Tutorial Mikrotik VPN : Point to Point Tunnel Protocol

(PPTP)

Summary

PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik

RouterOS feat includes hold fot PPTP machine and server.

General applications of PPTP tunnels:

* For bonded router-to-router tunnels over the Internet

* To unification (bridge) topical Intranets or LANs (when EoIP is also used)

* For ambulatory or far clients to remotely admittance an Intranet/LAN of a consort (see

PPTP falsehood for Windows for more information)

Each PPTP unification is imperturbable of a machine and a client.

The MikroTik RouterOS haw duty as a machine or machine – or, for assorted configurations, it

haw be the machine for whatever connections and machine for additional connections. For

example, the machine created beneath could enter to a Windows 2000 server, additional

MikroTik Router, or additional router which supports a PPTP server.

Description

PPTP is a bonded delve for transporting IP reciprocation using PPP. PPTP encapsulates UPPP

in realistic lines that separate over IP. PPTP incorporates UPPP and MPPE (Microsoft Point to

Point Encryption) to attain encrypted links. The determine of this prescript is to attain

well-managed bonded connections between routers as substantially as between routers and

PPTP clients (clients are acquirable for and/or included in nearly every OSs including

Windows).

PPTP includes UPPP marker and business for apiece PPTP connection. Full marker and

business of apiece unification haw be finished finished a RADIUS machine or locally.

MPPE 40bit RC4 and MPPE 128bit RC4 coding are supported.

PPTP reciprocation uses prescript opening 1723 and IP prescript GRE (Generic Routing

Encapsulation, IP prescript ID 47), as appointed by the cyberspace Assigned Numbers

Authority (IANA). PPTP crapper be utilised with most firewalls and routers by sanctioning

reciprocation sure for prescript opening 1723 and prescript 47 reciprocation to be routed

finished the firewall or router.

IP connection. Please wager the Microsoft and RFC course at the modify of this country for

more information.

PPTP Client Setup

Submenu take : /interface pptp-client

Property Description

name (name; default: pptp-out1) – programme study for reference

mtu (integer; default: 1460) – Maximum Transmit Unit. The best continuance is the MTU of

the programme the delve is employed over attenuated by 40 (so, for 1500-byte ethernet

link, ordered the MTU to 1460 to refrain fragmentation of packets)

mru (integer; default: 1460) – Maximum Receive Unit. The best continuance is the MTU of

the programme the delve is employed over attenuated by 40 (so, for 1500-byte ethernet

link, ordered the MRU to 1460 to refrain fragmentation of packets)

connect-to (IP address)- the IP come of the PPTP machine to enter to

user (string)- individual study to ingest when logging on to the far server

password (string; default: “”)- individual countersign to ingest when logging to the far server

profile (name; default: default) – strikingness to ingest when conjunctive to the far server

add-default-route (yes | no; default: no) – whether to ingest the machine which this machine

is adjoining to as its choice router (gateway)

Example

To ordered up PPTP machine titled test2 using username john with countersign john to enter

to the 10.1.1.12 PPTP machine and ingest it as the choice gateway:

[admin@MikroTik] programme pptp-client> add name=test2 connect-to=10.1.1.12 \

\… user=john add-default-route=yes password=john

[admin@MikroTik] programme pptp-client> print

Flags: X – disabled, R – running

0 X name=”test2″ mtu=1460 mru=1460 connect-to=10.1.1.12 user=”john”

password=”john” profile=default add-default-route=yes

[admin@MikroTik] programme pptp-client> enable 0

Command study : /interface pptp-client monitor

Property Description

Statistics:

uptime (time) – unification instance displayed in days, hours, minutes, and seconds

encoding (string) – coding and coding (if asymmetric, distributed with ‘/’) existence utilised in

this connection

status (string) – position of the client:

# Dialing – attempting to attain a connection

# Verifying password… – unification has been ingrained to the server, countersign

substantiation in progress

# Connected – self-explanatory

# Terminated – programme is not enabled or the additional lateral module not found a

connection

Example

Example of an ingrained connection:

[admin@MikroTik] programme pptp-client> guardian test2

uptime: 4h35s

encoding: MPPE 128 bit, stateless

status: Connected

[admin@MikroTik] programme pptp-client>

PPTP Server Setup

Submenu take : /interface pptp-server server

[admin@MikroTik] programme pptp-server server> print

enabled: no

mtu: 1460

mru: 1460

authentication: mschap2

default-profile: default

[admin@MikroTik] programme pptp-server server>

The PPTP machine supports oceanic connections from clients. For apiece underway

connection, a impulsive programme is created.

Property Description

enabled (yes | no; default: no) – defines whether PPTP machine is enabled or not

mtu (integer; default: 1460) – Maximum Transmit Unit. The best continuance is the MTU of

the programme the delve is employed over attenuated by 40 (so, for 1500-byte ethernet

link, ordered the MTU to 1460 to refrain fragmentation of packets)

mru (integer; default: 1460) – Maximum Receive Unit. The best continuance is the MTU of

the programme the delve is employed over attenuated by 40 (so, for 1500-byte ethernet

link, ordered the MTU to 1460 to refrain fragmentation of packets)

authentication (multiple choice: garbage | lad | mschap1 | mschap2; default: mschap2) –

marker algorithm

default-profile (name; default: default) – choice strikingness to use

Example

To enable PPTP server:

[admin@MikroTik] programme pptp-server server> ordered enabled=yes

[admin@MikroTik] programme pptp-server server> print

enabled: yes

mtu: 1460

mru: 1460

authentication: mschap2

default-profile: default

[admin@MikroTik] programme pptp-server server>

PPTP Server Users

Submenu take : /interface pptp-server

There are digit types of items in PPTP machine plan – noise users and impulsive connections.

A impulsive unification crapper be ingrained if the individual database or the default-profile

has its local-address and remote-address ordered correctly. When noise users are added, the

choice strikingness haw be mitt with its choice values and exclusive P2P individual (in /ppp

secret) should be configured. Note that in both cases P2P users staleness be organized

properly.

Property Description

name – programme name

user – the study of the individual that is organized statically or additional dynamically

Statistics:

mtu – shows (cannot be ordered here) client’s MTU

client-address – shows (cannot be ordered here) the IP of the adjoining client

uptime – shows how daylong the machine is connected

encoding (string) – coding and coding (if asymmetric, distributed with ‘/’) existence utilised in

this connection

Example

To add a noise entry for ex1 user:

[admin@MikroTik] programme pptp-server> add user=ex1

[admin@MikroTik] programme pptp-server> print

Flags: X – disabled, D – dynamic, R – running

# NAME USER MTU CLIENT-ADDRESS UPTIME ENC…

0 DR ex 1460 10.0.0.202 6m32s none

1 pptp-in1 ex1

[admin@MikroTik] programme pptp-server>

In this warning an already adjoining individual ex is shown likewise the digit we meet added.

PPTP Router-to-Router Secure Tunnel Example

The mass is an warning of conjunctive digit Intranets using an encrypted PPTP delve over the

Internet.
There are digit routers in this example:

* [HomeOffice]

Interface LocalHomeOffice 10.150.2.254/24

Interface ToInternet 192.168.80.1/24

* [RemoteOffice]

Interface ToInternet 192.168.81.1/24

Interface LocalRemoteOffice 10.150.1.254/24

Each router is adjoining to a assorted ISP. One router crapper admittance additional router

finished the Internet.

On the PPTP machine a individual staleness be ordered up for the client:

[admin@HomeOffice] ppp secret> add name=ex service=pptp password=lkjrht

local-address=10.0.103.1 remote-address=10.0.103.2

[admin@HomeOffice] ppp secret> indicant detail

Flags: X – disabled

0 name=”ex” service=pptp caller-id=”” password=”lkjrht” profile=default

local-address=10.0.103.1 remote-address=10.0.103.2 routes==””

[admin@HomeOffice] ppp secret>

Then the individual should be additional in the PPTP machine list:

[admin@HomeOffice] programme pptp-server> add user=ex

[admin@HomeOffice] programme pptp-server> print

Flags: X – disabled, D – dynamic, R – running

# NAME USER MTU CLIENT-ADDRESS UPTIME ENC…

0 pptp-in1 ex

[admin@HomeOffice] programme pptp-server>

And finally, the machine staleness be enabled:

[admin@HomeOffice] programme pptp-server server> ordered enabled=yes

[admin@HomeOffice] programme pptp-server server> print

enabled: yes

mtu: 1460

mru: 1460
authentication: mschap2

default-profile: default

[admin@HomeOffice] programme pptp-server server>

Add a PPTP machine to the RemoteOffice router:

[admin@RemoteOffice] programme pptp-client> add connect-to=192.168.80.1 user=ex \

\… password=lkjrht disabled=no

[admin@RemoteOffice] programme pptp-client> print

Flags: X – disabled, R – running

0 R name=”pptp-out1″ mtu=1460 mru=1460 connect-to=192.168.80.1 user=”ex”

password=”lkjrht” profile=default add-default-route=no

[admin@RemoteOffice] programme pptp-client>

Thus, a PPTP delve is created between the routers. This delve is aforementioned an Ethernet

point-to-point unification between the routers with IP addresses 10.0.103.1 and 10.0.103.2

at apiece router. It enables ‘direct’ act between the routers over ordinal band networks.

To line the topical Intranets over the PPTP delve – add these routes:

[admin@HomeOffice] > ip line add dst-address 10.150.1.0/24 gateway 10.0.103.2

[admin@RemoteOffice] > ip line add dst-address 10.150.2.0/24 gateway 10.0.103.1

On the PPTP machine it crapper instead be finished using routes constant of the individual

configuration:

[admin@HomeOffice] ppp secret> indicant detail

Flags: X – disabled

0 name=”ex” service=pptp caller-id=”” password=”lkjrht” profile=default

local-address=10.0.103.1 remote-address=10.0.103.2 routes==””

[admin@HomeOffice] ppp secret> ordered 0 routes=”10.150.1.0/24 10.0.103.2 1″

[admin@HomeOffice] ppp secret> indicant detail

Flags: X – disabled

0 name=”ex” service=pptp caller-id=”” password=”lkjrht” profile=default

local-address=10.0.103.1 remote-address=10.0.103.2

routes=”10.150.1.0/24 10.0.103.2 1″

[admin@HomeOffice] ppp secret>

[admin@RemoteOffice]> /ping 10.0.103.1

10.0.103.1 pong: ttl=255 time=3 ms

10.0.103.1 pong: ttl=255 time=3 ms

10.0.103.1 pong: ttl=255 time=3 ms

ping interrupted

3 packets transmitted, 3 packets received, 0% boat loss

round-trip min/avg/max = 3/3.0/3 ms

Test the unification finished the PPTP delve to the LocalHomeOffice interface:

[admin@RemoteOffice]> /ping 10.150.2.254

10.150.2.254 pong: ttl=255 time=3 ms

10.150.2.254 pong: ttl=255 time=3 ms

10.150.2.254 pong: ttl=255 time=3 ms

ping interrupted

3 packets transmitted, 3 packets received, 0% boat loss

round-trip min/avg/max = 3/3.0/3 ms

To denture a LAN over this bonded tunnel, gratify wager the warning in the ‘EoIP’ country of

the manual. To ordered the peak pace for reciprocation over this tunnel, gratify enquire the

‘Queues’ section.

Connecting a Remote Client via PPTP Tunnel

The mass warning shows how to enter a machine to a far duty meshwork over PPTP

encrypted delve gift that machine an IP come from the aforementioned meshwork as the far

duty has (without requirement of bridging over eoip tunnels)

Please, enquire the individual drill on how to ordered up a PPTP machine with the code You

are using.
The router in this example:

* [RemoteOffice]

Interface ToInternet 192.168.81.1/24

Interface Office 10.150.1.254/24

The machine machine crapper admittance the router finished the Internet.

On the PPTP machine a individual staleness be ordered up for the client:

[admin@RemoteOffice] ppp secret> add name=ex service=pptp password=lkjrht

local-address=10.150.1.254 remote-address=10.150.1.2

[admin@RemoteOffice] ppp secret> indicant detail

Flags: X – disabled

0 name=”ex” service=pptp caller-id=”” password=”lkjrht” profile=default

local-address=10.150.1.254 remote-address=10.150.1.2 routes==””

[admin@RemoteOffice] ppp secret>

Then the individual should be additional in the PPTP machine list:

[admin@RemoteOffice] programme pptp-server> add name=FromLaptop user=ex

[admin@RemoteOffice] programme pptp-server> print

Flags: X – disabled, D – dynamic, R – running

# NAME USER MTU CLIENT-ADDRESS UPTIME ENC…

0 FromLaptop ex

[admin@RemoteOffice] programme pptp-server>

And the machine staleness be enabled:

[admin@RemoteOffice] programme pptp-server server> ordered enabled=yes

[admin@RemoteOffice] programme pptp-server server> print

enabled: yes

mtu: 1460

mru: 1460

authentication: mschap2

default-profile: default

[admin@RemoteOffice] programme pptp-server server>

[admin@RemoteOffice] programme ethernet> ordered Office arp=proxy-arp

[admin@RemoteOffice] programme ethernet> print

Flags: X – disabled, R – running

# NAME MTU MAC-ADDRESS ARP

0 R ToInternet 1500 00:30:4F:0B:7B:C1 enabled

1 R Office 1500 00:30:4F:06:62:12 proxy-arp

[admin@RemoteOffice] programme ethernet>

ref: http://www.mikrotik.com/documentation//manual_2.7/Interface/PPTP.html