Document Revision 1.4 (Tue Aug 09 12:01:21 GMT 2005) : This Document Applies To V2.9


PPTP

Table of Contents
Table of Contents
General Information
Summary
Quick Setup Guide
Specifications
Related Documents
Description
Additional Documents
PPTP Client Setup
Property Description
Example
Monitoring PPTP Client
Property Description
Example
PPTP Server Setup
Description
Property Description
Example
PPTP Users
Description
PPTP Server User Interfaces
Description
Property Description
Example
PPTP Application Examples
Router-to-Router Secure Tunnel Example
Connecting a Remote Client via PPTP Tunnel
PPTP Setup for Windows
Sample instructions for PPTP (VPN) installation and client setup - Windows 98SE
Troubleshooting
Description
General Information
Summary
PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik RouterOS
implementation includes support for PPTP client and server.
General applications of PPTP tunnels:
Page 1 of 12
Copyright 1999-2006, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registered trademarks mentioned herein are properties of their respective owners.

- For secure router-to-router tunnels over the Internet
- To link (bridge) local Intranets or LANs (when EoIP is also used)
- For mobile or remote clients to remotely access an Intranet/LAN of a company (see PPTP setup for
  Windows for more information)

Each PPTP connection is composed of a server and a client. The MikroTik RouterOS may function as a server
or client - or, for various configurations, it may be the server for some connections and client for other
connections. For example, the client created below could connect to a Windows 2000 server, another
MikroTik Router, or another router which supports a PPTP server.
Quick Setup Guide
To make a PPTP tunnel between 2 MikroTik routers with IP addresses 10.5.8.104 (PPTP server) and
10.1.0.172 (PPTP client), follow the next steps.

Setup on PPTP server:

1. Add a user:
   [admin@PPTP-Server] ppp secret> add name=jack password=pass \
   \... local-address=10.0.0.1 remote-address=10.0.0.2
2. Enable the PPTP server:
   [admin@PPTP-Server] interface pptp-server server> set enabled=yes

Setup on PPTP client:

1. Add the PPTP client:
   [admin@PPTP-Client] interface pptp-client> add user=jack password=pass \
   \... connect-to=10.5.8.104 disabled=no
Specifications
Packages required: ppp
License required: level1 (limited to 1 tunnel), level3 (limited to 200 tunnels), level5
Home menu level: /interface pptp-server, /interface pptp-client
Standards and Technologies: PPTP (RFC 2637)
Hardware usage: Not significant
Related Documents
Software Package Management
IP Addresses and ARP
PPP User AAA
EoIP
Description
PPTP is a secure tunnel for transporting IP traffic using PPP. PPTP encapsulates PPP in virtual lines that run
over IP. PPTP incorporates PPP and MPPE (Microsoft Point to Point Encryption) to make encrypted links. The
purpose of this protocol is to make well-managed secure connections between routers as well as between
routers and PPTP clients (clients are available for and/or included in almost all OSs including Windows).
PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication and
accounting of each connection may be done through a RADIUS client or locally.
MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.
PPTP traffic uses TCP port 1723 and IP protocol GRE (Generic Routing Encapsulation, IP protocol ID 47), as
assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and
routers by enabling traffic destined for TCP port 1723 and protocol 47 traffic to be routed through the
firewall or router.
PPTP connections may be limited or impossible to set up through a masqueraded/NAT IP connection. Please
see the Microsoft and RFC links at the end of this section for more information.
Additional Documents
http://msdn.microsoft.com/library/backgrnd/html/understanding_pptp.htm
http://support.microsoft.com/support/kb/articles/q162/8/47.asp
http://www.ietf.org/rfc/rfc2637.txt?number=2637
http://www.ietf.org/rfc/rfc3078.txt?number=3078
http://www.ietf.org/rfc/rfc3079.txt?number=3079
PPTP Client Setup
Home menu level: /interface pptp-client
Property Description
add-default-route (yes | no; default: no) - whether to use the server which this client is connected
to as its default router (gateway)
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) -
the protocol to allow the client to use for authentication
connect-to (IP address) - The IP address of the PPTP server to connect to
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MRU
to 1460 to avoid fragmentation of packets)
mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MTU
to 1460 to avoid fragmentation of packets)
name (name; default: pptp-outN) - interface name for reference
password (text; default: "") - user password to use when logging on to the remote server
profile (name; default: default) - profile to use when connecting to the remote server
user (text) - user name to use when logging on to the remote server
Example
To set up a PPTP client named test2 using username john with password john to connect to the 10.1.1.12
PPTP server and use it as the default gateway:
[admin@MikroTik] interface pptp-client> add name=test2 connect-to=10.1.1.12 \
\... user=john add-default-route=yes password=john
[admin@MikroTik] interface pptp-client> print
Flags: X - disabled, R - running
0 X name="test2" mtu=1460 mru=1460 connect-to=10.1.1.12 user="john"
password="john" profile=default add-default-route=yes
[admin@MikroTik] interface pptp-client> enable 0
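As an added example (Python, not part of the manual or of RouterOS), the following parses the key=value `print` output shown above into a dictionary and then applies the manual's sizing rule for mtu/mru (link MTU minus 40 bytes). The sample output and the 1500-byte Ethernet link MTU are constructed from the text above.

```python
import re

# Constructed sample: the /interface pptp-client print output from the
# manual, and the MTU of the Ethernet link the tunnel is assumed to use.
SAMPLE_PRINT = '''Flags: X - disabled, R - running
 0 X name="test2" mtu=1460 mru=1460 connect-to=10.1.1.12 user="john"
     password="john" profile=default add-default-route=yes
'''
LINK_MTU = 1500
TUNNEL_OVERHEAD = 40  # bytes the manual subtracts from the link MTU/MRU

_ENTRY_START = re.compile(r'\s*(\d+)\s+((?:[A-Z]\s+)*)')
_KEY_VALUE = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')


def parse_pptp_print(output):
    """Parse key=value style RouterOS `print` output into a list of dicts.

    Each entry gets 'id' and 'flags' plus one key per property; quoted
    strings are unquoted, integers and yes/no values are converted.
    Indented lines without a leading index continue the previous entry.
    """
    entries = []
    for line in output.splitlines():
        if not line.strip() or line.startswith('Flags:'):
            continue
        start = _ENTRY_START.match(line)
        if start:
            entries.append({'id': int(start.group(1)),
                            'flags': start.group(2).split()})
            line = line[start.end():]
        if not entries:
            raise ValueError(f'continuation line before first entry: {line!r}')
        for key, quoted, bare in _KEY_VALUE.findall(line):
            value = quoted if bare == '' else bare
            if value.isdigit():
                value = int(value)
            elif value in ('yes', 'no'):
                value = value == 'yes'
            entries[-1][key] = value
    return entries


def check_tunnel_sizes(entry, link_mtu=LINK_MTU):
    """Apply the manual's rule: tunnel mtu/mru should equal the link MTU
    minus 40; larger values fragment, smaller ones waste payload space."""
    expected = link_mtu - TUNNEL_OVERHEAD
    findings = []
    for prop in ('mtu', 'mru'):
        value = entry.get(prop)
        if value is None:
            findings.append(f'{prop} not set')
        elif value > expected:
            findings.append(f'{prop}={value} exceeds {expected}: packets will fragment')
        elif value < expected:
            findings.append(f'{prop}={value} below optimum {expected}')
    return findings
```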
Monitoring PPTP Client
Command name: /interface pptp-client monitor
Property Description
encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this
connection
status (text) - status of the client
  Dialing - attempting to make a connection
  Verifying password... - connection has been established to the server, password verification in
  progress
  Connected - self-explanatory
  Terminated - interface is not enabled or the other side will not establish a connection
uptime (time) - connection time displayed in days, hours, minutes and seconds
Example
Example of an established connection:
[admin@MikroTik] interface pptp-client> monitor test2
uptime: 4h35s
encoding: MPPE 128 bit, stateless
status: Connected
[admin@MikroTik] interface pptp-client>
PPTP Server Setup
Home menu level: /interface pptp-server server
Description
The PPTP server creates a dynamic interface for each connected PPTP client. The PPTP connection count
from clients depends on the license level you have. Level1 license allows 1 PPTP client, Level3 or Level4
licenses up to 200 clients, and Level5 or Level6 licenses do not have PPTP client limitations.
To create PPTP users, you should consult the PPP secret and PPP Profile manuals. It is also possible to use
the MikroTik router as a RADIUS client to register the PPTP users; see the respective manual on how to do it.
Property Description
authentication (multiple choice: pap | chap | mschap1 | mschap2; default: mschap2) -
authentication algorithm
default-profile - default profile to use
enabled (yes | no; default: no) - defines whether PPTP server is enabled or not
keepalive-timeout (time; default: 30) - defines the time period (in seconds) of silence after which the router
starts sending keepalive packets every second. If no traffic and no keepalive responses have arrived for
another such period (i.e. 2 * keepalive-timeout in total), the non-responding client is proclaimed disconnected
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MRU
to 1460 to avoid fragmentation of packets)
mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MTU
to 1460 to avoid fragmentation of packets)
Example
To enable PPTP server:
[admin@MikroTik] interface pptp-server server> set enabled=yes
[admin@MikroTik] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2,mschap1
keepalive-timeout: 30
default-profile: default
[admin@MikroTik] interface pptp-server server>
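As an added example (Python, not part of the manual), this replays the keepalive-timeout rule from the server property list above over a constructed event list: any client traffic or keepalive reply resets the silence clock, probes start after keepalive-timeout seconds, and the client is declared disconnected after 2 * keepalive-timeout of silence. The event list and 90-second horizon are assumptions for the simulation.

```python
def keepalive_timeline(events, timeout=30, horizon=90):
    """Replay the keepalive-timeout behaviour described for the PPTP server.

    events: constructed list of (second, kind) where kind is 'traffic' (any
    data from the client) or 'reply' (a keepalive response); second 0 is the
    last moment the client was known to be alive.
    Returns (probe_seconds, disconnect_at): the seconds at which the server
    would send a keepalive packet, and the second at which it proclaims the
    client disconnected (None if the client stays up through `horizon`).
    """
    heard_at = {t for t, kind in events if kind in ('traffic', 'reply')}
    last_heard = 0
    probes = []
    for now in range(1, horizon + 1):
        if now in heard_at:
            last_heard = now          # traffic or a reply resets the clock
            continue
        silent = now - last_heard
        if silent >= 2 * timeout:     # silent for 2 * keepalive-timeout
            return probes, now        # client proclaimed disconnected
        if silent >= timeout:         # silent for keepalive-timeout:
            probes.append(now)        # one keepalive packet per second
    return probes, None
```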
PPTP Users
Description
The PPTP users are authenticated through a RADIUS server (if configured), and if RADIUS fails, then the
local PPP user database is used. See the respective manual sections for more information:
RADIUS client
PPP User AAA
PPTP Server User Interfaces
Home menu level: /interface pptp-server
Description
There are two types of items in PPTP server configuration - static users and dynamic connections. A dynamic
connection can be established if the user database or the default-profile has its local-address and
remote-address set correctly. When static users are added, the default profile may be left with its default
values and only PPP user (in /ppp secret) should be configured. Note that in both cases PPP users must be
configured properly.
Property Description
client-address (IP address) - shows (cannot be set here) the IP address of the connected client
encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this
connection
mtu (integer) - (cannot be set here) client's MTU
name (name) - interface name
uptime (time) - shows how long the client is connected
user (name) - the name of the user that is configured statically or added dynamically
Example
To add a static entry for ex1 user:
[admin@MikroTik] interface pptp-server> add user=ex1
[admin@MikroTik] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 DR <pptp-ex> ex 1460 10.0.0.202 6m32s none
1 pptp-in1 ex1
[admin@MikroTik] interface pptp-server>
In this example an already connected user ex is shown besides the one we just added.
PPTP Application Examples
Router-to-Router Secure Tunnel Example
The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the Internet.
There are two routers in this example:

[HomeOffice]
Interface LocalHomeOffice 10.150.2.254/24
Interface ToInternet 192.168.80.1/24

[RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface LocalRemoteOffice 10.150.1.254/24
Each router is connected to a different ISP. One router can access another router through the Internet.
On the HomeOffice PPTP server a user must be set up for the client:
[admin@HomeOffice] ppp secret> add name=ex service=pptp password=lkjrht
local-address=10.0.103.1 remote-address=10.0.103.2
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes==""
[admin@HomeOffice] ppp secret>
Then the user should be added in the PPTP server list:
[admin@HomeOffice] interface pptp-server> add user=ex
[admin@HomeOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 pptp-in1 ex
[admin@HomeOffice] interface pptp-server>
And finally, the server must be enabled:
[admin@HomeOffice] interface pptp-server server> set enabled=yes
[admin@HomeOffice] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@HomeOffice] interface pptp-server server>
Add a PPTP client to the RemoteOffice router:
[admin@RemoteOffice] interface pptp-client> add connect-to=192.168.80.1 user=ex \
\... password=lkjrht disabled=no
[admin@RemoteOffice] interface pptp-client> print
Flags: X - disabled, R - running
0 R name="pptp-out1" mtu=1460 mru=1460 connect-to=192.168.80.1 user="ex"
password="lkjrht" profile=default add-default-route=no
[admin@RemoteOffice] interface pptp-client>
Thus, a PPTP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point connection
between the routers with IP addresses 10.0.103.1 and 10.0.103.2 at each router. It enables 'direct'
communication between the routers over third party networks.
To route the local Intranets over the PPTP tunnel you need to add these routes:
[admin@HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2
[admin@RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1
On the PPTP server it can alternatively be done using routes parameter of the user configuration:
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes==""
[admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2
routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret>
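As an added example (Python, not from the manual), here is a parser for the `routes` property format used above ("dst-address gateway distance" triplets) that also checks, as in the manual's example, that each gateway is the user's own remote-address, and renders the equivalent `/ip route add` commands. The secret dictionary is a constructed copy of the HomeOffice entry shown above.

```python
import ipaddress

# Constructed copy of the HomeOffice /ppp secret shown above, after
# `set 0 routes=...`; the routes value is the string being parsed.
HOMEOFFICE_SECRET = {
    'name': 'ex',
    'local-address': '10.0.103.1',
    'remote-address': '10.0.103.2',
    'routes': '10.150.1.0/24 10.0.103.2 1',
}


def parse_ppp_routes(routes, remote_address=None):
    """Parse a /ppp secret `routes` string into a list of route dicts.

    The manual's format is whitespace-separated "dst gateway distance"
    triplets. Raises ValueError on a missing field, a prefix with host
    bits set, a malformed address or a distance below 1. When
    remote_address is given, every gateway must equal it: the route is
    installed when this user's tunnel comes up, and only the tunnel's far
    end (the user's remote-address) can carry the traffic.
    """
    tokens = routes.split()
    if len(tokens) % 3:
        raise ValueError(f'routes needs dst/gateway/distance triplets: {routes!r}')
    parsed = []
    for i in range(0, len(tokens), 3):
        dst, gw, dist = tokens[i:i + 3]
        network = ipaddress.ip_network(dst, strict=True)  # rejects 10.150.1.1/24
        gateway = ipaddress.ip_address(gw)
        distance = int(dist)
        if distance < 1:
            raise ValueError(f'distance must be at least 1: {dist}')
        if remote_address is not None and gateway != ipaddress.ip_address(remote_address):
            raise ValueError(f"gateway {gw} is not this user's remote-address {remote_address}")
        parsed.append({'dst': str(network), 'gateway': str(gateway), 'distance': distance})
    return parsed


def routes_to_commands(parsed):
    """Render the equivalent static routes in the form the manual types at
    the root prompt (the manual's /ip route example omits the distance)."""
    return [f"/ip route add dst-address {r['dst']} gateway {r['gateway']}"
            for r in parsed]
```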
Test the PPTP tunnel connection:
[admin@RemoteOffice]> /ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms
Test the connection through the PPTP tunnel to the LocalHomeOffice interface:
[admin@RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms
To bridge a LAN over this secure tunnel, please see the example in the 'EoIP' section of the manual. To set
the maximum speed for traffic over this tunnel, please consult the 'Queues' section.
Connecting a Remote Client via PPTP Tunnel
The following example shows how to connect a computer to a remote office network over a PPTP encrypted
tunnel, giving that computer an IP address from the same network as the remote office has (without the need
for bridging over EoIP tunnels).
Please consult the respective manual on how to set up a PPTP client with the software you are using.
The router in this example:

[RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface Office 10.150.1.254/24
The client computer can access the router through the Internet.
On the PPTP server a user must be set up for the client:
[admin@RemoteOffice] ppp secret> add name=ex service=pptp password=lkjrht
local-address=10.150.1.254 remote-address=10.150.1.2
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.150.1.254 remote-address=10.150.1.2 routes==""
[admin@RemoteOffice] ppp secret>
Then the user should be added in the PPTP server list:
[admin@RemoteOffice] interface pptp-server> add name=FromLaptop user=ex
[admin@RemoteOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 FromLaptop ex
[admin@RemoteOffice] interface pptp-server>
And the server must be enabled:
[admin@RemoteOffice] interface pptp-server server> set enabled=yes
[admin@RemoteOffice] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@RemoteOffice] interface pptp-server server>
Finally, proxy ARP must be enabled on the 'Office' interface:
[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X - disabled, R - running
# NAME MTU MAC-ADDRESS ARP
0 R ToInternet 1500 00:30:4F:0B:7B:C1 enabled
1 R Office 1500 00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>
PPTP Setup for Windows
Microsoft provides PPTP client support for Windows NT, 2000, ME, 98SE, and 98. Windows 98SE, 2000, and
ME include support in the Windows setup or automatically install PPTP. For 95, NT, and 98, installation
requires a download from Microsoft. Many ISPs have made help pages to assist clients with Windows PPTP
installation.
http://www.real-time.com/Customer_Support/PPTP_Config/pptp_config.html
http://www.microsoft.com/windows95/downloads/contents/WUAdminTools/S_WUNetworkingTools/W95WinsockUpgrade/Default.asp
Sample instructions for PPTP (VPN) installation and client setup - Windows 98SE
If the VPN (PPTP) support is installed, select 'Dial-up Networking' and 'Create a new connection'. The option
to create a 'VPN' should be selected. If there is no 'VPN' option, then follow the installation instructions
below. When asked for the 'Host name or IP address of the VPN server', type the IP address of the router.
Double-click on the 'new' icon and type the correct user name and password (must also be in the user
database on the router or RADIUS server used for authentication).
The setup of the connection takes nine seconds after selecting the 'connect' button. It is suggested that the
connection properties be edited so that 'NetBEUI', 'IPX/SPX compatible', and 'Log on to network' are
unselected. The setup time for the connection will then be two seconds after the 'connect' button is selected.
To install the 'Virtual Private Networking' support for Windows 98SE, go to the 'Settings' menu from the main
'Start' menu. Select 'Control Panel', select 'Add/Remove Programs', select the 'Windows Setup' tab, select the
'Communications' software for installation and 'Details'. Go to the bottom of the list of software and select
'Virtual Private Networking' to be installed.
Troubleshooting
Description

I use a firewall and I cannot establish a PPTP connection

Make sure the TCP connections to port 1723 can pass through in both directions between your sites. Also,
IP protocol 47 (GRE) should be passed through.
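As an added example (Python, not from the manual), the check below runs over a constructed firewall drop log in a generic key=value form (not RouterOS log syntax) and reports, per peer pair, which of the two PPTP components named above (the TCP/1723 control connection and GRE, protocol 47) the firewall dropped and in which direction. The peer addresses reuse the two Internet-facing addresses from the router-to-router example; 203.0.113.5 is a constructed unrelated source.

```python
# Constructed sample log: one PPTP peer whose control and GRE packets are
# dropped inbound, one accepted outbound control packet, and an unrelated
# dropped SSH attempt that the check must ignore.
SAMPLE_LOG = """\
dir=in proto=6 src=192.168.81.1 dst=192.168.80.1 dport=1723 action=drop
dir=in proto=47 src=192.168.81.1 dst=192.168.80.1 action=drop
dir=out proto=6 src=192.168.80.1 dst=192.168.81.1 dport=1723 action=accept
dir=out proto=47 src=192.168.80.1 dst=192.168.81.1 action=accept
dir=in proto=6 src=203.0.113.5 dst=192.168.80.1 dport=22 action=drop
"""

PPTP_CONTROL_PORT = 1723   # TCP port, from the manual
GRE_PROTOCOL = 47          # IP protocol number, from the manual
TCP_PROTOCOL = 6


def parse_log(text):
    """Parse the constructed key=value log lines into dicts; proto and
    dport become integers, everything else stays a string."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split('=', 1) for kv in line.split())
        fields['proto'] = int(fields['proto'])
        if 'dport' in fields:
            fields['dport'] = int(fields['dport'])
        records.append(fields)
    return records


def pptp_blocked_components(records):
    """Return {(src, dst): set of 'component direction'} for every PPTP
    packet the firewall dropped.

    A working tunnel needs both the TCP/1723 control connection and GRE
    (protocol 47) to pass in both directions, so each dropped packet of
    either kind is attributed to its peer pair; all other traffic is
    ignored.
    """
    findings = {}
    for r in records:
        if r['action'] != 'drop':
            continue
        if r['proto'] == TCP_PROTOCOL and r.get('dport') == PPTP_CONTROL_PORT:
            component = 'tcp/1723 control'
        elif r['proto'] == GRE_PROTOCOL:
            component = 'gre data'
        else:
            continue
        findings.setdefault((r['src'], r['dst']), set()).add(f"{component} {r['dir']}")
    return findings
```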