Difference between revisions of "PPTP VPN Server"

From Baranoski.ca
Jump to navigation Jump to search
(Created page with "A Cisco router can be configured as a PPTP VPN server. This is very handy, because a PPTP client is built into most operating systems, like Windows, Linux and Android. For s...")
 
Line 1: Line 1:
 
A Cisco router can be configured as a PPTP VPN server.  This is very handy, because a PPTP client is built into most operating systems, like Windows, Linux and Android.
 
A Cisco router can be configured as a PPTP VPN server.  This is very handy, because a PPTP client is built into most operating systems, like Windows, Linux and Android.
  
 +
 +
==User Config==
 
For starters, you will need some users created.  The VPN authentication mechanism can't use secret passwords, so you can only use type 7 or plaintext.  It might work with external authentication like TACACS+ or RADIUS, but I haven't tried it.
 
For starters, you will need some users created.  The VPN authentication mechanism can't use secret passwords, so you can only use type 7 or plaintext.  It might work with external authentication like TACACS+ or RADIUS, but I haven't tried it.
  
Line 7: Line 9:
 
</PRE>
 
</PRE>
  
Next, enable Virtual Private Dialup Networking (VPDN).  When a user connects, they will be brought up on an interface created from the Virtual-Template interface.
+
 
 +
==VPDN Config==
 +
Next, enable Virtual Private Dialup Networking (VPDN).  When a user connects, they will be brought up on an "Virtual Access" interface created from the Virtual-Template interface.
  
 
<PRE>
 
<PRE>
Line 20: Line 24:
  
  
 +
==Interface Config==
 +
There are two different options for the IP: make it "unnumbered" on one of your existing interfaces, or apply a new subnet on the interface.  The former lets you drop VPN clients into your existing LAN.  The latter has the handy side effect of disappearing when there are no clients connected, and being able to apply access lists and policies.  The tradeoff is that the client either needs static routes to get to the other subnets, or must use the VPN as its default gateway.  To send static routes to the client, see [[Assigning Static Routes To Clients Using DHCP]].
 +
 +
<PRE>
 
interface Virtual-Template1
 
interface Virtual-Template1
 
  description PPTP VPN
 
  description PPTP VPN
no ip dhcp client request router
 
! name of the LAN interface below
 
 
  ip unnumbered FastEthernet0
 
  ip unnumbered FastEthernet0
no ip redirects
 
 
  ip nat inside
 
  ip nat inside
ip virtual-reassembly
 
ip route-cache flow
 
 
  no logging event link-status
 
  no logging event link-status
peer default ip address pool PPTP-POOL
 
 
  keepalive 30
 
  keepalive 30
  ppp encrypt mppe 40
+
  ppp encrypt mppe 128 required
  ppp authentication pap chap ms-chap
+
  ppp authentication ms-chap-v2
!
+
</PRE>
 +
 
 +
There are multiple options for the MPPE encryption and the authentication method.  Using the options above makes it easy to set up the client, as you don't need to disable and enable certain protocols.
 +
 
 +
 
 +
==IP Assignment==
 +
Clients can be automatically assigned IP addresses from a "local pool" or from a DHCP pool. 
 +
 
 +
The local pool option is simple.  For a local pool, you just need to specify the start and end IPs.
 +
 
 +
<PRE>
 
ip local pool PPTP-POOL 192.168.10.230 192.168.10.234
 
ip local pool PPTP-POOL 192.168.10.230 192.168.10.234
 +
 +
interface Virtual-Template1
 +
peer default ip address pool PPTP-POOL
 +
</PRE>
 +
 +
The DHCP option allows you to assign parameters to the clients, like static routes, DNS servers, etc.
 +
 +
<PRE>
 +
ip dhcp pool PPTP-VPN
 +
  network 192.168.10.0 255.255.255.0
 +
  domain-name internal.local
 +
  option 121 hex 10c0.a8c0.a80a.01
 +
  option 249 hex 10c0.a8c0.a80a.01
 +
  dns-server 192.168.10.1
 +
 +
interface Virtual-Template1
 +
peer default ip address dhcp-pool PPTP-VPN
 +
</PRE>

Revision as of 13:08, 26 November 2013

A Cisco router can be configured as a PPTP VPN server. This is very handy, because a PPTP client is built into most operating systems, like Windows, Linux and Android.


User Config

For starters, you will need some users created. The VPN authentication mechanism can't use secret passwords, so you can only use type 7 or plaintext. It might work with external authentication like TACACS+ or RADIUS, but I haven't tried it.

username vpnuser password vpnpassword


VPDN Config

Next, enable Virtual Private Dialup Networking (VPDN). When a user connects, they will be brought up on an "Virtual Access" interface created from the Virtual-Template interface.

vpdn enable
!
vpdn-group 1
 description PPTP VPN
 accept-dialin
  protocol pptp
  virtual-template 1


Interface Config

There are two different options for the IP: make it "unnumbered" on one of your existing interfaces, or apply a new subnet on the interface. The former lets you drop VPN clients into your existing LAN. The latter has the handy side effect of disappearing when there are no clients connected, and being able to apply access lists and policies. The tradeoff is that the client either needs static routes to get to the other subnets, or must use the VPN as its default gateway. To send static routes to the client, see Assigning Static Routes To Clients Using DHCP.

interface Virtual-Template1
 description PPTP VPN
 ip unnumbered FastEthernet0
 ip nat inside
 no logging event link-status
 keepalive 30
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2

There are multiple options for the MPPE encryption and the authentication method. Using the options above makes it easy to set up the client, as you don't need to disable and enable certain protocols.


IP Assignment

Clients can be automatically assigned IP addresses from a "local pool" or from a DHCP pool.

The local pool option is simple. For a local pool, you just need to specify the start and end IPs.

ip local pool PPTP-POOL 192.168.10.230 192.168.10.234

interface Virtual-Template1
 peer default ip address pool PPTP-POOL

The DHCP option allows you to assign parameters to the clients, like static routes, DNS servers, etc.

ip dhcp pool PPTP-VPN
   network 192.168.10.0 255.255.255.0
   domain-name internal.local
   option 121 hex 10c0.a8c0.a80a.01
   option 249 hex 10c0.a8c0.a80a.01
   dns-server 192.168.10.1

interface Virtual-Template1
 peer default ip address dhcp-pool PPTP-VPN