers, with IP addresses 10.0.103.1 and 10.0.103.2 at the two ends. It enables 'direct' communication between the routers over third-party networks.

To route the local Intranets over the PPTP tunnel, add these routes:

    [admin@HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2
    [admin@RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1

On the PPTP server this can instead be done using the routes parameter of the user configuration:

    [admin@HomeOffice] ppp secret> print detail
    Flags: X - disabled
      0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
        local-address=10.0.103.1 remote-address=10.0.103.2 routes=""
    [admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.2 1"
    [admin@HomeOffice] ppp secret> print detail
    Flags: X - disabled
      0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
        local-address=10.0.103.1 remote-address=10.0.103.2 routes="10.150.1.0/24 10.0.103.2 1"
    [admin@HomeOffice] ppp secret>
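The server-side and client-side steps above, collected into one script per router, as an added example that is not part of the original manual. It restates the router-to-router configuration in current RouterOS syntax (key=value arguments, the /ip firewall filter menu and use-encryption=required on the PPP profile are assumed to exist on the reader's RouterOS version; they are not in the 2.7 manual this page follows) and adds the input-chain firewall rules that the Description section says PPTP needs: TCP port 1723 for the control connection and GRE (IP protocol 47) for the tunnelled PPP frames. Interface names, addresses and the password are the ones used in the example above.

```routeros
# --- HomeOffice (PPTP server) -----------------------------------------------
# Accept the PPTP control connection and GRE only on the Internet-facing port.
# These rules must sit before any generic drop rule in the input chain.
/ip firewall filter
add chain=input in-interface=ToInternet protocol=tcp dst-port=1723 action=accept comment="PPTP control (TCP 1723)"
add chain=input in-interface=ToInternet protocol=gre action=accept comment="PPTP data (GRE, IP protocol 47)"

# Require MPPE so a peer that skips encryption is refused instead of being
# carried in the clear (assumed option; such sessions show ENC=none in print).
/ppp profile
set default use-encryption=required

# Tunnel endpoint addresses, plus the route to the RemoteOffice LAN that is
# installed automatically while user ex is connected (routes parameter).
/ppp secret
add name=ex service=pptp password=lkjrht local-address=10.0.103.1 remote-address=10.0.103.2 routes="10.150.1.0/24 10.0.103.2 1"

# Static server-side entry for the user; MS-CHAPv2 only, as in the manual.
/interface pptp-server
add user=ex
/interface pptp-server server
set enabled=yes authentication=mschap2

# --- RemoteOffice (PPTP client) ---------------------------------------------
/ppp profile
set default use-encryption=required

# Dial the HomeOffice server; the tunnel is not used as the default gateway.
/interface pptp-client
add name=pptp-out1 connect-to=192.168.80.1 user=ex password=lkjrht add-default-route=no disabled=no

# Static route to the HomeOffice LAN over the tunnel (the manual's ip route step).
/ip route
add dst-address=10.150.2.0/24 gateway=10.0.103.1
```

RemoteOffice initiates the connection, so it needs no inbound rule for port 1723 or GRE of its own; the usual accept rule for established/related connections (not shown) lets the server's replies back in. Restricting the accept rules to in-interface=ToInternet keeps the PPTP service unreachable from interfaces where no client is expected. MPPE with RC4 and MS-CHAPv2 are dated mechanisms; the rules above limit exposure of the service but do not change what the protocol offers.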
Test the PPTP tunnel connection:

    [admin@RemoteOffice]> /ping 10.0.103.1
    10.0.103.1 pong: ttl=255 time=3 ms
    10.0.103.1 pong: ttl=255 time=3 ms
    10.0.103.1 pong: ttl=255 time=3 ms
    ping interrupted
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 3/3.0/3 ms

Test the connection through the PPTP tunnel to the LocalHomeOffice interface:

    [admin@RemoteOffice]> /ping 10.150.2.254
    10.150.2.254 pong: ttl=255 time=3 ms
    10.150.2.254 pong: ttl=255 time=3 ms
    10.150.2.254 pong: ttl=255 time=3 ms
    ping interrupted
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 3/3.0/3 ms

To bridge a LAN over this secure tunnel, please see the example in the 'EoIP' section of the manual. To set the maximum speed for traffic over this tunnel, please consult the 'Queues' section.

Connecting a Remote Client via PPTP Tunnel

The following example shows how to connect a computer to a remote office network over a PPTP encrypted tunnel, giving that computer an IP address from the same network as the remote office (without the need for bridging over EoIP tunnels). Please consult the user manual on how to set up a PPTP client with the software you are using.
The router in this example:

* [RemoteOffice]
  Interface ToInternet 192.168.81.1/24
  Interface Office 10.150.1.254/24

The client computer can access the router through the Internet.

On the PPTP server a user must be set up for the client:

    [admin@RemoteOffice] ppp secret> add name=ex service=pptp password=lkjrht local-address=10.150.1.254 remote-address=10.150.1.2
    [admin@RemoteOffice] ppp secret> print detail
    Flags: X - disabled
      0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
        local-address=10.150.1.254 remote-address=10.150.1.2 routes=""
    [admin@RemoteOffice] ppp secret>

Then the user should be added to the PPTP server list:

    [admin@RemoteOffice] interface pptp-server> add name=FromLaptop user=ex
    [admin@RemoteOffice] interface pptp-server> print
    Flags: X - disabled, D - dynamic, R - running
      #    NAME        USER  MTU   CLIENT-ADDRESS  UPTIME  ENC...
      0    FromLaptop  ex
    [admin@RemoteOffice] interface pptp-server>

And the server must be enabled:

    [admin@RemoteOffice] interface pptp-server server> set enabled=yes
    [admin@RemoteOffice] interface pptp-server server> print
                enabled: yes
                    mtu: 1460
                    mru: 1460
         authentication: mschap2
        default-profile: default
    [admin@RemoteOffice] interface pptp-server server>
Finally, proxy ARP must be enabled on the 'Office' interface, so that the router answers ARP requests on the LAN on behalf of the client's address 10.150.1.2:

    [admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
    [admin@RemoteOffice] interface ethernet> print
    Flags: X - disabled, R - running
      #    NAME        MTU   MAC-ADDRESS        ARP
      0 R  ToInternet  1500  00:30:4F:0B:7B:C1  enabled
      1 R  Office      1500  00:30:4F:06:62:12  proxy-arp
    [admin@RemoteOffice] interface ethernet>

ref: http://www.mikrotik.com/documentation//manual_2.7/Interface/PPTP.html