Is a Road Warrior VPN Setup Possible?

Hi,

I’ve been trying to set up a road warrior VPN system on my RB751G-2HnD running ROS 5.16. This was supposed to be a proof-of-concept setup before I rushed out and bought something like an RB1200 for the real deployment. Unfortunately I’ve really struggled to make the VPN work despite reading the instructions a dozen times and probably every post that mentions VPN on the forums.

The setup I need is for NAT’ed Windows XP or later machines to be able to VPN in and access various secure resources. The machines are under the control of our customers’ IT department so installing the OpenVPN client is almost certainly out (although we might get away with AnyConnect - see later). That, as far as I can see, leaves me with PPTP or L2TP/IPsec.

After several days of struggling I’ve managed to get a Windows Vista machine to connect using both PPTP and L2TP/IPsec but once connected it was only able to see the router. All packets to machines on the network behind the router were dropped by the srcnat chain (as far as I could tell). One big problem I’m having is testing the configuration as I don’t have access to a second internet connection. The best I’ve managed is something like this:

Client ↔ Switch ↔ MT Router ↔ Servers

The trouble with this is that the client isn’t then NAT’ed so even if I make this work I can’t be sure it’ll work in real life.

So the question is this: is a road warrior setup possible? If so, are there any up-to-date instructions that explain things to someone less than completely up to speed?

I’m currently leaning towards just buying an ASA 5510. It costs a fortune but at least I’m pretty sure I could make it work.

It depends on what underlying VPN technique you want to use, but yes, a Road Warrior setup is possible. PPTP in Windows is very easy and straightforward; IPSec/L2TP is not so much with a MikroTik. I know back in version 4 and earlier there were problems with NAT traversal for Windows in IPSec/L2TP, and I haven’t tried using that kind of VPN with a MikroTik since to see if that has been corrected or not.

The Wiki will usually have the most up-to-date information, either in the official documents or user-submitted ones.
http://wiki.mikrotik.com/wiki/Main_Page

It’s definitely possible to do with either VPN technology (PPTP, L2TP-over-IPsec), although I don’t have any experience trying to set up IPsec on RouterOS myself (been meaning to play with it for a while…just need to carve out some time). You managed to get connections established over both, though, and verified that you could at least talk to the MikroTik over the tunnel, so the tunnel itself is working. Now we just need to establish reachability over the tunnel to the servers.

One common mistake that I see people making over and over again that will bite you on either type of VPN, is when they configure the PPP server to hand out IPs that are in the same range/subnet as the rest of their network and just expect it to work. This won’t work out-of-the-box, of course, because PPP (Point-to-Point Protocol) is not an ethernet-compatible broadcast medium. (You can “bridge” a PPP session with ethernet-like interfaces using BCP, which RouterOS supports…but no desktop operating system that I know of supports BCP/bridged PPP.) So if you, too, are doing this, that would go a ways to explain why you are not able to talk to anything over the VPN tunnel other than the router itself.

There are two ways to get around this:

  1. Enable proxy-arp on the ethernet interface facing your network/servers.
  2. Choose a different (separate) IP range to hand out to remote VPN clients.

#1 is probably the easiest, realistically. If you go with #2, this won’t necessarily work unless: 1) you NAT all VPN traffic between the clients and the servers, or 2) the MikroTik VPN server is also acting as the servers’ default gateway, or 3) each server has a persistent static route entry in their individual routing tables pointing the VPN IP range at the MikroTik VPN server’s LAN-side IP address.

– Nathan
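A worked RouterOS 5.x configuration for the two approaches Nathan describes (PPTP, separate VPN range with NAT, or proxy-arp instead). This is an added example, not configuration from the thread; the interface names, addresses and account are assumed placeholders.

```routeros
# Added example (not from the original thread): minimal PPTP road-warrior
# setup on RouterOS 5.x showing both fixes from the reply above.
# Assumed names: ether1-gateway (WAN), ether2-master-local (LAN 192.168.88.0/24).

# Option 2: a separate address range for VPN clients that does not overlap the LAN.
/ip pool add name=vpn-pool ranges=10.99.0.10-10.99.0.100
/ppp profile add name=vpn-profile local-address=10.99.0.1 remote-address=vpn-pool \
    use-encryption=required
/ppp secret add name=roadwarrior password=CHANGE_ME service=pptp profile=vpn-profile
/interface pptp-server server set enabled=yes default-profile=vpn-profile

# Let the PPTP control channel (TCP/1723) and the GRE data channel reach the router.
/ip firewall filter add chain=input in-interface=ether1-gateway protocol=tcp \
    dst-port=1723 action=accept comment="PPTP control"
/ip firewall filter add chain=input in-interface=ether1-gateway protocol=gre \
    action=accept comment="PPTP data (GRE)"

# If the forward chain drops traffic that does not come from the LAN, this accept
# rule must sit above that drop rule (use place-before= on a live router).
/ip firewall filter add chain=forward src-address=10.99.0.0/24 \
    dst-address=192.168.88.0/24 action=accept comment="VPN clients to LAN"

# Option 2, sub-case 1 from the reply: NAT VPN traffic towards the LAN so servers
# reply through the router even when it is not their default gateway.
/ip firewall nat add chain=srcnat src-address=10.99.0.0/24 \
    out-interface=ether2-master-local action=masquerade comment="VPN to LAN NAT"

# Option 1 (alternative to the above pool and NAT rule): hand out addresses from
# inside 192.168.88.0/24 and let the router answer ARP for them on the LAN side.
# /interface ethernet set ether2-master-local arp=proxy-arp
```

Pick one of the two options: a pool inside the LAN subnet needs proxy-arp, while a separate subnet needs the NAT rule, a route on each server, or the router as the servers' default gateway.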