
Overview

RouterOS supports the Point-to-Point Tunneling Protocol (PPTP), which is one of the obsolete methods for implementing a VPN.

Introduction

PPTP has many known security issues and we do not recommend using it. However, this protocol is integrated into common operating systems and is easy to set up. PPTP can be useful in networks where security concerns are not considered.

PPTP traffic uses TCP port 1723 and the IP protocol GRE (Generic Routing Encapsulation, IP protocol ID 47), as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with most firewalls and routers by allowing traffic destined for TCP port 1723, together with protocol 47 traffic, to be routed through the firewall or router. PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication and accounting of each connection may be done through a RADIUS client or locally.

Configuration example

PPTP Client

/interface pptp-client

The following example demonstrates how to set up a PPTP client with username "PPTPuser", password "StrongPass" and server 172.16.16.1:

[admin@MikroTik] > interface pptp-client add name=PPTPuser user=PPTPuser password=StrongPass connect-to=172.16.16.1 disabled=no
[admin@MikroTik] > interface pptp-client print
Flags: X - disabled; R - running
0 name="PPTPuser" max-mtu=1450 max-mru=1450 mrru=disabled connect-to=172.16.16.1 user="PPTPuser" password="StrongPass" profile=default-encryption
keepalive-timeout=60 add-default-route=no dial-on-demand=no allow=pap,chap,mschap1,mschap2

PPTP Server

/interface pptp-server

An interface is created for each tunnel established to the given server. There are two types of interfaces in the PPTP server's configuration:

  • Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user;
  • Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is already active, as there cannot be two separate tunnel interfaces referenced by the same name).

Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that user in the router configuration (for example, in the firewall). If you need persistent rules for that user, create a static entry for that user. Otherwise, it is safe to use a dynamic configuration.

In both cases PPP users must be configured properly - static entries do not replace PPP configuration.
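The server side of the client example above, as an added example that is not part of the original page: it creates the PPP user, binds a static interface to it, opens TCP 1723 and GRE in the firewall, and narrows authentication to mschap2 instead of the pap,chap,mschap1,mschap2 set shown in the client output. The addresses (10.0.0.1, 10.0.0.2, 10.10.10.0/24, 192.0.2.0/24) and the interface name pptp-in-PPTPuser are constructed placeholders.

```routeros
# Added example; addresses and the interface name are placeholders.

# PPP user for the tunnel. A static interface does not replace this entry.
/ppp secret add name=PPTPuser password=StrongPass service=pptp \
    profile=default-encryption local-address=10.0.0.1 remote-address=10.0.0.2

# Static interface bound to that user, so rules can reference it by name.
/interface pptp-server add name=pptp-in-PPTPuser user=PPTPuser

# Enable the server and accept MS-CHAPv2 only.
/interface pptp-server server set enabled=yes authentication=mschap2 \
    default-profile=default-encryption

# Allow the PPTP control channel (TCP 1723) and GRE (IP protocol 47),
# limited to the known client network (placeholder range).
/ip firewall filter add chain=input protocol=tcp dst-port=1723 \
    src-address=192.0.2.0/24 action=accept comment="PPTP control"
/ip firewall filter add chain=input protocol=gre \
    src-address=192.0.2.0/24 action=accept comment="PPTP GRE"

# Persistent rule that depends on the static interface name.
/ip firewall filter add chain=forward in-interface=pptp-in-PPTPuser \
    dst-address=10.10.10.0/24 action=accept comment="PPTPuser to LAN"

# On the client router: offer only mschap2 for the entry created earlier.
/interface pptp-client set PPTPuser allow=mschap2
```

Place the two input-chain accept rules above any general drop rule, otherwise the control connection or the GRE data channel is blocked before it matches.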