I was wondering if anyone had tips to help troubleshoot VPN / Routing issues on Mikrotik routers? A couple cases have come up where the configuration appears to be fine, but the routing does not appear to be working…
On the main router:
RB1100AHx2 (RouterOS 5.24, PPTP Server)
LAN: 10.0.254.0/24
PPTP local/remote range: 10.99.99.0/24
I have about 40 sites running RB750GL routers as PPTP clients.
Typically, all these locations have as LAN 192.168.x.0/24 or 172.16.x.0/24 and are configured as PPTP clients to the main site.
I use the same configuration template & checklist when setting up these clients to reduce mistakes & oversights. However, I have 3 sites where the PPTP VPN tunnel is up and the client LAN computers are able to ping the main LAN (10.0.254.0/24) over the VPN, but the main LAN computers are not able to ping back to these 3 faulty remote sites. Both the host & client side Mikrotiks are able to ping the other side's LAN computers. Weird.
Here’s screenshots of how I set up the VPN on the HOST & CLIENT routers (attached to this post).
Any tips or advice on something I might have overlooked, or on anything else I might be able to try to troubleshoot this issue, would be appreciated!
Thanks!
PPP Secret on HOST
PPTP Server Interface on HOST
IP Route added automatically once PPTP connection is active on HOST
client side screenshots on next post since it won’t let me add more than 3 screenshots in this post…
PPTP Client interface 1/2:
PPTP Client interface 2/2:
IP Route, static route configured manually back to HOST router LAN (10.0.254.0/24)
There are other routes shown in the last screenshot, but those are for VPN connections to other locations that are working fine.
The issue is still unresolved; however, after investigating further, I've noticed the one thing in common for these 3 locations that have this problem: they all have their ETH1/WAN connection set to DHCP, as opposed to all our other locations, which use PPPoE/DSL or fiber with manually configured static IPs. So the issue seems to only affect our branches which use DHCP to obtain their WAN IP address.
I'm sorry, I've not read your question, so this isn't help with the technical part of it; however:
PPTP is based on MS-CHAPv2, which is TOTALLY broken and vulnerable to any attacker that can capture a handshake/connection [i.e. anyone on the route from PPTP client to PPTP server]. (Google CloudCracker.)
If you are relying on any security of PPTP [which you must be, otherwise why not use another protocol], please pick another VPN method. Options are probably: SSTP, OpenVPN, L2TP and perhaps IPsec.
Thus, taking time to explain why PPTP doesn’t work may well be wasted effort.
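As an added example of the switch the reply above recommends (this is not the original poster's configuration), here is what moving the 40 sites from PPTP to SSTP looks like on RouterOS. SSTP carries the same PPP/MS-CHAPv2 exchange inside a TLS session, so the handshake that CloudCracker-style attacks need is never visible on the path. Assumed names: a server certificate already imported on the host as "sstp-server-cert", its CA certificate imported on the client (needed for verify-server-certificate=yes), a PPP secret "siteA" with the password "changeme", and the host reachable as host.example.net.

```routeros
# Added example, not the poster's config. Names below are assumptions:
# certificate "sstp-server-cert", secret "siteA"/"changeme", host.example.net.

# --- HOST (RB1100AHx2): turn PPTP off, bring SSTP up ---
/interface pptp-server server set enabled=no
/interface sstp-server server set enabled=yes certificate=sstp-server-cert authentication=mschap2 default-profile=default-encryption

# Reuse the existing secret so the remote-LAN route it carries in its
# "routes" field is still installed when the tunnel comes up.
/ppp secret set [find name="siteA"] service=sstp

# --- CLIENT (RB750GL): replace the pptp-client with an sstp-client ---
# verify-server-certificate=yes requires the host's CA cert in /certificate,
# otherwise an on-path attacker can terminate the TLS session themselves.
/interface sstp-client add name=sstp-out1 connect-to=host.example.net user=siteA password=changeme profile=default-encryption verify-server-certificate=yes disabled=no
```

The manually added static route back to 10.0.254.0/24 on each client must then point at sstp-out1 instead of the old pptp-out1 interface; nothing else in the routing picture changes.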
The issue is reproducible as well if I recreate the VPN tunnel using an SSTP connection.
So far my working theory is that when I have a remote site that gets its WAN IP via DHCP, for some reason it interferes with the VPN tunnel in one direction (from host LAN to guest LAN).
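The symptom in this thread (routers can ping across, LAN hosts on one side cannot) is the classic one-way-reachability pattern, and the checks below are an added troubleshooting set for it, not something from the original posts. The useful trick is that a plain /ping from a router sources from the tunnel's own address (the 10.99.99.0/24 range here), which is why router-to-LAN pings succeed even when a LAN host's pings fail; forcing the LAN address as the source reproduces the failure from the router. Assumed names and addresses: host LAN gateway 10.0.254.1, a remote LAN 192.168.1.0/24 with gateway 192.168.1.1 and a host 192.168.1.10, the client's tunnel interface "pptp-out1"; substitute the real ones.

```routeros
# Added checklist, not from the original posts. Assumed: host LAN gateway
# 10.0.254.1, remote LAN 192.168.1.0/24 (gateway 192.168.1.1, host .10),
# client tunnel interface "pptp-out1".

# --- On the HOST router (RB1100AHx2) ---

# 1. Reproduce the LAN host's failure from the router: source the ping from
#    the LAN address instead of the tunnel address.
/ping 192.168.1.10 src-address=10.0.254.1 count=4

# 2. Confirm the route the PPTP server installed for the remote LAN is
#    active and points at the dynamic PPTP interface.
/ip route print detail where dst-address=192.168.1.0/24

# --- On the CLIENT router (RB750GL, DHCP on ETH1/WAN) ---

# 3. Same check in the other direction, sourcing from the client's LAN.
/ping 10.0.254.10 src-address=192.168.1.1 count=4

# 4. See what the DHCP client does to the routing table on each lease
#    renewal (add-default-route, and whether the static route survives).
/ip dhcp-client print detail
/ip route print detail where dst-address=0.0.0.0/0
/ip route print detail where dst-address=10.0.254.0/24

# 5. Watch the tunnel while a host-LAN machine pings. Echo requests arriving
#    on pptp-out1 with no reply leaving means the problem is on this side
#    (firewall, NAT or return route); nothing arriving means it is on the host.
/tool sniffer quick interface=pptp-out1 ip-protocol=icmp

# 6. Firewall counters: a forward-chain drop or a masquerade rule that also
#    matches traffic to the tunnel will increment here while the ping runs.
/ip firewall filter print stats
/ip firewall nat print stats
/ip firewall connection print where dst-address~"192.168.1"
```

Run steps 1 and 3 first: whichever direction fails from the router with the LAN source address is the side to sniff in step 5, and comparing step 4's output on a working PPPoE site against a DHCP site shows whether the DHCP lease is replacing or outranking the manually added route.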