Cisco VPN Client not working over Microsoft PPTP

Unanswered Question
Mar 19th, 2007

Home user needs to connect to a Cisco VPNC via IPsec to access the corporate network.

At his home, the user is connected to the service provider using Ethernet and private addressing.

To access the Internet, the service provider requires the user to establish PPTP to the provider's server with address via default gateway; then the user acquires a public IP address.

After PPTP establishment, the routing table changes. The default gw points to the PPTP peer, except the host route to the PPTP tunnel endpoint, which still goes via

When the user starts Cisco VPN Client, he is successfully authenticated and establishes an SA, but Cisco VPN Client discards the host route to the PPTP endpoint (i.e.

And after a small timeout both connections drop, PPTP and IPsec.

Is there any workaround for such a trouble?

kaachary (Cisco Employee) Mon, 03/19/2007 - 09:42

IPsec connection will not work on a PPTP tunnel, as it will encrypt the PPTP packet and this way the ISP will drop it. Your PPTP connection will go down, resulting in a drop of your IPsec connection as well.

You can use WebVPN though over PPTP.

*Please rate if it helped.


kaachary (Cisco Employee) Mon, 03/19/2007 - 09:43

SSL client will also not work. You have to use pure WebVPN connection.

valeriy_k Mon, 03/19/2007 - 14:21
Thanx a lot for a quick answer.

Nevertheless I cannot accept such a simple argument.

Not every packet sent out of the computer's network interface should be encrypted.

Packets sent out to the address of the VPNC itself are never encrypted once again.

So the same behavior should apply to the packets sent out to the PPTP endpoint.

Please, provide more details, why this does not happen.

Thanx in advance.

kaachary (Cisco Employee) Mon, 03/19/2007 - 14:51


The Cisco VPN client can't run over another transport protocol. The VPN adapter will be intercepting traffic and forwarding it over the VPN adapter and over the Ethernet adapter, even the PPTP traffic. So after the VPN client connects, it is encrypting the PPTP traffic and tries to send it to the concentrator, but then that breaks the PPTP connection, and after that goes down, IPsec itself breaks.

One workaround to get this working is to use split tunneling. That way PPTP traffic would be in clear text; all other traffic would be tunneled through the VPN adapter.

I hope it answers your questions.

*Please rate if helped.
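The route-table behaviour argued over in this thread (the question's full-tunnel case where the PPTP host route disappears, and the split-tunneling workaround suggested just above) can be reproduced with a small longest-prefix-match model. The following is an added example written for this page; it is not code from the thread, from Cisco, or from the VPN client. All addresses are constructed from documentation ranges, the interface names `eth0`, `pptp0` and `vpn0` are invented, and the exact set of routes the client installs in each mode is an assumption made to match the descriptions in the posts.

```python
import ipaddress

# All addresses are constructed for this example (documentation ranges);
# none of them come from the thread.
LAN_GW      = "192.168.1.1"    # provider's Ethernet gateway (private addressing)
PPTP_SERVER = "203.0.113.10"   # provider's PPTP server, reachable only via LAN_GW
PPTP_PEER   = "198.51.100.1"   # far end of the PPTP tunnel, default gw after dial-in
VPNC        = "192.0.2.20"     # corporate VPN concentrator on the public Internet
CORP_HOST   = "10.20.30.40"    # a host inside the corporate network
INET_HOST   = "203.0.113.99"   # an ordinary Internet host

# Tunnel interfaces (invented names) and the outer destination their
# encapsulated packets carry: PPTP/GRE goes to the PPTP server, ESP to the VPNC.
TUNNELS = {"pptp0": PPTP_SERVER, "vpn0": VPNC}


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop, interface) entries.
    Returns (network, next_hop, interface) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def encap_chain(table, dst):
    """Interfaces a packet to dst passes through, re-resolving the outer
    destination each time it enters a tunnel. The chain ends in a physical
    interface, in 'unreachable', or in 'LOOP' when a tunnel would have to
    carry its own transport packets (the failure described in the question)."""
    chain, entered, cur = [], set(), dst
    while True:
        route = lookup(table, cur)
        if route is None:
            chain.append("unreachable")
            return chain
        iface = route[2]
        chain.append(iface)
        if iface not in TUNNELS:
            return chain                # reached the wire: done
        if iface in entered:
            chain.append("LOOP")        # tunnel endpoint routed back into the tunnel
            return chain
        entered.add(iface)
        cur = TUNNELS[iface]            # outer packet is addressed to the endpoint


# 1. After PPTP dial-in: default via the tunnel, host route to the PPTP server
#    still via the Ethernet gateway (as the question describes).
after_pptp = [
    ("192.168.1.0/24", None, "eth0"),
    (PPTP_SERVER + "/32", LAN_GW, "eth0"),
    ("0.0.0.0/0", PPTP_PEER, "pptp0"),
]

# 2. Full-tunnel VPN client, modelled on the question: it takes the default
#    route, keeps a host route to the concentrator via the old default path,
#    and drops the host route to the PPTP server.
vpn_full_tunnel = [
    ("192.168.1.0/24", None, "eth0"),
    (VPNC + "/32", PPTP_PEER, "pptp0"),
    ("0.0.0.0/0", None, "vpn0"),
]

# 3. Same, but with the PPTP host route preserved (what the poster argues the
#    client should do).
vpn_full_tunnel_kept = vpn_full_tunnel + [(PPTP_SERVER + "/32", LAN_GW, "eth0")]

# 4. Split tunneling (assumed model): only the corporate prefix enters the
#    IPsec adapter; everything else keeps the routes from step 1.
vpn_split_tunnel = after_pptp + [("10.0.0.0/8", None, "vpn0")]


if __name__ == "__main__":
    tables = [("after_pptp", after_pptp), ("vpn_full_tunnel", vpn_full_tunnel),
              ("vpn_full_tunnel_kept", vpn_full_tunnel_kept),
              ("vpn_split_tunnel", vpn_split_tunnel)]
    for name, table in tables:
        print(f"{name:22} corp host -> {encap_chain(table, CORP_HOST)}")
        print(f"{name:22} inet host -> {encap_chain(table, INET_HOST)}")
```

In the full-tunnel table the chain for any destination comes back as `vpn0, pptp0, vpn0, LOOP`: the ESP packet to the concentrator is routed into PPTP, the GRE packet to the PPTP server matches the default route and is handed back to the IPsec adapter, which is the encrypted-PPTP situation kaachary describes. Restoring the `/32` to the PPTP server, or using the split-tunnel table, gives `vpn0, pptp0, eth0` for corporate traffic while Internet and PPTP traffic stay off the IPsec adapter entirely.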


valeriy_k Mon, 03/19/2007 - 16:26
Thanx a lot for your answer.

First of all, it's not possible to use split tunneling, because we are serving 10K corporate users, and they are using too many different service providers.

This particular provider uses a big Ethernet network, which overlaps with our corporate addressing. And there is no acceptable way to provide a host route exception in the split tunneling policy. And there is a limited number of routing table entries in split tunneling, not enough to accommodate all Russian/Israeli/etc. providers.

According to the routing table, unencrypted traffic passes directly to "Cisco Systems VPN Adapter".

In case the user manipulates the routing table, there is the "Deterministic Network Enhancer" protocol suite, bound to the network adapter. This protocol suite uses a policy loaded into it by "Cisco Systems VPN Client" when it connects to the VPNC.

For Cisco VPN Client it's possible to determine that a particular WAN adapter is a PPTP connection, and add an additional policy to "Cisco Systems VPN Adapter" and "Deterministic Network Enhancer" to except traffic destined to the PPTP endpoint.

I assume the situation described is a bug in Cisco Systems VPN Client.
