Module 8
2013-01-01
Tunnels
PPP settings
PPP profile
PPP secret
PPP secrets are found on PPP servers and they specify the basic parameters
required to authenticate a client, such as:
Profile : The configuration subset to be used by this user. Profiles allow parameters to be
Clients do not use PPP secrets; their authentication credentials are
specified on the PPP client's interface under the "user" and "password" parameters.
/ppp secret
add name=Pod4-external password=pod4-123 profile=Profile-external routes=\
192.168.4.0/24
add name=alain password=alain!! profile=Profile-internal
PPP status
 NAME          SERVICE  CALLER-ID          ADDRESS        UPTIME  ENCODING
 alain         pppoe    28:D2:44:2C:06:EE  192.168.5.100  4m12s   MPPE128 statefull
 Pod4-exte...  pppoe    D4:CA:6D:8E:1A:97  192.168.222.2  53s     MPPE128 stateless
IP pool
Creating a pool
An IP pool is not only used for DHCP, as we saw earlier in this course;
it can also be used for PPP and Hotspot clients.
Managing ranges
/ip pool
add name=Pool-PC ranges=192.168.5.50-192.168.5.99
add name=Pool-VPN ranges=192.168.5.100-192.168.5.149
Managing ranges
 #  NAME      RANGES
 0  Pool-PC   192.168.5.50-192.168.5.99
 1  Pool-VPN  192.168.5.100-192.168.5.149
/ip pool
set 0 ranges=192.168.5.50-192.168.5.99,192.168.5.150-192.168.5.199
 #  NAME      RANGES
 0  Pool-PC   192.168.5.50-192.168.5.99
              192.168.5.150-192.168.5.199
 1  Pool-VPN  192.168.5.100-192.168.5.149
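The pool commands above are RouterOS CLI and cannot be exercised outside a router. As an added example that is not part of the course material, the Python script below parses an /ip pool export of the same shape, reports how many addresses each pool can lease, and checks that no two pools hand out the same address, which is the mistake to avoid when one subnet is split between PC and VPN clients as it is here. The sample export is constructed from the commands shown in this module; the CIDR branch of the parser is an extension for convenience, RouterOS documents the from-to form.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the /ip pool commands from this module, not captured from a live router.
SAMPLE_POOL_EXPORT = """\
/ip pool
add name=Pool-PC ranges=192.168.5.50-192.168.5.99,192.168.5.150-192.168.5.199
add name=Pool-VPN ranges=192.168.5.100-192.168.5.149
"""

Ranges = List[Tuple[int, int]]  # (first, last) address pairs as integers


def parse_pool_export(text: str) -> Dict[str, Ranges]:
    """Return {pool name: [(first, last), ...]} from the 'add' lines of an /ip pool export."""
    pools: Dict[str, Ranges] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        fields = dict(tok.split("=", 1) for tok in line[4:].split())
        ranges: Ranges = []
        for item in fields["ranges"].split(","):
            if "-" in item:
                lo, hi = item.split("-", 1)
            else:
                # single address or CIDR block: accepted by this parser as a convenience
                net = ipaddress.ip_network(item, strict=False)
                lo, hi = str(net[0]), str(net[-1])
            first, last = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
            if first > last:
                raise ValueError(f"range {item!r} in pool {fields['name']} is reversed")
            ranges.append((first, last))
        pools[fields["name"]] = ranges
    return pools


def pool_size(ranges: Ranges) -> int:
    """Number of addresses the pool can hand out."""
    return sum(last - first + 1 for first, last in ranges)


def find_overlaps(pools: Dict[str, Ranges]) -> List[Tuple[str, str, str]]:
    """(pool_a, pool_b, shared range) for every pair of pools that could lease the same address."""
    names = sorted(pools)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for fa, la in pools[a]:
                for fb, lb in pools[b]:
                    lo, hi = max(fa, fb), min(la, lb)
                    if lo <= hi:
                        overlaps.append((a, b, f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)}"))
    return overlaps


def pools_inside(pools: Dict[str, Ranges], network: str) -> Dict[str, bool]:
    """True for each pool whose ranges all lie inside 'network' (the LAN the pool serves)."""
    net = ipaddress.ip_network(network)
    lo, hi = int(net[0]), int(net[-1])
    return {name: all(lo <= first and last <= hi for first, last in rngs)
            for name, rngs in pools.items()}


if __name__ == "__main__":
    pools = parse_pool_export(SAMPLE_POOL_EXPORT)
    for name, rngs in pools.items():
        print(f"{name}: {pool_size(rngs)} addresses")
    print("overlaps:", find_overlaps(pools) or "none")
```

Run against the two pools of this module the script reports 100 addresses for Pool-PC, 50 for Pool-VPN and no overlap; feeding it a pool pair that shares 192.168.5.100-192.168.5.120 names the shared range so it can be fixed before two clients receive the same lease.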
Assigning to a service
PPPoE
PPPoE service-name
The service-name can be seen as the SSID of 802.11, meaning that it's
the network name that the client is looking for.
Unlike the SSID, if the client doesn't specify one, the access
concentrator (PPPoE server) will send all service-names that it
serves. The client will respond to the first one it gets.
You CANNOT reach a PPPoE server through routers. Since it's a layer
2 protocol, the server can only be reached from the same Ethernet
broadcast domain that the clients are on.
IP pools
PPP profiles
PPP secrets
Create the server interface on the physical interface facing the clients.
/ip pool
add name=Pool-PC ranges=192.168.5.50-192.168.5.99,192.168.5.150-192.168.5.199
add name=Pool-VPN ranges=192.168.5.100-192.168.5.149
/ppp profile
add change-tcp-mss=yes local-address=192.168.222.1 name=Profile-external \
remote-address=192.168.222.2 use-compression=yes use-encryption=yes \
use-vj-compression=no
add change-tcp-mss=no dns-server=192.168.5.1 local-address=192.168.5.1 name=\
Profile-internal remote-address=Pool-VPN use-compression=yes use-encryption=\
yes use-vj-compression=no
/ppp secret
add name=Pod4-external password=pod4-123 profile=Profile-external routes=\
192.168.4.0/24
add name=alain password=alain!! profile=Profile-internal
Tip :
You can leave an Ethernet port without a master port, a bridge or an IP
address and the client that is connected to this port can still get Internet
access if your PPPoE server (and the PPPoE client) is properly
configured.
Point-to-point addresses
If you wish to use a different profile than the default ones, create it
first. You won't have to come back to it later.
Create the client interface on the interface facing the ISP.
You're done!
Tip :
Your router would not have to be configured with a DHCP client on the
WAN interface and it would still work if the PPPoE server is on the same
layer 2 infrastructure as the WAN port.
/ppp profile
add change-tcp-mss=yes name=Profile-external use-compression=yes \
use-encryption=yes use-vj-compression=no
/interface pppoe-client
add ac-name="" add-default-route=yes allow=mschap2 \
default-route-distance=1 dial-on-demand=no disabled=no \
interface=ether1 keepalive-timeout=60 max-mru=1480 max-mtu=1480 \
mrru=disabled name=Client-PPPoE password=pod4-123 profile=\
Profile-external service-name="" use-peer-dns=no user=\
Pod4-external
PPTP is a layer 3 tunneling protocol and uses IP routing information and addresses to bind clients to servers.
Defining the PPTP server is almost the same as for PPPoE, except that no interface has to be specified.
The client is defined almost the same way as a PPPoE client, except that the server's IP address has to be
specified.
Tip : You must permit TCP port 1723 in the router's firewall (the PPTP server) for your tunnel to come up.
/interface pptp-client
add add-default-route=yes allow=mschap2 connect-to=192.168.0.5 \
default-route-distance=1 dial-on-demand=no disabled=no keepalive-timeout=60 \
max-mru=1450 max-mtu=1450 mrru=1600 name=Client-PPTP password=pod4-123 profile=\
Profile-external user=Pod4-external
Defining the SSTP server is almost the same as for PPTP, except that you specify the TCP port to listen on (443
by default).
The client is defined almost the same way as a PPTP client, except that you specify the TCP port to use to establish the
connection (443 by default).
Tip : You must permit TCP port 443 for your tunnel to come up. Also, leave the port at 443 to ensure SSL is used for
your communications.
/interface sstp-client
add add-default-route=no authentication=mschap2 certificate=none connect-to=\
192.168.0.5:443 dial-on-demand=no disabled=no http-proxy=0.0.0.0:443 \
keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=1600 name=Client-SSTP \
password=pod4-123 profile=Profile-external user=Pod4-external \
verify-server-address-from-certificate=no verify-server-certificate=n
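The profile and client definitions in this module (the /ppp profile entries above and the PPPoE, PPTP and SSTP client lines) carry the settings that decide how strong a tunnel actually is: which authentication methods are allowed, whether the profile enforces encryption, and, for SSTP, whether the client checks the server's certificate at all. As an added example that is not RouterOS code and not part of the course, the Python script below joins the backslash-continued lines of an export, turns each "add" command into a dictionary and runs a small set of checks written by the editor. The sample export is constructed from the snippets in this module; the checks are the editor's rules, not something RouterOS performs.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed sample assembled from the export snippets shown in this module (not a live export).
SAMPLE_EXPORT = """\
/ppp profile
add change-tcp-mss=yes local-address=192.168.222.1 name=Profile-external \\
remote-address=192.168.222.2 use-compression=yes use-encryption=yes \\
use-vj-compression=no
/interface pptp-client
add add-default-route=yes allow=mschap2 connect-to=192.168.0.5 \\
name=Client-PPTP password=pod4-123 profile=Profile-external user=Pod4-external
/interface sstp-client
add add-default-route=no authentication=mschap2 certificate=none connect-to=\\
192.168.0.5:443 name=Client-SSTP password=pod4-123 profile=Profile-external \\
user=Pod4-external verify-server-address-from-certificate=no verify-server-certificate=no
"""

TUNNEL_CLIENTS = ("/interface pppoe-client", "/interface pptp-client", "/interface sstp-client")


def parse_export(text: str) -> List[Dict[str, str]]:
    """Join '\\'-continued lines, then return one dict per 'add' command tagged with its section."""
    entries: List[Dict[str, str]] = []
    section, buf = None, ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:                      # continuation of the previous command
            line = buf + line.lstrip()
            buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        if not line.strip():
            continue
        if line.startswith("/"):     # section header such as "/ppp profile"
            section = line.strip()
            continue
        if line.startswith("add "):
            entry = {"_section": section or ""}
            for tok in shlex.split(line[4:]):   # shlex handles quoted values like ac-name=""
                key, _, value = tok.partition("=")
                entry[key] = value
            entries.append(entry)
    return entries


def audit(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Editor's checks, not RouterOS ones: (object name, finding) for each weak setting."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        sec, name = e["_section"], e.get("name", "(unnamed)")
        if sec == "/ppp profile":
            enc = e.get("use-encryption", "default")
            if enc not in ("yes", "required"):
                findings.append((name, f"use-encryption={enc}: MPPE is not enforced by this profile"))
        elif sec in TUNNEL_CLIENTS:
            # PPPoE/PPTP clients use 'allow=', SSTP clients use 'authentication='
            methods = {m for m in (e.get("allow") or e.get("authentication") or "").split(",") if m}
            if not methods:
                findings.append((name, "no allow/authentication list: restrict it explicitly to mschap2"))
            elif methods - {"mschap2"}:
                findings.append((name, "weaker methods enabled: " + ",".join(sorted(methods - {"mschap2"}))))
            if sec == "/interface sstp-client":
                for key in ("verify-server-certificate", "verify-server-address-from-certificate"):
                    if e.get(key) != "yes":
                        findings.append((name, f"{key}={e.get(key, 'default')}: server identity is not verified"))
            if sec == "/interface pptp-client":
                findings.append((name, "PPTP relies on MPPE/RC4 (see closing table); prefer SSTP where the client supports it"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{name}: {finding}")
```

On the sample, Profile-external passes, Client-PPTP gets the informational RC4 note, and Client-SSTP is flagged twice because both verify-server-* settings are "no": with those left off, the client will complete the SSL handshake with whatever answers on port 443, so the encryption the tip above relies on protects the session but not the choice of peer. Setting both to yes requires importing the CA that signed the server certificate (the 2048 bit certificate mentioned in the closing note).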
Once your tunnel is up, you need routes to move packets back and
forth.
The first way, for a single client tunnel, is the route that is
automatically created for that tunnel.
 #      DST-ADDRESS       PREF-SRC     GATEWAY        DISTANCE
 0 ADS  0.0.0.0/0                      192.168.0.254
 1 ADC  192.168.0.0/24    192.168.0.5  ether1
 2 ADC  192.168.5.0/24    192.168.5.1  Bridge-PC
 3 ADC  192.168.5.101/32  192.168.5.1  <pptp-alain>
The second way is to specify one or multiple routes within the PPP
secret for a client.
 #  NAME           SERVICE  CALLER-ID  PASSWORD  PROFILE           REMOTE-ADDRESS
 0  Pod4-external  any                 pod4-123  Profile-external
 1  alain          any                 alain!!   Profile-internal
/ppp secret
set 0 routes=192.168.4.0/24,10.10.2.0/24
/ip route
add comment="TO OFFICE LOOPBACKS" distance=1 dst-address=10.10.2.0/24 gateway=192.168.254.10
add comment="TO OFFICE NETWORKS" distance=1 dst-address=172.16.8.0/21 gateway=192.168.254.10
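To make the two routing mechanisms above concrete, here is an added Python example (not RouterOS code and not part of the course) that models the route listing shown earlier as a table, resolves destinations by longest-prefix match the way the router does, and computes the routes that a "routes=" field in a PPP secret would add when that client logs in. The distances in the table are assumed (0 for connected routes, 1 for the static default; the slide does not print them), and the tunnel gateway name passed to routes_from_secret is an assumed placeholder for the client's dynamic interface. The last function is a defender's check the slides do not cover: it reports pushed routes that overlap a connected network, since a secret's routes are installed on the server side and a badly chosen prefix would pull local traffic into that client's tunnel.

```python
import ipaddress
import shlex
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str, int]  # (dst-address, gateway, distance)

# Constructed from the route listing in this module. Distances are assumed
# (connected = 0, static default = 1); the slide does not show them.
TABLE: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/0"), "192.168.0.254", 1),
    (ipaddress.ip_network("192.168.0.0/24"), "ether1", 0),
    (ipaddress.ip_network("192.168.5.0/24"), "Bridge-PC", 0),
    (ipaddress.ip_network("192.168.5.101/32"), "<pptp-alain>", 0),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, ties broken by lowest distance, as the router's forwarding does."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))


def routes_from_secret(secret_line: str, tunnel_gw: str) -> List[Route]:
    """Routes that a secret's 'routes=' field installs when the client logs in.

    Each comma-separated item is 'dst [gateway [distance]]'. The gateway defaults to the
    client's tunnel; tunnel_gw is an assumed placeholder for that dynamic interface.
    """
    for tok in shlex.split(secret_line):
        if tok.startswith("routes="):
            items = tok[len("routes="):]
            break
    else:
        return []
    routes: List[Route] = []
    for item in items.split(","):
        parts = item.split()
        if not parts:
            continue
        dst = ipaddress.ip_network(parts[0], strict=False)
        gw = parts[1] if len(parts) > 1 else tunnel_gw
        dist = int(parts[2]) if len(parts) > 2 else 1
        routes.append((dst, gw, dist))
    return routes


def conflicts_with_connected(pushed: List[Route], table: List[Route]) -> List[str]:
    """Pushed routes that overlap a connected network (a client could divert local traffic)."""
    connected = [r[0] for r in table if r[2] == 0]
    return [str(r[0]) for r in pushed if any(r[0].overlaps(c) for c in connected)]


if __name__ == "__main__":
    pushed = routes_from_secret("set 0 routes=192.168.4.0/24,10.10.2.0/24", "<pppoe-Pod4-external>")
    for dst in ("10.10.2.7", "192.168.5.101"):
        before, after = lookup(TABLE, dst), lookup(TABLE + pushed, dst)
        print(f"{dst}: before login via {before[1]}, after login via {after[1]}")
    print("conflicts:", conflicts_with_connected(pushed, TABLE) or "none")
```

Before the secret's routes exist, 10.10.2.7 falls through to the default route (192.168.0.254), which is exactly the situation in laboratory step 7 where the tunnel is up but the peer LAN does not answer; once the client logs in the /24 from the secret wins the longest-prefix match and the packet goes into the tunnel. The host route 192.168.5.101/32 for <pptp-alain> beats the connected /24 for the same reason.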
Closing note
 VPN Protocol  Encryption     Ports     Compatible with               Notes
 PPTP          MPPE with RC4  1723 TCP  Mac OS X, iPhone OS, Android
 SSTP          SSL with AES   443 TCP   Windows 7                     2048 bit key certificate
http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP
http://wiki.mikrotik.com/wiki/Manual:Interface/SSTP
http://www.highspeedvpn.net/PPTP-L2TP-SSTP-OpenVPN.aspx
http://www.squidoo.com/advantages-and-disadvantages-of-vpn-protocols
http://www.vpnonline.pl/en/protokoly-vpn-porownanie (good table here!)
End of module 8
Laboratory
Laboratory : Setup
Laboratory : step 1
Students will pair up again for this laboratory.
Paired students will agree on syntax and content for the parameters.
For length's sake, please keep it simple!
Laboratory : step 2
Laboratory : step 3
Select a free port on your router and remove it from any bridge group
or master port that it may be assigned to. It must not have an IP
address or any DHCP configured on it.
Configure a PPPoE server on your router to use that port. You should
use the profile that you created for your VPN clients. Enable only
MSChap2 for authentication. Look at the course material for
compression and encryption settings.
Laboratory : step 4
Warnings!
Check the interface on which you configure your server (and on which you
plug your computer).
Check the profile setting in your PPPoE server and PPP secret.
Laboratory : step 5
Laboratory : step 6
Once the tunnels are up, look at the active connections' statuses.
Laboratory : step 7
Remove the static routes from your routing table. You should only have
one left, to your peer pod.
Ping your peer pod's LAN IP address. Does it work? Yet the tunnel is
still up? How can that be? (Leave the ping running.)
Can you ping the remote address of your tunnel? Then all is not lost.
Laboratory : step 8
Open the PPP secret on your router and, in the "Routes" field, add
the other pod's network and mask.
Once this is done on both pods, restart your client tunnels.
Notice the effect on your routing table: your peer's subnet appeared
once the peer pod logged in. Once both tunnels are up, both pods will
be able to ping.
Notice also the addresses in the IP address list.
Laboratory : step 9
End of Laboratory 8