Mikrotik to dial PPTP VPN like Windows

Hi,

I have problems connecting my routers over PPTP VPN and hope someone can help me.

What I want:
Connecting two sites over PPTP VPN. My site is Mikrotik, other site is Bintec. When VPN is connected between the routers, all of my devices shall get access to LAN devices of the other network.

What I have until now:
My Windows machine can dial PPTP VPN to the other network (Bintec) directly. If done, ping of all LAN devices in the other network works properly and access to shares of servers in the other network works fine.
My Mikrotik can dial a PPTP VPN too. Connection works.

What doesn't work:
No single device in the other network is reachable by ping, not even the Bintec router which provides the VPN server. Neither by pinging from the Mikrotik terminal, nor from my Windows machine. Traffic stats of the pptp-client interface look like I don't get an answer from the Bintec network. Sent 2051 packets, received 15 packets.

My config so far:

/interface pptp-client
add allow=chap connect-to=<IP_Bintec> max-mru=1480 max-mtu=1490 name=\
    wallu-vpn password=<password> profile=bintec-vpn-profile user=<username>

/ppp profile
add change-tcp-mss=yes name=bintec-vpn-profile use-compression=no \
    use-encryption=yes use-ipv6=no use-mpls=yes use-upnp=no

I tried many tutorials regarding this topic and tested every conceivable variant of NAT, Mangle and Routing but didn't get this running.
Could someone please take me by the hand and tell me what I have to configure, so that my Windows machine in the Mikrotik network can access server shares in the Bintec network without dialing the VPN connection itself?

Thank you

Hi Standarduser,

When using the standard Windows VPN client, all your traffic is routed via the VPN connection when connected.
All traffic hitting the remote site is presented with the source IP of your VPN connection.

When you connect with Mikrotik you are missing routes for the destination network, and you need to hide your local IP addresses behind the IP your Mikrotik obtained from the VPN server.

What you need to do here is:

add route for remote site network (192.168.5.0/24 in this example)

 /ip route add dst-address=192.168.5.0/24 gateway=wallu-vpn

and hide your traffic behind pptp IP

 /ip firewall nat add chain=srcnat out-interface=wallu-vpn action=masquerade

Hi Googler,

Thank you for the reply, but this doesn't work for me. The remote network is still not accessible.
Ping from Mikrotik terminal to Bintec-Router over VPN: timeout
Ping from Mikrotik terminal to server in remote network: timeout
Ping from Windows machine to Bintec-Router over VPN: timeout
Ping from Windows machine to server in remote network: timeout

Looks like the ping is sent through VPN tunnel but it gets no answer.

When the VPN connection is established, what is the remote IP?
Can you ping this remote IP from the MT terminal?

I wouldn't use the NAT rule below as suggested, just use proper routing:

/ip firewall nat add chain=srcnat out-interface=wallu-vpn action=masquerade

You must also have a route back to your local subnet on the Bintec side.

Hi CZFan,
Maybe the route back on Bintec side is the problem. That’s why I asked for connecting like a windows machine.
It’s not necessary that computers from Bintec network can contact computers in Mikrotik network. Only the other way is what I need.

Like CZFan said, you need a reverse route (in any way you prefer to achieve it, on the server directly or on the router), and if both subnets know about each other then you do not need a masquerade.
In your example with the Windows PC, after getting PPTP up, the PC is getting an IP on a virtual adapter and your Bintec device knows how to get to it.
On the other side, you have some LAN subnet on your MT device, and you are obtaining some IP via the PPTP dialer. Your Bintec device perfectly knows where this IP is, but does not have a clue about your LAN subnet. So you have either to route traffic between subnets via routers, or use masquerading, which is not really a good solution.
So, if you have a static route on your MT and it points to Bintec, you also need a reverse route on Bintec, so it can route traffic back.

Also, there is one more important piece of info: if Bintec is providing addresses for PPTP from the same subnet as your LAN, then you need to consider proxy-arp.

Thanks for this explanation. It's getting clearer now.

As I understood I have two options:
1: Routing on both sides, so all devices can reach each other.
2: Masquerade the traffic with Mikrotik. Would be like the internet: outgoing traffic can get a response, new traffic from the other side is not possible.

I would prefer the second option, because it would be easier to configure and makes me independent from what happens on the other side.

But that doesn't work until now. I don't get a reply from ping to Bintec over VPN. The subnets are completely different.
I've also deactivated all firewall rules to check if something drops there, but had no luck with that.

Is there some information I could additionally provide to make you able to help me?

Well, the downside of masquerading is you have no log of which host from the Mikrotik side accessed services.
The masquerade rule should be like this:
Source IP mikrotik LAN subnet
Destination IP Bintec subnet
Action masquerade
Outgoing interface PPTP_interface

Place this rule above your default masquerade and you should be good to go. Also, you have not answered whether your PPTP pool is part of the Bintec LAN pool. That makes a difference.
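An added example, not posted by anyone in this thread, that turns the two options above into a check: it emits the MikroTik route and the masquerade rule as described, flags the proxy-arp case where the PPTP address sits inside the remote LAN, and models whether the remote router can route the reply back. Interface name, subnets and addresses are the ones from this thread; `place-before=0` is the RouterOS parameter that puts the new rule at the top of the chain, and the "remote router knows these prefixes" list is an assumed simplification of the Bintec routing table.

```python
import ipaddress

def plan_vpn_access(local_lan, remote_lan, pptp_ip, pptp_iface, masquerade=True):
    """Build the MikroTik-side commands for reaching remote_lan over the PPTP
    client interface. Returns (commands, warnings, reply_destination), where
    reply_destination is the prefix the remote router must be able to route
    replies to. Values in the tests are the example addresses from the thread."""
    local = ipaddress.ip_network(local_lan)
    remote = ipaddress.ip_network(remote_lan)
    pptp = ipaddress.ip_network(pptp_ip)  # tunnel address as a /32 host prefix
    warnings = []
    if local.overlaps(remote):
        warnings.append("local and remote subnets overlap: fix addressing before routing")
    if pptp.subnet_of(remote):
        # Remote side hands out tunnel addresses from its own LAN pool.
        warnings.append(f"tunnel address {pptp.network_address} lies inside {remote}: "
                        "proxy-arp is needed on the remote side")
    cmds = [f"/ip route add dst-address={remote} gateway={pptp_iface}"]
    if masquerade:
        # Replies are addressed to the tunnel IP, which the remote router already
        # knows; place-before=0 puts this rule ahead of the default masquerade.
        cmds.append(f"/ip firewall nat add chain=srcnat src-address={local} "
                    f"dst-address={remote} out-interface={pptp_iface} "
                    "action=masquerade place-before=0")
        return cmds, warnings, pptp
    # Plain routing: replies carry the LAN source address, which the remote
    # router knows only if a reverse route for it exists there.
    warnings.append(f"remote router needs a route for {local} via {pptp.network_address}")
    return cmds, warnings, local

def remote_can_reply(remote_known_prefixes, reply_destination):
    """True if some prefix the remote router knows covers the reply destination
    (assumed model of the Bintec side: its LAN plus the PPTP pool)."""
    return any(reply_destination.subnet_of(ipaddress.ip_network(p))
               for p in remote_known_prefixes)
```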

I have these masquerade rules now:

/ip firewall nat
add action=masquerade chain=srcnat comment="wallu-vpn traffic" dst-address=\
    192.168.50.0/24 out-interface=wallu-vpn src-address=192.168.243.0/24
add action=masquerade chain=srcnat comment=Standard-Traffic dst-address=\
    !192.168.50.0/24 out-interface=pppoe-out1

192.168.243.0 is the subnet of my network.
192.168.50.0 is the subnet of the Bintec network.

This is the result, where .50.254 is the Bintec router and .50.10 is a server in this network:
[screenshot: ping2bintec.png]
The IP assigned to the PPTP client of the Mikrotik router is .50.121.

Ahh, you need to specify the source IP when using tunnels (so it triggers the cryptomap).

Could you explain this please?