Connecting two subnets PPTP

Sakura
Level 1

Hi,

I have a question about a Cisco 1921 working with a VPN interface.

The version is: Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)

The problem is:

I have two networks:

 - First: (net (172.x.x.x)) -> (soft firewall, Linux) -> Cisco 1921 -> Internet

 - Second: (net (192.x.x.x)) -> Cisco 1921 -> Internet

The first network has a VPN server on a Linux machine, handing out IPs from another subnet. The firewall is the network gateway.

The second network has a VDSLoPOTS line for Internet access. The Cisco 1921 is the gateway, doing NAT translation for the network.

I've configured the PPTP VPN client on the second net's Cisco, and with adequate configuration I can see Network 1 from Network 2 (with NAT too). But I cannot see Network 2 from Network 1.

Configuration:

!
vpdn enable
!
vpdn-group PPTPC
 request-dialin
  protocol pptp
  rotary-group 2
 initiate-to ip x.x.x.x
!
controller VDSL 0/0/0
!
interface GigabitEthernet0/1
 ip address 192.x.x.x
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Ethernet0/0/0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 ppp pap sent-username xxx password 0 xxx
 no cdp enable
!
interface Dialer2
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1360
 dialer in-band
 dialer idle-timeout 0
 dialer string 2
 dialer vpdn
 dialer-group 2
 no peer neighbor-route
 ppp authentication pap chap ms-chap-v2 callin
 ppp chap hostname xxx
 ppp chap password 0 xxx
 no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map R2 interface Dialer2 overload
ip nat inside source route-map R0 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.x.x.x Dialer2
!
access-list 1 permit 192.x.x.x
access-list 3 permit 172.x.x.x
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
no cdp run
!
!
!
route-map R2 permit 1
 match interface Dialer2
!
route-map R0 permit 1
 match interface Dialer0
!
!
!
control-plane
!
!
banner exec ^CC^C
banner login ^CC^C
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 1 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Routing table:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer0
      172.x.x.x is variably subnetted, 2 subnets, 2 masks
C        172.x.x.x is directly connected, Dialer2 <-- My VPN address
S        172.x.x.x is directly connected, Dialer2 <-- Remote subnet
      1.1.0.0/32 is subnetted, 2 subnets
C        1.1.1.1 is directly connected, Dialer0
C        1.1.1.67 is directly connected, Dialer0
      192.x.x.x is variably subnetted, 2 subnets, 2 masks
C        192.x.x.x is directly connected, GigabitEthernet0/1
L        192.x.x.x is directly connected, GigabitEthernet0/1

(1.1.0.0 represents Internet Access IP)

Questions:

1. I cannot enable MPPE. Why?

2. Can I connect NET1 and NET2 without NAT? I want all hosts to be able to see each other.

I can configure anything on the Cisco router at the second net, and the Linux machine on the first net. I cannot change the configuration of the Cisco router on the first net.
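One way to get what question 2 asks for on the existing PPTP tunnel, as an added example that is not from the original post or from Cisco documentation: in the posted config Dialer2 is `ip nat outside` and route-map R2 translates everything that leaves through it, so a reply from a NET2 host to a NET1 host goes out with Dialer2's own address as its source, while the NET1 host is waiting for an answer from the real NET2 address. Dropping NAT on Dialer2 keeps real addresses in both directions; the Linux side then needs a route for NET2 pointing at the router's PPP session, which the ip-up hook below installs. 192.0.2.0/24 (NET2), 172.16.0.0/16 (NET1) and 172.16.255.2 (the VPN address the Linux server hands to the router) are placeholders for the masked addresses, and the hook's file name is my choice.

```text
! ===== Cisco 1921 (NET2), IOS CLI, configure mode =====
! Stop translating traffic that leaves through the PPTP tunnel.
interface Dialer2
 no ip nat outside
!
no ip nat inside source route-map R2 interface Dialer2 overload
no route-map R2
!
! NET1 stays reachable through the tunnel, now with real addresses.
ip route 172.16.0.0 255.255.0.0 Dialer2
!
! Verify: the translation table must stay empty for 172.16.0.0/16
! traffic, and a ping from a NET2 host to a NET1 host must succeed.
!   show ip nat translations
!   show ip route 172.16.0.0
!   ping 172.16.1.10 source GigabitEthernet0/1

#!/bin/sh
# ===== Linux PPTP server (NET1), /etc/ppp/ip-up.d/net2-route =====
# pppd runs every script in this directory when a link comes up with
# $1 = ppp interface, $4 = local IP, $5 = IP given to the peer.
# Only the router's session (placeholder 172.16.255.2) gets the
# NET2 route; other PPTP clients are left alone.
if [ "$5" = "172.16.255.2" ]; then
    ip route replace 192.0.2.0/24 dev "$1"
fi

# ===== Linux one-off checks (shell) =====
# Forwarding between the LAN interface and the ppp link must be on
# and allowed by the firewall, or NET1 hosts still get no answer.
#   sysctl net.ipv4.ip_forward        (must print 1)
#   iptables -L FORWARD -v -n         (must accept eth0 <-> ppp+ both ways)
#   ip route get 192.0.2.20           (must show "dev pppN", not the default route)
```

With NAT gone from Dialer2, NET2 hosts are directly addressable from NET1, so the Linux firewall's FORWARD policy becomes the only filter between the two networks; tighten it to the hosts and ports that actually need to cross. The NET1 hosts themselves need no change, since the firewall is already their gateway.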

4 Replies

Philip D'Ath
VIP Alumni

Does the Linux PPTP server have a route for your subnet via the dynamic connection that is formed? This is going to be tricky.

I don't think you are going to succeed. If the 1941 has a crypto licence I would change over to IPSec. I would use strongswan on the Linux box.

I have the route at the Linux server.

Maybe I can try to use IPsec on the Cisco box, but my knowledge about it is really limited. I don't have a CCNA, and I have some Cisco boxes for creating a WAN between sites. I'm trying to learn how to use each command and configuration in order to do the correct configuration for each site and connection.

The final configuration is to have 3 different networks, in different offices, connected to each other with VPNs or another technology that allows me to see the other two from any network. My suggested topology is to use a central point (the Linux box at the main office) and connect the other networks to it.

Now I have more problems too, because the test site has changed its Internet connection, and I have the new connection configured, but now I cannot see the Linux box IP or any other machine with the same PPTP configuration from above.

I've tried to use IPsec, but I don't know how to configure it between the Linux box (server) and the Cisco. Can someone give me a hand with this?

I need the server on a Linux box because, when I have it working, I need to connect other Ciscos to it. Also, the Linux box has the best connection and a static IP. (At least one of the Ciscos will be working with a dynamic IP assignment.)

I would use strongswan on Linux, but you are in for a lot of work.

You would be better off getting an extra Cisco box and putting it next to the Linux box to do the VPN work.
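Philip's IPsec suggestion worked out end to end, as an added example that is not from the thread, from Cisco or from the strongSwan project: an IKEv1 pre-shared-key tunnel between the Cisco 1921 (dynamic address, so it initiates) and strongSwan on the Linux box (static address, placeholder 203.0.113.10). PPTP's MS-CHAPv2 authentication and its RC4-based MPPE are considered broken, so the swap is worth doing for its own sake, not only to fix routing. 192.0.2.0/24 (NET2) and 172.16.0.0/16 (NET1) are placeholders for the masked subnets; the PSK, ACL, transform-set and crypto-map names are mine; "securityk9" is the IOS crypto feature Philip's "crypto licence" refers to. The image on the page, 15.1(4)M5, should accept SHA-256 in ISAKMP policies and transform sets; if it rejects `hash sha256` or `esp-sha256-hmac`, the fallback is `hash sha` and `esp-sha-hmac`.

```text
! ===== Cisco 1921 (NET2), IOS CLI, configure mode =====
! Needs the securityk9 (crypto) feature enabled on the image.
! Phase 1: IKEv1, pre-shared key, AES-256, SHA-256, DH group 14.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-PSK address 203.0.113.10
crypto isakmp keepalive 10 periodic
!
! Phase 2: ESP with AES-256 and SHA-256 HMAC, tunnel mode.
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Traffic to encrypt: NET2 <-> NET1.
ip access-list extended VPN-TRAFFIC
 permit ip 192.0.2.0 0.0.0.255 172.16.0.0 0.0.255.255
!
! NAT runs before the crypto map on the inside->outside path, so the
! VPN traffic must be excluded from it: the deny below makes route-map
! R0 not match, and those packets keep their real addresses.
ip access-list extended NAT-DIALER0
 deny   ip 192.0.2.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 192.0.2.0 0.0.0.255 any
route-map R0 permit 1
 match ip address NAT-DIALER0
 match interface Dialer0
!
crypto map CM-NET1 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES256
 set pfs group14
 match address VPN-TRAFFIC
!
! The tunnel rides the Internet interface; NET1 must no longer be
! routed into the PPTP dialer, or the crypto map never sees it.
no ip route 172.16.0.0 255.255.0.0 Dialer2
interface Dialer0
 crypto map CM-NET1
!
! ESP adds roughly 60 bytes on top of PPPoE; clamp TCP MSS on the LAN side.
interface GigabitEthernet0/1
 ip tcp adjust-mss 1360
!
! Verify:  show crypto isakmp sa      (state QM_IDLE / ACTIVE)
!          show crypto ipsec sa       (encaps/decaps rise when NET2 pings NET1)

# ===== Linux box (NET1), strongSwan, /etc/ipsec.conf =====
config setup

conn net2
    keyexchange=ikev1
    authby=secret
    left=203.0.113.10
    leftsubnet=172.16.0.0/16
    right=%any
    rightsubnet=192.0.2.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    dpdaction=clear
    dpddelay=10s
    auto=add

# /etc/ipsec.secrets (mode 0600, owned by root); %any because the router's
# address changes, so the PSK is bound to "any peer" on the responder side.
203.0.113.10 %any : PSK "REPLACE-WITH-A-LONG-RANDOM-PSK"

# ===== Linux forwarding and host firewall (one-off shell commands) =====
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -p udp --dport 500  -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
# Only traffic that really came through (or goes into) the tunnel is forwarded.
iptables -A FORWARD -s 192.0.2.0/24 -d 172.16.0.0/16 -m policy --dir in  --pol ipsec -j ACCEPT
iptables -A FORWARD -s 172.16.0.0/16 -d 192.0.2.0/24 -m policy --dir out --pol ipsec -j ACCEPT
# Verify:  ipsec statusall    (conn "net2" ESTABLISHED and INSTALLED)
```

`auto=add` with `right=%any` is what makes the dynamic-IP router work: strongSwan only listens and the Cisco brings the tunnel up, which also fits the later plan of hanging more routers off the same Linux box, one `conn` block each. The `-m policy` matches on the FORWARD chain are the security check that matters here: without them a packet spoofed with a 192.0.2.0/24 source arriving in the clear would be forwarded into NET1 just like a decrypted one. Once the tunnel is up, the `vpdn`, `Dialer2`, `rotary-group` and `dialer-list 2` lines from the posted config can be removed.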
