Follow the instructions here: http://wiki.mikrotik.com/wiki/Manual:Metarouter importing the openwrt
image into the metarouter. Get a copy of vpnc and the tun.ko kernel module. I compiled
them which was a bit of a hassle, but ended up with these if you want to avoid the effort (and
you trust a complete stranger to compile them for you…):
http://www.sbrk.co.uk/vpnc
http://www.sbrk.co.uk/tun.ko
openwrt has a package system called opkg which allows you to point to various repositories for
new packages, but I couldn’t figure out where to point it. I’m sure there is somewhere with
these.
After insmod ./tun.ko, ./vpnc works with my imported configuration leaving the only issue to
set up networking. I bridged the openwrt metarouter and configured a route to the network
used by vpnc, set up nat on the tun0 interface in openwrt and allowed forwarding and all
is working.
There is one issue remaining in that if I reboot my rb, the bridge ports disappear, presumably
because they don’t exist until the metarouter vm starts. So, I have to go in and configure them
again after a reboot.
- just joined
- Posts: 1
- Joined: Thu Jan 15, 2015 5:06 pm
- Reputation: 0
- First RouterOS version: 4.0
I have successfully got mine working as well.
The metarouter image I used is: http://openwrt.wk.cz/attitude_adjustmen … tfs.tar.gz
Configure your network interface by using “uci”
- Show network configurations: “uci show network”
- Show all configurations: “uci show”
- Set configuration: “uci set network.wan=interface”
Mine looks as follows:
network.wan.proto=static
network.wan.ipaddr=172.16.2.6
network.wan.netmask=255.255.255.252
network.wan.ifname=eth0
network.wan.gateway=172.16.2.5
network.wan.dns=172.16.2.5
network.lan=interface
network.lan.proto=static
network.lan.ipaddr=172.16.2.2
network.lan.netmask=255.255.255.252
network.lan.ifname=eth1
Where my WAN interface is used to get internet to the image and the LAN will be used to access the VPN connection.
After configuring the network settings you need to commit them and restart the network service.
Run the following commands:
- uci commit network
- /etc/init.d/network restart
For some reason the DNS nameserver does not take effect and you need to modify it manually at /etc/resolv.conf and enter your DNS server details, otherwise you will not be able to update and download the packages needed.
Then you can install vpnc by following the tutorial here: http://wiki.openwrt.org/vpnc.vpn
- In the created /etc/init.d/vpnc file, remove the spaces in the first few lines between the START=75 and STOP=01. It does not work with the spaces (“Unable to find start/stop on line 2 and line 3” error).
- At the step where you try to run “/etc/init.d/vpnc enable” you get an error. First make the file executable by running “chmod +x /etc/init.d/vpnc” and then you will be able to enable the automatic boot script.
- IP Tables – This one I have not figured out yet. When the metarouter restarts the IPtables are missing and you need to reapply them.
You connect the VPN by either running the startup script or the vpnc client itself.
vpnc
or
/etc/init.d/vpnc start
You can then see that the tunnel is up by using ifconfig
root@metarouter:/# ifconfig
eth0 Link encap:Ethernet HWaddr 02:0B:3E:55:A6:23
inet addr:172.16.2.6 Bcast:172.16.2.7 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2517 errors:0 dropped:0 overruns:0 frame:0
TX packets:2039 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:888004 (867.1 KiB) TX bytes:364073 (355.5 KiB)

eth1 Link encap:Ethernet HWaddr 02:5B:39:4F:B5:12
inet addr:172.16.2.2 Bcast:172.16.2.3 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4787 errors:0 dropped:0 overruns:0 frame:0
TX packets:2992 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:447771 (437.2 KiB) TX bytes:679876 (663.9 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2748 errors:0 dropped:0 overruns:0 frame:0
TX packets:2748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:186756 (182.3 KiB) TX bytes:186756 (182.3 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.102.253.87 P-t-P:10.102.253.87 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1
RX packets:41 errors:0 dropped:0 overruns:0 frame:0
TX packets:432 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:4428 (4.3 KiB) TX bytes:31605 (30.8 KiB)
On your route make sure that you route the ip ranges you need and masquerade it as required.
Traceroute from PC going to my gateway (mikrotik) over to metarouter into the VPN.
C:\Users\Administrator>tracert -d 10.117.12.117
Tracing route to 10.117.12.117 over a maximum of 30 hops
1 <1 ms <1 ms 1 ms 10.20.0.254
2 2 ms 1 ms 1 ms 172.16.2.2
3 142 ms 36 ms 26 ms 10.102.250.2
4 213 ms 43 ms 37 ms 10.101.255.73
5 137 ms 24 ms 23 ms 10.101.255.206
6 114 ms 27 ms 26 ms 10.103.82.5
7 70 ms 201 ms 215 ms 10.251.201.0
Success.
Thank you for the tip of using metarouter and vpnc!
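One way to keep the NAT and forwarding rules across a metarouter restart, as an added example that is not part of either post above. It assumes OpenWrt's firewall sources /etc/firewall.user on every (re)start, and reuses eth1 (LAN side) and tun0 (vpnc tunnel) from the configuration shown; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: OpenWrt's firewall sources
# /etc/firewall.user on every (re)start; eth1 is the LAN side and tun0 is the
# vpnc tunnel, as in the post above.

# Print the rules: NAT on the tunnel, and forwarding limited to LAN -> tunnel
# plus reply traffic, rather than a blanket FORWARD ACCEPT.
# -I is used on FORWARD so the rules sit ahead of any later reject rule.
vpn_rules() {
    lan="$1"; tun="$2"
    cat <<EOF
iptables -t nat -A POSTROUTING -o $tun -j MASQUERADE
iptables -I FORWARD -i $lan -o $tun -j ACCEPT
iptables -I FORWARD -i $tun -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Append each rule that is not already in the file, so the script can be run
# repeatedly without duplicating lines. Prints the number of rules added.
persist_vpn_rules() {
    file="$1"; lan="$2"; tun="$3"; added=0
    [ -f "$file" ] || : > "$file"
    while IFS= read -r rule; do
        if ! grep -qxF -- "$rule" "$file"; then
            printf '%s\n' "$rule" >> "$file"
            added=$((added + 1))
        fi
    done <<EOF
$(vpn_rules "$lan" "$tun")
EOF
    echo "$added"
}

# On the metarouter:
#   persist_vpn_rules /etc/firewall.user eth1 tun0 && /etc/init.d/firewall restart
```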
- just joined
- Posts: 1
- Joined: Tue Mar 17, 2015 8:30 pm
- Reputation: 0
- First RouterOS version: 6.27
Then I tried the routine http://cases.azoft.com/how-to-connect-m … cisco-vpn/ with Mikrotik-recommended image http://www.mikrotik.com/download/metaro … rootfs.tgz and vpnc from http://rnd.rajven.net/openwrt/mikrotik/ … s/packages repository. This client connects to my corporate Cisco successfully and even makes appropriate routes to my internal networks. But I could not manage to get any traffic through these routes whatsoever. No ping, no telnet, no DNS request. And no errors and no warnings.
I wasted two days trying to make good usage of metarouter vpnc. Eventually I took a cheap spare router and installed DD-WRT there with vpnc. Vpnc works with two different Ciscos on my two remote jobs and provides me with two remote internal networks simultaneously. The only thing Mikrotik has to do with this is that it routes appropriate requests from my home network to remote networks through the internal address of the second router. Works like a charm.