PPTP VPN Server
Latest revision as of 10:42, 16 December 2015
A Cisco router can be configured as a PPTP VPN server. This is very handy, because a PPTP client is built into most operating systems, like Windows, Linux and Android.
User Config
For starters, you will need some users created. You can either use local accounts or external authentication.
Local Accounts
The VPN authentication mechanism can't use secret passwords, so you can only use type 7 or plaintext.
username vpnuser password vpnpassword
External Authentication
I haven't tried RADIUS, but I have confirmed TACACS+.
aaa authentication ppp default group tacacs+
VPDN Config
Next, enable Virtual Private Dialup Networking (VPDN). When a user connects, they will be brought up on a "Virtual Access" interface created from the Virtual-Template interface.
vpdn enable
!
vpdn-group 1
 description PPTP VPN
 accept-dialin
  protocol pptp
  virtual-template 1
Interface Config
There are two different options for the IP: make it "unnumbered" on one of your existing interfaces, or apply a new subnet on the interface. The former lets you drop VPN clients into your existing LAN. The latter has the handy side effect of disappearing when there are no clients connected, and being able to apply access lists and policies. The tradeoff is that the client either needs static routes to get to the other subnets, or must use the VPN as its default gateway. To send static routes to the client, see Assigning Static Routes To Clients Using DHCP.
interface Virtual-Template1
 description PPTP VPN
 ip unnumbered FastEthernet0
 ip nat inside
 no logging event link-status
 keepalive 30
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
There are multiple options for the MPPE encryption and the authentication method. Using the options above makes it easy to set up the client, as you don't need to disable and enable certain protocols.
IP Assignment
Clients can be automatically assigned IP addresses from a "local pool" or from a DHCP pool.
The local pool option is simple. For a local pool, you just need to specify the start and end IPs.
ip local pool PPTP-POOL 192.168.10.230 192.168.10.234

interface Virtual-Template1
 peer default ip address pool PPTP-POOL
The DHCP option allows you to assign parameters to the clients, like static routes, DNS servers, etc.
ip dhcp pool PPTP-VPN
 network 192.168.10.0 255.255.255.0
 domain-name internal.local
 option 121 hex 10c0.a8c0.a80a.01
 option 249 hex 10c0.a8c0.a80a.01
 dns-server 192.168.10.1

interface Virtual-Template1
 peer default ip address dhcp-pool PPTP-VPN
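The hex string behind option 121 (and Microsoft's pre-standard option 249, which carries the same payload) is an RFC 3442 classless static route list: one byte of prefix length, only the significant octets of the destination, then the four-octet router. The following is an added example, not part of the original page, that encodes and decodes that format and prints it in the dotted-hex form IOS expects; the route names and values in the tests are constructed.

```python
import ipaddress


def encode_classless_routes(routes):
    """Encode (destination_network, router) pairs as RFC 3442 option 121 data.

    Each entry is: prefix length (1 byte), ceil(prefix/8) destination octets,
    then the 4-octet router address. A default route (/0) has no destination
    octets at all.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)  # raises if host bits are set
        n_sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:n_sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data):
    """Inverse of encode_classless_routes; rejects truncated entries."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        n_sig = (plen + 7) // 8
        dest, router = data[i:i + n_sig], data[i + n_sig:i + n_sig + 4]
        if len(dest) < n_sig or len(router) < 4:
            raise ValueError("truncated classless route entry")
        i += n_sig + 4
        # Pad the omitted host octets back to a full 4-byte address.
        net = ipaddress.IPv4Network((dest + b"\x00" * (4 - n_sig), plen), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def to_cisco_hex(data):
    """IOS 'option <n> hex' wants hex digits in dotted groups of four."""
    h = data.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def from_cisco_hex(text):
    return bytes.fromhex(text.replace(".", ""))


if __name__ == "__main__":
    # The value from the config above decodes to 192.168.0.0/16 via 192.168.10.1.
    print(decode_classless_routes(from_cisco_hex("10c0.a8c0.a80a.01")))
```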
Client Setup
In Windows, the only change that might be necessary in the client is to disable using the default gateway from the remote network. It should get its DNS servers and any static routes from PPTP.
Ubuntu doesn't seem to get the DNS servers from DHCP (maybe it uses another option), so you're best off configuring the connection for "Get addresses only", then manually specifying the DNS server IP(s).