1921 routing issues: SSH via LAN works, but SSH via PPTP doesn't

freeman6351
Level 1

I've run into some routing issues and hope someone can help. I have a new 1921 router setup which replaced a McAfee SG router/firewall that has multiple IPsec VPN tunnels to remote sites.

While connected directly to the LAN of the new 1921 router, I'm able to ssh to all remote equipment without issue. All data is routing correctly over the IPsec tunnels from remote sites to servers on the 1921 LAN. When I connect remotely to the 1921 router via Windows PPTP (all other PC LAN connections disabled) I'm unable to ssh to the routers terminating at the other end of the IPsec tunnels (examples 10.253.6.1, 10.17.0.1), but can still ping them. I can still ssh to devices behind those endpoint routers when connected to the 1921 remotely via PPTP.

When connected to the router via LAN, there are static routes configured on the PCs as each user has 2 NICs (one for unsecured office internet and one to the secured 1921 LAN). When connected to the 1921 router via PPTP I'm connected to the internet first via wifi (doesn't matter where from) and then start the Windows PPTP connection. All office PCs have the same setup and issue, but worked fine with the McAfee router before the 1921 was installed.

PC persistent route example:
Persistent Routes:
  Network Address    Netmask          Gateway Address    Metric
  10.17.0.0          255.255.0.0      10.253.0.1         1
  10.253.0.0         255.255.0.0      10.253.0.1         1
  197.168.0.0        255.255.0.0      10.253.0.1         1

(yes, I know that last one is normally a public routable IP, but that remote network is using it as a LAN subnet)

Unless I have "Use default gateway on remote network" checked on the Windows PPTP connection, I can't ssh or rdp to other subnets on remote networks outside of 10.x.x.x (example 197.168.111.x), but I can when connected to the 1921 router direct via LAN. This was also working with the original McAfee router and remote users don't want "Use default gateway on remote network" checked so they can still access other internet resources.

How can I get routing to work the same via PPTP as it does when connected directly to the 1921 LAN without impacting the routing that is already working?

Another odd issue is when I'm connected to the 1921 router via PPTP, SSH to the router is very slow with 3 - 5 seconds for sh run to type in and then display. SSH access to the 1921 router via LAN and console respond normally.

I've attached the sanitized 1921 configuration. Any ideas on configuration changes that would correct the above issues?
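The "Use default gateway on remote network" problem described above is the Windows split-tunnel case: with the box unchecked, only the VPN adapter's own subnet is routed through the tunnel, so the other remote prefixes need routes bound to the VPN connection. The following is an added example, not code from the original post or from Cisco; it assumes the Windows built-in VPN connection is named "Office1921" (a hypothetical name) and reuses the three prefixes from the persistent-route table above. The same cmdlets apply to any Windows built-in VPN type (L2TP/IPsec, IKEv2), not only PPTP.

```powershell
# Added example (not from the original post): bind the remote office prefixes to the
# Windows VPN connection so they are routed through the tunnel while it is up,
# without sending all other traffic through it.
# Assumption: the VPN connection is named "Office1921" (hypothetical name).
$ConnectionName = "Office1921"

# SplitTunneling $true is the PowerShell equivalent of leaving
# "Use default gateway on remote network" unchecked.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# Prefixes taken from the PC's persistent-route table in the post.
# 197.168.0.0/16 is used as a private LAN subnet at that remote site.
$RemotePrefixes = @(
    "10.17.0.0/16",
    "10.253.0.0/16",
    "197.168.0.0/16"
)

foreach ($prefix in $RemotePrefixes) {
    # Routes attached to the connection are installed when the VPN comes up
    # and removed when it disconnects, so no permanent host routes are needed.
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
}

# Verify: list the routes now bound to the connection.
(Get-VpnConnection -Name $ConnectionName).Routes | Format-Table DestinationPrefix, RouteMetric
```

After reconnecting, `route print` should show each prefix with the VPN adapter as its interface; the host-specific routes to the tunnel-endpoint routers still depend on what the 1921 advertises and permits, which these client-side routes do not change.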


Philip D'Ath
VIP Alumni

Please please please don't use PPTP. It is a very old protocol. It is not officially supported by Cisco any more. It is cryptographically weak. It should not be deployed anywhere anymore.

You could either use the Cisco IPSec VPN Client to your router if you don't have Windows 10, or you could buy some AnyConnect licences (relatively cheap) and use that instead.