PPTP Server won't work

Hi guys,

I am trying to get PPTP server working, but I am obviously overlooking something
I checked with a couple of public guides and all seems to be ok, according to those.

• I have Mikrotik HAP AC3, ROS 6.47.8

This is what I did, any comments are highly appreciated.
For me, the do not seem to display so I am adding also links to them

1. Created PPTP pool
   Image 1

2. Setup PPP profile
   Image 2

3. Added network
   Image 3

4. Added a test user
   Image 4

5. Enabled PPTP on FW
   Image 5

6 Enabled PPTP server
Image 6

7 Created test VPN connection in Windows
Image 7

8 Connected - it passed the credentials authorization but it hangs on connecting and wont connect - any ideas what i am missing?
Image 8

Screenshots generally do not convey enough information to be useful, post the output of /export hide-sensitive from a Winbox terminal session in a code block (the icon above the text box when posting on the forum).

Many third-party guides on the internet are out of date / not optimal / insecure. The Mikrotik wiki / help page examples are a good starting point, then MUM presentations and the forum.

PPTP is a poor choice for VPNs as it has known insecurities.

To be more precise it’s the legacy authentication methods like mschap that are insecure. The newer EAP would do alright but isn’t available in RoS. In the long run I would also replace PPTP with for instance WireGuard or IPSEC/IKEv2 but there are other means you can straighten up the security for PPTP.

Regarding the specific problem of yours (picture 8) it seems the win client can’t reach either tcp port 1723 or not capable (or allowed) routing GRE-packets. This is typical if you try to connect through a hotspot using an iPhone, hotell or restricted public wifi hotspot.

Link: PPTP VPN: TESTING WHETHER GRE 47 TRAFFIC IS ALLOWED

Thanks for the replies guys.

I am aware PPTP is not ideal, but it is the simplest windows built-in VPN, easy to explain to the few (family) users who will connect

I tested 1723 with the open port tester and that seems to be ok
port open

As for GRE, i have it listed and allowed in Firewall and since I am able to do WOL I assume it is not blocked.

The VPN connection I am trying to establish is just for the test purposes from a computer from LAN where mikrotik is located

Here is the export (I put XXX on couple of unrelated settings)

[admin@MikroTik] > export /hide-sensitive
expected end of command (line 1 column 8)
[admin@MikroTik] >> export hide-sensitive 
# nov/26/2020 16:39:59 by RouterOS 6.47.7
# software id = B8RB-MITG
#
# model = RBD53iG-5HacD2HnD

/interface bridge
add admin-mac=xxxxxxx auto-mac=no comment=defconf name=bridge
/interface wireless
xxx
xxx

/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] advertise=1000M-full comment=Shield
set [ find default-name=ether3 ] comment=DarkDuo
set [ find default-name=ether4 ] comment=NAS
set [ find default-name=ether5 ] poe-out=off
/interface wireless manual-tx-power-table
set wlan1 
set wlan3 
/interface wireless nstreme
set wlan1 
set wlan3 
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Guest connections" name=Guest
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
add name=profile supplicant-identity=MikroTik
/ip firewall layer7-protocol
add comment="Steam L7" name=Steam regexp="^..+\\.(steam|valvesteampowered|steamc\
    ommunicty|steamgames|steamusercontent|steamcontentsteamstatic).*\$"
/ip hotspot profile
set [ find default=yes ] login-by=cookie,http-chap,https
/ip pool
add comment="Local DHCP" name=dhcp ranges=192.168.2.2-192.168.2.30
add comment="PPTP Server" name=PPTP-Pool ranges=192.168.10.2-192.168.10.30
add comment="Default VPN" name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add comment="PPTP Server" dns-server=192.168.10.1 local-address=192.168.10.1 \
    name=PPTP-Profile only-one=yes remote-address=PPTP-Pool use-encryption=yes
set *FFFFFFFE comment=SSL local-address=192.168.89.1 remote-address=vpn
/system logging action
add bsd-syslog=yes name=cloutikds remote=51.75.26.223 remote-port=5014 \
    syslog-facility=syslog target=remote
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Guest connections" list=Guest
add comment="Guest connections" interface=wlan1 list=Guest
/interface pptp-server server
set authentication=chap,mschap1,mschap2 default-profile=PPTP-Profile enabled=\
    yes
/ip address
add address=xxx comment=defconf interface=ether2 network=xxx
add address=xxx interface=ether1 network=xxx
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
xxx

/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
add address=192.168.10.0/24 gateway=192.168.10.1 netmask=24
/ip dns
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="GRE for PPTP" protocol=gre
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Remote admin" dst-port=8291 protocol=tcp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=fasttrack-connection chain=forward comment="Fastrack Steam" \
    connection-mark=steam-connection
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment="Steam UDP Ports" \
    new-connection-mark=steam-connection passthrough=no port=\
    2700-28999,3478,4379,4380 protocol=udp
add action=mark-connection chain=forward comment="Steam TCP Ports" dst-port=\
    27015,27036,27037 new-connection-mark=steam-connection passthrough=no \
    protocol=tcp
add action=mark-connection chain=forward comment="Steam HTTPS" dst-port=443 \
    new-connection-mark=steam-connection passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment="Steam L7" layer7-protocol=\
    Steam new-connection-mark=steam-connection passthrough=no protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=accept chain=dstnat dst-port=5001 protocol=tcp src-address=\
    192.168.2.20
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip route
add distance=1 gateway=xxx
/ip service
set www-ssl certificate=bax-crt disabled=no
/ppp secret
xxx
/system clock
set time-zone-name=Europe/Prague
/system logging
add action=cloutikds prefix=info topics=info
add action=cloutikds prefix=error topics=error
add action=cloutikds prefix=critical topics=critical
add action=cloutikds prefix=warning topics=warning
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

With that configuration the address 192.168.10.1 in image #7 does not exist until a connection using the PPTP Server PPP profile is made, you can use the LAN gateway address if connecting locally to test.

Also there is no need to add 192.168.10.0/24 under /ip dhcp-server network as PPP-like protocols do not use DHCP for address assignment.

Thank you TDW.

I removed the VPN network from the list
Servers

and

Also changed VPN to connect to the local gateway
Connecting to VPN

Unfortunately it remains the same - it validates the credentials and hangs on connecting.
Any ideas?

Are you sure the credentials are validated, or just accepted by the Windows client?

Does the packet count on the firewall filter add action=accept chain=input comment=“PPTP VPN” dst-port=1723 protocol=tcp rule increase? Anything in the Mikrotik log?

The credentials are 100%, I created a simple test-user, but you are right windows is likely simply accepting as I do not see anything in the mikrotik log at all so I am not sure where else to look.

I am also fine to give a try to L2TP.
I have already tested it according to some guide and ended up in windows VPN connection returning error “The modem (or any other connecting device) reported an error”.

The Mikrotik log showed in this case following
L2TP log

Basically I will happily remove all the PPTP setup and follow any reliable guide for L2TP.
I can also post here the setup I have done for L2TP as well or any screenshot.

Did you check what client errors you got by examine the windows event log for rasdial events like 678 or 777?

• List of error codes for dial-up connections or VPN connections
• Routing and Remote Access Error Codes

RasClient specific events are stored in the application log ie Windows Logs → Application → RASClient

baxik, disable all firewall filters and try again.

For the test, I disabled both local client network FW and all FW filters on MK with the same result.
I feel I have some big stupid setup issue somewhere in IPSEC I keep overlooking, or have all the clients configured wrong or something.

On windows I ended up with error code 651 in the logs - i checked and updated all drivers installed all latest windows updates, no driver is having any issue, but still getting 651
I tried on 3 different machines ending up in 651 with all of them.
This is how it looks in the MK logs
MK Log Win client connecting


On android phone connecting from local the MK log said it could not find any suitable proposal.

When I tried on completely different machine connecting from WAN, I did not even get anything in the log and the machine returned “L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer”




Adding my configuration with L2TP

/interface bridge
add admin-mac=48:8F:5A:AA:4A:9C auto-mac=no comment=defconf name=bridge
/interface wireless
XXX
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] 
set [ find default-name=ether3 ] 
set [ find default-name=ether4 ] 
set [ find default-name=ether5 ] 
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Guest connections" name=Guest
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=XXX
add name=profile supplicant-identity=XXX
/ip firewall layer7-protocol
add comment="Steam L7" name=Steam regexp="^..+\\.(steam|valvesteampowered|steamc\
    ommunicty|steamgames|steamusercontent|steamcontentsteamstatic).*\$"
/ip hotspot profile
set [ find default=yes ] login-by=cookie,http-chap,https
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 pfs-group=none
/ip pool
add comment="Local DHCP" name=dhcp ranges=192.168.2.2-192.168.2.30
add comment="VPN Pool" name=vpn-pool ranges=192.168.10.2-192.168.10.30
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add local-address=192.168.10.1 name=vpn-profile only-one=yes remote-address=\
    vpn-pool
set *FFFFFFFE local-address=192.168.10.1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="Guest connections" list=Guest
add comment="Guest connections" interface=wlan1 list=Guest
/interface pptp-server server
set authentication=chap,mschap1,mschap2 enabled=yes
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2 network=192.168.2.0
add address=XXX interface=ether1 network=XXX
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Remote admin" dst-port=8291 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=fasttrack-connection chain=forward comment="Fastrack Steam" \
    connection-mark=steam-connection
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment="Steam UDP Ports" \
    new-connection-mark=steam-connection passthrough=no port=\
    2700-28999,3478,4379,4380 protocol=udp
add action=mark-connection chain=forward comment="Steam TCP Ports" dst-port=\
    27015,27036,27037 new-connection-mark=steam-connection passthrough=no \
    protocol=tcp
add action=mark-connection chain=forward comment="Steam HTTPS" dst-port=443 \
    new-connection-mark=steam-connection passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment="Steam L7" layer7-protocol=\
    Steam new-connection-mark=steam-connection passthrough=no protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=accept chain=dstnat dst-port=5001 protocol=tcp src-address=\
    192.168.2.20
/ip route
add distance=1 gateway=XXX
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.2.1
add distance=1 dst-address=192.168.10.0/24 gateway=XXX
/ip service
set www-ssl certificate=bax-crt disabled=no
/ppp l2tp-secret
add comment="L2TP Preshared Key"
/ppp secret
add disabled=yes name=test-user profile=vpn-profile service=l2tp
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I sometimes get the same symptoms (With L2TP/IPSec, don’t use PPTP) and is a bug in Windows, to get around this, connect via Network & Internet Settings–>VPN in Windows. Going forward it will connect normally until you restart Windows, then first time you will have to follow the same procedure again

Thanks for the tip, but this is how I created the L2TP VPN in the first place and from where I am connecting.
VPN connection - but maybe you meant something else?

Also can you have a look to the settings whether the FW rules and/or IPSec is not missing anything there?
I am getting a bit desperate and running out of ideas..

Just a long shot but try disabling the windows fw and check if that will make any difference.

Event 651 is not something common to me but check this out:

• https://www.ionos.com/digitalguide/server/configuration/error-651/
• https://support.microsoft.com/en-us/help/818455/you-receive-the-error-651-error-message-when-you-try-to-establish-a-vp
  
  
  PS…
  In the early days of Windows development, it seems that Microsoft had an internal contest to create cryptic error messages and left out detailed explanations on purpose. Problem no 2, the windows network protocol stack is a total mess since it’s a patchwork of changes since winxp.

Reason your PPPTP VPN did not work is that you have the allow rule for GRE protocol after the drop invalid rule, move this to before and PPTP VPN should work

For L2TP/IPSec, you will need the following allow rules for input chain:

1. UDP Dst Port 500,1701,4500
2. Protocol number 50 (ipsec-esp)

@Larsa

I did try this, yesterday, I think it was even your recommendation. I tried to turn off both Windows FW and also MK and the combination.
For the 651 I also bumped into the articles you mention and reinstalled the network driver as well as the L2TP minidriver updated to latest windows KBs and the drivers for the adapters and restarted the computer. Still was getting same issue.
Since I am getting the same error code also on 3 other windows machines, I believe it might not be really a windows issue.To be sure, I setup a new laptop with a fresh W10 installation and got 651 error the moment I hit the connect button.

When I looked to MK logs it went OK through Phase 1 (Identity protection) than it dropped.
MK LOG

@CZFan

I completely scrapped the PTPT setup, I left the GRE there for WOL, but since you mention it. I the GRE was behind DROP Invalid rule not drop everything - i thought this rule should be rather at the
beginning, as it drops just invalid packets not tp process them through other rules, no? For further tests i rather moved it down to make sure it was not an issue.

I added the rules like suggested, but it still issues the same message.

This is how the FW looks now - is that what you had in mind?

MK FW

# nov/27/2020 14:50:47 by RouterOS 6.47.7
# software id = B8RB-MITG
#
# model = RBD53iG-5HacD2HnD
# serial number = D96C0C4CC55D
/ip firewall layer7-protocol
add comment="Steam L7" name=Steam regexp="^..+\\.(steam|valvesteampowered|stea\
    mcommunicty|steamgames|steamusercontent|steamcontentsteamstatic).*\$"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow L2TP" dst-port=500,1701,4500 \
    protocol=udp
add action=accept chain=input comment="allow ipsec" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Remote admin" dst-port=8291 protocol=\
    tcp
add action=accept chain=input comment="GRE for WOL" protocol=gre
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=fasttrack-connection chain=forward comment="Fastrack Steam" \
    connection-mark=steam-connection
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment="Steam UDP Ports" \
    new-connection-mark=steam-connection passthrough=no port=\
    2700-28999,3478,4379,4380 protocol=udp
add action=mark-connection chain=forward comment="Steam TCP Ports" dst-port=\
    27015,27036,27037 new-connection-mark=steam-connection passthrough=no \
    protocol=tcp
add action=mark-connection chain=forward comment="Steam HTTPS" dst-port=443 \
    new-connection-mark=steam-connection passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment="Steam L7" layer7-protocol=\
    Steam new-connection-mark=steam-connection passthrough=no protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=dstnat dst-port=5001 protocol=tcp src-address=\
    192.168.2.20

Basically, I am even willing to create a test user for you to test remotely with your client whether you get the same or not.
Let me know if you would do so I would send you a PM

@baxik, I’ve got a temporary lte sandbox you can use to test your pptp client. Is there a way to send PM with the connection info?

I thought there was, but i see the contact button is grayed out.
You can send it to ---@gmail.com

You’ve got mail!

Works like charm.
Do you also happen to have l2tp sandbox as well for me to test and be sure the client side is OK?