replace Windows PPTP VPN

When I started this job - the company was already using Windows PPTP along with a small SonicWall router. I replaced the router with a CCR1009 when we went to VoIP. So it is fairly new. I am hoping it can support our latest need.
Our dear friends at Apple are getting rid of PPTP support in their new macOS/iOS in a few months, stranding my Mac users from connecting to our VPN.

Can the Mikrotik do a reliable Client to Site VPN?
Can I use my Windows AD Authentication so they do not need another password?
What are the drawbacks?

If this is not the direction to go - what would you recommend without breaking the bank? (90 users)

Thanks for any guidance/setup instructions you can provide.

Yes it should work. We also have a CCR as PPTP server (and for other things).
For setup just follow the manual.
For AD authentication, set up RADIUS on your domain controller and use RADIUS authentication on the CCR.

As I mentioned in my initial post - I have to replace PPTP since Apple is removing support in the upcoming iOS 10 and macOS Sierra.

What is the alternative that Apple supports?
L2TP/IPsec? I use that and it works OK on MikroTik. May require some manual config when the user is behind double NAT.
But I have no experience with Apple.

From my experience, L2TP/IPsec works OK between a Windows client and MT server, although, like pe1chl said, it can be tricky when behind NAT.
Can Mac do OpenVPN? Personally I’d go with that with a dedicated server/VM for this purpose.
At least until ROS7 :wink:

Anyone have any insight on using a Windows L2TP Server? I have it set up and clients can connect when at the office.
But remotely, I cannot get the traffic to pass.
I have 2 DST-NAT Rules destination 70.x.x.x. (Public IP) for UDP 500,4500 to Windows Server 192.168.3.252.

What am I missing?

(Just adding the 2 rules GRE and UDP 1723 worked fine for PPTP which is still working on another server)

L2TP/IPsec server behind NAT? I would not dare to try it…

So - my choices are
PPTP - no as Apple devices no longer support it
L2TP - the protocol does not work for remote users behind a firewall
OpenVPN - requires more hardware

Oh - so no choices.

Migrate everything to IPv6 I would say…

Maybe I am missing something…

Why not just set up your VPN server on the CCR and then allow that specific traffic to “talk” to the server?

Apparently same issue. I ended up doing the L2TP on the Mikrotik. Only 1 client per location can log on at the same time. The second person bumps the first.
Does IPv6 solve this?
My provider, Cox, didn’t give me any IPv6 addresses when they installed this year. Does that mean I do not have any assigned?

Do you have routers at the location that you manage? In that case, let the router set up the VPN, not the end systems.
Any provider that is keeping up with technology is giving you IPv6.
(but most of them are not, they apparently do not exist for clients or for internet, but only for shareholders)

The networks are not mine to manage - usually hotels… sometimes in meeting rooms - but often working from their guestrooms.
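
Added example, not written by any poster in this thread: a RouterOS v6 configuration for the setup the replies describe, with the CCR terminating L2TP/IPsec and passing user logins to Active Directory over RADIUS (NPS on the domain controller). Every address, name and secret below is a placeholder assumption, including the pool range and the RADIUS server IP.

```routeros
# Added example. All addresses, names and secrets are placeholders (assumptions).

# Address pool and PPP profile handed to VPN clients.
/ip pool add name=vpn-pool ranges=192.168.89.10-192.168.89.200
/ppp profile add name=l2tp-ad local-address=192.168.89.1 remote-address=vpn-pool dns-server=192.0.2.10 use-encryption=required

# RADIUS: send PPP logins to NPS on the domain controller (placeholder 192.0.2.10).
# On the NPS side the CCR must be registered as a RADIUS client with the same
# shared secret, and the network policy must allow MS-CHAP v2.
/radius add service=ppp address=192.0.2.10 secret="CHANGE-ME-radius-secret" timeout=3s
/ppp aaa set use-radius=yes accounting=yes

# L2TP server: MS-CHAP v2 only, with RouterOS generating the IPsec peer and policy.
/interface l2tp-server server set enabled=yes default-profile=l2tp-ad authentication=mschap2 use-ipsec=yes ipsec-secret="CHANGE-ME-ipsec-psk"

# Input firewall: IKE, NAT-T and ESP from outside; L2TP (UDP 1701) is accepted
# only when it arrived inside IPsec, and dropped otherwise.
# "add" appends to the end of the chain, so move these above any existing
# drop rule in chain=input.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE and NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="IPsec ESP"
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP inside IPsec only"
add chain=input protocol=udp dst-port=1701 action=drop comment="no cleartext L2TP"
```

With `use-radius=yes`, users log in with their AD credentials and no local `/ppp secret` entries are needed; the IPsec pre-shared key is still common to all clients.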