PPTP Tunnel

Document revision 1.7 (January 16, 2008, 9:10 GMT)


This document applies to V3.0

Table of Contents
General Information
Summary
Quick Setup Guide
Specifications
Description
Additional Documents
PPTP Client Setup
Property Description
Notes
Example
Monitoring PPTP Client
Property Description
Example
PPTP Server Setup
Description
Property Description
Notes
Example
PPTP Tunnel Interfaces
Description
Property Description
Example
PPTP Application Examples
Router-to-Router Secure Tunnel Example
Connecting a Remote Client via PPTP Tunnel
PPTP Setup for Windows
Sample instructions for PPTP (VPN) installation and client setup - Windows 98SE
Troubleshooting
Description

General Information

Summary

Copyright 1999-2007, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registered trademarks mentioned herein are properties of their respective owners.

Quick Setup Guide

[admin@PPTP-Server] ppp secret> add name=user password=passwd \
\... local-address=10.0.0.1 remote-address=10.0.0.2

[admin@PPTP-Server] interface pptp-server server> set enabled=yes

[admin@PPTP-Client] interface pptp-client> add user=user password=passwd \
\... connect-to=10.5.8.104 disabled=no

Specifications
Packages required: ppp
License required: level1 (limited to 1 tunnel), level3 (limited to 200 tunnels), level5
Home menu level: /interface pptp-server, /interface pptp-client
Standards and Technologies: PPTP (RFC 2637)
Hardware usage: Not significant

Description

Additional Documents


PPTP Client Setup


Home menu level: /interface pptp-client

Property Description
add-default-route (yes | no; default: no) - whether to use the server which this client is connected
to as its default router (gateway)
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) -
the protocol to allow the client to use for authentication
connect-to (IP address) - The IP address of the PPTP server to connect to
max-mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte Ethernet link, set the MRU
to 1460 to avoid fragmentation of packets)
max-mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of
the interface the tunnel is working over decreased by 40 (so, for 1500-byte Ethernet link, set the
MTU to 1460 to avoid fragmentation of packets)
mrru (integer: 512..65535; default: disabled) - maximum packet size that can be received on the
link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size
IP or Ethernet packets to be sent over the tunnel
• disabled - disable MRRU on this link
name (name; default: pptp-outN) - interface name for reference
password (text; default: "") - user password to use when logging on to the remote server
profile (name; default: default) - profile to use when connecting to the remote server

user (text) - user name to use when logging on to the remote server

Notes

Example

[admin@MikroTik] interface pptp-client> add name=test2 connect-to=10.1.1.12 \
\... user=john add-default-route=yes password=john
[admin@MikroTik] interface pptp-client> print
Flags: X - disabled, R - running
0 X name="test2" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=10.1.1.12
user="john" password="john" profile=default add-default-route=yes
allow=pap,chap,mschap1,mschap2
[admin@MikroTik] interface pptp-client> enable 0

Monitoring PPTP Client


Command name: /interface pptp-client monitor

Property Description
encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this
connection
idle-time (read-only: time) - time since the last packet has been transmitted over this link
mru (read-only: integer) - effective MRU of the link
mtu (read-only: integer) - effective MTU of the link
status (text) - status of the client
• dialing - attempting to make a connection
• verifying password... - connection has been established to the server, password verification in
progress
• connected - self-explanatory
• terminated - interface is not enabled or the other side will not establish a connection
uptime (time) - connection time displayed in days, hours, minutes and seconds

Example

[admin@MikroTik] interface pptp-client> monitor test2
status: "connected"
uptime: 6h44m9s
idle-time: 6h44m9s
encoding: "MPPE128 stateless"

mtu: 1460
mru: 1460
[admin@MikroTik] interface pptp-client>

PPTP Server Setup


Home menu level: /interface pptp-server server

Description

Property Description
authentication (multiple choice: pap | chap | mschap1 | mschap2; default: mschap2) -
authentication algorithm
default-profile - default profile to use
enabled (yes | no; default: no) - defines whether PPTP server is enabled or not
keepalive-timeout (time; default: 30) - defines the time period (in seconds) after which the router
starts sending keepalive packets every second. If no traffic and no keepalive responses have come
for that period of time (i.e. 2 * keepalive-timeout), the non-responding client is proclaimed disconnected
max-mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MRU
to 1460 to avoid fragmentation of packets)
max-mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of
the interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the
MTU to 1460 to avoid fragmentation of packets)
mrru (integer: 512..65535; default: disabled) - maximum packet size that can be received on the
link. If a packet is bigger than tunnel MTU, it will be split into multiple packets, allowing full size
IP or Ethernet packets to be sent over the tunnel
• disabled - disable MRRU on this link

Notes

Example

[admin@MikroTik] interface pptp-server server> set enabled=yes
[admin@MikroTik] interface pptp-server server> print
enabled: yes

max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2,mschap1
keepalive-timeout: 30
default-profile: default
[admin@MikroTik] interface pptp-server server>
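
The allow (client) and authentication (server) properties above decide which PPP authentication methods a tunnel will accept, and the encoding field shows whether MPPE was actually negotiated. The following Python audit is an added example, not MikroTik code: it parses print output in the two layouts shown on this page and reports every method enabled besides mschap2. The sample inputs are constructed from the page's own outputs, and the mschap2-only policy and all function names are assumptions.

```python
import re

# Constructed sample input, shaped like the `print` outputs shown on this page.
CLIENT_PRINT = '''\
Flags: X - disabled, R - running
0 R name="pptp-out1" mtu=1460 mru=1460 mrru=disabled connect-to=192.168.80.1
user="ex" password="lkjrht" profile=default add-default-route=no
allow=pap,chap,mschap1,mschap2
'''
SERVER_PRINT = '''\
enabled: yes
max-mtu: 1460
authentication: mschap2,mschap1
keepalive-timeout: 30
'''

STRONGEST = "mschap2"  # assumption: local policy permits only MS-CHAPv2


def parse_properties(text):
    """Collect key=value (item print) and 'key: value' (settings print) pairs."""
    props = {}
    for line in text.splitlines():
        if line.startswith("Flags:"):
            continue  # legend line, not a property
        m = re.fullmatch(r"\s*([a-z-]+):\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
            continue
        for key, val in re.findall(r'([a-z-]+)=("[^"]*"|\S*)', line):
            props[key] = val.strip('"')
    return props


def audit_auth(text):
    """Return the sorted auth methods enabled in addition to the strongest one."""
    props = parse_properties(text)
    # The client calls the property `allow`, the server `authentication`.
    raw = props.get("allow") or props.get("authentication") or ""
    methods = {m.strip() for m in raw.split(",") if m.strip()}
    return sorted(methods - {STRONGEST})


def encrypted(encoding):
    """True when a monitor/interface `encoding` value reports MPPE."""
    return encoding.strip('"').upper().startswith("MPPE")


if __name__ == "__main__":
    print("client extra methods:", audit_auth(CLIENT_PRINT))
    print("server extra methods:", audit_auth(SERVER_PRINT))
    print("MPPE128 stateless encrypted:", encrypted('"MPPE128 stateless"'))
    print("none encrypted:", encrypted("none"))
```

An empty list from audit_auth means only mschap2 is enabled; any other result names the methods to remove from allow or authentication.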

PPTP Tunnel Interfaces


Home menu level: /interface pptp-server

Description

Property Description
client-address (read-only: IP address) - shows the IP address of the connected client
encoding (read-only: text) - encryption and encoding (if asymmetric, separated with '/') being used
in this connection
mru (read-only: integer) - client's MRU
mtu (read-only: integer) - client's MTU
name (name) - interface name
uptime (read-only: time) - shows how long the client is connected
user (name) - the name of the user that is configured statically or added dynamically

Example

[admin@MikroTik] interface pptp-server> add user=ex1
[admin@MikroTik] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 DR <pptp-ex> ex 1460 10.0.0.202 6m32s none
1 pptp-in1 ex1
[admin@MikroTik] interface pptp-server>


PPTP Application Examples

Router-to-Router Secure Tunnel Example

[admin@HomeOffice] ppp secret> add name=ex service=pptp password=lkjrht \
\... local-address=10.0.103.1 remote-address=10.0.103.2
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes==""

[admin@HomeOffice] ppp secret>


[admin@HomeOffice] interface pptp-server> add user=ex
[admin@HomeOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 pptp-in1 ex
[admin@HomeOffice] interface pptp-server>

[admin@HomeOffice] interface pptp-server server> set enabled=yes
[admin@HomeOffice] interface pptp-server server> print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: default
[admin@HomeOffice] interface pptp-server server>

[admin@RemoteOffice] interface pptp-client> add connect-to=192.168.80.1 user=ex \
\... password=lkjrht disabled=no
[admin@RemoteOffice] interface pptp-client> print
Flags: X - disabled, R - running
0 R name="pptp-out1" mtu=1460 mru=1460 mrru=disabled connect-to=192.168.80.1
user="ex" password="lkjrht" profile=default add-default-route=no
allow=pap,chap,mschap1,mschap2
[admin@RemoteOffice] interface pptp-client>

[admin@HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2
[admin@RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1


     
 
 
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes==""
[admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2
routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret>

 

 
 
[admin@RemoteOffice]> /ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms

 

  

[admin@RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms


Connecting a Remote Client via PPTP Tunnel

[admin@RemoteOffice] ppp secret> add name=ex service=pptp password=lkjrht \
\... local-address=10.150.1.254 remote-address=10.150.1.2
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
0 name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.150.1.254 remote-address=10.150.1.2 routes==""
[admin@RemoteOffice] ppp secret>


[admin@RemoteOffice] interface pptp-server> add name=FromLaptop user=ex
[admin@RemoteOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
# NAME USER MTU CLIENT-ADDRESS UPTIME ENC...
0 FromLaptop ex
[admin@RemoteOffice] interface pptp-server>

[admin@RemoteOffice] interface pptp-server server> set enabled=yes
[admin@RemoteOffice] interface pptp-server server> print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap2
keepalive-timeout: 30
default-profile: default
[admin@RemoteOffice] interface pptp-server server>

[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X - disabled, R - running
# NAME MTU MAC-ADDRESS ARP
0 R ToInternet 1500 00:30:4F:0B:7B:C1 enabled
1 R Office 1500 00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>

PPTP Setup for Windows

Sample instructions for PPTP (VPN) installation and client setup - Windows 98SE



Troubleshooting

Description
