The Mikrotik PPTP client can’t handle having the connect-to address being the same as the remote-address.
The problem was first encountered when connecting a MT to a pix that implements this architecture.
I can reproduce this connecting to an XP machine running the MS VPN (Incoming connections) and specifying the remote and local addresses in a MT profile.
A workaround I’m thinking of might be to try and fool the MT by NATing one of the addresses??? No real idea of how to do this or even if it will work..
This is a real show stopper for us buying Mikrotik and I really want to buy MT over other solutions.
Not quite sure what you mean … can you explain more? Is this MT acting as a client or server? Are you talking about the source-address used for the tunnel being different than the local address assigned?
When I say The Mikrotik PPTP client can’t handle…
I mean the MT is a client.
When I say ‘connect-to’ address (Mikrotik term)
I mean the public ip address of the VPN server on the internet.
When I say the ‘remote-address’ (Mikrotik’s term)
I mean the tunnel end point address as given in the PPP / IPCP address option sent by the vpn server …
or it can be set manually in an MT profile as ‘remote-address’
After analysing the traffic I find that the MT, having set up a TCP connection with the VPN using 1723 and 32779, decides to send its echo request on 32780, the WRONG port. The server doesn’t respond and the tunnel times out.
This bug only appears when the connect-to address is the same as the remote-server address, regardless of whether the addresses are hard coded in the MT or come down the wire from a VPN server.
I suppose I need to send some sort of info or report to the support people.
If anyone from support is reading this please let me know what steps and info are required.
why are you setting remote address at all? this parameter means the address that the server will give the client. so if you set it to the same as server’s - logically you end up with the same IP on both the server and the client. no wonder it doesn’t work. read the manual!
remote-address (IP address | name) - IP address or IP address pool name for PPP clients
connect-to (IP address) - The IP address of the PPTP server to connect to
You didn’t read the post properly either. The Hyperlink Cisco Pix server is setting the IPs as per std PIX 506e setup. I only set them the same to repro the fault on other vpn servers.
Cisco VPN PIX servers set both addresses the same, and even though they are set the same …
MS XP VPN Clients connect fine.
MS Win2000 VPN clients connect fine.
Win 98 VPN clients connect fine.
Macintosh VPN clients connect fine.
BSD VPN clients connect fine.
Cisco VPN clients connect fine.
Mikrotik can’t maintain a connection because it’s not using TCP session state properly - not compliant = bug.
Lucky I didn’t buy the twenty or thirty licenses we need - hey? - to outfit our global branch network. But then you DO have my money for licenses purchased so far, so no wonder you’re so flippant and happy.
You just blew away the chance to collect a fair amount of money, and kudos from a testimonial about ECA and ACR’s global network operating wonderfully with Mikrotik.
I wasn’t sure if I needed to send capture files and debug info from the Mikrotik VPN client, Cisco server and other VPN servers and clients.
However I’m NOT sure I’ll continue to go the Mikrotik path after the terse unprofessional treatment doled out by their man here. Not the way to treat prospective commercial clientele.
Normis was adamant about the forum going down the other day - but was wrong …and he is wrong about this also.
I’ll follow up with an email to management but I don’t really think it will make any difference.
Peter Walker (Comm Sci, Microsoft MVP)
Senior IT consultant
Estate Constructions
Estate Properties
Castle Investment Corperation.
sorry, i read your posts another time and now i understand the problem. yes, it is true that RouterOS will not work if your server will give its own IP to the routeros client, and it is known that windows will work in this situation. we will try to see how we can fix this
Well I don’t know how to make it any plainer mate. I’ve used IS and Mikrotik terms. I have explained that all other VPN clients tried connect to the PIX and the Mikrotik won’t.
I set up a standard mikrotik pptp-client.
In winbox…
I enter a public ip.
I enter a username.
I enter a password.
I use default encryption profile.
I connect and it fails with a timeout @ 1 minute 30 seconds.
Using the same IP, username and password other VPN clients connect fine.
If you like I can set up an account at hyperlink and you can connect and test with an XP or win2k client confirm it works and then test with the mikrotik on the same connection and watch it fail.
I can forward the complete set of packets where you will see that other clients connect and work and the MT does not.
judging by the number of posts appearing in the time when some users claimed the forum was down, i assumed that this was not a server problem. we did find some interesting configuration problem afterwards, but that was after my initial post.
i am not a mikrotik representative here, i post as a private person and my views are not necessarily mikrotik’s views. this is a user forum, not supported by mikrotik. if you have any questions to mikrotik, please contact support or sales.
In case anyone still has doubts here is a screen dump of a VPN client connecting to a vpn server where the server IP is the same as the remote IP.
In this instance it is not a PIX box at the other end but a Mikrotik; however, if you try to connect a MT to a PIX that uses this configuration it times out. As I can only reach one Mikrotik at the moment I can test whether another MT can connect to 61.9.198.115 with a username of test and password of test.
This is live. Feel free to try and connect XP or Win2K clients (or any others for that matter)
Please don’t hack my router
Hey, I have read your post regarding this problem.
Is it still an issue or have you given up on MT?
Have you done any PPP sniffing when the connection is established?