Create remote VPN to office network

Q: I just bought a Routerbox and was hoping to use it to connect to my office VPN, and automatically route packets for the office over the VPN.  But, I am having problems getting the basic VPN functionality to work.  Please see attached for my config, but basically, I have a standard DSL Router and then the Mikrotik behind that.

In any case, I am configuring the Mikrotik using the GUI tool, and go in and set up a New interface using PPTP and put in the destination VPN address and my user name and password.  However, when I try to connect the VPN, it is strange because the GUI says it's active.  BUT, it says it is active no matter what password I put in.  It's almost as if it doesn't try to connect at all.  So the question is, once I set up the VPN interface, is there something I need to do to get the Mikrotik to actually make the connection, or does it just do it automatically?  If so, why is it saying the connection is active even if the wrong password is put in the config?


ANSWER:

 

Take a look at the log (click 'log' on winbox main menu) and review what is happening with the pptp dialler.  When it is connected, you should see a capital letter 'R' show up in the left hand column next to the pptp virtual interface in 'interfaces' list.  (see snapshot for example)

 

 

On the PPTP-client dial-out tab, I recommend that you do NOT enable “add default route” or “dial on demand”. 

 

Dial on demand will cause the connection to drop unless there is traffic attempted to send across the vpn.  If that option is disabled, the router will attempt to keep the vpn link active at all times.

 

If you enable ‘add default route’, all traffic passing through the router will be sent across that link, including traffic destined for internet locations.

 

In order to send only traffic destined for your office lan across the vpn, you will want to add a static route.  Click ‘IP->Routes’ then click ‘+’: 


 

 

In the example shown, the remote (office) network is 192.168.0.0/24 and the remote pptp gateway is 10.1.2.3 – you should modify those for your specific requirements.

 

You probably will also want to use address translation to map your LAN hosts to the vpn IP address.  Click ‘IP->firewall->NAT’ and click ‘+’.  On the ‘General’ tab, select ‘srcnat’ for the chain, and select the pptp virtual interface from the ‘out Interface’ list.  Select the ‘action’ tab, and choose ‘masquerade’.

 


That is essentially all of the common steps that you need to take in order to achieve what you are attempting to do.

 

Any more questions?  Just ask! No bother at all :-)

 

Cheers,  Mike.
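
The same steps as RouterOS terminal commands, as an added example that is not part of the original answer. The interface name `pptp-out1`, the server address 203.0.113.10 and the credentials are placeholders; the office network and gateway are the ones used in the answer.

```routeros
# PPTP client: no default route and no dial-on-demand, so the router keeps
# the tunnel up and internet traffic does not follow it.
# connect-to, user and password are placeholders; use your own values.
/interface pptp-client add name=pptp-out1 connect-to=203.0.113.10 \
    user=OFFICE-USER password=OFFICE-PASSWORD \
    add-default-route=no dial-on-demand=no disabled=no

# Confirm the tunnel really came up. A configured and enabled interface is
# not the same as a connected one: look for the R (running) flag and a
# "connected" status.
/interface print where name=pptp-out1
/interface pptp-client monitor pptp-out1 once

# If it is not running, the dialler's messages are in the log.
/log print where topics~"pptp|ppp"

# Send only office-bound traffic through the tunnel
# (192.168.0.0/24 via 10.1.2.3, as in the answer's example).
/ip route add dst-address=192.168.0.0/24 gateway=10.1.2.3

# Masquerade LAN hosts behind the tunnel address so the office side
# has a return path.
/ip firewall nat add chain=srcnat out-interface=pptp-out1 action=masquerade

# Check that the route is active and the NAT rule is counting packets.
/ip route print where dst-address=192.168.0.0/24
/ip firewall nat print stats
```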