pptp client is connected but we cannot ping remote ip
Posted: Sat Aug 27, 2022 12:05 pm
by retaheri
We have a PPTP server that has a public IP address, and some branches use a PPTP client to connect to the headquarters. Some connections (and sometimes all of them) have a problem: the connection is active, but the remote address cannot be pinged, and then those branches cannot use local resources and services at the headquarters (like web and file sharing)! So we have to remove the connection so that it automatically connects again.
We changed the MTU multiple times and it is now 1350.
Re: pptp client is connected but we cannot ping remote ip [SOLVED]
Posted: Sat Aug 27, 2022 3:28 pm
by sindy
PPTP uses GRE as a transport protocol, and GRE is a very old protocol that does not use the notion of ports, so it has problems with most NATs. PPTP is also insecure by today's criteria.
So given that configuring PPTP is equally complex or equally simple as configuring L2TP, I'd suggest switching over to L2TP. Without IPsec, you get the same level of (in)security as with PPTP, but without the issues related to the use of GRE; with IPsec, which requires ticking one more checkbox and entering a pre-shared secret, you'll get much more security.
If you cannot even ping, MTU is not the root cause of your issue.
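To illustrate the point above about GRE having no ports, here is an added example (not from the thread or from RouterOS) that parses the PPTP data-packet header (RFC 2637 enhanced GRE) and the UDP header used by L2TP, and returns the fields a NAT could use to tell sessions apart. The sample packets are constructed inline; the helper names are my own.

```python
import struct

IPPROTO_UDP = 17
IPPROTO_GRE = 47
PPTP_GRE_PROTO = 0x880B  # RFC 2637: GRE v1 carrying PPP
L2TP_UDP_PORT = 1701

def parse_pptp_gre(payload: bytes) -> dict:
    """Parse an RFC 2637 enhanced-GRE header (the PPTP data channel)."""
    if len(payload) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", payload[:8])
    # Version field (low 3 bits) must be 1 and the K bit (key present) must be set
    if proto != PPTP_GRE_PROTO or (flags & 0x0007) != 1 or not (flags & 0x2000):
        raise ValueError("not a PPTP (GRE v1) packet")
    off, seq, ack = 8, None, None
    if flags & 0x1000:  # S bit: sequence number present
        seq, = struct.unpack("!I", payload[off:off + 4]); off += 4
    if flags & 0x0080:  # A bit: acknowledgment number present
        ack, = struct.unpack("!I", payload[off:off + 4]); off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "ppp": payload[off:off + length]}

def nat_demux_key(ip_proto: int, payload: bytes) -> tuple:
    """Fields a NAT has available to distinguish tunnel sessions on one host."""
    if ip_proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        return ("udp", sport, dport)  # two 16-bit ports: easy to rewrite
    if ip_proto == IPPROTO_GRE:
        hdr = parse_pptp_gre(payload)
        return ("gre", hdr["call_id"])  # no ports: only the call ID, which NAT rarely tracks
    raise ValueError("unsupported IP protocol %d" % ip_proto)

# Constructed sample packets (IP payload only)
PPP_IP_FRAME = b"\xff\x03\x00\x21"  # PPP header with protocol 0x0021 (IPv4)
# PPTP data packet: K|S set, version 1, proto 0x880B, length 4, call ID 7, seq 1
PPTP_SAMPLE = struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO, 4, 7, 1) + PPP_IP_FRAME
# L2TP packet: UDP src 40000, dst 1701, length 8+4, checksum 0, then a dummy body
L2TP_SAMPLE = struct.pack("!HHHH", 40000, L2TP_UDP_PORT, 12, 0) + PPP_IP_FRAME

if __name__ == "__main__":
    print(nat_demux_key(IPPROTO_GRE, PPTP_SAMPLE))
    print(nat_demux_key(IPPROTO_UDP, L2TP_SAMPLE))
```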
Re: pptp client is connected but we cannot ping remote ip
Posted: Sun Aug 28, 2022 7:58 am
by retaheri
Thanks a lot. We used this solution (L2TP) for some branches without any problem, but because PPTP was faster, almost all of our branches used that.
Re: pptp client is connected but we cannot ping remote ip
Posted: Sun Aug 28, 2022 9:30 am
by sindy
What absolute speeds are we talking about, what is the percentage difference between PPTP and L2TP on the same branch, and what router models are involved? And do you use the same /ppp profile (with or without encryption) for both PPTP and L2TP? The only difference between the two that could affect throughput is that L2TP encapsulates the PPP messages into UDP packets whereas PPTP encapsulates them into GRE packets, but both have their own additional headers, so it should not cause a noticeable difference. Did you enable IPsec for L2TP but not for PPTP?
Re: pptp client is connected but we cannot ping remote ip
Posted: Sun Aug 28, 2022 10:18 am
by retaheri
PPTP server: RB2011UiAS-2HnD / 6.48 (stable)
Use IPsec: yes
L2TP MTU: 1450
PPTP MTU: 1350
L2TP profile: use encryption, default
Limit: only one
Same profile for the PPTP server and the L2TP server; we just select the L2TP service in the secret.
PPTP client: RB750 / 6.48 (stable)
Profile: use encryption, yes
The reason for the MTU difference was some devices of the attendance system that did not work at that MTU, so we decreased it to 1350. At MTU 1450 or similar, almost all PPTP connections from branches became duplicated, like: vpn-1, vpn-2, somevpn-1, somevpn-2
Re: pptp client is connected but we cannot ping remote ip
Posted: Sun Aug 28, 2022 11:39 am
by sindy
OK, so you seem to use IPsec for L2TP, which explains the difference in throughput. If you care about the security of the tunnels so little that you can afford to use PPTP, you can use L2TP the same way, i.e. without IPsec. But I'd rather recommend replacing (or just complementing, if port count is an issue) the 2011 with something that supports IPsec in hardware, like an hAP ac², and keep ciphering L2TP with IPsec (which also allows you to disable the encryption in the /ppp profile).
As for the MTU, PPTP uses TCP for the control session, but MTU should play no role there. I'd have to see some packet captures to say more, but trying to fix PPTP is indeed flogging a dead horse.
Re: pptp client is connected but we cannot ping remote ip
Posted: Sun Aug 28, 2022 12:35 pm
by Guscht
we have a pptp server that has public ip address...
PPTP and public IP - enough information, simply don't do this!!
Don't invest your time in such a "solution".
Re: pptp client is connected but we cannot ping remote ip
Posted: Mon Aug 29, 2022 7:43 am
by retaheri
Re: pptp client is connected but we cannot ping remote ip
Posted: Mon Aug 29, 2022 7:44 am
by retaheri
OK, so you seem to use IPsec for L2TP, which explains the difference in throughput. If you care about the security of the tunnels so little that you can afford to use PPTP, you can use L2TP the same way, i.e. without IPsec. But I'd rather recommend replacing (or just complementing, if port count is an issue) the 2011 with something that supports IPsec in hardware, like an hAP ac², and keep ciphering L2TP with IPsec (which also allows you to disable the encryption in the /ppp profile).
As for the MTU, PPTP uses TCP for the control session, but MTU should play no role there. I'd have to see some packet captures to say more, but trying to fix PPTP is indeed flogging a dead horse.
Thank you again.