Cisco VPN Client not working over Microsoft PPTP

valeriy_k
Level 1

A home user needs to connect to a Cisco VPNC via IPsec to access the corporate network.

At his home, the user is connected to the service provider over Ethernet with private addressing 192.168.6.0/24. To access the Internet, the service provider requires the user to establish a PPTP session to the provider's server at 192.168.1.1 via the default gateway 192.168.6.254; the user then acquires a public IP address.

After the PPTP session is established, the routing table changes. The default gateway points to the PPTP peer, except for the host route to the PPTP tunnel endpoint 192.168.1.1, which still goes via 192.168.6.254.

When the user starts the Cisco VPN Client, he is successfully authenticated and establishes an SA, but the Cisco VPN Client discards the host route to the PPTP endpoint (i.e. 192.168.1.1). After a short timeout both connections drop, PPTP and IPsec.

Is there any workaround for this problem?

5 Replies

kaachary
Cisco Employee

An IPsec connection will not work over a PPTP tunnel, as it will encrypt the PPTP packets, and the ISP will drop them. Your PPTP connection will go down, resulting in the drop of your IPsec connection as well.

You can use WebVPN though over PPTP.

*Please rate if it helped.

-Kanishka

The SSL client will also not work. You have to use a pure WebVPN connection.

Thanks a lot for the quick answer.

Nevertheless, I cannot accept such a simple argument. Not every packet sent out of the computer's network interface should be encrypted. Packets sent to the address of the VPNC itself are never encrypted a second time, so the same behaviour should apply to packets sent to the PPTP endpoint.

Please provide more details on why this does not happen.

Thanks in advance.

Hi,

The Cisco VPN Client can't run over another transport protocol. The VPN adapter will be intercepting traffic and forwarding it over the VPN adapter and over the Ethernet adapter, even the PPTP traffic. So after the VPN client connects, it is encrypting the PPTP traffic and tries to send it to the concentrator, but that breaks the PPTP connection, and after that goes down, IPsec itself breaks.

One workaround to get this working is to use split tunneling. That way the PPTP traffic would be in clear text, and all other traffic would be tunneled through the VPN adapter.

I hope it answers your questions.

*Please rate if helped.

-Kanishka

Thanks a lot for your answer.

First of all, it's not possible to use split tunneling, because we are serving 10K corporate users, and they are using too many different service providers. This particular provider uses a big Ethernet network, which overlaps with our corporate addressing, and there is no acceptable way to provide a host route exception in the split tunneling policy. There is also a limited number of routing table entries in split tunneling, not enough to accommodate all the Russian/Israeli/etc. providers.

According to the routing table, unencrypted traffic passes directly to the "Cisco Systems VPN Adapter". In case the user manipulates the routing table, there is the "Deterministic Network Enhancer" protocol suite, bound to the network adapter. This protocol suite uses a policy loaded into it by the "Cisco Systems VPN Client" when it connects to the VPNC.

For the Cisco VPN Client it is possible to determine that a particular WAN adapter is a PPTP connection, and to add an additional policy to the "Cisco Systems VPN Adapter" and "Deterministic Network Enhancer" to exempt traffic destined to the PPTP endpoint.

I assume the situation described is a bug in the Cisco Systems VPN Client.
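The interaction described across this thread (the host route to the PPTP endpoint, the client claiming the default route, the DNE policy enforcing encryption regardless of the routing table, and the overlapping-addressing problem with split tunneling) can be modelled as a longest-prefix-match routing table plus a secured-prefix policy. The following is an added example, not code from the original posts or from Cisco: the tables and policies are constructed from the thread's description rather than captured from a real Windows host, the concentrator's public address (198.51.100.10), the corporate prefixes and the `ClientPolicy`/`dne_encrypts` names are assumptions, and it goes beyond the thread by also running the split-tunnel and "PPTP endpoint exempted" cases the last poster proposes.

```python
"""Model of the routing and policy interaction described in this thread.

Added example, not part of the original posts: tables and policies below are
constructed from the thread's description, not captured from a real Windows host.
The concentrator's public address and the corporate prefixes are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

LAN_GW = "192.168.6.254 (ethernet)"        # provider LAN gateway, from the thread
PPTP_PEER = "PPTP peer (public IP)"        # default once the PPTP session is up
VPN_ADAPTER = "Cisco Systems VPN Adapter"  # anything sent here is IPsec-encapsulated

PPTP_ENDPOINT = "192.168.1.1"  # provider's PPTP server, from the thread
VPNC = "198.51.100.10"         # assumed public address of the concentrator
CORP_HOST = "10.20.30.40"      # assumed host on the corporate network


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def lookup(table: List[Route], dst: str) -> str:
    """Longest-prefix match over a routing table; returns the egress label."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r[0].prefixlen)[1]


# Host table once the provider PPTP session is up: default via the PPTP peer,
# plus the host route that keeps the tunnel's own carrier packets on ethernet.
AFTER_PPTP: List[Route] = [
    (net("0.0.0.0/0"), PPTP_PEER),
    (net("192.168.6.0/24"), LAN_GW),
    (net(f"{PPTP_ENDPOINT}/32"), LAN_GW),
]


@dataclass
class ClientPolicy:
    """What the client pushes into the DNE filter (assumed shape): which prefixes
    are secured ("0.0.0.0/0" = full tunnel) and which hosts are exempt. The
    concentrator is always exempt, as the thread notes."""
    secured: List[str]
    exceptions: List[str] = field(default_factory=lambda: [VPNC])


def table_after_vpn(base: List[Route], policy: ClientPolicy) -> List[Route]:
    """Routing table after the client connects: exempt hosts are pinned to their
    pre-VPN egress, secured prefixes point at the VPN adapter, base routes the
    client replaces (e.g. the old default) are dropped, the rest are kept."""
    table: List[Route] = [(net(f"{h}/32"), lookup(base, h)) for h in policy.exceptions]
    table += [(net(p), VPN_ADAPTER) for p in policy.secured]
    replaced = {net(p) for p in policy.secured}
    table += [(dst, via) for dst, via in base if dst not in replaced]
    return table


def dne_encrypts(policy: ClientPolicy, dst: str) -> bool:
    """DNE enforces the policy regardless of the routing table: a destination in
    a secured prefix is encrypted unless it is an exempt host."""
    addr = ipaddress.ip_address(dst)
    if any(addr == ipaddress.ip_address(h) for h in policy.exceptions):
        return False
    return any(addr in net(p) for p in policy.secured)


def egress(table: List[Route], policy: ClientPolicy, dst: str) -> str:
    """Where a packet to dst actually leaves the host."""
    return VPN_ADAPTER if dne_encrypts(policy, dst) else lookup(table, dst)


def pptp_carrier_survives(policy: ClientPolicy) -> bool:
    """PPTP lives only if its own GRE/TCP-1723 packets stay off the IPsec adapter;
    otherwise they are encrypted toward the concentrator, the provider drops them,
    PPTP times out, and the IPsec SA riding on top of it dies with it."""
    table = table_after_vpn(AFTER_PPTP, policy)
    return egress(table, policy, PPTP_ENDPOINT) != VPN_ADAPTER


FULL_TUNNEL = ClientPolicy(secured=["0.0.0.0/0"])
FULL_TUNNEL_WITH_PPTP_EXCEPTION = ClientPolicy(secured=["0.0.0.0/0"],
                                               exceptions=[VPNC, PPTP_ENDPOINT])
SPLIT_TUNNEL = ClientPolicy(secured=["10.0.0.0/8"])
# Provider addressing overlapping the corporate prefix, as the last post describes.
SPLIT_TUNNEL_OVERLAPPING = ClientPolicy(secured=["10.0.0.0/8", "192.168.0.0/16"])

if __name__ == "__main__":
    for name, pol in [("full tunnel", FULL_TUNNEL),
                      ("full tunnel + PPTP exception", FULL_TUNNEL_WITH_PPTP_EXCEPTION),
                      ("split tunnel", SPLIT_TUNNEL),
                      ("split tunnel, overlapping prefix", SPLIT_TUNNEL_OVERLAPPING)]:
        t = table_after_vpn(AFTER_PPTP, pol)
        print(f"{name:34} PPTP endpoint -> {egress(t, pol, PPTP_ENDPOINT):28} "
              f"PPTP survives={pptp_carrier_survives(pol)}")
```

Running the block shows the four outcomes the thread argues about: in full-tunnel mode the PPTP endpoint is swallowed by the VPN adapter and the carrier dies; exempting the endpoint in the policy (the last poster's proposal) or using a split tunnel keeps it on the Ethernet path; and a split tunnel whose corporate prefix overlaps the provider's 192.168.x addressing fails again, because the DNE check matches the endpoint before the host route is ever consulted.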
