Hi there!
We are using Ltap LTE/4G devices as PPTP VPN clients with great results.
Now all looks great: we can access devices from the clients to the server without any issue.
We add a static route to reach those users behind the VPN (server to clients), but the interface of this route fails every time the VPN restarts. I mean, every time the VPN fails and connects again, the route stays unreachable; until we manually restart it or create it again, the route stays down. (Clients can fail for multiple reasons: a change of public IP, a power failure, low signal, etc., but the router's keepalive mechanism runs and reconnects successfully. This runs great.)
Maybe this is not the best way to implement this VPN. Basically these are remote sites (LtAP devices running DHCP, each with its own IP range), and all the devices behind this router (the remote devices are in TCP/UDP server mode) must be accessed from the VPN central (server) site.
Is a static route the better option, or is some other deployment scheme better?
I’m not sure I understand your problem description.
What happens with all the ppp-based interfaces is that the client connection fails, and the dynamically created tunnel interface at the server stays up for a while, until the keepalive mechanism finds out that the client connection has been lost. This may take minutes. If, during this time, the client establishes another connection, the routes added via the tunnel interface created for the dead connection still exist, and thus the communication is broken. One has to manually remove the stuck connection to obtain access to the client-side network again. Is this the scenario you experience?
Besides, what is your motivation to use PPTP, given that it is equally simple (or equally complex) to configure an L2TP/IPsec VPN, which provides much better encryption and fewer problems compared to PPTP?
Hi there Sindy, thank you very much for your response.
About your question: I want this route (server->client) to restart itself as the VPN does. Nothing else.
The only motivation to use PPTP is that we want to have a separate network segment in each remote site; I was thinking that L2TP is better for PC users running IPsec.
About encryption: in my case, because it is a 4G link, my rule is the lowest possible use of the available bandwidth.
The only issue is that, talking about sockets and services, these run at the remote sites, so the main router must reach them (the socket that listens for TCP connections remains at the client sites).
This is the route status when the VPN fails:
I really want your comments!
Best Regards!
As @sindy has said, PPTP has poor encryption; it should be avoided. L2TP is confusingly named: the L2 part refers to the transport of the PPP packets; it is still an IP / layer 3 VPN.
Instead, add a (properly modified) parameter routes=192.168.88.0/24 to the /ppp secret rows representing the individual clients. With this parameter, the route(s) will be added dynamically each time the client establishes a connection.
Or map the user names to static interface names (/interface pptp-server add user=xxx name=l2tp-xxx) in addition to the /ppp secret rows, and you can keep using static routes.
To provide different treatment to Windows clients compared to Mikrotik clients, you can create a dedicated /ppp profile for each group, and link each /ppp secret to one of those /ppp profile rows as needed. The pre-shared key for IPsec will be the same for both groups, but PPP usernames and passwords will be individual. It'll still be far more secure than PPTP. Or you can manually configure the IPsec part for the Mikrotik clients with IKEv2, which will allow you to use a different PSK while using the same IP address and port, or to use certificates rather than a PSK for authentication.
A /ppp profile row may point to an /ip pool row to be used as remote-address, and it may specify multiple address-lists and a single interface-list to add the client's address and interface to, respectively, whenever the client is active.
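As an added illustration of the three suggestions above (the per-secret `routes=` parameter, the static interface binding, and the L2TP/IPsec profiles per client group), here is a RouterOS configuration sketch. It is example config written for this page, not the thread participants' own configuration, and every site name, address range, interface-list name and secret in it is an assumption chosen for the example; the placeholder passwords and PSK must be replaced before use.

```routeros
# Added example, not from the thread. All names, addresses, passwords and the
# PSK are assumed for illustration: tunnel server side 10.99.0.1, remote site
# "siteA" with LAN 192.168.88.0/24, "siteB" with 192.168.89.0/24, "siteC" with
# 192.168.90.0/24.

# --- Option 1: route carried in the /ppp secret, re-added on every reconnect ---
# RouterOS expects the format "dst-address gateway metric" (comma-separated for
# several routes). The gateway must be the same address as remote-address, so
# the route is created on, and removed with, each dynamic tunnel interface.
/ppp secret add name=siteA password=ChangeMe-siteA service=pptp \
    local-address=10.99.0.1 remote-address=10.99.0.2 \
    routes="192.168.88.0/24 10.99.0.2 1"

# --- Option 2: static interface binding so a static route survives reconnects ---
# The binding ties user "siteB" to a fixed interface name. The static route uses
# that name as gateway, so it simply goes inactive while the client is down and
# active again when it reconnects, instead of pointing at a dynamic interface
# that disappears and reappears.
/interface pptp-server add name=pptp-siteB user=siteB
/ppp secret add name=siteB password=ChangeMe-siteB service=pptp \
    local-address=10.99.0.1 remote-address=10.99.0.3
/ip route add dst-address=192.168.89.0/24 gateway=pptp-siteB \
    comment="siteB LAN via static binding"

# --- Option 3: the same over L2TP/IPsec, one /ppp profile per client group ---
# Mikrotik sites and Windows users share the L2TP server and its IPsec PSK, but
# get different pools, and only the sites are put into the vpn-sites lists.
/ip pool add name=pool-mt ranges=10.99.0.10-10.99.0.99
/ip pool add name=pool-win ranges=10.99.1.10-10.99.1.99
/interface list add name=vpn-sites
/ppp profile add name=l2tp-mt local-address=10.99.0.1 remote-address=pool-mt \
    interface-list=vpn-sites address-list=vpn-sites use-encryption=required
/ppp profile add name=l2tp-win local-address=10.99.1.1 remote-address=pool-win \
    use-encryption=required
/interface l2tp-server server set enabled=yes use-ipsec=yes \
    ipsec-secret="ChangeMe-SharedPSK" default-profile=l2tp-win \
    authentication=mschap2
# A fixed remote-address in the secret overrides the profile's pool, which is
# what makes the routes= gateway predictable for a site.
/ppp secret add name=siteC password=ChangeMe-siteC service=l2tp profile=l2tp-mt \
    remote-address=10.99.0.4 routes="192.168.90.0/24 10.99.0.4 1"

# --- Checks to run after a client drops and reconnects ---
/ppp active print
/ip route print where dynamic
/ip route print where gateway=pptp-siteB
/ip firewall address-list print where list=vpn-sites
```

After a reconnect, the `routes=` route for siteA/siteC should reappear as a dynamic route bound to the new tunnel interface, and the siteB static route should flip back from inactive to active on its own; a stale duplicate in `/ppp active print` for the same user is the stuck-connection symptom described earlier in the thread. The single shared IPsec PSK in option 3 is what the post above refers to; moving the Mikrotik sites to IKEv2 with certificates removes that shared secret.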