Cisco Support Community
New Member

Cisco VPN Client not working over Microsoft PPTP

A home user needs to connect to the Cisco VPNC via IPsec to access the corporate network.

At his home, the user is connected to the service provider using Ethernet and private addressing 192.168.6.0/24.

To access the Internet, the service provider requires the user to establish PPTP to the provider's server with address 192.168.1.1 via default gateway 192.168.6.254; then the user acquires a public IP address.

After PPTP establishment, the routing table changes. The default gw points to the PPTP peer, except the host route to the PPTP tunnel endpoint 192.168.1.1, which still goes via 192.168.6.254.

When the user starts Cisco VPN Client, he is successfully authenticated and establishes an SA, but Cisco VPN Client discards the host route to the PPTP endpoint (i.e. 192.168.1.1).

And after a small timeout both connections drop, PPTP and IPsec.

Is there any workaround for such a trouble?
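The routing states described in the post above, modelled as an added example (not part of the original thread and not Cisco's code): a longest-prefix-match lookup showing where packets to the PPTP endpoint go with and without the host route. The interface names `eth` and `pptp`, the helper names, and the simplified tables (no metrics) are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional

PPTP_SERVER = "192.168.1.1"   # provider's PPTP endpoint (from the post)
LAN_GW = "192.168.6.254"      # gateway on the provider's Ethernet (from the post)

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]    # None means on-link / point-to-point
    iface: str                # "eth" and "pptp" are assumed interface names

def route(prefix, gateway, iface):
    return Route(ipaddress.ip_network(prefix), gateway, iface)

def lookup(table, dst):
    """Longest-prefix match; route metrics are deliberately not modelled."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

def carrier_ok(table, endpoint, tunnel_iface):
    """True if the tunnel's outer packets to its endpoint leave by another interface."""
    best = lookup(table, endpoint)
    return best is not None and best.iface != tunnel_iface

# Constructed table for the state after PPTP comes up: default route via the
# tunnel, plus the /32 exception that keeps the tunnel's own packets on Ethernet.
pptp_up = [
    route("192.168.6.0/24", None, "eth"),
    route(PPTP_SERVER + "/32", LAN_GW, "eth"),
    route("0.0.0.0/0", None, "pptp"),
]
# Same table once the host route to the PPTP endpoint has been discarded.
host_route_gone = [r for r in pptp_up if r.prefix.prefixlen != 32]

def describe(table):
    best = lookup(table, PPTP_SERVER)
    state = "ok" if carrier_ok(table, PPTP_SERVER, "pptp") else "BROKEN: tunnel routed into itself"
    return f"{PPTP_SERVER} -> {best.iface} via {best.gateway or 'on-link'} ({state})"

if __name__ == "__main__":
    print("PPTP up:        ", describe(pptp_up))
    print("host route gone:", describe(host_route_gone))
```

Without the /32 entry, the only route matching 192.168.1.1 is the default route through the PPTP interface, so the tunnel's own carrier packets are sent into the tunnel they are supposed to carry.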

5 REPLIES
Cisco Employee

Re: Cisco VPN Client not working over Microsoft PPTP

IPSec connection will not work on a PPTP tunnel, as it will encrypt the PPTP packet, and this way the ISP will drop it. Your PPTP connection will go down, resulting in a drop of your IPSec connection as well.

You can use WebVPN though over PPTP.

*Please rate if it helped.

-Kanishka

Cisco Employee

Re: Cisco VPN Client not working over Microsoft PPTP

SSL client will also not work. You have to use pure WebVPN connection.

New Member

Re: Cisco VPN Client not working over Microsoft PPTP

Thanks a lot for a quick answer.

Nevertheless I cannot accept such a simple argument.

Not every packet sent out the computer network interface should be encrypted.

Packets sent out to the address of the VPNC itself are never encrypted once again.

So the same behavior should be with the packets sent out to PPTP endpoint.

Please, provide more details, why this does not happen.

Thanks in advance.

Cisco Employee

Re: Cisco VPN Client not working over Microsoft PPTP

Hi,

The Cisco VPN client can't run over another transport protocol. The VPN adapter will be intercepting traffic and forwarding it over the VPN adapter and over the Ethernet adapter, even the PPTP traffic. So after the VPN client connects, it is encrypting the PPTP traffic and tries to send it to the concentrator. But then that breaks the PPTP connection, and after that goes down, IPsec itself breaks.

One workaround to get this working is to use split tunneling. That way PPTP traffic would be in clear text, and all the rest of the traffic would be tunneled through the VPN adapter.

I hope it answers your questions.

*Please rate if helped.

-Kanishka

New Member

Re: Cisco VPN Client not working over Microsoft PPTP

Thanks a lot for your answer.

First of all, it's not possible to use split tunneling, because we are serving 10K corporate users, and they are using too many different service providers.

This particular provider uses a big Ethernet network, which overlaps with our corporate addressing.

And there is no acceptable way to provide a host route exception in the split tunneling policy.

And there are limited routing table entries in split tunneling, not enough to accommodate all Russian/Israeli/etc. providers.

According to the routing table, unencrypted traffic passes directly to "Cisco Systems VPN Adapter".

In case the user manipulates the routing table, there is the "Deterministic Network Enhancer" protocol suite, bound to the network adapter.

This protocol suite uses a policy, loaded into it by "Cisco Systems VPN Client" when it connects to the VPNC.

It is possible for Cisco VPN Client to determine that a particular WAN adapter is a PPTP connection, and to add an additional policy to "Cisco Systems VPN Adapter" and "Deterministic Network Enhancer" to except traffic destined to the PPTP endpoint.

I assume the situation described is a bug in Cisco Systems VPN Client.
