Are there any v3 VPN options that work with NATted clients?

I am currently running v3.10 on a RB500 and I need to configure it for a customer so that his remote/mobile users (which usually have dynamic addresses and may or may not be behind a NAT device) can VPN in. For the sake of simplicity (we’re not talking about computer-literate people) the request is that the VPN client built into WinXP and newer Microsoft OSes be used.

I have no problems getting the Microsoft client to connect from machines that have direct access to a public IP, but everything falls apart when they are located behind any device that performs NAT. Searching the forums has suggested to me that in v2.9 (and earlier) there was something called GRE that could enable PPTP VPNs to perform NAT traversal, but for some mysterious reason the capability was removed in version 3.

I haven’t had any luck finding more information about this topic. Most notably, I’d like to know whether there is any way to configure a VPN on Mikrotik to meet the requirements listed above. I don’t have to use the built-in Microsoft client, if it’s necessary to install some other (free) software to make this work we can deal with it.

If there is currently no way to make the Mikrotik VPN functionality actually work in this scenario I’d like to know why and whether anything is being done to correct the situation. I’ve worked with other VPN platforms that could navigate through the pitfalls of client-side NATting without any complaint, so I’m rather shocked the Mikrotik seems to have no provisions in place to deal with it.

Any help would be appreciated.

Thank you,
Jeff

I’m not terribly sure why the clients behind a NAT firewall cannot access your Mikrotik, but this procedure is pretty standard and fairly easy as well. The dynamic IP of the client has nothing to do with the VPN capabilities (although I stand to be corrected), but you’ll have problems traversing two NATted firewalls.

Anyway, take a look at this graphic and let me know if you get stuck. Standard Vista/XP VPN connection required. I hope I’ve fully understood you?

The firewalls that your dynamic clients reside behind may not have the PPTP/GRE helper configured (similar to /ip firewall service ports). I’ve just disabled these (pptp & gre) on my RB532 and I cannot connect to any other PPTP VPN. So it’s definitely needed but out of your control if this is not enabled on the client firewalls.
[image attachment: pptp_vpn.jpg]

The config you suggested is actually the one I currently have in place; I encountered it on another thread that you posted to.

The problems I’m encountering do seem to be tied directly to the presence of a NAT device on the client side. The Mikrotik is performing NAT on its end, a public subnet is on one side and a private one on the other.

Everything is ok when the client that I’m connecting with has a public IP address. For instance, a Win2K3 server at my datacenter (which has a public IP address assigned to it) can connect to the Mikrotik’s VPN using the built-in Microsoft software.

My home computer, connected to the internet by a broadband modem/router supplied by the service provider, has a private IP (the public IP resides on the modem/router). That system can NOT connect to the Mikrotik’s VPN. On the client side it simply reports “error 721: The remote computer did not respond.” The log on the Mikrotik shows the following lines:
pptp info | TCP connection established from <my modem’s public address>
pptp ppp info | : waiting for call…
pptp ppp info | : terminating…-call cleared
pptp ppp info | : disconnected

So, basically, I’m positive that my home system is attempting to initiate the VPN connection because the Mikrotik is showing the connection, but then it doesn’t get any farther. I’m fairly confident that the problem is due to the presence of the NAT device on my home computer’s connection because I can connect to the VPN successfully from another system that has direct access to a public IP.

I’ve just disabled these (pptp & gre) on my RB532 and I cannot connect to any other PPTP VPN. So it’s definitely needed but out of your control if this is not enabled on the client firewalls.

I’ve successfully used other VPN clients on my home computer before (Sonicwall, 3Com) without any trouble. Is the NAT-traversal problem strictly related to the client software?
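The log excerpt above shows what a PPTP session looks like when the TCP control channel on port 1723 comes up but the GRE call never follows: the server reaches "waiting for call" and then clears the call. The following script is an added example (not code from the thread or from MikroTik) that groups RouterOS-style pptp log lines into sessions and flags exactly that pattern, so a stuck remote user can be told apart from a healthy one at a glance. The sample log lines are constructed, modelled on the lines Jeff quoted; the "authenticated" and "connected" messages used for the healthy session are an assumed format, and 203.0.113.10 / 198.51.100.7 are documentation addresses standing in for real peers.

```python
"""Group RouterOS-style pptp log lines into sessions and flag sessions that
never got past 'waiting for call' (control channel up, no GRE call).

Added example; not from the thread or MikroTik. The healthy-session
messages ('authenticated', 'connected') are an assumed format."""
import re

ESTABLISHED = re.compile(r"TCP connection established from (\S+)")
CONNECTED = re.compile(r"\bconnected\b")   # \b keeps 'disconnected' from matching

# Constructed sample: first session mirrors the failing pattern in the thread,
# second session is a healthy one (assumed message format).
SAMPLE_LOG = [
    "pptp,info TCP connection established from 203.0.113.10",
    "pptp,ppp,info : waiting for call...",
    "pptp,ppp,info : terminating... - call cleared",
    "pptp,ppp,info : disconnected",
    "pptp,info TCP connection established from 198.51.100.7",
    "pptp,ppp,info : waiting for call...",
    "pptp,ppp,info <pptp-user1>: authenticated",
    "pptp,ppp,info <pptp-user1>: connected",
]


def parse_sessions(lines):
    """Walk the log top to bottom; each 'TCP connection established' opens
    a new session and later lines are attributed to the most recent one."""
    sessions, current = [], None
    for line in lines:
        m = ESTABLISHED.search(line)
        if m:
            current = {"peer": m.group(1), "waiting": False,
                       "called": False, "cleared": False}
            sessions.append(current)
            continue
        if current is None:
            continue
        if "waiting for call" in line:
            current["waiting"] = True
        elif "authenticated" in line or CONNECTED.search(line):
            current["called"] = True        # GRE call reached PPP negotiation
        elif "terminating" in line or "disconnected" in line:
            current["cleared"] = True
    return sessions


def verdict(session):
    """Map a session to a short diagnosis string."""
    if session["called"]:
        return "ok"
    if session["waiting"] and session["cleared"]:
        # Control channel came up, GRE call never arrived before teardown:
        # typical of a client behind NAT without a PPTP helper, or GRE
        # being filtered somewhere on the path.
        return "no-gre-call"
    return "incomplete"


def diagnose(lines):
    """Return {peer: verdict} for every session found in the log lines."""
    return {s["peer"]: verdict(s) for s in parse_sessions(lines)}


if __name__ == "__main__":
    for peer, result in diagnose(SAMPLE_LOG).items():
        print(f"{peer}: {result}")
```

Run against a longer `/log print` export, a cluster of "no-gre-call" verdicts from the same peer is a strong hint that the problem is on the client side of the path rather than in the server configuration.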

Sorry :)

This issue is really the absence of NAT helpers on the client side. So it would appear that if your firewall is a bit thick then a possible solution is to use another type of VPN where the client software has the NAT helper built in. Have you looked at OpenVPN?

http://wiki.mikrotik.com/wiki/OpenVPN

Seems like more work up front but I’ve used this before in an IPCop scenario and it worked quite well. The only client configuration that I can recall is to generate a config file for them which is then imported into the client software. So a config file per user is required.

Dunno, not sure I’ve been of any help here. Maybe give it a go and let us know?

You’ll also need to allow the GRE protocol if you have a input drop rule.

/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow PPTP" disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input comment="Allow GRE protocol for PPTP" disabled=no protocol=gre

add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="Allow access from known network" disabled=no src-address=10.0.0.0/24
add action=accept chain=input comment="Allow access to winbox" disabled=no dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop everything else" disabled=no

If the Mikrotik VPN server is behind NAT then all you have to do is forward port 1723 and the GRE protocol. If the firewall that the clients are behind doesn’t allow PPTP NAT traversal then you’re out of luck.

Be prepared for bad performance using the OpenVPN server on RouterOS. It only supports TCP over TCP so expect stalled connections and a host of other problems.
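The point of the firewall rule list above is that both halves of PPTP must get through the input chain before the final "Drop everything else" rule: the TCP control channel on port 1723 and the GRE data channel (IP protocol 47). Rule order matters because RouterOS evaluates the chain top to bottom and stops at the first match. The script below is an added example (not code from the thread or from MikroTik) that parses the export-style rules quoted above, replays a first-match evaluation for a PPTP client, and shows the GRE packet being dropped when the GRE accept rule is missing. The packet model (protocol, destination port, source address, connection state) is a simplification; 203.0.113.10 is a documentation address standing in for a remote user, and the default-accept behaviour when no rule matches is taken from RouterOS's documented chain semantics.

```python
"""First-match simulation of a RouterOS /ip firewall filter input chain.

Added example, not MikroTik code. The rule text is the export format quoted
in the thread; the packet model is a deliberate simplification (assumption)."""
import ipaddress
import shlex

# The ruleset from the thread, with straight quotes so shlex can parse it.
RULES_WITH_GRE = """
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow PPTP" disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input comment="Allow GRE protocol for PPTP" disabled=no protocol=gre
add action=accept chain=input comment="Allow UDP" disabled=no protocol=udp
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=input comment="Allow access from known network" disabled=no src-address=10.0.0.0/24
add action=accept chain=input comment="Allow access to winbox" disabled=no dst-port=8291 protocol=tcp
add action=drop chain=input comment="Drop everything else" disabled=no
"""

# Same ruleset with the GRE accept rule left out: the common misconfiguration.
RULES_WITHOUT_GRE = "\n".join(
    line for line in RULES_WITH_GRE.splitlines() if "protocol=gre" not in line)


def parse_rules(export_text):
    """Turn 'add key=value ...' lines into a list of dicts, in chain order."""
    rules = []
    for line in export_text.strip().splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # skip the '/ip firewall filter' path line and blanks
        kv = {}
        for token in shlex.split(line[4:]):   # shlex keeps quoted comments whole
            key, _, value = token.partition("=")
            kv[key] = value
        rules.append(kv)
    return rules


def rule_matches(rule, pkt):
    """Every matcher present on the rule must agree with the packet."""
    if rule.get("disabled", "no") == "yes" or rule.get("chain") != pkt["chain"]:
        return False
    if "protocol" in rule and rule["protocol"] != pkt.get("protocol"):
        return False
    if "dst-port" in rule and rule["dst-port"] != str(pkt.get("dst_port")):
        return False
    if "connection-state" in rule and rule["connection-state"] != pkt.get("conn_state"):
        return False
    if "src-address" in rule:
        net = ipaddress.ip_network(rule["src-address"], strict=False)
        if ipaddress.ip_address(pkt["src"]) not in net:
            return False
    return True


def evaluate(rules, pkt):
    """Return (action, matching rule comment); unmatched packets are accepted,
    which is RouterOS's default for a chain with no terminating rule."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched (implicit accept)"


def check_pptp_client(export_text, client_ip):
    """Simulate the two packets a new PPTP client sends: the TCP/1723 SYN
    (connection-state=new) and the first GRE packet of the data channel."""
    rules = parse_rules(export_text)
    control = {"chain": "input", "protocol": "tcp", "dst_port": 1723,
               "src": client_ip, "conn_state": "new"}
    gre = {"chain": "input", "protocol": "gre", "src": client_ip,
           "conn_state": "new"}
    return {"control": evaluate(rules, control)[0],
            "gre": evaluate(rules, gre)[0]}


if __name__ == "__main__":
    for label, text in (("with GRE rule", RULES_WITH_GRE),
                        ("without GRE rule", RULES_WITHOUT_GRE)):
        print(label, check_pptp_client(text, "203.0.113.10"))
```

The same evaluator can be pointed at a real `/ip firewall filter export` (after replacing any curly quotes the forum software introduced) to confirm that the accept rules sit above the terminating drop; a GRE rule placed after "Drop everything else" would never be reached.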