Rick Frey Consulting PPTP & L2TP

Similar documents
Application Note: Onsight Device VPN Configuration V1.1

7.1. Remote Access Connection

This chapter describes how to set up and manage VPN service in Mac OS X Server.

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

How To Configure L2TP VPN Connection for MAC OS X client

How To Configure Apple ipad for Cyberoam L2TP

VPN s and Mobile Apps for Security Camera Systems: EyeSpyF-Xpert

Matrix Technical Support Mailer 167 NAVAN CNX200 PPTP VPN with Windows Client

Virtual Private Network and Remote Access Setup

Cisco Which VPN Solution is Right for You?

Joe Davies Principal Writer Windows Server Documentation

PPTP Server Access Through The

INTRODUCTION... 2 Windows Windows Mac OS X Ubuntu Advanced routing Windows Mac OS X Ubuntu...

VPN. Date: 4/15/2004 By: Heena Patel

DSL-G604T Install Guides

How to Setup PPTP VPN Between a Windows PPTP Client and the DIR-130.

NAS 322 Connecting Your NAS to a VPN

How to setup PPTP VPN connection with DI-804HV or DI-808HV using Windows PPTP client

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Corporate VPN Using Mikrotik Cloud Feature. By SOUMIL GUPTA BHAYA Mikortik Certified Trainer

VPN. VPN For BIPAC 741/743GE

Defender EAP Agent Installation and Configuration Guide

Issue 1 April 2, 2009 Using the VT2442 Web User Interface

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

Fireware How To Authentication

Configuring Switch Ports and VLAN Interfaces for the Cisco ASA 5505 Adaptive Security Appliance

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

ERserver. iseries. Remote Access Services: PPP connections

Guideline for setting up a functional VPN

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

Table of Contents. Cisco Cisco VPN Client FAQ

OSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R

External Authentication with Windows 2008 Server with Routing and Remote Access Service Authenticating Users Using SecurAccess Server by SecurEnvoy

Internet Access Setup

LOHU 4951L Outdoor Wireless Access Point / Bridge

Schedule. MikroTik RouterOS Training User Management. Instructor. Housekeeping. Topics Overview. Course Objective 8/1/2014

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

ASA and Native L2TP IPSec Android Client Configuration Example

GregSowell.com. Mikrotik VPN

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Setting up VPN connection: DI-824VUP+ with Windows PPTP client

Setting up VPN Access for Remote Diagnostics Support

Multi-Homing Security Gateway

V310 Support Note Version 1.0 November, 2011

Internet Access Setup

Step-by-Step Guide for Creating and Testing Connection Manager Profiles in a Test Lab

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

VPN Solutions. Lesson 10. etoken Certification Course. April 2004

DFL-210/260, DFL-800/860, DFL-1600/2500 How to setup IPSec VPN connection

Enable VPN PPTP Server Function

Module 6. Configuring and Troubleshooting Routing and Remote Access. Contents:

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

ADMINISTRATION GUIDE Cisco Small Business

Chapter 5 Virtual Private Networking Using IPsec

UIP1868P User Interface Guide

IHSVPN IHS Secure Network Access

MCTS Guide to Microsoft Windows 7. Chapter 14 Remote Access

Network Security Firewall Manual Building Networks for People

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

DSL-2600U. User Manual V 1.0

Understanding the Cisco VPN Client

Virtual Private Network and Remote Access

Wireless Network Configuration Guide

Creating a VPN Using Windows 2003 Server and XP Professional

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

Chapter 2 Connecting the FVX538 to the Internet

GPRS / 3G Services: VPN solutions supported

Using a VPN with Niagara Systems. v0.3 6, July 2013

CS 393/682 Network Security. Nasir Memon Polytechnic University Module 7 Virtual Private Networks

TK C -25 C 95% RH EMC TK701G TK701U TK704G TK704U TK704W. TK-Series Cellular Router

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

AN OVERVIEW OF REMOTE ACCESS VPNS: ARCHITECTURE AND EFFICIENT INSTALLATION

Protecting the Home Network (Firewall)

Configuring a FortiGate unit as an L2TP/IPsec server

Sophos UTM. Remote Access via SSL. Configuring UTM and Client

Firewall Defaults and Some Basic Rules

Cisco QuickVPN Installation Tips for Windows Operating Systems

Quick Start Guide. WRV210 Wireless-G VPN Router with RangeBooster. Cisco Small Business

D-Link DFL-700. Manual

How To Industrial Networking

Formación MTCUME. MikroTik Certified User Manager Engineer. Pre-requisitos: - Certificación MTCNA

VPN SECURITY. February The Government of the Hong Kong Special Administrative Region

Unified Services Routers

Steps for Basic Configuration

VPN L2TP Application. Installation Guide

Zeroshell: VPN Host-to-Lan

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

P-660R-TxC Series. ADSL2+ Access Router. Quick Start Guide

Configuring a BANDIT Product for Virtual Private Networks

WISP 101. The DO s and DON T s of becoming a Wireless ISP

ISG50 Application Note Version 1.0 June, 2011

Scenario 1: One-pair VPN Trunk

ZyWALL 2. Internet Security Gateway. Compact Guide Version 3.62 April 2004

MANUFACTURER RamSoft Incorporated 243 College St, Suite 100 Toronto, ON M5T 1R5 CANADA

Funkwerk UTM Release Notes (english)

Transcription:

Rick Frey Consulting www.rickfreyconsulting.com PPTP & L2TP

PPTP 2 www.rickfreyconsulting.com

PPTP as Client VPN 3 www.rickfreyconsulting.com

PPTP as Site to Site VPN 4 www.rickfreyconsulting.com

Point to Point Tunneling Protocol PPTP specification was published in July 1999 as RFC 2637 PPTP has not been proposed nor ratified as a standard by the Internet Engineering Task Force. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets. A PPTP tunnel is initiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a second GRE tunnel to the same peer. PPTP uses IP protocol number 47 with non GRE standard packets The GRE tunnel is used to carry encapsulated PPP packets. 5 www.rickfreyconsulting.com

PPTP & MikroTik PPTP can be bridged using the BCP (Bridging Control Protocol) Bridging of PPTP tunnels only works between ROS devices ROS supports MLPPP over PPTP You must use the PPTP Firewall Service Port (NAT Helpers) to connect to/from your private LAN ROS will always choose the highest security option when multiple authentication methods are selected 6 www.rickfreyconsulting.com

PPTP & Microsoft Windows PPTP was the first VPN protocol that was supported by Microsoft Dial-up Networking All releases of Microsoft Windows since Windows 95 OSR2 are bundled with a PPTP client, although they are limited to only 2 concurrent outbound connections. The Microsoft implementation uses single DES in the MS- CHAP authentication protocol Windows Vista and later support the use of PEAP (Protected EAP) with PPTP Windows Vista removed support for using the MSCHAPv1 protocol to authenticate remote access connections. 7 www.rickfreyconsulting.com

PPTP & Microsoft Windows The authentication methods that will work between current Windows OSs and MikroTik are: PAP (Unencrypted Passwords) CHAP (Challenge Handshake Authentication Protocol) MSCHAPv2 (Microsoft CHAP) Proxy-ARP has to be enabled on the router (LAN interface/ never the WAN interface) 8 www.rickfreyconsulting.com

PPTP Server Setup 9 www.rickfreyconsulting.com

PPTP Server Settings Enabled or Disabled Max Maximum Transmission Unit Max Receive Unit Max Received Reconstructed Unit How long to wait before sending packets to the client to confirm they are still connected 10 www.rickfreyconsulting.com

PPTP Server Settings Profile to be used Authentication Method 11 www.rickfreyconsulting.com

PPTP Client 12 www.rickfreyconsulting.com

Creating a New PPTP Client 13 www.rickfreyconsulting.com

PPTP Client Settings Administrative Name Tunnel Type Layer 2 Max Transmission Unit Max Packet size the client can send without fragmentation Max Receive Unit Max the client can receive without fragmentation Multilink Maximum Received Reconstructed Unit Used with MLPPP 14 www.rickfreyconsulting.com

PPTP Client Settings IP address of server Username Password Profile to be used How long to keep the connection alive before timing out When selected, the tunnel will only establish when traffic is generated Do not use Whether to add a default route (all traffic goes through tunnel) & distance Authentication Methods Allowed 15 www.rickfreyconsulting.com

PPTP Client Settings Status Tab provides connection info 16 www.rickfreyconsulting.com

PPTP Client Settings Traffic Tab provide details on the traffic going through the tunnel 17 www.rickfreyconsulting.com

PPTP LAB 1) Pair up with another student and decide who will be the server and who will be the client 2) Connect an Ethernet cable between you and assign the interfaces a /30 address (Remember to remove the interfaces from any bridges or switch groups) 3) Connect your PPTP tunnel and verify that you can ping both sides of the tunnel IP address 4) Switch roles and create a new tunnel. 18 www.rickfreyconsulting.com

PPTP With RADIUS 19 www.rickfreyconsulting.com

RADIUS Settings 20 www.rickfreyconsulting.com

RADIUS Settings Which service is going to talk to the RADIUS server Caller ID (Not usually required) - PPPoE - service name, PPTP - server's IP address, L2TP - server's IP address. Windows Domain (Not usually required) 21 www.rickfreyconsulting.com

RADIUS Settings Address of RADIUS Server (Use 127.0.0.1 when Usermanager is running on the same router) Shared secret with RADIUS server Standard RADIUS ports How long to wait for a reply before it times out. Set to seconds, not milliseconds 22 www.rickfreyconsulting.com

RADIUS Settings Whether or not this configuration is for a backup RADIUS server Realm also known as user domain. Used by some ISP s RADIUS servers Source address of packets to be sent to the RADIUS server. (Not usually used) 23 www.rickfreyconsulting.com

RADIUS Settings The Status Tab is where you can see if the service to be used is sending info to the RADIUS server and whether or not the RADIUS server is replying to those requests 24 www.rickfreyconsulting.com

Usermanager Default Login is admin No password 25 www.rickfreyconsulting.com

Userman Settings Step 1 The RADIUS server has to know which routers (NAS Nodes) its talking to 26 www.rickfreyconsulting.com

Userman Settings Step 2 Create a New Profile that is going to be applied to the user 27 www.rickfreyconsulting.com

Userman Settings Step 2 (Cont) Set the Validity Set the Start to Now Then Save the Profile 28 www.rickfreyconsulting.com

Userman Settings Step 3 Set the Userman & Password Then Save the User Notice that the Actual profile does not show up at first 29 www.rickfreyconsulting.com

Userman Settings Step 4 Log out and then log back in 30 www.rickfreyconsulting.com

Userman Settings Verify the user has the correct profile 31 www.rickfreyconsulting.com

PPTP Client Settings Delete any secrets from the router and restart the PPTP Client When the client has reconnected, verify that that there is an R flag for RADIUS 32 www.rickfreyconsulting.com

PPTP & RADIUS Lab 1) With the same partner from the previous lab, recreate your tunnels using RADIUS. Make sure your local databases are clear of any secrets. 2) Switch roles and verify that both of you are able to create the tunnel client and set up the server/ RADIUS 33 www.rickfreyconsulting.com

Adding Dynamic Queues Dynamically created queues can be added by utilizing the Limitations feature in the Usermanager Profile 34 www.rickfreyconsulting.com

Adding Dynamic Queues Remember to add the limit and save the profile 35 www.rickfreyconsulting.com

Adding Dynamic Queues New Limitation Set by RADIUS Client has to reconnect before it will be created 36 www.rickfreyconsulting.com

Dynamic Queue Lab Set a new limitation of 1 Meg up and 1 Med down and test with the bandwidth test tool. Remember to test to IP address of the tunnel and not the IP address of the router. Swap roles and test the other direction. 37 www.rickfreyconsulting.com

L2TP 38 www.rickfreyconsulting.com

L2TP as Client VPN 39 www.rickfreyconsulting.com

L2TP as Site to Site VPN 40 www.rickfreyconsulting.com

L2TP Published in 1999 as proposed standard RFC 2661. A new version of this protocol, L2TPv3, appeared as proposed standard RFC 3931 in 2005. MikroTik implements most of this standard. (L2TPv3 adds security.) UDP port 1701 is used only for link establishment, tunnel traffic will use any available UDP port (which may or may not be 1701) This allows L2TP tunnels to traverse most firewalls L2TP can be used by some verisionso Microsoft Windows, but is difficult to setup without IPSEC. Other tunnels are recommends for this application. 41 www.rickfreyconsulting.com

L2TP in MikroTik Functionally, an L2TP is identically to the PPTP tunnel; exact same setup L2TP tunnels can be encrypted when both the server and client are MikroTik routers. There can be limited connectivity with other OSs, but the results may be unpredictable. 42 www.rickfreyconsulting.com

L2TP Lab Repeats the step of the PPTP lab with a L2TP connection. Leave the PPTP tunnel functional Take turns with your partner creating a L2TP client and connecting to the server through RADIUS. Hint: You are going to have to modify the User in Usermanager for both tunnels to become active. 43 www.rickfreyconsulting.com

L2TP Lab This is what it will look like when you are done. 44 www.rickfreyconsulting.com

L2TP & IPSEC Starting with ROS 6.16 there is a 1 button L2TP/ IPSEC server setup This preconfigures the L2TP server and IPSEC to used a Road Warrior configuration that is compatible with most vendors Will work with RADIUS 45 www.rickfreyconsulting.com

L2TP & IPSEC 46 www.rickfreyconsulting.com

L2TP & IPSEC LAB Take turns with your partner creating a L2TP/IPSEC client and connecting to the server through RADIUS. Observe the L2TP interface and status Observe the IPSEC settings that are dynamically created 47 www.rickfreyconsulting.com

Tunnel Comparaison Tunnel Introduced Layer Port Port can be changed Default MTU Authentication Protocols Encryption Protocols Encryption Level Clients can call home Bridging or BCP Supported GRE Oct 1994 3 N/A No 1476 N/A N/A None No No IPIP Oct 1996 3 N/A No 1500 N/A N/A None No No VLAN 1998 2 N/A No 1500 N/A N/A None N/A Yes IPSEC Nov 1998 3 UDP 500 Yes N/A None MD5 SHA1 SHA256 SHA512 None DES, 3DES, AES, Blowfish, Twofish, Camellia None, 64bits, 128bit, 192bit, 256bit Yes No PPPoE Feb 1999 2 N/A N/A 1480 PAP CHAP MSCHAP v1 MSCHAP v2 None MPPE 40bit MPPE 128bit None or 40bit or 128bit N/A Yes PPtP July 1999 3 TCP 1723 No 1450 PAP CHAP MSCHAP v1 MSCHAP v2 None MPPE 40bit MPPE 128bit None or 40bit or 128bit Yes Yes L2TP Aug 1999 3 UDP 1701 No 1450 PAP CHAP MSCHAP v1 MSCHAP v2 None MPPE 40bit MPPE 128bit None or 40bit or 128bit Yes Yes OVPN May 2001 3 TCP 1194 Yes 1500 None MD5 SHA1 None Blowfish 128 AES 128 AES 192 AES 256 None 128bit, 192bit, or 256bit Yes Yes EOIP Sept 2002 3 N/A No 1500 N/A N/A None No Yes SSTP Jan 2007 3 TCP 443 Yes 1500 PAP CHAP MSCHAP v1 MSCHAP v2 TLS 1.0 None MPPE 40bit MPPE 128bit TLS 1.0 None or 40bit or 128bit or 256bit Yes Yes 48 www.rickfreyconsulting.com

Tunnel Comparaison of Loss Tunnel Initial Bandwidth With Tunnel % of Loss GRE 691M RX 195M RX 71.80% IPIP 691M RX 204M RX 70.50% VLAN 691M RX 582M RX 15.80% IPSEC 691M RX 667M RX 3.50% PPPoE 691M RX 94M RX 86.40% PPtP 691M RX 61M RX 91.20% L2TP 691M RX 59M RX 91.50% OVPN 691M RX 29M RX 95.90% EOIP 691M RX 190M RX 72.50% SSTP 691M RX 29M RX 95.80% 49 www.rickfreyconsulting.com

End of Module 50 www.rickfreyconsulting.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information