PPTP VPN - multiple ADSL remote locations to Central Office

From MikroTik Wiki

The central location is connected to the Internet with a 10 Mbit link and a public /27 address range (32 addresses, 30 usable), and there are more than 100 remote locations connected to the Internet by ADSL or cable. All of those remote locations have to be in a VPN with headquarters (HQ) and have full access to all network resources.

First, configure the HQ router to allow the HQ network to access the Internet (assign private and public addresses, gateway, NAT...). Next, set up the remote routers to do the same (private addresses, PPPoE dial-up, NAT, routes...) as described in:
- http://wiki.mikrotik.com/wiki/How_to_Connect_your_Home_Network_to_xDSL_Line

Assume the following:

             Address         Subnet mask             Gateway
HQ public    80.80.80.110    255.255.255.224 (/27)   80.80.80.97
HQ private   192.168.3.254   255.255.254.0 (/23)     192.168.3.254

Remote public addresses are dynamic.

                   Address        Subnet mask            Gateway
Remote 1 private   10.0.1.0/24    255.255.255.0 (/24)    10.0.1.254
Remote 2 private   10.0.2.0/24    255.255.255.0 (/24)    10.0.2.254
Remote 3 private   10.0.3.0/24    255.255.255.0 (/24)    10.0.3.254
Remote n private   10.0.n.0/24    255.255.255.0 (/24)    10.0.n.254

First - set up the HQ router.

1. Enabling the server

/ interface l2tp-server server
set enabled=yes max-mtu=1460 max-mru=1460 \
authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption

2. Creating users (one for each remote location)

/ ppp secret
add name="user1" service=l2tp caller-id="" password="P@ssw0rd" \
profile=default-encryption local-address=192.168.3.254 \
remote-address=10.0.1.254 routes="" limit-bytes-in=0 limit-bytes-out=0 \
comment="" disabled=no
add name="user2" service=l2tp caller-id="" password="P@ssw0rd" \
profile=default-encryption local-address=192.168.3.254 \
remote-address=10.0.2.254 routes="" limit-bytes-in=0 limit-bytes-out=0 \
comment="" disabled=no
add name="user3" service=l2tp caller-id="" password="P@ssw0rd" \
profile=default-encryption local-address=192.168.3.254 \
remote-address=10.0.3.254 routes="" limit-bytes-in=0 limit-bytes-out=0 \
comment="" disabled=no

3. Adding routes (they will be "unknown" until the remote users connect)

/ ip route
add dst-address=10.0.1.0/24 gateway=10.0.1.254 scope=255 target-scope=10 \
comment="" disabled=no
add dst-address=10.0.2.0/24 gateway=10.0.2.254 scope=255 target-scope=10 \
comment="" disabled=no
add dst-address=10.0.3.0/24 gateway=10.0.3.254 scope=255 target-scope=10 \
comment="" disabled=no

Second - set up the remote router(s).

1. Creating the client interface on remote location 1

/interface l2tp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 comment="" \
connect-to=80.80.80.110 disabled=no max-mru=1460 max-mtu=1460 \
mrru=disabled name="l2tp-out1" password="P@ssw0rd" \
profile=default-encryption user="user1"

2. Adding the route to the HQ network (it will be inactive until the connection is established)

/ip route
add comment="" disabled=no distance=1 dst-address=192.168.2.0/23 \
gateway=192.168.3.254 scope=255 target-scope=10

3. Optional - if you want your remote locations to communicate with each other

/ip route
add comment="To other offices" disabled=no distance=1 dst-address=10.0.0.0/16 \
gateway=192.168.3.254 scope=255 target-scope=10

Repeat on each remote location, changing the username.
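With more than 100 branches, the HQ-side secret and route (steps 2 and 3 of the HQ setup) and the branch-side client and routes (steps 1 to 3 above) are easy to get out of step by hand. The script below is an added example, not from the MikroTik wiki, that generates both halves for each branch from the page's address plan (10.0.n.0/24, tunnel address 10.0.n.254, HQ LAN 192.168.2.0/23 via 192.168.3.254, server 80.80.80.110). It assumes user names of the form user<n> and, unlike the page's single shared "P@ssw0rd", gives every branch its own random password; it also restricts the client to mschap2 (the page allows pap, chap and mschap1 as well), which is an assumed hardening choice rather than the page's setting. The `check_plan` helper rejects duplicate branches and any branch subnet that would overlap the HQ LAN.

```python
"""Generate the per-branch HQ-side and remote-side RouterOS commands described on this page.

Assumptions (not from the page): user names follow user<n>, branch n uses 10.0.n.0/24
with the tunnel address 10.0.n.254, and every branch gets its own random password.
"""
import ipaddress
import secrets
import string

# Address plan taken from the page.
HQ_PUBLIC = "80.80.80.110"
HQ_PRIVATE_GW = "192.168.3.254"
# 192.168.3.254/23 normalises to the HQ LAN route 192.168.2.0/23 used on the remote side.
HQ_PRIVATE_NET = ipaddress.ip_network(f"{HQ_PRIVATE_GW}/23", strict=False)
BRANCH_SUPERNET = ipaddress.ip_network("10.0.0.0/16")   # "To other offices" route
# Only MS-CHAPv2 is allowed here (assumed hardening); the page also lists pap, chap and
# mschap1, but PAP sends the password in clear text and the older methods are weaker.
ALLOWED_AUTH = "mschap2"

_ALPHABET = string.ascii_letters + string.digits


def new_password(length=20):
    """Random per-branch password (the page reuses one shared password for all branches)."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def valid_branch_number(n):
    """Branch n must fit the third octet of 10.0.n.0/24."""
    return isinstance(n, int) and 1 <= n <= 254


def branch_plan(n):
    """Return (username, branch subnet, tunnel address) for branch n."""
    if not valid_branch_number(n):
        raise ValueError(f"branch number {n!r} does not fit 10.0.n.0/24")
    subnet = ipaddress.ip_network(f"10.0.{n}.0/24")
    tunnel_addr = str(subnet.network_address + 254)     # 10.0.n.254, the page's convention
    return f"user{n}", subnet, tunnel_addr


def hq_commands(n, password):
    """HQ router: one PPP secret plus the route to the branch LAN via its tunnel address."""
    user, subnet, tunnel_addr = branch_plan(n)
    return [
        f'/ppp secret add name="{user}" service=l2tp password="{password}" '
        f'profile=default-encryption local-address={HQ_PRIVATE_GW} '
        f'remote-address={tunnel_addr}',
        f'/ip route add dst-address={subnet} gateway={tunnel_addr} '
        f'scope=255 target-scope=10 comment="branch {n}"',
    ]


def remote_commands(n, password, mesh=False):
    """Branch router: L2TP client, route to the HQ LAN and, optionally, to the other branches."""
    user, _subnet, _tunnel_addr = branch_plan(n)
    cmds = [
        f'/interface l2tp-client add name="l2tp-out1" connect-to={HQ_PUBLIC} '
        f'user="{user}" password="{password}" profile=default-encryption '
        f'allow={ALLOWED_AUTH} add-default-route=no max-mtu=1460 max-mru=1460',
        f'/ip route add dst-address={HQ_PRIVATE_NET} gateway={HQ_PRIVATE_GW} '
        f'scope=255 target-scope=10 comment="HQ LAN"',
    ]
    if mesh:
        cmds.append(
            f'/ip route add dst-address={BRANCH_SUPERNET} gateway={HQ_PRIVATE_GW} '
            f'scope=255 target-scope=10 comment="To other offices"'
        )
    return cmds


def check_plan(branch_numbers):
    """Reject duplicate branches and any branch subnet that clashes with the address plan."""
    if len(set(branch_numbers)) != len(branch_numbers):
        raise ValueError("duplicate branch numbers")
    for n in branch_numbers:
        subnet = branch_plan(n)[1]
        if subnet.overlaps(HQ_PRIVATE_NET) or not subnet.subnet_of(BRANCH_SUPERNET):
            raise ValueError(f"branch {n} subnet {subnet} clashes with the address plan")
    return True


def generate(branch_numbers, mesh=False):
    """Return {n: {"password": ..., "hq": [...], "remote": [...]}} for every branch."""
    check_plan(branch_numbers)
    out = {}
    for n in branch_numbers:
        pw = new_password()
        out[n] = {"password": pw, "hq": hq_commands(n, pw), "remote": remote_commands(n, pw, mesh)}
    return out


if __name__ == "__main__":
    for n, cfg in generate([1, 2, 3], mesh=True).items():
        print(f"# ---- branch {n} (password {cfg['password']}) ----")
        print("\n".join(cfg["hq"] + cfg["remote"]))
```

Run it once, paste the HQ lines into the HQ router and each branch's lines into that branch's router; the generated password is the only value that differs between the two halves for a given branch, so keep the script output somewhere the branch installer can read it.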

Enjoy!