I found (at least part of) the problem -
at the remote site, or a Cisco PIX
will create that behavior:
PC -----NAT ------LINKSYS or Cisco PIX
...even with VPN pass-thru enabled on the "home" device.
So far, I have established that the problem goes away with:
- netgear router
- Verizon-branded router
- DD-WRT (same "linksys" hardware that was causing a problem; so it's not the hardware, but rather the firmware)
The error occurs at the "verifying username / password" stage - therefore, it seems the GRE protocol is at fault, not correctly being passed through the MikroTik, even with a specific dstnat (redirect) of GRE (protocol 47).
Do "Cisco-based" firmwares somehow encapsulate GRE differently than other routers? Let me repeat that if, instead of a MikroTik, I use a Linksys (just for testing), then the redirect works well - so it's not the way the "home router" encapsulates the GRE traffic as much as the way the MikroTik "recognizes" that kind of encapsulation? Hm -- that's for someone more qualified than me to answer...
For now, since I didn't want to start policing which "soho house router" my remote users bought, I personally did this to fix the problem (regardless of the brand of router used on the other end):
- Set up the RB450G as PPTP server
- Use RADIUS against the internal RRAS server for authentication (IAS) - this maintains single sign-on
(I'll create a "how to" document if someone is interested?)
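The two steps listed above, written out as an added RouterOS configuration example (not the poster's own config, and not the promised "how to"). The RADIUS server address, shared secret, address pool, LAN subnet and WAN interface name are assumed placeholders.

```routeros
# Added example, not from the original post. Assumed placeholders:
#   10.0.0.5        = internal RRAS/IAS server acting as RADIUS
#   192.168.89.0/24 = pool handed to PPTP clients
#   ether1          = WAN interface of the RB450G

# 1. Address pool and PPP profile for remote users
/ip pool add name=pptp-pool ranges=192.168.89.10-192.168.89.50
/ppp profile add name=pptp-profile local-address=192.168.89.1 remote-address=pptp-pool

# 2. Terminate PPTP on the MikroTik itself. Because the tunnel now ends here,
#    no dstnat redirect of GRE (protocol 47) to an inside host is needed.
/interface pptp-server server set enabled=yes default-profile=pptp-profile authentication=mschap2

# 3. Hand PPP authentication to the internal IAS server (keeps single sign-on)
/radius add service=ppp address=10.0.0.5 secret=CHANGE-ME-SHARED-SECRET
/ppp aaa set use-radius=yes

# 4. Accept PPTP control (TCP 1723) and GRE from the WAN on the input chain.
#    These must sit above any generic "drop" rule on the input chain.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1723 action=accept comment="PPTP control"
/ip firewall filter add chain=input in-interface=ether1 protocol=gre action=accept comment="PPTP GRE"
```

With this in place, `/ppp active print` on the RB450G shows the authenticated remote users, and a failed RADIUS lookup appears in `/log print` rather than as a GRE pass-through failure at the "verifying username / password" stage.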