PPTP VPN - multiple ADSL remote locations to Central Office
The central location is connected to the Internet with a 10 Mbit link and a public /27 range (32 addresses, 30 usable), and there are more than 100 remote locations connected to the Internet by ADSL or cable. All those remote sites have to be in a VPN with headquarters (HQ) and have full access to all network resources. Although the title says PPTP, the commands below set up the L2TP server and client; PPTP uses the same layout with /interface pptp-server and /interface pptp-client.
First configure the HQ router to allow the HQ network to access the Internet (assign private and public addresses, gateway, NAT...). Next set up the remote routers to do the same (private address, PPPoE dial-up, NAT, routes...), for example as described here. Keep the masquerade rule on each router bound to the Internet interface (out-interface), not to all outgoing traffic: packets entering the tunnel must keep their private source address, otherwise connections opened from a remote LAN arrive at HQ with the tunnel address as their source.
- http://wiki.mikrotik.com/wiki/How_to_Connect_your_Home_Network_to_xDSL_Line
We will assume the following:
HQ public address is 80.80.80.110
subnet mask is 255.255.255.224 (/27)
GW is 80.80.80.97
HQ private address is 192.168.3.254
subnet mask is 255.255.254.0 (/23), so the HQ network is 192.168.2.0/23
GW is 192.168.3.254
Remote public addresses are dynamic
Remote private addresses are:
Remote 1 10.0.1.0/24
GW is 10.0.1.254
Remote 2 10.0.2.0/24
GW is 10.0.2.254
Remote 3 10.0.3.0/24
GW is 10.0.3.254
First we will set up the HQ router.
1. Enabling the server
/interface l2tp-server server set enabled=yes max-mtu=1460 max-mru=1460 \
    authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
The HQ firewall must accept UDP port 1701 (L2TP) on the public interface. The default-encryption profile requires MPPE, whose keys are derived from the MS-CHAP exchange, so PAP and CHAP clients cannot bring up an encrypted session anyway; listing mschap2 alone is the safer setting. Plain L2TP carries no encryption of its own: unless IPsec is added (use-ipsec on the server and client, RouterOS v6 and later), MPPE is the only protection the tunnel has.
2. Creating users (one for each remote location). The password shown is a placeholder; give every site its own strong password, so that one compromised remote router cannot impersonate the others.
/ppp secret
add name="user1" service=l2tp caller-id="" password="P@ssw0rd" \
    profile=default-encryption local-address=192.168.3.254 \
    remote-address=10.0.1.254 routes="" limit-bytes-in=0 limit-bytes-out=0 \
    comment="" disabled=no
add name="user2" service=l2tp caller-id="" password="P@ssw0rd" \
    profile=default-encryption local-address=192.168.3.254 \
    remote-address=10.0.2.254 routes="" limit-bytes-in=0 limit-bytes-out=0 \
    comment="" disabled=no
add name="user3" service=l2tp caller-id="" password="P@ssw0rd" \
    profile=default-encryption local-address=192.168.3.254 \
    remote-address=10.0.3.254 routes="" limit-bytes-in=0 limit-bytes-out=0 \
    comment="" disabled=no
3. Adding routes (they stay inactive, with the gateway shown as "unknown", until the remote users connect). When a site connects, its remote-address 10.0.x.254 is attached to the dynamic L2TP interface as a connected /32 route, and target-scope=10 lets the static route resolve through that connected route.
/ip route
add dst-address=10.0.1.0/24 gateway=10.0.1.254 scope=255 target-scope=10 \
    comment="" disabled=no
add dst-address=10.0.2.0/24 gateway=10.0.2.254 scope=255 target-scope=10 \
    comment="" disabled=no
add dst-address=10.0.3.0/24 gateway=10.0.3.254 scope=255 target-scope=10 \
    comment="" disabled=no
Alternatively, put the route in the routes= field of each ppp secret (for example routes="10.0.1.0/24 10.0.1.254 1"); RouterOS then installs it only while that session is up.
Second we will set up the remote router(s).
1. Creating the client interface on remote location 1
/interface l2tp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \
    connect-to=80.80.80.110 disabled=no max-mru=1460 max-mtu=1460 \
    mrru=disabled name="l2tp-out1" password="P@ssw0rd" \
    profile=default-encryption user="user1"
add-default-route=no keeps the remote site's Internet traffic on its own ADSL line; only the HQ and office networks are sent through the tunnel by the routes below. As on the server, allow=mschap2 is the safer choice.
2. Adding a route to the HQ network (will be inactive until the connection is established). The destination is 192.168.2.0/23, the whole /23 that contains 192.168.3.254; the gateway is the HQ end of the tunnel.
/ip route
add comment="" disabled=no distance=1 dst-address=192.168.2.0/23 \
    gateway=192.168.3.254 scope=255 target-scope=10
3. Optional - if you want your remote locations to communicate with each other, send the whole 10.0.0.0/16 through HQ. The site's own LAN is still reached directly, because its connected /24 is more specific than this summary route; traffic between two remote sites always passes through HQ.
/ip route
add comment="To other offices" disabled=no distance=1 dst-address=10.0.0.0/16 \
    gateway=192.168.3.254 scope=255 target-scope=10
Repeat on each location, changing the username and password (user2 with 10.0.2.0/24 and gateway 10.0.2.254 for remote 2, and so on); the remote-address in the matching ppp secret must be that site's LAN gateway address.
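With more than 100 sites the three blocks above are better generated than typed. The following script is an added example, not part of the wiki page or of RouterOS: it derives the HQ ppp secrets and each remote's client configuration from a site table, gives every site its own random password, and applies the stricter settings discussed above (MS-CHAPv2 only, IPsec required on the L2TP server, input rules for the L2TP/IPsec ports, the per-site route carried in the secret's routes= field). The interface names ether1-gateway and pppoe-out1, the IPsec pre-shared key and the RouterOS v6 use-ipsec syntax are assumptions for illustration.

```python
"""Generate the RouterOS commands of this page for any number of sites.

Added example, not from the original wiki page. Interface names
(ether1-gateway, pppoe-out1) and the IPsec pre-shared key are assumptions.
"""
import ipaddress
import secrets

HQ_PUBLIC = "80.80.80.110"
HQ_LAN_GW = ipaddress.ip_interface("192.168.3.254/23")  # 255.255.254.0 on the page
HQ_LAN = HQ_LAN_GW.network                              # 192.168.2.0/23
SPOKE_SUPERNET = ipaddress.ip_network("10.0.0.0/16")    # "To other offices" route
HQ_WAN_IFACE = "ether1-gateway"  # assumed name of the HQ Internet interface
REMOTE_WAN_IFACE = "pppoe-out1"  # assumed name of the remote ADSL interface


def spoke_sites(count):
    """Site n gets 10.0.n.0/24 with .254 as gateway, the page's scheme (n <= 254)."""
    sites = []
    for n in range(1, count + 1):
        net = ipaddress.ip_network(f"10.0.{n}.0/24")
        sites.append({"user": f"user{n}", "lan": net, "gw": net.network_address + 254})
    return sites


def validate(sites):
    """Reject site tables that would break routing: a LAN overlapping HQ,
    a LAN outside the 10.0.0.0/16 summary, or two sites sharing a prefix."""
    seen = []
    for s in sites:
        if s["lan"].overlaps(HQ_LAN):
            raise ValueError(f"{s['user']}: {s['lan']} overlaps HQ LAN {HQ_LAN}")
        if not s["lan"].subnet_of(SPOKE_SUPERNET):
            raise ValueError(f"{s['user']}: {s['lan']} is outside {SPOKE_SUPERNET}")
        for other in seen:
            if s["lan"].overlaps(other):
                raise ValueError(f"{s['user']}: {s['lan']} overlaps {other}")
        seen.append(s["lan"])
    return True


def hq_config(sites, ipsec_secret):
    """HQ side. Returns (commands, {user: password}). Each site's route is put
    in the secret's routes= field, so it exists only while that site is up."""
    lines = [
        "/interface l2tp-server server set enabled=yes max-mtu=1460 max-mru=1460 \\",
        "    authentication=mschap2 default-profile=default-encryption \\",
        f'    use-ipsec=required ipsec-secret="{ipsec_secret}"',
        "/ip firewall filter",
        # move these two accept rules above any drop rule already in the input chain
        f"add chain=input in-interface={HQ_WAN_IFACE} protocol=udp dst-port=500,4500,1701 action=accept",
        f"add chain=input in-interface={HQ_WAN_IFACE} protocol=ipsec-esp action=accept",
        "/ppp secret",
    ]
    passwords = {}
    for s in sites:
        passwords[s["user"]] = secrets.token_urlsafe(24)  # distinct secret per site
        lines.append(
            f'add name="{s["user"]}" service=l2tp password="{passwords[s["user"]]}" '
            f"profile=default-encryption local-address={HQ_LAN_GW.ip} "
            f'remote-address={s["gw"]} routes="{s["lan"]} {s["gw"]} 1"'
        )
    return "\n".join(lines), passwords


def remote_config(site, password, ipsec_secret):
    """One remote router. Masquerade is bound to the ADSL interface only, so
    traffic entering the tunnel keeps its real 10.0.n.x source address."""
    return "\n".join([
        "/interface l2tp-client",
        f'add name=l2tp-out1 connect-to={HQ_PUBLIC} user="{site["user"]}" password="{password}" \\',
        "    profile=default-encryption allow=mschap2 add-default-route=no \\",
        f'    use-ipsec=yes ipsec-secret="{ipsec_secret}" max-mtu=1460 max-mru=1460 disabled=no',
        "/ip firewall nat",
        f"add chain=srcnat out-interface={REMOTE_WAN_IFACE} action=masquerade",
        "/ip route",
        f'add dst-address={HQ_LAN} gateway={HQ_LAN_GW.ip} comment="To HQ"',
        f'add dst-address={SPOKE_SUPERNET} gateway={HQ_LAN_GW.ip} comment="To other offices"',
    ])


if __name__ == "__main__":
    sites = spoke_sites(3)          # the three remotes of the page
    validate(sites)
    psk = secrets.token_urlsafe(32)
    hq, passwords = hq_config(sites, psk)
    print(hq)
    for s in sites:
        print(f"\n# ---- {s['user']} ({s['lan']}) ----")
        print(remote_config(s, passwords[s["user"]], psk))
```

Paste the HQ block into the HQ router's terminal and each site's block into that site's router; the generated passwords are printed only once, so store them with your configuration records. The validate step is there because, with a hundred sites, a duplicated /24 or a LAN outside 10.0.0.0/16 silently produces a site that is reachable from HQ but not from the other offices.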