VPN disconnects

Hello,

I have a hAP ac2 with RouterOS 6.46.1 configured as a router over a PPPoE connection, and everything works perfectly.
Now I want to add another VPN connection - PPTP - to forward certain traffic over this VPN connection.

Problem: the PPTP connection establishes but disconnects after several seconds.

Debug logs:

....
07:07:03 pptp,ppp,info vpn: authenticated
07:07:03 pptp,ppp,debug vpn: IPCP lowerup
07:07:03 pptp,ppp,debug vpn: IPCP open
07:07:03 pptp,ppp,debug,packet  vpn: sent IPCP ConfReq id=0x13
07:07:03 pptp,ppp,debug,packet     <addr 0.0.0.0>
07:07:03 pptp,ppp,debug vpn: IPV6CP open
07:07:03 pptp,ppp,debug vpn: MPLSCP lowerup
07:07:03 pptp,ppp,debug vpn: MPLSCP open
07:07:03 pptp,ppp,debug,packet  vpn: sent MPLSCP ConfReq id=0xa
07:07:03 pptp,ppp,debug vpn: BCP open
07:07:03 pptp,ppp,debug vpn: CCP lowerup
07:07:03 pptp,ppp,debug vpn: CCP open
07:07:03 pptp,ppp,debug,packet  vpn: sent CCP ConfReq id=0xa
07:07:03 pptp,ppp,debug,packet     <mppe 1000040>
07:07:03 pptp,ppp,debug,packet  vpn: rcvd CCP ConfReq id=0x1
07:07:03 pptp,ppp,debug,packet     <mppe 1000040>
07:07:03 pptp,ppp,debug,packet  vpn: sent CCP ConfAck id=0x1
07:07:03 pptp,ppp,debug,packet     <mppe 1000040>
07:07:03 pptp,ppp,debug,packet  vpn: rcvd IPCP ConfReq id=0x1
07:07:03 pptp,ppp,debug,packet     <addr 10.121.192.1>
07:07:03 pptp,ppp,debug,packet  vpn: sent IPCP ConfAck id=0x1
07:07:03 pptp,ppp,debug,packet     <addr 10.121.192.1>
07:07:03 pptp,ppp,debug,packet  vpn: rcvd LCP ProtRej id=0x3
07:07:03 pptp,ppp,debug,packet      82 81
07:07:03 pptp,ppp,debug,packet  vpn: rcvd IPCP ConfNak id=0x13
07:07:03 pptp,ppp,debug,packet     <addr 10.121.246.67>
07:07:03 pptp,ppp,debug,packet  vpn: sent IPCP ConfReq id=0x14
07:07:03 pptp,ppp,debug,packet     <addr 10.121.246.67>
07:07:03 pptp,ppp,debug,packet  vpn: rcvd CCP ConfAck id=0xa
07:07:03 pptp,ppp,debug,packet     <mppe 1000040>
07:07:03 pptp,ppp,debug vpn: CCP opened
07:07:03 pptp,ppp,info vpn: using encoding - MPPE128 stateless
07:07:03 pptp,ppp,debug,packet  vpn: rcvd IPCP ConfAck id=0x14
07:07:03 pptp,ppp,debug,packet     <addr 10.121.246.67>
07:07:03 pptp,ppp,debug vpn: IPCP opened
07:07:03 pptp,ppp,info vpn: connected
07:07:07 pptp,ppp,debug,packet  vpn: rcvd LCP TermReq id=0x4
07:07:07 pptp,ppp,debug vpn: LCP closed
07:07:07 pptp,ppp,debug vpn: CCP lowerdown
07:07:07 pptp,ppp,debug vpn: CCP closed
07:07:07 pptp,ppp,debug vpn: BCP lowerdown
07:07:07 pptp,ppp,debug vpn: BCP down event in starting state
07:07:07 pptp,ppp,debug vpn: IPCP lowerdown
07:07:07 pptp,ppp,debug vpn: IPCP closed
07:07:07 pptp,ppp,debug vpn: IPV6CP lowerdown
07:07:07 pptp,ppp,debug vpn: IPV6CP down event in starting state
07:07:07 pptp,ppp,debug vpn: MPLSCP lowerdown
07:07:07 pptp,ppp,debug,packet  vpn: sent LCP TermAck id=0x4
07:07:07 pptp,ppp,debug vpn: LCP lowerdown
07:07:07 pptp,ppp,debug vpn: CCP close
07:07:07 pptp,ppp,debug vpn: BCP close
07:07:07 pptp,ppp,debug vpn: IPCP close
07:07:07 pptp,ppp,debug vpn: IPV6CP close
07:07:07 pptp,ppp,debug vpn: MPLSCP close
07:07:07 pptp,ppp,info vpn: terminating...
....

My guess is that the problem is related to “vpn: rcvd LCP ProtRej id=0x3”. I found the following link, http://pptpclient.sourceforge.net/howto-diagnosis.phtml#lcp_protrej_2, which assumes a problem with the VPN server configuration, which is unlikely as the same PPTP connection works on another MikroTik device (v 6.45.6) in a different location. I also tried L2TP (with an IPsec tunnel, according to the instructions from the VPN provider) and had the same symptoms.

The device has the following firewall rules (basically the default configuration):

0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; Add Syn Flood IP to the list
      chain=input action=add-src-to-address-list tcp-flags=syn connection-limit=30,32 protocol=tcp address-list=Syn_Flooder address-list-timeout=30m

 2    ;;; Drop to syn flood list
      chain=input action=drop src-address-list=Syn_Flooder

 3    ;;; Port Scanner Detect
      chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w

 4    ;;; Drop to port scan list
      chain=input action=drop src-address-list=Port_Scanner

 5    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 6    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 7    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 8    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

 9    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec

10    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec

11    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related

12    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked

13    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid

14    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

Does anyone have any clue what could be wrong?

For PPTP (server) you need to accept TCP port 1723 and the GRE (47) protocol in the input chain…

Thanks for the reply, but the issue is still there - after 4 seconds the connection terminates, with the same “rcvd LCP ProtRej id=0x3” in the log.
I changed the rules like this:

< same as above >

 8    chain=input action=accept protocol=tcp port=1723 

 9    chain=input action=accept protocol=gre 

10    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 
      
 < same as above >

I saw zero counters in the stats for rules 8 and 9 afterward.

Just to clarify: I have an active and masqueraded PPPoE connection while trying to connect PPTP, and there are no NAT/mangle rules for PPTP yet; I am just checking PPTP.

I just created a trial account on SaferVPN.com and added a PPTP connection with the same parameters as before (only with a different user/pass/connect-to) - the connection is up and running.
It looks like the original problem is related to the prior VPN provider…
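
Added example, not part of the thread: a small Python triage helper for the debug log in the first post. It reads the two bytes after the ProtRej line as a PPP protocol number, decodes the MPPE option bits per RFC 3078, and reports which side sent the first LCP TermReq. The function name and constants are hypothetical, and the sample lines are copied from that log.

```python
import re

# PPP protocol numbers (IANA PPP registry) for the control protocols named in the log.
PPP_PROTOCOLS = {0xC021: "LCP", 0x8021: "IPCP", 0x8057: "IPV6CP",
                 0x8031: "BCP", 0x80FD: "CCP", 0x8281: "MPLSCP"}
# MPPE "supported bits" from RFC 3078, section 2.1.
MPPE_BITS = {0x01000000: "stateless", 0x80: "56-bit", 0x40: "128-bit",
             0x20: "40-bit", 0x01: "MPPC compression"}
# Constructed sample: a subset of lines copied from the debug log in the first post.
SAMPLE_LOG = """\
07:07:03 pptp,ppp,debug,packet  vpn: sent CCP ConfReq id=0xa
07:07:03 pptp,ppp,debug,packet     <mppe 1000040>
07:07:03 pptp,ppp,debug,packet  vpn: rcvd LCP ProtRej id=0x3
07:07:03 pptp,ppp,debug,packet      82 81
07:07:03 pptp,ppp,info vpn: connected
07:07:07 pptp,ppp,debug,packet  vpn: rcvd LCP TermReq id=0x4
07:07:07 pptp,ppp,debug,packet  vpn: sent LCP TermAck id=0x4
"""

PACKET_RE = re.compile(r"^(\S+) \S+\s+\w+: (sent|rcvd) (\w+) (\w+) id=0x[0-9a-f]+$")
MPPE_RE = re.compile(r"<mppe ([0-9a-f]+)>")
HEX_RE = re.compile(r"^\S+ \S+\s+([0-9a-f]{2}) ([0-9a-f]{2})\s*$")

def triage(log):
    """Return rejected protocols, MPPE options seen, and who tore the link down."""
    result = {"rejected": [], "mppe": set(), "connected": None, "terminated_by": None}
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = MPPE_RE.search(line)
        if m:
            bits = int(m.group(1), 16)
            result["mppe"] |= {name for bit, name in MPPE_BITS.items() if bits & bit}
        if line.endswith("vpn: connected"):
            result["connected"] = line.split()[0]
        p = PACKET_RE.match(line)
        if not p:
            continue
        ts, direction, proto, code = p.groups()
        if (proto, code) == ("LCP", "ProtRej") and i + 1 < len(lines):
            h = HEX_RE.match(lines[i + 1])  # payload line carries the rejected protocol
            if h:
                number = int(h.group(1) + h.group(2), 16)
                result["rejected"].append(PPP_PROTOCOLS.get(number, hex(number)))
        if (proto, code) == ("LCP", "TermReq") and result["terminated_by"] is None:
            result["terminated_by"] = ("peer" if direction == "rcvd" else "local", ts)
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample lines this reports the rejected protocol as MPLSCP (bytes 82 81), the MPPE options as 128-bit stateless (matching the "using encoding - MPPE128 stateless" line), and the first TermReq as received from the peer at 07:07:07, four seconds after "connected".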