PPTP VPN - multiple ADSL remote locations to Central Office
Configuring my company's router, I stumbled across a few problems, fortunately solved them ("with a little help from our friends..."), and now I would like to share the solution and maybe help someone with the same problem.
I have a central location connected to the Internet with a 10 Mbit link, a public range of addresses /27 (32 addresses, 30 usable), and I also have more than 100 remote locations connected to the Internet by ADSL or cable. All those remote connections have to be in a VPN with headquarters (HQ) and have full access to all network resources.
This is how I did it.
First you have to configure the HQ router to allow the HQ network to access the Internet (assign private and public addresses, gateway, NAT...), then you have to set up the remote routers to do the same (private address, PPPoE dial-up, NAT, routes... - see http://wiki.mikrotik.com/wiki/How_to_Connect_your_Home_Network_to_xDSL_Line).
We will assume the following:
HQ public address is 80.80.80.110, subnet mask 255.255.255.224 (/27), GW is 80.80.80.97
HQ private address is 192.168.3.254, subnet mask 255.255.254.0 (/23), GW is 192.168.3.254
Remote public addresses are dynamic
Remote private addresses are:
Remote 1: 10.0.1.0/24, GW is 10.0.1.254
Remote 2: 10.0.2.0/24, GW is 10.0.2.254
Remote 3: 10.0.3.0/24, GW is 10.0.3.254
First we will set up HQ router.
1. Enabling the server:
/interface l2tp-server server set enabled=yes max-mtu=1460 max-mru=1460 \
    authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
2. Creating users (one for each remote location):
/ppp secret
add name="user1" service=l2tp caller-id="" password="P@ssw0rd" \
    profile=default-encryption local-address=192.168.3.254 \
    remote-address=10.0.1.254 routes="" limit-bytes-in=0 limit-bytes-out=0 \
    comment="" disabled=no
add name="user2" service=l2tp caller-id="" password="P@ssw0rd" \
    profile=default-encryption local-address=192.168.3.254 \
    remote-address=10.0.2.254 routes="" limit-bytes-in=0 limit-bytes-out=0 \
    comment="" disabled=no
add name="user3" service=l2tp caller-id="" password="P@ssw0rd" \
    profile=default-encryption local-address=192.168.3.254 \
    remote-address=10.0.3.254 routes="" limit-bytes-in=0 limit-bytes-out=0 \
    comment="" disabled=no
3. Adding routes (they will be "unknown" until the remote users connect):
/ip route
add dst-address=10.0.1.0/24 gateway=10.0.1.254 scope=255 target-scope=10 \
    comment="" disabled=no
add dst-address=10.0.2.0/24 gateway=10.0.2.254 scope=255 target-scope=10 \
    comment="" disabled=no
add dst-address=10.0.3.0/24 gateway=10.0.3.254 scope=255 target-scope=10 \
    comment="" disabled=no
Second, we will set up the remote router(s).
1. Creating the client interface on remote location 1:
/interface l2tp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \
    connect-to=80.80.80.110 disabled=no max-mru=1460 max-mtu=1460 \
    mrru=disabled name="l2tp-out1" password="P@ssw0rd" \
    profile=default-encryption user="user1"
2. Adding the route to the HQ network (it will be inactive until the connection is established):
/ip route
add comment="" disabled=no distance=1 dst-address=192.168.2.0/23 \
    gateway=192.168.3.254 scope=255 target-scope=10
3. Optional - if you want your remote locations to communicate with each other:
/ip route
add comment="To other offices" disabled=no distance=1 dst-address=10.0.0.0/16 \
    gateway=192.168.3.254 scope=255 target-scope=10
Repeat on each location, changing the username.
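As an added example (not part of the original article), a small Python generator for the per-site commands above, so that with 100+ sites the "repeat on each location" step is not done by hand. It follows the article's addressing (site N gets 10.0.N.0/24 with gateway 10.0.N.254, HQ side 192.168.3.254, HQ LAN 192.168.2.0/23) and rejects site numbers that do not fit the 10.0.0.0/16 summary route; the per-site random password and the mschap2-only client setting are this example's choices, not the article's.

```python
# Added example, not the article's own configuration: emit the HQ-side and
# remote-side RouterOS commands for each site from a list of (n, user, password).
import ipaddress
import secrets

HQ_PUBLIC = "80.80.80.110"    # HQ public address (from the article)
HQ_PRIVATE = "192.168.3.254"  # HQ LAN gateway and local-address of every tunnel
HQ_LAN = "192.168.2.0/23"     # HQ private network; 192.168.3.254 lies inside it
ALL_SITES = "10.0.0.0/16"     # summary route for office-to-office traffic


def site_addresses(n):
    """Return (lan, gateway) for remote site n: 10.0.n.0/24 and 10.0.n.254."""
    if not 1 <= n <= 254:
        raise ValueError("site number must be 1..254 to fit inside 10.0.0.0/16")
    lan = ipaddress.ip_network(f"10.0.{n}.0/24")
    return str(lan), str(lan.network_address + 254)


def new_site_password():
    """One random secret per site (the article reuses P@ssw0rd; assumption: unique)."""
    return secrets.token_urlsafe(16)


def hq_commands(sites):
    """HQ router: one ppp secret and one route per (n, user, password) tuple."""
    lines = []
    for n, user, password in sites:
        lan, gw = site_addresses(n)
        lines.append(f'/ppp secret add name="{user}" service=l2tp password="{password}" '
                     f'profile=default-encryption local-address={HQ_PRIVATE} remote-address={gw}')
        lines.append(f'/ip route add dst-address={lan} gateway={gw} scope=255 target-scope=10 '
                     f'comment="{user}"')
    return "\n".join(lines)


def remote_commands(n, user, password, other_offices=True):
    """Remote router at site n: l2tp client, route to HQ, optional route to other sites."""
    site_addresses(n)  # validates the site number only
    lines = [
        f'/interface l2tp-client add name="l2tp-out1" connect-to={HQ_PUBLIC} user="{user}" '
        f'password="{password}" profile=default-encryption allow=mschap2 '
        f'add-default-route=no max-mtu=1460 max-mru=1460',
        f'/ip route add dst-address={HQ_LAN} gateway={HQ_PRIVATE} scope=255 target-scope=10',
    ]
    if other_offices:
        lines.append(f'/ip route add dst-address={ALL_SITES} gateway={HQ_PRIVATE} '
                     f'scope=255 target-scope=10 comment="To other offices"')
    return "\n".join(lines)
```

Paste the hq_commands() output into the HQ router once and the remote_commands() output for site N into that site's router; the generated password for each site must be the same on both sides.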