cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2003
Views
0
Helpful
9
Replies

PPTP VPN on Cisco 2921 ISR G2

Hi,

I need to configure PPTP VPN in the following simple scenario:

net_diagram.jpg

Remote workstation needs access to a server in LAN. There is a condition and I can't use IPsec (there are some servers inside LAN and NAT static translations are configured for them).

I configured PPTP according the steps on cisco.com, but in fact i have connectivity only to internal interface of Cisco2921. Not the network. I can ping Gi0/0 from remote workstation but can't ping Server.

Here is the part of config:

vpdn enable

vpdn-group 1

    accept-dialin

        protocol pptp

        virtual-template 1

        exit

    exit

ip local pool REMOTE_VPN_USERS 192.168.100.100 192.168.100.110

interface virtual-template 1

    encapsulation ppp

    peer default ip address pool REMOTE_VPN_USERS

    ip unnumbered gi0/0

    no keepalive

    ppp encrypt mppe auto

    ppp authentication ms-chap-v2 eap

The final aim is to gain access to remote servers e.g. via RDP. Would appreciate for your help.

9 Replies 9

Hello, Alexander.

I guess you are pinging G0/0 because it's installed on remote client as peer-address for the tunnel.

I'm not sure, but guess that remote client has no route over the tunnel (for MS Windows, it's a special checkbox under TCP/IP) for the remote subnet.

PS: EasyVPN allows to encapsulate IPSec into UDP and TCP.

VV, thanks for reply

But how should I tune the tunnel in order this route to be installed automatically? Is it possible? I need this solution to be as simple as possible.

Basically I considered using EasyVPN as an option, but after discovering that it's using an IPsec (means with ESP) I thought that i can't use it (because of static translations mentioned above). Could EasyVPN serve as workaround for this problem?

Hello, Alexanger.

Try examine "route print" on your Windows client to see actual routing table.

How to tune routing on VPN - see Configuring Routing on a VPN Client (Microsoft).

EasyVPN supports UDP and TCP encapsulation.


I've checked: route to 192.168.100.0/24 is present at the remote workstation. I've tried both tick and untick the checkbox but result is the same.

The server inside the LAN works good with IPsec clients through the tunnel terminated on another device on the same LAN. That's why i excluded it from troubleshooting.

Any more ideas about PPTP ?

P.S. I've started to discover EasyVPN tuning.

Hello, Alexander.

I guess there could be an issue on your LAN routing.

Could you try to trace clients' IP-address from the server?

Yeah,

here it is (client ip is 192.168.100.102):

Tracing route to 192.168.100.102 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  192.168.100.50 

  2     *        *        *     Request timed out.

  3     *        *        *     Request timed out.

and so on

This router also performs PAT for 192.168.100.0/24. I'm not sure.. could it be the reason?

ip access-list standard LAN

permit 192.168.100.0 0.0.0.255

deny   any

route-map NAT_WAN1 permit 10

match ip address LAN

match interface GigabitEthernet0/1

Maybe NAT process is performed earlier than traffic is encrypted and send off the tunnel??

VV, thanks for reply

Basically, routing seems good: default routes in one direction (with PAT) and static translations in back direction. Nothing complicated.

I've decided to give up this desperate task and moved to EasyVPN with cTCP. This solution meets my basic requirements and is better than using PPTP.

Could you share the links (if you remember any) to materials, where EasyVPN encapsulation is mentioned? I would greatly appreciate it

Yeah! It seems i've found it! Cisco Tunnel Control Protocol (cTCP)