PPTP Tunnel Routing problem

Hi to all,

I have a problem with a Routerboard RB500 with RouterOS 3.15.
This is the scenario:

Local LAN: 192.168.20.0/24 ----> attached to mikrotik eth. 2 (configured with 192.168.20.1, default gateway and DHCP server for the hosts)

default route 0.0.0.0/0 to Internet -----> to gateway 10.x.x.x (Mikrotik eth. 1)

Source NAT configured: "0 chain=srcnat action=masquerade out-interface=ether1"

Internet routing is working fine.

Now I have configured a PPTP client on the Mikrotik to connect to a corporate branch over the Internet.
This is the PPTP client config:

0 R name="VPN_LAB" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=x.x.x.x user="xxxx" password="xxxx" profile=default-encryption add-default-route=no allow=pap,chap,mschap1,mschap2

The connection is successful and the PPTP client interface receives from the PPTP Server (a Microsoft Server) the IP 192.168.10.155.

Within the branch there is a 192.168.10.0/24 network. So I have configured this static route:

Destination=192.168.10.0/24 Gateway Interface=VPN_LAB

From the router I'm able to ping and trace the hosts that are within the branch LAN, but I'm unable to do the same from the hosts within the local LAN (192.168.20.0/24).

In fact I'm able to ping 192.168.10.155 (the PPTP client interface), and if I run a trace to a host on the branch LAN that I'm able to ping and trace from the Mikrotik, I get only the 192.168.20.1 hop (the Local LAN default gateway) and no other hops.

Can someone help me?

Thanks in advance.

The branch doesn't have a route back to your subnet, so you need to masquerade it as well... or tell that Windows box that your subnet is behind the PPTP tunnel so it can return traffic.

Hi changeip,

thanks for your reply.
The Mikrotik has been put in as a replacement for a damaged Windows server in the Local LAN, with the same addressing as the damaged server.
So I didn't make any change/reconfiguration on the Branch server, because it is already configured to route the 192.168.20.0/24 traffic to the VPN interface.

Any other ideas?

changeip is probably still correct; double-check your routing tables to confirm you have a valid route in both cases. Don't make the assumption that Windows will handle the MT VPN the same as it did a RRAS to RRAS connection.

I assume you are using RRAS on the Windows machine. I've found it's better with RRAS to configure it to dial out and connect into the MikroTik machine; that seems to be more reliable, as I've had problems in the past getting RRAS to correctly assign the MikroTik IPs to the tunnel interface for demand dial interfaces in RRAS.
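
Added example, not part of any post in this thread: a small Python model of the return-path problem the replies describe, showing why the router itself can ping the branch while LAN hosts cannot, and how either a masquerade rule on the tunnel interface or a branch-side route fixes it. The branch routing table and the two sample hosts (192.168.20.50, 192.168.10.20) are assumptions constructed for illustration.

```python
import ipaddress

TUNNEL_IP = "192.168.10.155"  # address the PPTP server handed to the MikroTik (from the thread)

# MikroTik routes as described in the thread; interface names stand in for next hops.
MIKROTIK = [("0.0.0.0/0", "ether1"), ("192.168.20.0/24", "ether2"),
            ("192.168.10.0/24", "VPN_LAB")]

def lookup(table, addr):
    """Longest-prefix match: return the next hop for addr, or None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(net), hop) for net, hop in table
            if ip in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def branch_table(knows_lan):
    """Assumed model of the branch server's routing table (not taken from the page)."""
    table = [("0.0.0.0/0", "internet"), ("192.168.10.0/24", "branch-lan"),
             (TUNNEL_IP + "/32", "pptp-tunnel")]
    if knows_lan:  # the return route the replies ask the poster to verify
        table.append(("192.168.20.0/24", "pptp-tunnel"))
    return table

def round_trip(src, dst, masq_ifaces, branch_knows_lan):
    """Follow one request from src to dst and report where the branch sends the reply."""
    out_if = lookup(MIKROTIK, dst)
    if out_if != "VPN_LAB":
        return "request leaves via %s, not the tunnel" % out_if
    # Masquerade rewrites the source to the address of the outgoing interface,
    # e.g. a second srcnat masquerade rule with out-interface=VPN_LAB.
    wire_src = TUNNEL_IP if out_if in masq_ifaces else src
    back = lookup(branch_table(branch_knows_lan), wire_src)
    if back == "pptp-tunnel":
        return "reply returns via tunnel"
    return "reply lost: branch routes %s to %s" % (wire_src, back)

if __name__ == "__main__":
    lan_host, branch_host = "192.168.20.50", "192.168.10.20"  # constructed sample hosts
    cases = [("router itself, NAT on ether1 only", TUNNEL_IP, {"ether1"}, False),
             ("LAN host, NAT on ether1 only", lan_host, {"ether1"}, False),
             ("LAN host, NAT also on VPN_LAB", lan_host, {"ether1", "VPN_LAB"}, False),
             ("LAN host, branch has return route", lan_host, {"ether1"}, True)]
    for label, src, masq, knows in cases:
        print("%-36s %s" % (label, round_trip(src, branch_host, masq, knows)))
```
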