
 
pbcconsulting
just joined
Topic Author
Posts: 6
Joined: Tue Jan 25, 2011 5:19 am

PPTP VPN "iffy"

Tue Jan 25, 2011 5:51 am

Hello -

I'm having a peculiar problem - I have a RB450G running RouterOS 4.11.

This router is the main router for this company I support. They have an internal Microsoft RRAS server to terminate VPN traffic.

1) The RB450G is natted with 2 x dstnat:

- PPTP (1723) to the internal RRAS server
- GRE to the same RRAS server

2) The IP Firewall accepts (input) both PPTP and GRE

Situation:

- Some people can connect without any problems
- Some people can connect, but then after 1-2 minutes it drops
- some people cannot connect at all.

I initially suspected either user's routers or ISP - But as it turns out, if I replace the RB450G by a generic linksys with NAT forward 1723 and PPTP pass-thru enabled, it works perfectly for everyone! :?

ANY suggestion welcome.

Thanks -
 
Inssomniak
Member
Posts: 326
Joined: Fri Apr 13, 2007 11:21 pm

Re: PPTP VPN "iffy"

Mon Jan 31, 2011 3:21 am

You made sure that under service ports the PPTP was enabled and port set?
 
dssmiktik
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: PPTP VPN "iffy"

Mon Jan 31, 2011 9:41 am

I'm running v4.13, with PPTP tunnel to Windows 7 client.

After about 1 min of inactivity the PPTP connection will have completely lost any activity.

If a client connects, and within 1min, I start a ping, no problems, connection will work fine until idle time reaches 1min again, then all activity is lost again.
Basically, what I was finding was: if idle time exceeded 1min on a pptp connection, all communication was "silently dropped" by the router.

To solve this, I run a script on the server (Mikrotik RouterOS) every 45sec (< 1min) to ping out the pptp interface(s), and it seems to work great, so far connections have been up for weeks without any problems.

Not sure if this is related, but it helped me.
I looked over the debug logs, and I'm trying to determine what the root cause is, but the logs don't show much. I haven't reported this to support yet, because I'm trying to gather more data, and run some more tests.

Let me know what you find out.
Doug
 
pbcconsulting
just joined
Topic Author
Posts: 6
Joined: Tue Jan 25, 2011 5:19 am

Re: PPTP VPN "iffy"

Tue Feb 01, 2011 8:24 am

I found (at least part of) the problem -

A Linksys at the remote site, or a Cisco PIX will create that behavior:

PC -----NAT ------LINKSYS or Cisco PIX-----------------Internet -------------MikroTik---------NAT---------RRAS

...even with VPN pass-thru enabled on the "home" device.

So far, I have established that the problem goes away with:

- netgear router
- Verizon-branded router
- DD-WRT (same "linksys" hardware that was causing a problem; so it's not the hardware, but rather the firmware)

The error occurs at the "verifying username / password" stage - therefore, it seems the GRE protocol is at fault, not correctly being passed through the MikroTik, even with a specific dstnat (redirect) of GRE (protocol 47).

Do "Cisco-based" firmwares somehow encapsulate GRE differently than other routers? Let me repeat that if, instead of a MikroTik, I use a linksys (just for testing), then the redirect works well - so it's not the way the "home router" encapsulates the GRE traffic as much as the way the MikroTik "recognizes" that kind of encapsulation? Hm -- That's for someone more qualified than me to answer...

For now, since I didn't want to start policing which "soho house router" my remote users bought, I personally did this to fix the problem (regardless of the brand of router used on the other end):

- Setup the RB450G as PPTP server
- Use RADIUS against the internal RRAS server for authentication (IAS) - this maintains single sign-on :)

(I'll create a "how to" document if someone is interested?)
 
nebajoth
just joined
Posts: 2
Joined: Tue Oct 19, 2010 10:11 pm

Re: PPTP VPN "iffy"

Tue Feb 01, 2011 7:13 pm

This is also happening to me. External clients cannot reach an internal Windows 2003 Server running the VPN.
 
pbcconsulting
just joined
Topic Author
Posts: 6
Joined: Tue Jan 25, 2011 5:19 am

Re: PPTP VPN "iffy"

Wed Feb 02, 2011 5:41 pm

I can confirm that the issue doesn't happen if the following router brands (at least the models tested) are used at the tunnel origin:

- Netgear
- DD-WRT
- Verizon-branded ActionTec
- SpeedTouch

So far, only Cisco-based firmware causes issues (linksys WRT54G v6 latest firmware, and PIX 501 old firmware - both confirmed to cause issues.)
 
wildbill442
Forum Guru
Posts: 1050
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Re: PPTP VPN "iffy"

Wed Feb 02, 2011 7:04 pm

Make sure the helper in the firewall is enabled:
/ip firewall service-port enable pptp
Also I see you've DST-NAT'd the ports, but did you SRC-NAT them back out the public interface?
William Burnett
Network Engineer
 
pbcconsulting
just joined
Topic Author
Posts: 6
Joined: Tue Jan 25, 2011 5:19 am

Re: PPTP VPN "iffy"

Wed Feb 02, 2011 7:45 pm

@wildbill442 -

Others will need to answer this, as I have already moved to stop the redirection, and instead configured the RB as PPTP server with RADIUS (as mentioned earlier). It works well and now I just want to leave my (very happy) users alone ;-)
 
wildbill442
Forum Guru
Posts: 1050
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Re: PPTP VPN "iffy"

Wed Feb 02, 2011 8:04 pm

Yeah that's what I did in the past.. It's been a while since I've needed to forward PPTP through to an internal RAS.
William Burnett
Network Engineer
 
graham
just joined
Posts: 1
Joined: Tue Feb 14, 2012 12:07 am

Re: PPTP VPN "iffy"

Tue Feb 14, 2012 12:32 am

I'm not certain if this is the most recent discussion on this, but I'm having this exact same issue with my RB750GL. I was hoping to replace my old Netopia router with a Mikrotik, but I did and now I have 2 people that can't connect to my pptp vpn. Both people are using Comcast SMC Business Gateways as their routers. Not sure if I'll run into other routers with the same issue, but I can't just hope for the best. I have to switch away from Mikrotik unless there's a solution. I have many other people working fine through the existing RB750GL dst-natting to a Server 2008 VPN server.

I use SSTP when possible, but it's not always possible for everyone. I do not want to run the vpn server on the Mikrotik.
 
imcon
just joined
Posts: 1
Joined: Thu Mar 29, 2012 12:40 pm

Re: PPTP VPN "iffy"

Mon Apr 02, 2012 7:27 pm

Recently I changed the old SOHO router (D-Link) with a Mikrotik and now I have the same problem. No way to enable passthrough for my VPN.

PC - internet - Mikrotik - VPN(Synology) - LAN

The connection cannot be established.
The Firewall NAT configuration:
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway

1 ;;; PPTP-SynoDS210 VPN
chain=dstnat action=dst-nat to-addresses=192.168.1.21 to-ports=1723 protocol=tcp dst-port=1723

3 ;;; PPTP-SynoDS210 VPN
chain=dstnat action=dst-nat to-addresses=192.168.1.21 protocol=gre
The Firewall Filter configuration:
0 ;;; default configuration
chain=input action=accept protocol=icmp

1 ;;; default configuration
chain=input action=accept connection-state=established

2 chain=forward action=accept connection-state=established

3 ;;; default configuration
chain=input action=accept connection-state=related

4 chain=forward action=accept tcp-flags=fin protocol=tcp src-address=0.0.0.0

5 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway


I'd like to use our Synology as VPN server therefore any help appreciated.
The alternative is to use Mikrotik as VPN server.
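A configuration audit for the `/ip firewall nat print` style listing quoted above, added here as an example and not code from any poster or from MikroTik: it parses the print-style rule listing and checks that the dst-nat pair PPTP depends on (TCP/1723 for the control channel plus GRE for the data channel) exists and points at one internal host. The sample listings are constructed from the rules in this post, and the finding about scoping rules with in-interface or dst-address assumes a single WAN interface.

```python
import re

# Constructed sample in the "/ip firewall nat print" style quoted in the thread
# (rule numbers, ';;;' comments and key=value pairs); not a capture from a real router.
SAMPLE_NAT = """\
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway

1 ;;; PPTP-SynoDS210 VPN
chain=dstnat action=dst-nat to-addresses=192.168.1.21 to-ports=1723 protocol=tcp dst-port=1723

3 ;;; PPTP-SynoDS210 VPN
chain=dstnat action=dst-nat to-addresses=192.168.1.21 protocol=gre
"""

# Same listing with the GRE rule missing: a half-configured PPTP forward (constructed).
SAMPLE_NAT_NO_GRE = "\n".join(SAMPLE_NAT.splitlines()[:5]) + "\n"

KV_RE = re.compile(r"(\S+?)=(\S+)")


def parse_rules(listing):
    """Turn a RouterOS print-style listing into one dict per rule (its key=value pairs plus '_num')."""
    rules, number = [], None
    for raw in listing.splitlines():
        line = raw.split(";;;", 1)[0].strip()      # drop the ';;;' comment text
        m = re.match(r"^(\d+)\s*(.*)$", line)
        if m:                                       # rule number, possibly followed by its pairs
            number, line = int(m.group(1)), m.group(2)
        pairs = dict(KV_RE.findall(line))
        if pairs:
            pairs["_num"] = number
            rules.append(pairs)
    return rules


def check_pptp_forwarding(nat_listing):
    """Audit the dst-nat pair PPTP needs: TCP/1723 (control) and GRE/47 (data), both to one host."""
    findings = []
    dstnat = [r for r in parse_rules(nat_listing)
              if r.get("chain") == "dstnat" and r.get("action") == "dst-nat"]
    tcp = [r for r in dstnat if r.get("protocol") == "tcp" and r.get("dst-port") == "1723"]
    gre = [r for r in dstnat if r.get("protocol") in ("gre", "47")]
    if not tcp:
        findings.append("no dst-nat for TCP/1723: PPTP control channel never reaches the server")
    if not gre:
        findings.append("no dst-nat for GRE: tunnel stalls at 'verifying username/password'")
    targets = {r.get("to-addresses") for r in tcp + gre}
    if len(targets) > 1:
        findings.append("TCP/1723 and GRE go to different hosts: %s" % sorted(targets))
    for r in tcp + gre:
        # An unscoped rule also rewrites LAN-originated traffic; scope it to the WAN side (assumed single WAN).
        if "in-interface" not in r and "dst-address" not in r:
            findings.append("rule %s: add in-interface=<WAN> or dst-address=<public IP>" % r["_num"])
    return findings
```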
