I need to configure PPTP VPN in the following simple scenario:
A remote workstation needs access to a server on the LAN. There is a condition and I can't use IPsec (there are some servers inside the LAN and NAT static translations are configured for them).
I configured PPTP according to the steps on cisco.com, but in fact I have connectivity only to the internal interface of the Cisco2921. Not the network. I can ping Gi0/0 from the remote workstation but can't ping the server.
Here is the part of config:
ip local pool REMOTE_VPN_USERS 192.168.100.100 192.168.100.110
interface virtual-template 1
 peer default ip address pool REMOTE_VPN_USERS
 ip unnumbered gi0/0
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2 eap
The final aim is to gain access to remote servers, e.g. via RDP. I would appreciate your help.
I guess you are pinging G0/0 because it's installed on the remote client as the peer address for the tunnel.
I'm not sure, but I guess that the remote client has no route over the tunnel (for MS Windows, it's a special checkbox under TCP/IP) for the remote subnet.
PS: EasyVPN allows encapsulating IPsec in UDP and TCP.
VV, thanks for the reply.
But how should I tune the tunnel in order for this route to be installed automatically? Is it possible? I need this solution to be as simple as possible.
Basically I considered using EasyVPN as an option, but after discovering that it uses IPsec (meaning with ESP), I thought that I can't use it (because of the static translations mentioned above). Could EasyVPN serve as a workaround for this problem?
Try examining "route print" on your Windows client to see the actual routing table.
For how to tune routing on a VPN, see Configuring Routing on a VPN Client (Microsoft).
EasyVPN supports UDP and TCP encapsulation.
I've checked: the route to 192.168.100.0/24 is present on the remote workstation. I've tried both ticking and unticking the checkbox, but the result is the same.
The server inside the LAN works well with IPsec clients through the tunnel terminated on another device on the same LAN. That's why I excluded it from troubleshooting.
Any more ideas about PPTP?
P.S. I've started to discover EasyVPN tuning.
I guess there could be an issue with your LAN routing.
Could you try to trace the client's IP address from the server?
Here it is (client IP is 192.168.100.102):
Tracing route to 192.168.100.102 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 192.168.100.50
2 * * * Request timed out.
3 * * * Request timed out.
and so on
This router also performs PAT for 192.168.100.0/24. I'm not sure... could it be the reason?
ip access-list standard LAN
 permit 192.168.100.0 0.0.0.255
route-map NAT_WAN1 permit 10
 match ip address LAN
 match interface GigabitEthernet0/1
Maybe the NAT process is performed earlier than traffic is encrypted and sent off the tunnel?
Basically, routing seems good: default routes in one direction (with PAT) and static translations in the back direction. Nothing complicated.
Could you share the links (if you remember any) to materials where EasyVPN encapsulation is mentioned? I would greatly appreciate it.
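
The last post shows a PAT source ACL for 192.168.100.0/24, and the first post a VPN pool of 192.168.100.100 to 192.168.100.110. As an added example (not part of the thread and not Cisco code), the Python below parses those posted lines and lists which pool addresses the ACL named LAN permits under IOS wildcard-mask matching. The function names are made up for the illustration, the ACL is assumed to feed the PAT rule through route-map NAT_WAN1 (the nat statement itself is not shown in the thread), and the result shows only the ACL match, not the cause of the connectivity problem.

```python
import ipaddress
import re

# Config lines as posted in the thread (VPN pool and the ACL shown for PAT).
CONFIG = """\
ip local pool REMOTE_VPN_USERS 192.168.100.100 192.168.100.110
ip access-list standard LAN
 permit 192.168.100.0 0.0.0.255
route-map NAT_WAN1 permit 10
 match ip address LAN
 match interface GigabitEthernet0/1
"""

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_pools(cfg):
    """Return {name: (first, last)} as integers from 'ip local pool' lines."""
    found = re.findall(r"^ip local pool (\S+) (\S+) (\S+)$", cfg, re.M)
    return {name: (to_int(lo), to_int(hi)) for name, lo, hi in found}

def parse_standard_acls(cfg):
    """Return {name: [(action, base, wildcard)]}; only 'addr wildcard' entries are handled."""
    acls, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"ip access-list standard (\S+)$", line)
        entry = re.match(r"\s+(permit|deny) (\S+) (\S+)$", line)
        if head:
            current = acls.setdefault(head.group(1), [])
        elif entry and current is not None:
            current.append((entry.group(1), to_int(entry.group(2)), to_int(entry.group(3))))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the ACL block
    return acls

def acl_action(entries, addr):
    """First match wins; wildcard bits set to 1 are ignored; implicit deny at the end."""
    for action, base, wild in entries:
        care = ~wild & 0xFFFFFFFF
        if (addr & care) == (base & care):
            return action
    return "deny"

def pool_addresses_permitted(cfg, pool, acl):
    """List pool addresses the ACL permits (assumption: this ACL selects PAT traffic)."""
    lo, hi = parse_pools(cfg)[pool]
    entries = parse_standard_acls(cfg)[acl]
    return [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)
            if acl_action(entries, a) == "permit"]
```

Calling pool_addresses_permitted(CONFIG, "REMOTE_VPN_USERS", "LAN") returns every address in the pool, including the client address 192.168.100.102 from the traceroute.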