edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Road warrior's VPN?

Thu Mar 11, 2010 7:49 am

Here's the problem: need to VPN into my LAN from Windows laptop while traveling.
Laptop's IP is unpredictable - airport, hotel, etc; 'home LAN' is on MT, behind dynamic DNS (dnsmadeeasy.com)

I searched for the recipe, but most examples are dedicated to permanent VPN setups between two routers.

How do I set up a VPN server on MT for that?
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Road warrior's VPN?

Thu Mar 11, 2010 5:18 pm

Guys, please help - I need to set it up before I leave!
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Road warrior's VPN?

Thu Mar 11, 2010 5:30 pm

You haven't even posted what kind of VPN you want to use.
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Road warrior's VPN?

Thu Mar 11, 2010 5:34 pm

fewi wrote:
You haven't even posted what kind of VPN you want to use.
I mentioned Windows laptop
I don't have many choices there :)
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Road warrior's VPN?

Thu Mar 11, 2010 5:54 pm

Sure you do. IPsec/L2TP and PPTP are built in, there's clients for pure IPsec and OpenVPN.

Below a wiki guide for IPsec/L2TP:
http://wiki.mikrotik.com/wiki/MikroTik_ ... IPSec/L2TP
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Road warrior's VPN?

Thu Mar 11, 2010 6:13 pm

I saw this, my problem is with local-address=1.1.1.1 remote-address=1.1.1.2

Remote address isn't known, but the guide says I can use 0.0.0.0

But what should I do about the local address - it's a dynamic IP. I have dynDNS, but I don't see how I can apply it here.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Road warrior's VPN?

Thu Mar 11, 2010 6:20 pm

Local and remote addresses are for VPN connection. So you can set some unused address from LAN subnet as remote (client will get this address) and anything as local (client will use it as gateway). Then enable proxy-arp on LAN interface and computer connected using VPN will appear as part of LAN. Also in IPSec settings, instead of 0.0.0.0 you must use 0.0.0.0/0.
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Road warrior's VPN?

Thu Mar 11, 2010 6:44 pm

Good, now the dots are connecting... slowly but surely.

Thanks a lot!
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Road warrior's VPN?

Fri Mar 12, 2010 4:13 pm

The "Adjusting IPSec settings" part is written for Windows XP. On Windows 7 security settings are arranged in different way, and some options are not there. I followed the instructions as much as I could, but it doesn't connect.

Has anyone made it work with Win7?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Road warrior's VPN?

Fri Mar 12, 2010 8:40 pm

I skipped "Adjusting IPSec settings" completely and it worked on both XP and Win7. Well, not always, a few times it didn't want to connect for unknown reason and I wasn't able to make it work through NAT at all.
If it doesn't work for you, there are other options. You may try PPTP. Just enable it in RoS, change "service" in secret if you don't have "any" and change VPN type on Windows, if you don't have automatic selection.
Or there is also OpenVPN (http://wiki.mikrotik.com/wiki/OpenVPN). For that you'd need ssl certificate and additional client software for Windows.
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Road warrior's VPN?

Fri Mar 12, 2010 9:05 pm

That doesn't sound good. I never had such problems when I had to VPN from a Windows PC to the office at my last workplaces. Not sure what they used server-side, but it was always zero-config on my (client) side. Why isn't it possible with Mikrotik?

Then I'll try from another direction: what is the most reliable way to VPN from a NAT-ed Windows 7 laptop to a NAT-ed MT? I don't mind installing client software or certificates as long as it works reliably.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Road warrior's VPN?

Fri Mar 12, 2010 9:46 pm

My favorite is OpenVPN. It needs exactly one open port on server and nothing else. As long as NATs allow access to this one port, it has no problems with them. In worst case, it can work even using HTTP proxy.
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Road warrior's VPN?

Wed Mar 17, 2010 5:57 pm

I can connect with PPTP from within LAN, but from outside it displays "Device connected" momentarily, and then fails with "Cannot connect" right after.
I suppose I have to change firewall settings, but I'm not sure what ARP proxy does here. I have ether1 as WAN and ether2 as LAN. Most of my rules for local traffic have in-interface=ether2 clause, and apparently PPTP comes via WAN (ether1) interface. On the other side it's supposed to mimic local connection, isn't it?
What should I change in firewall - remove in-interface conditions altogether, or it's something else I need to check?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Road warrior's VPN?

Wed Mar 17, 2010 6:46 pm

Proxy ARP: Let's say you have internal network 192.168.10.0/24. On your LAN interface you have 192.168.10.1 and other local computers use it as gateway. You want your VPN client to appear as part of 192.168.10.0/24 network, so you set its remote address to 192.168.10.200.
From the client side it's easy, because the connection with server is point to point (netmask /32) and when client wants to access other computers in 192.168.10.0/24 network, it does that using normal routing via gateway which is what you set as local ip on VPN server.
The other way is different. If computer in internal network wants to access some other computer in the same subnet, it assumes that it's directly reachable using ARP. But VPN client is not, because it's behind the router. But if you enable proxy-arp on router's LAN interface, it'll reply on behalf of client and then forward the traffic to it and the other computer won't see the difference.

Via WAN interface comes the VPN connection. For PPTP it's TCP port 1723 and GRE protocol and they're going to the external IP of the router and it must accept them. It's input chain of WAN interface.
Once the connection is established, data between client and internal network travel between LAN and PPTP-client interface, so you need to set up your firewall to allow that.
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Road warrior's VPN?

Wed Mar 17, 2010 10:20 pm

Sob wrote:
Once the connection is established, data between client and internal network travel between LAN and PPTP-client interface, so you need to set up your firewall to allow that.
Thanks! I hate to ask silly questions, but it happens a lot lately :)
You mean I'm supposed to see something named as "PPTP-client" interface in the interface list? Or you mean WAN interface is the "PPTP-client interface"?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Road warrior's VPN?

Wed Mar 17, 2010 10:58 pm

You'll see a new interface. You can create it yourself for a specific user by adding a new "PPTP Server" in the Interfaces window and name it anything you want (and fill in the User field). Or you can let RoS create it dynamically and in that case it will be named "<pptp-username>". For setting up persistent firewall rules I believe the first one is what you need.
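Putting Sob's two explanations together (proxy-ARP plus the input and forward firewall rules, and a static PPTP interface per user) as one configuration, added here as an example that is not from the thread or from MikroTik's documentation. It assumes RouterOS v6-style command syntax, the thread's ether1 = WAN, ether2 = LAN and 192.168.10.0/24 layout, and a placeholder user name and password.

```routeros
# Added example (not from the thread): road-warrior PPTP server on RouterOS.
# Assumptions: v6-style syntax, ether1 = WAN, ether2 = LAN, LAN = 192.168.10.0/24,
# user "roadwarrior" and its password are placeholders.

# 1. Enable the PPTP server and restrict authentication to MS-CHAPv2.
/interface pptp-server server set enabled=yes authentication=mschap2

# 2. One secret per road warrior. local-address is the gateway the client will
#    route through; remote-address is an unused LAN address the client receives.
/ppp secret add name=roadwarrior password=CHANGE-ME service=pptp \
    local-address=192.168.10.1 remote-address=192.168.10.200

# 3. Static PPTP interface bound to that user, so firewall rules can reference
#    a fixed name instead of the dynamically created "<pptp-roadwarrior>".
/interface pptp-server add name=pptp-roadwarrior user=roadwarrior

# 4. Proxy-ARP on the LAN interface: the router answers ARP requests for
#    192.168.10.200 on behalf of the VPN client and forwards the traffic.
/interface ethernet set ether2 arp=proxy-arp

# 5. Input chain on the WAN interface: the PPTP control channel (TCP/1723) and
#    the GRE data channel both terminate on the router's public address.
#    place-before=0 puts them ahead of any "drop invalid" / catch-all drop rule;
#    with GRE blocked, the thread's log showed LCP ConfReq timeouts.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp \
    dst-port=1723 action=accept comment="PPTP control" place-before=0
/ip firewall filter add chain=input in-interface=ether1 protocol=gre \
    action=accept comment="PPTP GRE" place-before=0

# 6. Forward chain: once the tunnel is up, client traffic travels between the
#    PPTP interface and ether2, never via ether1, so rules that match only
#    in-interface=ether2 will not see the VPN side of the conversation.
/ip firewall filter add chain=forward in-interface=pptp-roadwarrior \
    out-interface=ether2 action=accept comment="VPN -> LAN"
/ip firewall filter add chain=forward in-interface=ether2 \
    out-interface=pptp-roadwarrior action=accept comment="LAN -> VPN"
```

The data channel is GRE, which some client-side NATs do not pass, so Sob's fallback to L2TP/IPsec or OpenVPN still applies; PPTP's MS-CHAPv2 authentication is also no longer considered strong, so the OpenVPN route is the more robust choice today.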
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Road warrior's VPN?

Fri Mar 19, 2010 2:25 am

Still struggling to make it work from outside...
Here's the trace - any ideas?
14:28:36 pptp,info TCP connection established from 22.111.333.44 
14:28:36 pptp,ppp,info <pptp-0>: waiting for call... 
14:28:36 pptp,debug,packet sent Set-Link-Info to 22.111.333.44 
14:28:36 pptp,debug,packet     peers-call-id=26080 
14:28:36 pptp,debug,packet     send-accm=0xffffffff 
14:28:36 pptp,debug,packet     receive-accm=0xffffffff 
14:28:37 pptp,ppp,debug <22.111.333.44>: LCP timer 
14:28:37 pptp,ppp,debug,packet  <22.111.333.44>: sent LCP ConfReq id=0x1 
14:28:37 pptp,ppp,debug,packet    <mru 1460> 
14:28:37 pptp,ppp,debug,packet    <magic 0x623a72f5> 
14:28:37 pptp,ppp,debug,packet    <auth  mschap2> 
14:28:38 pptp,ppp,debug <22.111.333.44>: LCP timer 
14:28:38 pptp,ppp,debug,packet  <22.111.333.44>: sent LCP ConfReq id=0x2 
14:28:38 pptp,ppp,debug,packet    <mru 1460> 
14:28:38 pptp,ppp,debug,packet    <magic 0x623a72f5> 
14:28:38 pptp,ppp,debug,packet    <auth  mschap2> 
14:28:39 pptp,ppp,debug <22.111.333.44>: LCP timer 
14:28:39 pptp,ppp,debug,packet  <22.111.333.44>: sent LCP ConfReq id=0x3 
14:28:39 pptp,ppp,debug,packet    <mru 1460> 
14:28:39 pptp,ppp,debug,packet    <magic 0x623a72f5> 
14:28:39 pptp,ppp,debug,packet    <auth  mschap2> 
14:28:42 pptp,ppp,debug <22.111.333.44>: LCP timer 
14:28:42 pptp,ppp,debug <22.111.333.44>: LCP timeout sending ConfReq 
14:28:42 pptp,ppp,debug <22.111.333.44>: LCP lowerdown 
14:28:42 pptp,ppp,info <pptp-0>: terminating... 
14:28:42 pptp,ppp,info <pptp-0>: terminating... 
14:28:42 pptp,ppp,debug <22.111.333.44>: LCP lowerdown 
14:28:42 pptp,ppp,debug <22.111.333.44>: LCP down event in starting state 
14:28:42 pptp,ppp,info <pptp-0>: disconnected 
14:28:42 pptp,ppp,info <pptp-0>: disconnected 
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Road warrior's VPN?

Fri Mar 19, 2010 5:30 pm

I got exactly the same messages when I blocked GRE.

Try to add the following rule at the beginning of filter rules list:

/ip firewall filter add action=accept chain=input disabled=no protocol=gre
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Road warrior's VPN?

Fri Mar 19, 2010 6:19 pm

I'll try, thanks.

I have "drop invalid connections" in the very beginning - can it be the reason, should I move all "drop" rules to the end of the input and forward chains?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Road warrior's VPN?

Fri Mar 19, 2010 10:45 pm

I think GRE for PPTP could be "related" connection, but I didn't test it. Anyway, try to add the rule for allowing incoming GRE as the first one just for now. Test the connection and it should work. And you can fine tune it later.

But it's also possible that GRE is blocked on the other end. It can happen if client is behind some really stupid NAT.
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Road warrior's VPN?

Mon Mar 22, 2010 4:02 pm

I had both gre and pptp port accepted in input chain... Still doesn't work.

Log says: "LCP timeout sending ConfReq". What's that? Is it inbound or outbound, same port?

I thought this issue might be related to my other question here - for some reason I have a lot of unaccounted ACK packets, eventually dropped because they aren't caught by established or related rules.
http://forum.mikrotik.com/viewtopic.php ... 79#p199379

Could be "ConfReq" falls under the same problem?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Road warrior's VPN?

Mon Mar 22, 2010 6:09 pm

As I wrote, it can also be GRE problem at client side. Do you connect from behind the NAT? Unfortunately some NATs have problems with GRE. Can you try connecting from public address?

I googled up the following, it's not specifically about RouterOS, but it describes several outgoing ConfReqs without reply as problem with GRE: http://pptpclient.sourceforge.net/howto ... _no_gre_rx

About the ACK packets, I can't say anything for sure. I see them sometimes in my networks too. I guess it's possible that sometimes more of them are sent and the stateful firewall takes only the first one as valid. But I don't think it's related to your PPTP problems.
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Road warrior's VPN?

Wed Mar 24, 2010 9:33 pm

So I gave up on gre for the meanwhile, and decided to try IPSec again

This is what I'm getting... any advice?
15:23:22 ipsec respond new phase 1 negotiation: 70.80.88.144[500]<=>24.113.235.32[12835]
15:23:22 ipsec begin Identity Protection mode.
15:23:22 ipsec received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
15:23:22 ipsec received Vendor ID: RFC 3947
15:23:22 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
15:23:22 ipsec
15:23:22 ipsec received Vendor ID: FRAGMENTATION
15:23:22 ipsec invalid DH group 20.
15:23:22 ipsec invalid DH group 19.
15:23:22 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
15:23:22 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
15:23:22 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
15:23:22 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
15:23:22 ipsec no suitable proposal found.
15:23:22 ipsec failed to get valid proposal.
15:23:23 ipsec received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
15:23:23 ipsec received Vendor ID: RFC 3947
15:23:23 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
15:23:23 ipsec
15:23:23 ipsec received Vendor ID: FRAGMENTATION
15:23:23 ipsec invalid DH group 20.
15:23:23 ipsec invalid DH group 19.
15:23:23 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
15:23:23 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
15:23:23 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
15:23:23 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
15:23:23 ipsec no suitable proposal found.
15:23:23 ipsec failed to get valid proposal.
15:23:25 ipsec received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
15:23:25 ipsec received Vendor ID: RFC 3947
15:23:25 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
15:23:25 ipsec
15:23:25 ipsec received Vendor ID: FRAGMENTATION
15:23:25 ipsec invalid DH group 20.
15:23:25 ipsec invalid DH group 19.
15:23:25 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
15:23:25 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
15:23:25 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
15:23:25 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
15:23:25 ipsec no suitable proposal found.
15:23:25 ipsec failed to get valid proposal.
15:23:30 ipsec received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
15:23:30 ipsec received Vendor ID: RFC 3947
15:23:30 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
15:23:30 ipsec
15:23:30 ipsec received Vendor ID: FRAGMENTATION
15:23:30 ipsec invalid DH group 20.
15:23:30 ipsec invalid DH group 19.
15:23:30 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
15:23:30 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = AES-CBC:3DES-CBC
15:23:30 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1024-bit MODP group:2048-bit MODP group
15:23:30 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
15:23:30 ipsec no suitable proposal found.
15:23:30 ipsec failed to get valid proposal.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Road warrior's VPN?

Wed Mar 24, 2010 9:52 pm

Your proposals don't match. You're using DH group 2048 on your Windows machine, and 3DES for encryption. But the only policy on the RouterOS device is DH group 2 (1024 bit) and AES.

You can't use group 2048 on Windows and group 2 should be sufficient, and AES is less resource intensive than 3DES - so I'd match the policy on the Windows machine to what is already configured on RouterOS (group 2, AES).
 
edmidor
Member Candidate
Topic Author
Posts: 126
Joined: Fri Mar 05, 2010 12:06 am
Location: Canada

Re: Road warrior's VPN?

Wed Mar 24, 2010 10:36 pm

The group in Windows settings was set to group2 with AES-128... don't understand why it sends DH 2048 with 3des.
So I changed peer settings on mikrotik to accept 3des, now it looks... well... shorter, but less clear what's wrong
16:30:34 system,info ipsec peer changed by admin-ssh
16:30:55 ipsec respond new phase 1 negotiation: 70.80.88.144[500]<=>24.113.235.32[12972]
16:30:55 ipsec begin Identity Protection mode.
16:30:55 ipsec received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
16:30:55 ipsec received Vendor ID: RFC 3947
16:30:55 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
16:30:55 ipsec
16:30:55 ipsec received Vendor ID: FRAGMENTATION
16:30:55 ipsec invalid DH group 20.
16:30:55 ipsec invalid DH group 19.
16:30:55 ipsec the packet is retransmitted by 24.113.235.32[12972].
16:30:55 ipsec ISAKMP-SA established 70.80.88.144[500]-24.113.235.32[12972] spi:ff0114bb520f217c:add4000062da819a
16:30:55 ipsec respond new phase 2 negotiation: 70.80.88.144[500]<=>24.113.235.32[12972]
16:30:55 ipsec Update the generated policy : 68.245.171.115/32[1701] 70.80.88.144/32[1701] proto=udp dir=in
16:30:56 ipsec IPsec-SA established: ESP/Transport 24.113.235.32[0]->70.80.88.144[0] spi=95772039(0x5b55d87)
16:30:56 ipsec IPsec-SA established: ESP/Transport 70.80.88.144[0]->24.113.235.32[0] spi=3285053531(0xc3cdf05b)
16:31:32 ipsec ISAKMP-SA expired 70.80.88.144[500]-24.113.235.32[12972] spi:ff0114bb520f217c:add4000062da819a
16:31:33 ipsec ISAKMP-SA deleted 70.80.88.144[500]-24.113.235.32[12972] spi:ff0114bb520f217c:add4000062da819a
Further attempts bring me somewhat different error: "remote address mismatched"
17:05:36 ipsec respond new phase 1 negotiation: 70.80.88.144[500]<=>24.113.235.32[13308]
17:05:36 ipsec begin Identity Protection mode.
17:05:36 ipsec received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
17:05:36 ipsec received Vendor ID: RFC 3947
17:05:36 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
17:05:36 ipsec
17:05:36 ipsec received Vendor ID: FRAGMENTATION
17:05:36 ipsec invalid DH group 20.
17:05:36 ipsec invalid DH group 19.
17:05:36 ipsec the packet is retransmitted by 24.113.235.32[13308].
17:05:37 ipsec ISAKMP-SA established 70.80.88.144[500]-24.113.235.32[13308] spi:713d157a549ae96d:be31ba2453f70c38
17:06:41 ipsec remote address mismatched. db=24.113.235.32[13308], act=24.113.235.32[13314]
17:06:41 ipsec ISAKMP-SA expired 70.80.88.144[500]-24.113.235.32[13308] spi:713d157a549ae96d:be31ba2453f70c38
17:06:42 ipsec ISAKMP-SA deleted 70.80.88.144[500]-24.113.235.32[13308] spi:713d157a549ae96d:be31ba2453f70c38
