VPN..Problem..Problem...

ashisheitl · February 9, 2007, 12:41pm

Hello Guys,
Please Help me out to solve my VPN Configuration.
I have created VPN through PPTP. The Configuration Mentioned below.

VPN Server.

WAN IP - 59.160.X.X/27
LAN IP - 172.16.97.X/23

VPN Client

WAN IP - 202.160.X.X/29
LAN IP - 172.16.2.X/23

Tunnel IP

Server - 10.10.10.1
Client - 10.10.10.2

Now, The Tunnel is established.

Route Added

Server - dst-address=172.16.2.0/23 gateway=10.10.10.2
Client - dst-address=172.16.97.0/23 gateway=10.10.10.1

I Can Able to ping the VPN Client Network from VPN Server Network. But I cant able to ping VPN Server Network from Client Network, even i cant able tp ping 10.10.10.1.

Both side LAN arp=proxy-arp is configured.

What is wrong with this. Pl help me out.

Ashish.

janisk · February 9, 2007, 4:06pm

all traffic through tunnel?

ashisheitl · February 10, 2007, 3:24am

JaniX,

I need Both End Network can commuinicate through Tunnel.

I mean…172.16.96.0/23 to 172.16.2.0/23 through Tunnel and vice versa.

But i want to work on Internet at the same time.

Ashish.

mneumark · February 10, 2007, 8:23am

Can you post /export of your vpn setup including routes for it. That way we can see where you might of missed.

Suggestions:

Check to make sure ip address 10.10.10.x is added to interface for outgoing on both sides.
Check your routes.
Turn on proxy-arp on the interface you are trying to reach.

ashisheitl · February 10, 2007, 11:29am

SIR,

I SAID, My VPN Tunnel is established. BUT my packets are NOT going through TUNNEL.

The default gateway at bot end is WAN Gateway. and for LAN the gateway is Tunnel IP.

Ie.

SERVER Side : dst-address of Client LAN Network and Gateway is Client Tunnel IP. and Vice versa at Client Side.

Both End MT 2.9.27.

Proxy-Arp is already configured at both side LAN.

Ashish.

wildbill442 · February 11, 2007, 5:36am

It sounds like the routing table isn’t correct. Can you post your routing table from both mikrotiks?

You need to have a route in the VPN concentrator for the remote network, and a route in the VPN client router to the concentrators network. Since this is a PPTP link setup the PPP secret to create the route dynamically when the PPTP link is up.

You’ll still have to add a static route on the remote end. There’s no need for Proxy-ARP.

I have a similar PPTP link connecting a remote office to our main office. I can post the configs if need be.

Not sure what the 10.10.10.xxx network is used for, the VPN client end should be assigned an address from your 172.16.2.xx pool, and their should be a route from that address to the remote network and vise-versa.

This post may be a little confusing I have a sample config I can post later.

-bill

wildbill442 · February 11, 2007, 5:45am

PPTP Server routing table. The PPTP link has a statically assigned address through the PPP secrets and I just created static routes in the routing tables. You could also use the routes function in the PPP secrets to have the route added dynamically.

DST-ADDRESS PREF-SRC G GATEWAY DIS INTERFACE

0 ADC 66.xx.xx.xx/32 66.xx.xx.xx pppoe-out1
1 ADC 192.168.0.222/32 192.168.0.199 <pptp-user.remote>
2 ADC 192.168.0.0/24 192.168.0.1 LAN
3 A S ;;; Route to remote office
192.168.1.0/24 r 192.168.0.222 <pptp-user.remote>
4 AD 0.0.0.0/0 r 66.xx.xx.xx 1 pppoe-out1

the client end looks similar just reverse the routes.