Wed Jun 29, 2005 8:18 am
--------------------------------------------------------------------------------
I am running a couple of 2.8 firewalls, and I have a client PPTP VPN set up. I am able to connect from the outside via a Windows or OS/X PPTP client and get on the network, as well as inside via my WiFi interface.
However, it does not work when I am connecting from behind my MT firewall nor any of my customers' other home firewalls. It does work from behind the cheap Netgear box at my local coffee shop.
Any ideas? Should I switch to L2TP or IPSEC? Is there a firewall setting that makes NAT traversal more reliable?
Will send configs/logs as needed.
Thanks,
John
sten
Joined: 01 Jun 2004
Posts: 157
Location: Moss, Norway
Posted: Wed Jun 22, 2005 12:09 am Post subject:
--------------------------------------------------------------------------------
A properly configured MT router should work. At home you don't say if you are NATing or not, but either way it should work. You don't say what kind of PPTP server you are using. Do you have PPTP enabled in Firewall->Ports?
On to topic. PPTP is generally easier to get through firewalls than IPSec. L2TP however should go straight through (the easiest), unless it's been specifically firewalled out. However Microsoft's L2TP implementation wants to run with IPSec. I guess you could modify it to not use IPSec encryption on the L2TP tunnel using the registry or something. (Try googling it.)
arclight
Joined: 21 Jun 2005
Posts: 2
Location: Los Angeles, CA
Posted: Thu Jun 23, 2005 12:15 am Post subject: MT config for PPTP
--------------------------------------------------------------------------------
When I connect from outside my firewall, everything works and I get authenticated almost immediately. From inside my FW or my customer's home WiFi LAN, it hangs on "verifying username and password" and ends up with Microsoft error 619, if connecting from Windows XP.
Here are my configurations on the PPTP server:
[admin@MikroTik] interface pptp-server> pri det
Flags: X - disabled, D - dynamic, R - running
0 name="pptp-in1" user=""
# NAME PORTS
0 ftp 21
1 pptp
2 gre
3 X h323
4 mms
5 irc 6667
6 quake3
7 X tftp 69
[admin@MikroTik] ppp profile> pri
Flags: * - default
0 * name="default" local-address=0.0.0.0 remote-address=0.0.0.0
session-timeout=0s idle-timeout=0s use-compression=yes
use-vj-compression=no use-encryption=yes require-encryption=yes
only-one=no change-tcp-mss=yes tx-bit-rate=0 rx-bit-rate=0
incoming-filter="" outgoing-filter="" dns-server=4.2.2.1 wins-server=""
0 name="user1" service=pptp caller-id="" password="password123" profile=default
local-address=192.168.1.254 remote-address=192.168.1.241 routes=""
limit-bytes-in=0 limit-bytes-out=0
1 name="user2" service=pptp caller-id="" password="password123" profile=default
local-address=192.168.1.254 remote-address=192.168.1.240 routes=""
limit-bytes-in=0 limit-bytes-out=0
[admin@MikroTik] ip firewall rule input> pri
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow all incoming traffic on local LAN.
src-address=192.168.1.0/24 in-interface=!public action=accept
1 ;;; Allow PPTP to firewall.
dst-address=4.3.211.111/32 protocol=gre action=accept
0 ;;; Allow firewall services out to LAN.
src-address=192.168.1.254/32 dst-address=192.168.1.0/24
out-interface=!public action=accept
1 ;;; Allow outbound FW VPN traffic.
src-address=4.3.211.111/32 out-interface=public protocol=gre
action=accept
2 src-address=4.3.211.111/32:1723 out-interface=public protocol=tcp
action=accept
Any ideas?
John
randyloveless
Joined: 30 Sep 2004
Posts: 221
Location: california
Posted: Mon Jun 27, 2005 7:49 am Post subject:
--------------------------------------------------------------------------------
I have the same issue on this. It works from most other routers to our MT router, but we have a couple of satellite connections that for the life of me won't connect. They do, 1 out of 50 times maybe. Tried changing MTU, no luck. I am also getting the same 619 error.
sten
Joined: 01 Jun 2004
Posts: 157
Location: Moss, Norway
Posted: Mon Jun 27, 2005 12:54 pm Post subject:
--------------------------------------------------------------------------------
Could be that one end does not set the correct GRE session id. This was the case for the longest time with poptop which apparently many have based their code on.
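To make the GRE call-ID point concrete: PPTP negotiates a Call ID for each side over the TCP 1723 control channel, and a NAT or conntrack helper then only forwards GRE packets whose Call ID it learned there, so a peer that stamps GRE with the wrong ID gets dropped. The following is an added illustration written for this thread (not MikroTik code and not from any poster); it parses a PPTP Outgoing-Call-Reply and enhanced GRE headers per RFC 2637, with constructed sample packets and hypothetical Call ID values.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D        # magic cookie in every PPTP control message
OUTGOING_CALL_REPLY = 8        # control message type that carries both Call IDs
GRE_PPP_PROTO = 0x880B         # protocol type in enhanced GRE (PPP payload)

def parse_outgoing_call_reply(msg: bytes):
    """Return (call_id, peer_call_id) from an Outgoing-Call-Reply (RFC 2637 2.8)."""
    (_len, msg_type, magic, ctrl_type, _res, call_id, peer_call_id, result,
     err, _cause, _speed, _win, _delay, _chan) = struct.unpack(">HHIHHHHBBHIHHI", msg[:32])
    if magic != PPTP_MAGIC or msg_type != 1 or ctrl_type != OUTGOING_CALL_REPLY:
        raise ValueError("not a PPTP Outgoing-Call-Reply")
    if result != 1:                      # 1 = Connected; anything else is a rejected call
        raise ValueError(f"call rejected: result={result} error={err}")
    return call_id, peer_call_id

def parse_enhanced_gre(pkt: bytes):
    """Parse the enhanced GRE header used by the PPTP data channel (RFC 2637 4.1)."""
    flags, ver_byte, proto, length, call_id = struct.unpack(">BBHHH", pkt[:8])
    if proto != GRE_PPP_PROTO or (ver_byte & 0x07) != 1 or not flags & 0x20:
        raise ValueError("not PPTP enhanced GRE (need K=1, version 1, proto 0x880B)")
    off, seq, ack = 8, None, None
    if flags & 0x10:                     # S bit: sequence number present
        seq = struct.unpack(">I", pkt[off:off + 4])[0]; off += 4
    if ver_byte & 0x80:                  # A bit: acknowledgment number present
        ack = struct.unpack(">I", pkt[off:off + 4])[0]; off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": pkt[off:off + length]}

def build_gre(call_id: int, payload: bytes, seq=None, ack=None) -> bytes:
    """Build an enhanced GRE packet; used here only to construct sample traffic."""
    flags = 0x20 | (0x10 if seq is not None else 0)
    ver = 0x01 | (0x80 if ack is not None else 0)
    hdr = struct.pack(">BBHHH", flags, ver, GRE_PPP_PROTO, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack(">I", seq)
    if ack is not None:
        hdr += struct.pack(">I", ack)
    return hdr + payload

def classify(reply_msg: bytes, gre_pkts):
    """Mimic a NAT/conntrack helper: learn both Call IDs from the control channel,
    then pass only GRE packets whose Call ID was negotiated there."""
    known = set(parse_outgoing_call_reply(reply_msg))
    return ["ok" if parse_enhanced_gre(p)["call_id"] in known else "drop: unknown call id"
            for p in gre_pkts]

# Constructed sample: server Call ID 0x0102, client (peer) Call ID 0x0203, result=1 (Connected).
SAMPLE_REPLY = struct.pack(">HHIHHHHBBHIHHI", 32, 1, PPTP_MAGIC, OUTGOING_CALL_REPLY, 0,
                           0x0102, 0x0203, 1, 0, 0, 10_000_000, 64, 0, 0)
LCP_FRAME = b"\xff\x03\xc0\x21"   # constructed PPP/LCP payload stub
SAMPLE_GRE = [build_gre(0x0102, LCP_FRAME, seq=1),          # client -> server, correct ID
              build_gre(0x0203, LCP_FRAME, seq=1, ack=1),   # server -> client, correct ID
              build_gre(0x0000, LCP_FRAME, seq=2)]          # wrong ID: the failure sten describes
```

Running `classify(SAMPLE_REPLY, SAMPLE_GRE)` yields `["ok", "ok", "drop: unknown call id"]`, which is the silent drop that shows up as a hang at "verifying username and password" when a helper in the path tracks Call IDs.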
randyloveless
Joined: 30 Sep 2004
Posts: 221
Location: california
Posted: Mon Jun 27, 2005 7:06 pm Post subject:
--------------------------------------------------------------------------------
sten
I am going to change out the Linksys router that I am having an issue with and see if this fixes the issue. But is there a workaround for this or not?
Randy