cavere
just joined
Topic Author
Posts: 4
Joined: Tue Oct 21, 2014 9:33 pm

Mikrotik as VPN client

Wed Nov 12, 2014 2:58 pm

Hello,

We have a remote desktop windows 2008 R2 server running in a datacenter and 2 remote offices with printers.
From the remote desktop server we need to print to every office.

We want to place a MikroTik router in every office, and on the Windows server we install SoftEther VPN Server.
We configured the SoftEther VPN server and connected one MikroTik as an SSTP client; the MikroTik gets the IP 192.168.30.10. From the MikroTik we can ping the VPN server (192.168.30.1), and the VPN server can ping the MikroTik (192.168.30.10).

But we can't ping the local subnet (192.168.88.0) of the clients behind the MikroTik. We added a static route on the Windows server (route add 192.168.88.0 mask 255.255.255.0 192.168.30.10) that points to the IP address of the SSTP client.

We enabled Proxy ARP on the LAN and WAN interfaces of the MikroTik. All firewall rules are disabled, so nothing is blocked.
There are no mangle rules configured.

We can't find any guide for this configuration. The MikroTik acts as a VPN client, but the local subnet must be reachable from the VPN server and from other VPN clients (the second MikroTik).

Can someone help?

Regards,
Didier
 
brossler
just joined
Posts: 19
Joined: Tue Apr 15, 2014 10:42 pm
Location: Czech Republic

Re: Mikrotik as VPN client

Sun Nov 16, 2014 8:32 pm

Hi,

try setting up routes on the MikroTik device to the datacenter networks. The packet knows how to get from the server to the router, but when it goes back it is routed to the WAN and never reaches the server again.
 
aacable
Member
Posts: 422
Joined: Wed Sep 17, 2008 11:58 am
Location: ISLAMIC Republic of PAKISTAN
Contact:

Re: Mikrotik as VPN client

Mon Nov 17, 2014 9:17 am

It's all about proper static routes at each router and the clients.
Make sure to masquerade (source NAT) client traffic going for internet requests on the WAN interface only. You don't need any proxy ARP at any end. Clients should see each other with their source IP if proper routing is configured.
Something like the following:

[attachment: mt.png]
_____________
Regard's

Syed Jahanzaib
Web: http://aacable.wordpress.com
Email: aacable [at] hotmail.com
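The two replies above make the same point from both directions: the branch router needs a route back to the datacenter subnets via the tunnel, and masquerading should happen only on the WAN, so the server sees each client's real source IP (and can route back to it with the static route the original poster added). This constructed Python model of the hAP's forwarding decision is an added example, not code from the thread or from MikroTik; interface names and subnets are taken from the thread, while 203.0.113.10 is an assumed WAN address.

```python
from ipaddress import ip_address, ip_network

# Assumed public address of the branch router's WAN link (not from the thread).
WAN_ADDR = "203.0.113.10"
# Tunnel address the SSTP client received, as stated in the thread.
SSTP_ADDR = "192.168.30.10"

def lookup(routes, dst):
    """Longest-prefix match over (prefix, out_interface) pairs, as RouterOS's
    main routing table does. Returns the out interface, or None."""
    dst = ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def forward(routes, src, dst, masq):
    """Route a packet from a LAN client and apply srcnat: the source is
    rewritten only when the out interface is listed in masq (iface -> address).
    Returns (out_interface, source_address_after_nat)."""
    iface = lookup(routes, dst)
    if iface is None:
        return None, src
    return iface, masq.get(iface, src)

# Before the advice: only the default route, so replies to the datacenter
# LAN (10.56.86.0/24 in the poster's export) leave via the WAN and are lost.
ROUTES_BEFORE = [("0.0.0.0/0", "WAN")]
# After the advice: datacenter subnets are reachable through sstp-out1.
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.30.0/24", "sstp-out1"),
                                ("10.56.86.0/24", "sstp-out1")]

# Masquerade on the WAN only (what aacable recommends and the export shows).
MASQ_WAN_ONLY = {"WAN": WAN_ADDR}
# Masquerading on the tunnel as well hides every branch host behind one
# address, so server-side logs can no longer tell the clients apart.
MASQ_BOTH = {"WAN": WAN_ADDR, "sstp-out1": SSTP_ADDR}

if __name__ == "__main__":
    print(forward(ROUTES_BEFORE, "192.168.88.20", "10.56.86.5", MASQ_WAN_ONLY))
    print(forward(ROUTES_AFTER, "192.168.88.20", "10.56.86.5", MASQ_WAN_ONLY))
    print(forward(ROUTES_AFTER, "192.168.88.20", "10.56.86.5", MASQ_BOTH))
```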
 
cavere
just joined
Topic Author
Posts: 4
Joined: Tue Oct 21, 2014 9:33 pm

Re: Mikrotik as VPN client

Mon Nov 17, 2014 12:46 pm

Hello,

We added the route to the MikroTik.
We also added a static route on the Windows server running SoftEther.

Do I need to turn off proxy ARP on the interfaces, or doesn't it matter?

From the MikroTik terminal we can ping the VPN server 192.168.30.1.

From the clients behind the MikroTik we can't ping the VPN server 192.168.30.1.
From the clients behind the MikroTik we can ping the MikroTik's VPN-assigned IP address 192.168.30.10, but not the VPN server 192.168.30.1.

All firewall rules are disabled.

Route:
# nov/17/2014 11:37:53 by RouterOS 6.21.1
# software id = 0XQ7-4FIB
#
/ip route
add distance=2 dst-address=10.56.86.0/24 gateway=sstp-out1
add distance=1 dst-address=192.168.30.0/24 gateway=sstp-out1
/ip route rule
add dst-address=192.168.30.0/24 interface=sstp-out1 routing-mark=vpn
NAT
[didier@Router1] > /ip firewall nat export 
# nov/17/2014 11:38:32 by RouterOS 6.21.1
# software id = 0XQ7-4FIB
#
/ip firewall nat
add chain=srcnat dst-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=WAN
SSTP client
/interface sstp-client
add add-default-route=no authentication=pap,chap,mschap1,mschap2 certificate=none connect-to=monitor.cavere.b
    dial-on-demand=no disabled=no http-proxy=0.0.0.0:443 keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=
    disabled name=sstp-out1 password=***** profile=default user=mikrotik verify-server-address-from-certif
    no verify-server-certificate=no
PPP profile
[didier@Router1] /ppp profile> print 
Flags: * - default 
 0 * name="default" use-mpls=default use-compression=default use-vj-compression=default use-encryption=default 
     only-one=default change-tcp-mss=yes address-list="" 
Firewall (all rules disabled)
[didier@Router1] > /ip firewall export 
# nov/17/2014 11:45:00 by RouterOS 6.21.1
# software id = 0XQ7-4FIB
#
/ip firewall address-list
add address=192.168.88.0/24 list=LocalLAN
add address=192.168.30.0/24 list=Cavere-VPN-Network
/ip firewall filter
add chain=input disabled=yes in-interface=sstp-out1
add chain=input comment="Allow ping" disabled=yes protocol=icmp
add chain=input comment="Allow established traffic" connection-state=established disabled=yes
add chain=input comment="Allow related traffic" connection-state=related disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes in-interface=WAN
add chain=forward comment="Allow established traffic" connection-state=established disabled=yes
add chain=forward comment="Allow related traffic" connection-state=related disabled=yes
add chain=forward comment="Allow new traffic" connection-state=new disabled=yes
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
/ip firewall nat
add chain=srcnat dst-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=WAN
 
oldfogey
just joined
Posts: 1
Joined: Wed Oct 05, 2016 8:22 pm

Re: Mikrotik as VPN client

Wed Oct 05, 2016 8:50 pm

I know this is an old post, but I didn't see a satisfactory answer and as I wanted to do exactly what the original poster did and found the same issues, I thought I'd post a reply. I was particularly flummoxed by the settings to get an Asterisk VoIP phone to run over the VPN, so I have included that in this solution as well.

I wanted to use the hAP lite as a VPN CPE appliance, so that when it is switched on in a branch office the VPN is visible, and when it is switched off the VPN is not visible. I wished the existing CPE at each office (an assortment of xDSL routers, LAN switches, servers etc.) to continue to support all their existing functions.

What I did was the following, using WinBox:
0. Upgrade to RouterOS 6.37.1
1. Under 'Interfaces' menu on Winbox, set up SSTP (or L2TP/IPSEC or OpenVPN) client to connect to Softether VPN server at the main office. User names, port numbers, IPSEC secrets and SSL certificates (in .pem format) are chosen to correspond with the SE-VPN configuration. I checked I could ping/tracert from WinBox as per the original poster - this confirms that the WAN link is working, and further configuration is to make sure the HAP is working in the mode required. At this stage, router is working like that of the original poster.
2. As the HAP is just for the VPN, under quickset/CPE set it to get an IP address from the site DHCP server, and then fix the address at the server as it will be needed for static routes
3. I disabled wireless (as the existing CPE gives wireless clients access and the hAP lite is only 2.4GHz)
4. Under IP/firewall/filter rules I added a rule to forward all packets required by the IP address plan, in my case 192.168.0.0/16.
5. Under IP/firewall/NAT, I added masquerade action to the srcnat chain
6. Under IP/Firewall/Service ports I disabled the SIP alg - not sure what the SIP alg is, but my Asterisk extension worked fine over the VPN when I disabled the SIP alg and also disabled RFC3581 treatment on the VPN extensions (from the Asterisk CLI on the PABX box)
7. Under IP/IPsec/Proposals, I created a proposal that matched my SE-VPN configuration
8. Under IP/IPsec/Policies, I created a policy to route 192.xxx.xxx.xxx (private IP assigned to HAP by DHCP) to 1.2.3.4 (1.2.3.4 is the static public IP of SE-VPN server which is behind NAT), using the proposal created in step 7 above
9. Under IP/IPsec/Peers, I created a peer to 1.2.3.4
10. Under IP/Routes I created static routes of type 192.168.xxx.xxx/24 and directed them to the SSTP/L2TP/OVPN gateways created in step 1. I created one route for each subnet for each gateway. Only those reachable (depending on which gateway is enabled) will be active. That way you can test whether L2TP or SSTP is better, and this depends on the CPE you have.
11. I then backed up the config under Files. This config can be used more or less as-is for your other branch sites
12. At the CPE router I created static routes for the private subnets I want routed over the VPN
13. Enable one of the SSTP/L2TP/OVPN gateways and test ping/traceroute firstly from within WinBox and secondly from a PC connected to the LAN of the branch office. Check that SIP calls can be set up and received (signalling and audio) from VoIP phones in the branch office.

Hope this helps!
 
pennytone
just joined
Posts: 19
Joined: Wed Oct 09, 2013 10:50 pm
Location: USA

Re: Mikrotik as VPN client

Tue May 30, 2017 8:33 pm

I just gave a presentation on SIP ALG at the MikroTik MUM in Denver, Colorado, 2017, explaining everything about SIP ALG in RouterOS.
Watch here:
https://youtu.be/tM7wyKdnIKA
David
