09-17-2014 01:33 AM - edited 03-04-2019 11:46 PM
Hi everybody!
I need to know if there is any possible way to configure a site-to-site PPTP VPN connection on Cisco routers.
If it is, how do I configure it?
09-18-2014 07:54 PM
Hi,
I am also a university teacher and to be honest, I do not see much of a point in focusing on PPTP. It is a relatively simple protocol, that's for sure, but it has drawbacks, and especially when considering a site-to-site VPN, I do not see a compelling reason to prefer PPTP to other solutions, such as L2TP, IPsec, or even plain GRE. It is not a typical solution, especially between Cisco routers (as can also be seen by the difficulty you have encountered yourself when trying to find out how a PPTP client can be configured), and PPTP has long been considered obsolete. I am afraid that if the thesis focuses primarily or only on PPTP, it will not be representative. What are your professor's particular reasons for sticking with PPTP?
In any case, let's see how the configuration can be done. The PPTP Remote Access Server is configured as follows:
! address pool handed out to PPTP clients
ip local pool PPTP_Clients 192.168.1.11 192.168.1.200
!
! address the RAS listens on for PPTP (normally the public uplink)
interface Loopback0
 ip address 10.255.255.5 255.255.255.255
!
! RAS-side address of every tunneled PPP session
interface Loopback1
 ip address 192.168.1.1 255.255.255.255
!
interface Virtual-Template1
 ip unnumbered Loopback1
 peer default ip address pool PPTP_Clients
!
vpdn enable
!
vpdn-group PPTP_RAS
 accept-dialin
  protocol pptp
  virtual-template 1
 source-ip 10.255.255.5
Here, the PPTP_Clients pool holds a pool of IP addresses to be assigned to PPTP clients, starting from 192.168.1.11 and going up to 192.168.1.200. The Loopback0 interface represents the IP address of the Remote Access Server. It does not have to be a loopback address, though; it can (and probably would) be the Remote Access Server's uplink interface to the internet, carrying a public IP address. The Loopback1 interface holds the IP address of the RAS used for every incoming PPP session tunneled across PPTP - it is the IP address that every PPTP client will see over its own PPP virtual interface. This Loopback1 is then referred to in the Virtual-Template1 interface configuration, which shares the IP address of Lo1 using the IP Unnumbered feature. The configuration of the VPDN and the corresponding VPDN group then specifies the tunneling protocol in use, the Virtual-Template interface to be used for incoming PPTP clients, and the source IP address the RAS should use - the IP address from Lo0 is used here.
The PPTP Client is configured as follows:
! unlocks hidden commands, including the PPTP client
service internal
!
vpdn enable
!
vpdn-group PPTP_CLIENT
 request-dialin
  protocol pptp
  pool-member 1
 initiate-to ip 10.255.255.5
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer string 1234
 dialer persistent
 dialer vpdn
First and foremost, you need to enter the service internal command. This command is used to enable some hidden IOS features and commands, including the PPTP client functionality. Obviously, Cisco itself does not consider the PPTP client functionality on routers to be interesting to most people and therefore hides the feature. Without the service internal command, the VPDN group will not allow you to specify PPTP as the tunneling protocol and will pretend no such protocol is supported.
The VPDN group specifies the IP address of the PPTP RAS (I am again referring to its Lo0 address 10.255.255.5) and declares the VPDN group as a possible "interface" to be used by a Dialer interface when making calls.
Next, the Dialer0 interface is configured. This is the client PPP interface. It is configured for PPP encapsulation and to obtain the IP address from the RAS. The specific configuration lies in the dialer commands:
After configuring your Dialer0 interface this way, you may need to shutdown and no shutdown it to force the IOS to start the interface using all configuration. I've seen situations where the PPTP session did not come up right after creating the Dialer0 configuration, and shutting/unshutting it was necessary to kick IOS into action.
Please be sure that you can ping the RAS server from the client before actually trying to start the PPTP session.
Please let me know if this worked for you!
Best regards,
Peter
09-17-2014 03:11 PM
Hello,
Yes, it should be possible to configure a Cisco IOS router to act both as a PPTP client and a PPTP server. What functionality do you exactly need? In addition, if both endpoints of the tunnel are Cisco routers, why would you want them to tunnel traffic using PPTP? Using GRE or PPP+L2TP would be much simpler and more straightforward.
Best regards,
Peter
09-18-2014 01:04 AM
Hi,
I have to write a thesis and one of the subjects is to compare tunnels between Cisco routers. I spoke with the professor and he would like to use a PPTP VPN only if it is possible. I was looking for any information on the Cisco website about configuring PPTP tunnels but I found nothing, only the configuration of a PPTP server for remote access. I also found one topic (link below) where it says that you cannot configure a PPTP client.
https://supportforums.cisco.com/discussion/10866831/how-configure-cisco-router-pptp-client
09-18-2014 07:54 PM
Great explanation, thanks for sharing.
09-20-2014 10:07 AM
Hi,
Thank you for your help. I tried your configuration in GNS3 and it works perfectly. I will talk with my professor about whether he really wants a PPTP tunnel in the thesis.
10-16-2014 04:43 AM
Hi, I would like to configure a Cisco 800 series router to be a VPN client, knowing that the server will be a Server 2008 machine with PPTP.
Is that possible?
12-01-2015 09:53 AM
Peter,
Great info, thank you - although Cisco still tells me this functionality is not supported (specifically the PPTP client) and will not work. Is it required that both ends be a Cisco router? I have a situation where we have a 1941 and a requirement for a PPTP client to something like a WatchGuard unit on the other end.
Regards,
JR
12-01-2015 02:27 PM
Hi JR,
I have tested a couple of IOS versions, including some recent ones - 15.3(3)XB12 and 15.5(3)M - and I can confirm that the PPTP client functionality is still there and is working fine. I have come across a bug, though: the IOS PPTP client in these recent IOS versions does not install a host route toward the PPTP server automatically (seems to be some glitch related to the PPP IPCP code). However, this can be worked around by simply having proper static routes configured out the Dialer interface on the client. The server does not exhibit this problem.
Is it required that both ends be a Cisco router?
I do not believe so. It should be possible to have either party be a non-Cisco device. I haven't tried it personally, but from what I can tell after observing the PPTP session setup in Wireshark, it seems to be completely ordinary.
Best regards,
Peter
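The PPTP session setup Peter mentions observing in Wireshark runs over an unencrypted TCP/1723 control channel, so the same messages are what a defender sees when looking for PPTP on a network. The following is an added example (not code from this thread or from Cisco) that parses PPTP control-connection messages as defined in RFC 2637: it validates the magic cookie and length, names the control message type, and extracts the host name and vendor string that a client announces in its Start-Control-Connection-Request (SCCRQ). The messages fed to it are constructed in the script; "branch-router" and "Cisco Systems" are made-up sample values, not captured data.

```python
"""Parse PPTP control-connection messages (RFC 2637) seen on TCP port 1723.

Added example for this thread, not code from the thread or from Cisco.
The PPTP control channel is unencrypted, so a capture of a session reveals
the client's host name and vendor string in its SCCRQ. The sample messages
built below are constructed, not captured.
"""
import struct

PPTP_MAGIC = 0x1A2B3C4D      # magic cookie present in every control message
CONTROL_MESSAGE = 1          # PPTP message type 1 = control, 2 = management
HEADER = "!HHIHH"            # length, message type, magic, control type, reserved
CTRL_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "StopCCRQ", 4: "StopCCRP",
              5: "Echo-Request", 6: "Echo-Reply", 7: "OCRQ", 8: "OCRP",
              9: "ICRQ", 10: "ICRP", 11: "ICCN", 12: "CCRQ", 13: "CDN",
              14: "WEN", 15: "SLI"}


def build_sccrq(host_name, vendor, max_channels=0):
    """Construct an SCCRQ (156 bytes) for testing; field values are made up."""
    body = struct.pack("!HHIIHH", 0x0100, 0, 1, 1, max_channels, 1)
    body += host_name.encode()[:64].ljust(64, b"\x00")
    body += vendor.encode()[:64].ljust(64, b"\x00")
    return struct.pack(HEADER, 12 + len(body), CONTROL_MESSAGE, PPTP_MAGIC, 1, 0) + body


def build_echo_request(identifier):
    """Construct an Echo-Request (16 bytes), the keepalive PPTP peers exchange."""
    return struct.pack(HEADER, 16, CONTROL_MESSAGE, PPTP_MAGIC, 5, 0) + struct.pack("!I", identifier)


def parse_control_message(data):
    """Parse one control message; raise ValueError if it is not valid PPTP."""
    if len(data) < 12:
        raise ValueError("short header")
    length, msg_type, magic, ctrl_type, _ = struct.unpack(HEADER, data[:12])
    if magic != PPTP_MAGIC:
        raise ValueError("bad magic cookie, not a PPTP control message")
    if msg_type != CONTROL_MESSAGE:
        raise ValueError(f"unsupported PPTP message type {msg_type}")
    if length < 12 or length > len(data):
        raise ValueError("length field inconsistent with data")
    info = {"length": length, "control_type": ctrl_type,
            "name": CTRL_NAMES.get(ctrl_type, "unknown")}
    if ctrl_type == 1 and length == 156:   # SCCRQ carries the identifying fields
        version, _, framing, bearer, max_ch, firmware = struct.unpack("!HHIIHH", data[12:28])
        info.update(
            protocol_version=f"{version >> 8}.{version & 0xFF}",
            framing_caps=framing, bearer_caps=bearer,
            max_channels=max_ch, firmware=firmware,
            host_name=data[28:92].split(b"\x00", 1)[0].decode(errors="replace"),
            vendor=data[92:156].split(b"\x00", 1)[0].decode(errors="replace"),
        )
    return info


def split_stream(stream):
    """Parse every message in a reassembled TCP/1723 byte stream, in order."""
    messages, offset = [], 0
    while offset + 12 <= len(stream):
        length = struct.unpack("!H", stream[offset:offset + 2])[0]
        if length < 12 or offset + length > len(stream):
            raise ValueError(f"malformed length {length} at offset {offset}")
        messages.append(parse_control_message(stream[offset:offset + length]))
        offset += length
    return messages


def is_pptp(data):
    """Cheap classifier for a detection rule: True if data starts with a valid PPTP control message."""
    try:
        parse_control_message(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed two-message stream: client hello followed by a keepalive
    stream = build_sccrq("branch-router", "Cisco Systems") + build_echo_request(1)
    for message in split_stream(stream):
        print(message)
```

The magic cookie check is what keeps `is_pptp` from matching arbitrary TCP data; the length check catches truncated or malformed messages before any field is read, which matters when the parser is fed reassembled streams from untrusted hosts.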
06-08-2016 08:30 AM
Hi, I have successfully tested it against Ubuntu 14.04 (package pptpd), with 128-bit MPPE and one-way authentication (IOS image c1900-universalk9-mz.SPA.153-3.M2.bin).
Some modifications for Dialer0 were needed:
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string 1234
 dialer persistent
 dialer vpdn
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2 optional
 ppp eap refuse
 ppp chap hostname HOSTNAME
 ppp chap password 0 PASS
 ppp ms-chap refuse
 ppp pap refuse
Thank you for the great guide.
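Peter's client configuration and the hardened Dialer0 in the post above together give a checklist for an IOS PPTP client: `service internal` and `vpdn enable` present, a `vpdn-group` with `request-dialin` / `protocol pptp`, `dialer vpdn` on the Dialer, MPPE required, and the weaker PPP authentication methods refused. The following added example (not code from this thread or from Cisco) turns that checklist into a small audit script that parses an IOS configuration and reports what is missing. Both configurations it checks are constructed in the script: the first is modelled on the hardened Dialer0 above (HOSTNAME and PASS are placeholders as in the post), the second is a minimal client that connects but negotiates no MPPE; 192.0.2.1 in it is a documentation address standing in for a PPTP server.

```python
"""Audit the PPTP client settings of a Cisco IOS configuration.

Added example for this thread (not code from the thread or from Cisco).
Checks: 'service internal' and 'vpdn enable' present, a vpdn-group with
request-dialin / protocol pptp, 'dialer vpdn' on the Dialer, MPPE required,
and the pap / ms-chap / eap methods refused as in the hardened Dialer0.
"""
import re

# Constructed sample modelled on the hardened Dialer0 posted in the thread;
# HOSTNAME / PASS are placeholders, 10.255.255.5 is the RAS address the thread uses.
HARDENED = """\
service internal
!
vpdn enable
!
vpdn-group PPTP_CLIENT
 request-dialin
  protocol pptp
  pool-member 1
 initiate-to ip 10.255.255.5
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string 1234
 dialer persistent
 dialer vpdn
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2 optional
 ppp eap refuse
 ppp chap hostname HOSTNAME
 ppp chap password 0 PASS
 ppp ms-chap refuse
 ppp pap refuse
"""

# Constructed minimal client: it connects, but requires no MPPE and accepts
# whatever authentication the server proposes. 192.0.2.1 is a documentation address.
MINIMAL = """\
service internal
vpdn enable
vpdn-group 1
 request-dialin
  protocol pptp
  pool-member 1
 initiate-to ip 192.0.2.1
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer vpdn
 ppp chap hostname pptpuser
 ppp chap password 0 pptppass
"""

MPPE_REQUIRED = re.compile(r"ppp encrypt mppe (auto|40|128) required")
REFUSE = ("pap", "ms-chap", "eap")   # methods the hardened example refuses explicitly


def parse_blocks(config):
    """Split an IOS config into global commands and {header: [sub-commands]}.

    IOS marks nesting with leading spaces and comments with '!'. Sub-mode depth
    is flattened, which is enough for the membership checks below.
    """
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
            top.append(current)
    return top, blocks


def audit_pptp_client(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    top, blocks = parse_blocks(config)
    if "service internal" not in top:
        findings.append("missing 'service internal' (PPTP client commands stay hidden without it)")
    if "vpdn enable" not in top:
        findings.append("missing 'vpdn enable'")
    if not any(h.startswith("vpdn-group") and "request-dialin" in s and "protocol pptp" in s
               for h, s in blocks.items()):
        findings.append("no vpdn-group with request-dialin / protocol pptp")
    dialers = {h: s for h, s in blocks.items() if h.startswith("interface Dialer")}
    if not dialers:
        findings.append("no Dialer interface configured")
    for name, sub in dialers.items():
        if "dialer vpdn" not in sub:
            findings.append(f"{name}: missing 'dialer vpdn'")
        if not any(MPPE_REQUIRED.fullmatch(s) for s in sub):
            findings.append(f"{name}: MPPE not required, PPP payload may cross the tunnel in clear")
        for method in REFUSE:
            if f"ppp {method} refuse" not in sub:
                findings.append(f"{name}: 'ppp {method} refuse' missing")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("minimal", MINIMAL)):
        print(label, audit_pptp_client(cfg) or ["OK"])
```

Run it against `show running-config` output saved to a file by passing the file's contents to `audit_pptp_client`; the minimal sample yields four findings (no MPPE requirement and three missing refuse lines), the hardened one yields none.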
02-04-2017 07:01 AM
Good job, thanks
03-28-2017 12:12 AM
I configured a Cisco router as a PPTP client.
On the router everything is OK (ping 8.8.8.8 works),
but I cannot ping 8.8.8.8 from the PC (ping 8.8.8.8 -----> Request timed out.)
show interfaces dialer 0
---->Internet address is 172.16.3.37/32
Please HELP ME
-----------------------------------------------------
(router to pptp server):
interface gig 0/0/0
 ip address 10.96.174.225 255.255.254.0
 no sh
(router to pc):
interface Gig 0/1
 ip nat inside
 ip address 172.21.2.1 255.255.255.0
 no sh
(PC): IP 172.21.2.2, mask 255.255.255.0, gateway 172.21.2.1
------------------------------------------------------
Router:
service internal
vpdn enable
vpdn-group 1
 request-dialin
  protocol pptp
  pool-member 1
 initiate-to ip 31.24.238.222
exit
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 dialer idle-timeout 0
 dialer string 123
 dialer vpdn
 dialer persistent
 ppp chap hostname pptphostname
 ppp chap password 0 pptppassword
 ip nat outside
exit
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 31.24.238.222 255.255.255.255 10.96.174.1
dialer-list 1 protocol ip permit
ip nat inside source list 100 interface dialer 0 overload
access-list 100 permit ip any any
--------------------------------------------------------------------------------------
Router Config:
Router2921#show running-config
version 15.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
no aaa new-model
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pptp
  pool-member 1
 initiate-to ip 31.24.238.222
!
license udi pid CISCO2921/K9 sn FGL172711NU
hw-module sm 1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
 ip address 172.21.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 ip address 10.96.175.30 255.255.254.0
 ip virtual-reassembly in
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet1/0
 no ip address
 shutdown
!
interface GigabitEthernet1/1
 description Internal switch interface connected to Service Module
 no ip address
!
interface Vlan1
 no ip address
!
interface Dialer1
 ip address negotiated
 ip access-group 101 in
 ip access-group 101 out
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer remote-name david
 dialer idle-timeout 0
 dialer string 1234
 dialer persistent
 dialer vpdn
 dialer-group 1
 ppp pfc local request
 ppp pfc remote apply
 ppp eap refuse
 ppp chap hostname pptpusername
 ppp chap password pptppassword
 ppp ms-chap refuse
 ppp pap refuse
 no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 31.24.238.0 255.255.255.0 10.96.174.1
!
access-list 100 permit ip any any
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
--------------------------------------------------------------------------------------
Router2921#show ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
icmp 172.16.3.234:1       172.21.2.2:1          4.2.2.4:1             4.2.2.4:1
udp  172.16.3.234:51517   172.21.2.2:51517      4.2.2.4:53            4.2.2.4:53
udp  172.16.3.234:52168   172.21.2.2:52168      4.2.2.4:53            4.2.2.4:53
udp  172.16.3.234:52579   172.21.2.2:52579      4.2.2.4:53            4.2.2.4:53
tcp  172.16.3.234:58283   172.21.2.2:58283      2.22.144.112:80       2.22.144.112:80