
New Member

PPTP with multiple VRFs

I want to support PPTP remote access for multiple communities of customers. Each community has an MPLS VPN on the core MPLS network. I have tried to configure multiple VPDN groups, each mapped to its own Virtual-Template interface, each group supporting PPTP dialin. The problem is that all PPTP connections get an address via the "default" VPDN group (the one marked "! Default PPTP VPDN group"). I want to place a PPTP client on their correct VRF based on the Radius group they are in. I am using CiscoSecure ACS 3.2 on Windows 2000 as the authentication server. I am using a 1760 for testing as the PPTP server.

Here's part of my config. Can anyone help?

aaa authentication login 00101-data group radius
aaa authentication login 00102-data group radius
aaa authorization network 00101-data group radius
aaa authorization network 00102-data group radius
!
ip vrf 00101-data
 rd 101:10
 route-target export 101:10
 route-target import 101:10
!
ip vrf 00102-data
 rd 102:10
 route-target export 102:10
 route-target import 102:10
!
vpdn enable
!
vpdn-group 00101-data
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 101
 vpn vrf 00101-data
!
vpdn-group 00102-data
 accept-dialin
  protocol pptp
  virtual-template 102
 vpn vrf 00102-data
!
interface FastEthernet0/0.8
 description This is the interface where PPTP connections come in
 encapsulation dot1Q 8
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0.201
 description msp-pe01 vrf 00101-data
 encapsulation dot1Q 201
 ip vrf forwarding 00101-data
 ip address 10.208.1.5 255.255.255.252
 no cdp enable
!
interface FastEthernet0/0.202
 description msp-pe01 vrf 00102-data
 encapsulation dot1Q 202
 ip vrf forwarding 00102-data
 ip address 10.208.1.9 255.255.255.252
 no cdp enable
!
interface Virtual-Template101
 ip vrf forwarding 00101-data
 ip unnumbered FastEthernet0/0.201
 ip tcp header-compression
 peer default ip address pool 00101-data-pool
 no keepalive
 compress mppc
 vpdn authorization 00101-data
 ppp max-bad-auth 5
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2 00101-data
 ppp ipcp dns 10.250.4.2 10.250.4.3
 ppp ipcp wins 10.250.4.2 10.250.4.3
!
interface Virtual-Template102
 ip vrf forwarding 00102-data
 ip unnumbered FastEthernet0/0.202
 ip tcp header-compression
 peer default ip address pool 00102-data-pool
 no keepalive
 compress mppc
 vpdn authorization 00102-data
 ppp max-bad-auth 5
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2 00102-data
 ppp ipcp dns 10.250.4.2 10.250.4.3
 ppp ipcp wins 10.250.4.2 10.250.4.3
!
ip local pool 00101-data-pool 10.248.1.3 10.248.1.30
ip local pool 00102-data-pool 10.248.1.32 10.248.1.63

2 REPLIES
Cisco Employee

Re: PPTP with multiple VRFs

IOS does not have a VRF-aware PPTP solution, only VRF-aware IPSec. I don't believe there's any work under way for this feature either.

VRF-aware IPSec can be found here (introduced in 12.2(15)T):

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm

New Member

Re: PPTP with multiple VRFs

I have it working now with the help of a TAC engineer (case F171414). AAA passes back to the router's Virtual-Template interface the VRF, unnumbered interface name, pool name, DNS, WINS and whatever needs to be configured in the VT interface for a particular group. To do this, the user's group in ACS must be configured with Cisco AV-pairs of the type "lcp:interface-config#1:". Following the colon, you specify VT interface commands, like "ip vrf forwarding vrf-name", etc.

The problem I have now is that if I require MPPE or compression on the Windows 2000 PPTP client, then connect, packets don't flow to hosts in the VRF for 10-45 seconds. Once they DO flow, CPU utilization on the 1760 PPTP router is high, usually 35-42% when one client is downloading Windows share files at about 1 Mbps.

At one point in my testing, I had compression and MPPE encryption working for just one group and CPU was never more than about 5-7% for similar download bandwidth. This was also on the same 1760 (running 12.3(5a)). At the same time, MPPE error debugging shows that keys are being missed and must be recalculated. Sample of debugs:

Vi3 MPPE: missed 1 key changes, recomputing (every few seconds)

MPPE: CCP TX (pkt won't compress) len 1302 reset 0 (LOTS AND LOTS OF THESE when there is traffic)

Can anyone suggest debugs, config settings that can help determine the cause of the high CPU and/or debug messages?
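As an added illustration of the AV-pair approach the reply describes (this is not from the original thread or the TAC case), here is what the Cisco AV-pair set for the 00101-data group could look like in the ACS group settings, using the VRF, unnumbered interface, pool, DNS and WINS values from the posted Virtual-Template101. The `lcp:interface-config#N=` form with `=` is assumed from Cisco's documented AV-pair syntax (the reply writes the prefix with a trailing colon); the numbering keeps the commands applied in order, which matters because `ip vrf forwarding` has to be applied before `ip unnumbered` (placing an interface into a VRF removes its existing IP configuration). The second set is the mirror for the 00102-data group.

```text
! Constructed example: Cisco AV-pairs (RADIUS VSA 26/9/1) for ACS group 00101-data
! Assumes the lcp:interface-config#N= syntax; values are copied from the posted config
lcp:interface-config#1=ip vrf forwarding 00101-data
lcp:interface-config#2=ip unnumbered FastEthernet0/0.201
lcp:interface-config#3=peer default ip address pool 00101-data-pool
lcp:interface-config#4=ppp ipcp dns 10.250.4.2 10.250.4.3
lcp:interface-config#5=ppp ipcp wins 10.250.4.2 10.250.4.3

! ACS group 00102-data: same command set, pointing at its own VRF, interface and pool
lcp:interface-config#1=ip vrf forwarding 00102-data
lcp:interface-config#2=ip unnumbered FastEthernet0/0.202
lcp:interface-config#3=peer default ip address pool 00102-data-pool
lcp:interface-config#4=ppp ipcp dns 10.250.4.2 10.250.4.3
lcp:interface-config#5=ppp ipcp wins 10.250.4.2 10.250.4.3
```

With the per-session attributes coming from AAA, the VRF a PPTP user lands in is decided by the ACS group they authenticate into rather than by whichever vpdn-group happens to be the default, so a user in group 00102-data cannot end up with a 00101-data address. After a test connection, `show vpdn session` and `show ip vrf interfaces` will confirm that the Virtual-Access interface created for that session sits in the expected VRF.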
