PPTP Server Setup for WinXP Client

Hi there

I need to set up a VPN server on a MikroTik.

The plan is to allow a 'remote' Windows XP VPN client to connect to this server to access a database on the 'office' network.

I've tried to follow the instructions from the manual (RouterOS_Reference_Manual_v2.9) as shown below:

PPTP Server Setup

(1) Add a user on the PPTP server:

[admin@MikroTik] ppp secret> add name=jack password=pass
local-address=10.0.0.1 remote-address=10.0.0.2

(2) Enable the PPTP server:

[admin@MikroTik] interface pptp-server server> set enabled=yes
[admin@MikroTik] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2,mschap1
keepalive-timeout: 30
default-profile: default

(3) Add a static entry for the user

[admin@MikroTik] interface pptp-server> add user=ex1
[admin@MikroTik] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME       USER   MTU    CLIENT-ADDRESS   UPTIME   ENC...
  0 DR ex                1460   10.0.0.202       6m32s    none
  1    pptp-in1   ex1

Well, I replaced the document addresses with the relevant ones on my network.

I was not quite sure how to replace the addresses in step (1) above, but I tried different things for
local-address=10.0.0.1 remote-address=10.0.0.2

I created the Windows XP VPN client connection, and it does not connect.

I would appreciate any help, but I know my information may be vague, so I'll try some specific questions:

(1) If I assigned an IP address of x.x.x.x to my MikroTik, can I use that same address for the 'local-address' when I'm adding the user, or should I stick to 10.0.0.1?

(2) When I'm adding the user, should I use 'remote-address' 10.0.0.2, or the IP address of the Windows XP machine/gateway router?

(3) To see what might be blocking the VPN when it tries to connect, I checked my firewall logs, and I saw nothing there denying the connection.

I also began to check access lists on the gateway router, but I don't know what port number the VPN will be trying on. What would that be?

Thanx for any help

I suppose this example should be pretty clear:
http://www.mikrotik.com/docs/ros/2.9/interface/pptp.content#5.29.6.2
Change the interface ARP mode.

PPTP traffic uses TCP port 1723 and IP protocol GRE (ID 47); that's for the firewall.
Is there any NAT after the Windows XP client?
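The two firewall openings that reply names, written out as an added RouterOS example (not from the thread or the manual). The comment strings and the item numbers used for the move are assumptions; check your own rule numbers with print first.

```routeros
# Added example, not from the thread: input-chain rules for a RouterOS
# PPTP server, using the /ip firewall filter syntax of the 2.9 manual.
/ip firewall filter
# Control channel: the client opens TCP port 1723 on the router itself.
add chain=input protocol=tcp dst-port=1723 action=accept comment="PPTP control (TCP 1723)"
# Data channel: the tunnel payload is GRE, IP protocol 47. GRE has no
# port numbers, so a NAT device between client and server must handle
# it separately (hence the question about NAT after the XP client).
# Without this rule the control connection can succeed while no traffic
# crosses the tunnel.
add chain=input protocol=gre action=accept comment="PPTP data (GRE, proto 47)"
# New rules are appended at the end of the chain. If the chain ends with
# a catch-all "chain=input action=drop", the two accepts must be moved
# above it or they never match. Assumed numbering: the drop rule is item
# 20 and the two new rules are items 21 and 22.
move 21 20
move 22 21
# Verify: both accept rules must print before the input drop rule.
print
```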

Thanx for the reply

There's no NAT at the client.

I'll continue to refer to the link you sent me . . .

I did not really want to start a new thread, but I too am having a problem setting up a PPTP server on one of my MT boxes. I have the box set up as a Hotspot/NAT.

I want to be able to VPN in from home/my network monitoring server so I can log in to client radios behind the hotspot.

The Windows PPTP client does not connect, with "remote computer did not respond". This MT has quite a few firewall rules, but under Service Ports GRE is enabled.

I tested the config on another MT that was just running as an access point on a public IP. It has almost no FW rules, and I could connect fine.

Any tips?

I am certainly not an expert with the MT, but I would either slowly remove firewall rules until it connects, or remove all of them and add one at a time until it fails.

cheers

The problem is that I did not set up the FW, and there are some rules I do not understand. I am going through them now to figure them out. I am sure somebody with more experience would look right at it and know.

I got the VPN to connect by adding the rule "accept services" to the FW at the top of the chain.

Now I cannot pass traffic.

I tried adding a forward GRE passthrough rule; it did not work.

PS: here are some configs and tests.

[user@MikroTik] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
  #   NAME          USER   MTU    CLIENT-ADDRESS   UPTIME   ENCODING
  0 R remoteAdmin   miah   1400   68.102.187.57    1m50s    MPPE128 stateless

[user@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #   NAME
  0 R ether2
  1 R ether3
  2 R ether1
  3 R remoteAdmin

[user@MikroTik] ppp active> print
Flags: R - radius
  #   NAME   SERVICE   CALLER-ID       ADDRESS    UPTIME   ENCODING
  0   miah   pptp      68.102.187.57   10.2.1.2   5m29s    MPPE128 stateless

[user@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS           NETWORK       BROADCAST        INTERFACE
  0   ;;; added by setup
      publicIP/24       public.0      morepublic.255   ether1
  1   ;;; added by setup
      10.3.1.1/24       10.3.1.0      10.3.1.255       ether2
  2   ;;; added by setup
      10.5.1.1/24       10.5.1.0      10.5.1.255       ether3
  3   publicIP/24       publicIP.0    public.255       ether1
  4   publicIP/24       publicIP.0    public.255       ether1
  5   publicIP/24       publicIP.0    public.255       ether1
  6 D 10.2.1.254/32     10.2.1.2      0.0.0.0          remoteAdmin
  7   10.2.1.254/24     10.2.1.0      10.2.1.255       ether2

1 ;;; Cisco VPN
chain=forward src-address=10.3.1.0/24 protocol=udp src-port=500 action=passthrough

2 chain=services action=accept

3 chain=forward src-address=10.5.1.28 p2p=all-p2p action=accept

4 chain=forward dst-address=10.5.1.28 p2p=all-p2p action=accept

5 chain=forward src-address=10.3.1.81 p2p=all-p2p action=accept

6 chain=forward dst-address=10.3.1.81 p2p=all-p2p action=accept

7 chain=forward p2p=all-p2p action=drop

8 ;;; Allow Established connections
chain=input connection-state=established action=accept

9 ;;; Drop Invalid connections
chain=input connection-state=invalid action=drop

10 ;;; Allow UDP
chain=input protocol=udp action=accept

11 ;;; Allow ICMP
chain=input protocol=icmp action=accept

12 ;;; jump to chain services
chain=input action=jump jump-target=services

13 ;;; Allow access to router from known network
chain=input src-address=10.5.1.0/24 action=accept

14 ;;; Allow access to router from known network
chain=input src-address=10.3.1.0/24 action=accept

15 ;;; allow http, webbox
chain=input protocol=tcp dst-port=8081 src-address-list=admin action=accept

16 ;;; Allow winbox
chain=input protocol=tcp dst-port=8291 src-address-list=admin action=accept

17 ;;; allow ftp
chain=services protocol=tcp dst-port=20-21 src-address-list=admin action=accept

18 ;;; allow sftp, ssh
chain=services protocol=tcp dst-port=22 src-address-list=admin action=accept

19 ;;; allow telnet
chain=services protocol=tcp dst-port=23 src-address-list=admin action=accept

20 ;;; Drop anything else
chain=input action=drop
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Owner>ping 10.2.1.5

Pinging 10.2.1.5 with 32 bytes of data:

Reply from 10.2.1.254: Destination host unreachable.
Reply from 10.2.1.254: Destination host unreachable.
Reply from 10.2.1.254: Destination host unreachable.
Reply from 10.2.1.254: Destination host unreachable.

Ping statistics for 10.2.1.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Owner>ping 10.2.1.254

Pinging 10.2.1.254 with 32 bytes of data:

Reply from 10.2.1.254: bytes=32 time=13ms TTL=64
Reply from 10.2.1.254: bytes=32 time=15ms TTL=64
Reply from 10.2.1.254: bytes=32 time=15ms TTL=64
Reply from 10.2.1.254: bytes=32 time=13ms TTL=64

Ping statistics for 10.2.1.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 13ms, Maximum = 15ms, Average = 14ms

C:\Documents and Settings\Owner>

One thing that bugs me is that the "local address" is set to 10.2.1.254/32; this address is already used on ether2 as 10.2.1.254/24.

This is however directly from the instructions.

Also, when I connect, I see this in the address list in Winbox.

| Flags | Address       | Network  | Broadcast | Interface   |
| D     | 10.2.1.254/32 | 10.2.1.2 | 0.0.0.0   | remoteAdmin |

Maybe I am not thinking in the right box, but this seems wrong.

Could this be related to the other fellow's PPTP problem?

Is proxy-arp set on the eth interface?

Yes, proxy-arp is set on eth2.

Here is another funny thing: I can communicate with a few addresses like 10.2.1.76 but not 10.2.1.5. VERY odd.

On another hotspot, I get the same result.