Tunnels

Module 8

2013-01-01

Tunnels

Tunnels are a way of expanding your private network across a public

network, such as the Internet.
They are also referred to as VPNs (virtual private networks).
The concept of security is associated with VPNs. They're used since it's
not desirable to allow the users' traffic to go through unsecured and
not privately owned (by the client) networks.

2013-01-01

PPP settings

2013-01-01

PPP profile

PPP profiles represent configuration parameters to be used by PPP clients

such as, but not limited to :

Local and remote IP addresses or pools

Compression
Encryption

/ppp profile (example from a client)

add change-tcp-mss=yes name=Profile-external use-compression=\
yes use-encryption=yes use-vj-compression=no
/ppp profile (example from a server)
add change-tcp-mss=yes local-address=192.168.222.1 name=Profile-external \
remote-address=192.168.222.2 use-compression=yes use-encryption=yes \
use-vj-compression=no
add change-tcp-mss=no dns-server=192.168.5.1 local-address=192.168.5.1 name=\
Profile-internal remote-address=Pool-VPN use-compression=yes \
use-encryption=yes use-vj-compression=no

2013-01-01

PPP secret

PPP secrets are found on PPP servers and they specify the basic parameters
required to authenticate a client, such as:

Name : The user's identification

Password : The users password
Service : The protocol being serviced (If left to "any", the PPP secret will authenticate the
user through any service (PPPoE, L2TP, PPTP, etc.))

Profile : The configuration subset to be used by this user. Profiles allow parameters to be

used by many users without having to retype everything every time.

Clients do not use PPP secrets as their authentication credentials. They are
specified in the PPP client's interface under the "user" and "password" parameters.

/ppp secret
add name=Pod4-external password=pod4-123 profile=Profile-external routes=\
192.168.4.0/24
add name=alain password=alain!! profile=Profile-internal

2013-01-01

PPP status

It represents the connections' current status. Useful to debug and

verify proper operations of your tunnels.

[admin@Pod5] > /ppp active print detail

Flags: R - radius
0

name="alain" service=pppoe caller-id="28:D2:44:2C:06:EE" address=192.168.5.100 uptime=3m56s

encoding="MPPE128 statefull" session-id=0x81B00044 limit-bytes-in=0 limit-bytes-out=0

name="Pod4-external" service=pppoe caller-id="D4:CA:6D:8E:1A:97" address=192.168.222.2 uptime=37s

encoding="MPPE128 stateless" session-id=0x81B00045 limit-bytes-in=0 limit-bytes-out=0

[admin@Pod5] > /ppp active print

Flags: R - radius
#

NAME

SERVICE CALLER-ID

alain

pppoe

28:D2:44:2C:06:EE 192.168.5.100

4m12s

MPPE128 statefull

Pod4-exte... pppoe

D4:CA:6D:8E:1A:97 192.168.222.2

53s

MPPE128 stateless

2013-01-01

ADDRESS

UPTIME

ENCODING

IP pool

2013-01-01

Creating a pool

IP pools define a range of IP addresses for clients.

Useful when an interface can service many clients. Addresses are

assigned from the pool automatically.

Not only is it used for DHCP, as we saw earlier in this course, but it
can be used for PPP and Hotspot clients.

2013-01-01

Managing ranges

IP pool ranges are lists of non-overlapping IP addresses that can be

assigned to clients through services (DHCP, PPP, hotspots).
Let's demonstrate with an example. You have 50 computers on the
corporate LAN and 50 coming in from you VPN.

/ip pool
add name=Pool-PC ranges=192.168.5.50-192.168.5.99
add name=Pool-VPN ranges=192.168.5.100-192.168.5.149

2013-01-01

Managing ranges

You need to add 50 more computers in the LAN's pool.

/ip pool print

# NAME
0 Pool-PC
1 Pool-VPN

RANGES
192.168.5.50-192.168.5.99
192.168.5.100-192.168.5.149

/ip pool
set 0 ranges=192.168.5.50-192.168.5.99,192.168.5.150-192.168.5.199

/ip pool> print

# NAME

RANGES

0 Pool-PC

192.168.5.50-192.168.5.99
192.168.5.150-192.168.5.199

1 Pool-VPN

2013-01-01

192.168.5.100-192.168.5.149

10

Assigning to a service

Pools can be assigned to services such as DHCP, PPP and hotspot.

We'll see the syntax in the slides to come.

2013-01-01

11

Secure local networks

2013-01-01

12

PPPoE

Point-to-point over Ethernet is a layer 2 protocol.

It is often used by ISPs to control access to their networks.
It can be used as a method of access on any layer 2 technology, such as
802.11 or Ethernet.

2013-01-01

13

PPPoE service-name

The service-name can be seen as the SSID of 802.11, meaning that its
the network name that the client is looking for.
Unlike the SSID, if the client doesnt specify one, the access
concentrator (PPPoE server) will send all service-names that it
services. The client will respond to the first one it gets.

2013-01-01

14

Creating a PPPoE server

A PPPoE server is the device that is offering the tunneling service.

You CANNOT reach a PPPoE server through routers. Since it's a layer
2 protocol, the server can only be reached through the same Ethernet
broadcast domain on which the clients are.

It allows clients to get a secured layer 3 VPN service over a layer 2

infrastructure.

2013-01-01

15

Creating a PPPoE server

Before creating the server itself, create the configuration parameters

that you require (for values other than default), such as :

IP pools
PPP profiles
PPP secrets

Create the server interface on the physical interface facing the clients.

2013-01-01

16

Creating a PPPoE server, example

/ip pool
add name=Pool-PC ranges=192.168.5.50-192.168.5.99,192.168.5.150-192.168.5.199
add name=Pool-VPN ranges=192.168.5.100-192.168.5.149

/ppp profile
add change-tcp-mss=yes local-address=192.168.222.1 name=Profile-external \
remote-address=192.168.222.2 use-compression=yes use-encryption=yes \
use-vj-compression=no
add change-tcp-mss=no dns-server=192.168.5.1 local-address=192.168.5.1 name=\
Profile-internal remote-address=Pool-VPN use-compression=yes use-encryption=\
yes use-vj-compression=no

2013-01-01

17

Creating a PPPoE server, example

/ppp secret
add name=Pod4-external password=pod4-123 profile=Profile-external routes=\
192.168.4.0/24
add name=alain password=alain!! profile=Profile-internal

/interface pppoe-server server

add authentication=mschap2 default-profile=Profile-external disabled=no \
interface=ether1 mrru=1600 service-name=PPPoE-external
add authentication=mschap2 default-profile=Profile-internal disabled=no \
interface=ether5 mrru=1600 service-name=PPPoE-internal

2013-01-01

18

Creating a PPPoE server

Tip :
You can leave an Ethernet port without a master port, a bridge or an IP
address and the client that is connected to this port can still get Internet
access if your PPPoE server (and the PPPoE client) is properly
configured.

2013-01-01

19

Point-to-point addresses

The easiest way of setting up addresses is hardcoding them in the

configuration.
Address from /ppp secret has precedence over /ppp profile, and they
take precedence over /ip pool.
Both local and remote addresses can be unique or from a pool.
Static IP addresses or DHCP should not be used on PPPoE client
interfaces. Let the infrastructure control what is given out!

2013-01-01

20

Creating PPPoE clients on RouterOS

If you wish to use a different profile than the default ones, create it
first. You won't have to come back to it later.
Create the client interface on the interface facing the ISP.
You're done!

Tip :
Your router would not have to be configured with a DHCP client on the
WAN interface and it would still work if the PPPoE server is on the same
layer 2 infrastructure as the WAN port.

2013-01-01

21

PPPoE client on RouterOS, example

/ppp profile
add change-tcp-mss=yes name=Profile-external use-compression=yes \
use-encryption=yes use-vj-compression=no
/interface pppoe-client
add ac-name="" add-default-route=yes allow=mschap2 \
default-route-distance=1 dial-on-demand=no disabled=no \
interface=ether1 keepalive-timeout=60 max-mru=1480 max-mtu=1480 \
mrru=disabled name=Client-PPPoE password=pod4-123 profile=\
Profile-external service-name="" use-peer-dns=no user=\
Pod4-external

Enable the client interface.

2013-01-01

22

Secure remote networks communication

2013-01-01

23

PPTP clients and servers

PPTP is a layer 3 tunneling protocol and uses IP routing information and addresses to bind clients to servers.

Defining the PPTP server is almost the same thing as for PPPoE, except that no interface has to be specified.

The client is defined almost the same way as a PPPoE client, except that an IP address has to be specified for the
server.

Tip : You must permit TCP, port 1723 in the router's firewall (the PPTP server) for your tunnel to come up.

/interface pptp-server server

set authentication=mschap2 default-profile=Profile-external enabled=yes

/interface pptp-client
add add-default-route=yes allow=mschap2 connect-to=192.168.0.5 \
default-route-distance=1 dial-on-demand=no disabled=no keepalive-timeout=60 \
max-mru=1450 max-mtu=1450 mrru=1600 name=Client-PPTP password=pod4-123 profile=\
Profile-external user=Pod4-external

2013-01-01

24

SSTP clients and servers without certificates

Defining the SSTP server is almost the same thing as for PPTP, except that you specify a TCP port to connect to (443
by default).

The client is defined almost the same way as a PPTP client, except that you specify a TCP port to use to establish a
connection (443 by default).

Tip : You must permit TCP, port 443 for your tunnel to come up. Also, leave the port at 443 to ensure SSL is used for
your communications.

/interface sstp-server server

set authentication=mschap2 enabled=yes

/interface sstp-client
add add-default-route=no authentication=mschap2 certificate=none connect-to=\
192.168.0.5:443 dial-on-demand=no disabled=no http-proxy=0.0.0.0:443 \
keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=1600 name=Client-SSTP \
password=pod4-123 profile=Profile-external user=Pod4-external \
verify-server-address-from-certificate=no verify-server-certificate=n

2013-01-01

25

Setup routes between networks

Once your tunnel is up, you need routes to move packets back and
forth.
The first way, for a single client tunnel, is the route that is
automatically created for that tunnel.

/ip route print

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
#

DST-ADDRESS

0 ADS

0.0.0.0/0

1 ADC

192.168.0.0/24

2 ADC

3 ADC

2013-01-01

PREF-SRC

GATEWAY

DISTANCE

192.168.0.254

192.168.0.5

ether1

192.168.5.0/24

192.168.5.1

Bridge-PC

192.168.5.101/32

192.168.5.1

<pptp-alain>

26

Setup routes between networks

The second way is to specify one or multiple routes within the PPP
secret for a client.

/ppp secret export

add name=Pod4-external password=pod4-123 profile=Profile-external routes=192.168.4.0/24
add name=alain password=alain!! profile=Profile-internal

/ppp secret print

Flags: X - disabled
#

NAME

SERVICE CALLER-ID

PASSWORD

PROFILE

Pod4-external

any

pod4-123

Profile-external

alain

any

alain!!

Profile-internal

REMOTE-ADDRESS

/ppp secret
set 0 routes=192.168.4.0/24,10.10.2.0/24

/ppp secret export

add name=Pod4-external password=pod4-123 profile=Profile-external routes=192.168.4.0/24,10.10.2.0/24
add name=alain password=alain!! profile=Profile-internal

2013-01-01

27

Setup routes between networks

The third way is to add static routes to one or multiple networks

across a tunnel.
This method is useful if both routers must have their own default
route, but it implies more maintenance and parameters.

/ip route
add comment="TO OFFICE LOOPBACKS" distance=1 dst-address=10.10.2.0/24 gateway=192.168.254.10
add comment="TO OFFICE NETWORKS" distance=1 dst-address=172.16.8.0/21 gateway=192.168.254.10

2013-01-01

28

Closing note

VPN Protocol
PPTP

Encryption
MPPE with RC4

Ports
1723 TCP

128 bit key

Compatible with

Notes

Windows XP, Vista, 7

PPTP is the most widely used VPN protocol today.

Mac OS X

It is easy to setup and can be used to bypass all Internet restrictions.

iPhone OS

PPTP is considered less secure.

Android

SSTP

Windows 7
SSL with AES
2048 bit key certificate

SSTP uses a generic port that is never blocked by firewalls.

443 TCP

256 bit key for encryption

You can use SSTP to bypass corporate or school firewalls.

SSTP is considered a very secure protocol.

Want to learn more?

http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP
http://wiki.mikrotik.com/wiki/Manual:Interface/SSTP
http://www.highspeedvpn.net/PPTP-L2TP-SSTP-OpenVPN.aspx
http://www.squidoo.com/advantages-and-disadvantages-of-vpn-protocols
http://www.vpnonline.pl/en/protokoly-vpn-porownanie (good table here!)

2013-01-01

29

Time for a practical exercise

End of module 8

2013-01-01

30

Laboratory

Goals of the lab

2013-01-01

Create PPP profiles and secrets

Create and assign IP pools to services
Create a PPPoE VPN between a computer and a router
Create PPTP and SSTP tunnels between pods
Insure proper routing

31

Laboratory : Setup

2013-01-01

32

Laboratory : step 1
Students will pair up again for this laboratory.

Students will create three PPP profiles

Two to use with the neighbor pod.

One for the server service.

One for the client service.

One to use for locally connected clients.

Students will create two PPP secrets

Paired students will agree on syntax and content for the parameters.
For length's sake, please keep it simple!

One to allow the neighbor pod to connect to the local pod.

One to connect the locally connected clients.

2013-01-01

33

Laboratory : step 2

Create an IP pool to be used by clients wanting to connect by VPN.

Your pool will be on a different network than your existing LAN.

Assign the pool to the profile to be used by your future "corporate" VPN.

2013-01-01

34

Laboratory : step 3

Select a free port on your router and remove it from any bridge group
or master port that it may be assigned to. It must not have an IP
address or any DHCP configured on it.
Configure a PPPoE server on your router to use that port. You should
use the profile that you created for your VPN clients. Enable only
MSChap2 for authentication. Look at the course material for
compression and encryption settings.

2013-01-01

35

Laboratory : step 4

Configure your computer to connect to your router with a PPPoE client

connection.
Connect and browse away!

Warnings!

Check the interface on which you configure your server (and on which you
plug your computer).

Check the profile setting in your PPPoE server and PPP secret.

2013-01-01

36

Laboratory : step 5

Connect your computer back on a normal Ethernet interface.

The even numbered pods will create a PPTP server and a SSTP client.
The odd numbered pods will create a PPTP client and a SSTP server.
Use the profiles and secrets previously created.
SSTP must not use certificates!
Bring the VPN tunnels up and look at what's happening.

2013-01-01

37

Laboratory : step 6

Nothing? What did we forget?

Once the tunnels are up, look at the active connections' statuses.

Hint : A new firewall filter maybe?

2013-01-01

38

Laboratory : step 7

Remove static routes from your routing table. You should only have
one to your peer pod.
Ping your peer pod's LAN IP address. Does it work? But the tunnel is
still up? How can that be? (Leave the ping running)
Can you ping the remote address of your tunnel? All is not lost then.

2013-01-01

39

Laboratory : step 8

Open the PPP secret from your router and, in the "Routes" field, add
the other pod's network and mask.
Once this is done on both pods, restart your client tunnels.
Notice the effect it has in your routing table. Your peer's subnet has
appeared once the peer pod logged in. Once both tunnels are up, both
will be able to ping.
Notice also the addresses in IP address list.

2013-01-01

40

Laboratory : step 9

As usual, save the current configuration in binary and text format

using the same name format that has been used in previous labs.

Best of luck with the certification exam!!

2013-01-01

41

End of Laboratory 8

2013-01-01

42