PPTP VPN Server

From Baranoski.ca
Revision as of 13:08, 26 November 2013 by Casey (talk | contribs)
Jump to navigation Jump to search

A Cisco router can be configured as a PPTP VPN server. This is very handy, because a PPTP client is built into most operating systems, like Windows, Linux and Android.


User Config

For starters, you will need some users created. The VPN authentication mechanism can't use secret passwords, so you can only use type 7 or plaintext. It might work with external authentication like TACACS+ or RADIUS, but I haven't tried it. 

username vpnuser password vpnpassword


VPDN Config

Next, enable Virtual Private Dialup Networking (VPDN). When a user connects, they will be brought up on an "Virtual Access" interface created from the Virtual-Template interface. 

vpdn enable
!
vpdn-group 1
 description PPTP VPN
 accept-dialin
  protocol pptp
  virtual-template 1


Interface Config

There are two different options for the IP: make it "unnumbered" on one of your existing interfaces, or apply a new subnet on the interface. The former lets you drop VPN clients into your existing LAN. The latter has the handy side effect of disappearing when there are no clients connected, and being able to apply access lists and policies. The tradeoff is that the client either needs static routes to get to the other subnets, or must use the VPN as its default gateway. To send static routes to the client, see Assigning Static Routes To Clients Using DHCP. 

interface Virtual-Template1
 description PPTP VPN
 ip unnumbered FastEthernet0
 ip nat inside
 no logging event link-status
 keepalive 30
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2

There are multiple options for the MPPE encryption and the authentication method. Using the options above makes it easy to set up the client, as you don't need to disable and enable certain protocols.


IP Assignment

Clients can be automatically assigned IP addresses from a "local pool" or from a DHCP pool.

The local pool option is simple. For a local pool, you just need to specify the start and end IPs. 

ip local pool PPTP-POOL 192.168.10.230 192.168.10.234

interface Virtual-Template1
 peer default ip address pool PPTP-POOL

The DHCP option allows you to assign parameters to the clients, like static routes, DNS servers, etc. 

ip dhcp pool PPTP-VPN
   network 192.168.10.0 255.255.255.0
   domain-name internal.local
   option 121 hex 10c0.a8c0.a80a.01
   option 249 hex 10c0.a8c0.a80a.01
   dns-server 192.168.10.1

interface Virtual-Template1
 peer default ip address dhcp-pool PPTP-VPN
Retrieved from "https://baranoski.ca/index.php?title=PPTP_VPN_Server&oldid=109"