Is it possible to configure site-to-site PPTP VPN on Cisco routers?

rasz92101
Level 1

Hi everybody!

I need to know if there is any possible way to configure a site-to-site PPTP VPN connection on Cisco routers.

If it is, how to configure this?

Peter Paluch
Cisco Employee

Hello,

Yes, it should be possible to configure a Cisco IOS router to act both as a PPTP client and a PPTP server. What functionality do you exactly need? In addition, if both endpoints of the tunnel are Cisco routers, why would you want them to tunnel traffic using PPTP? Using GRE or PPP+L2TP would be much simpler and more straightforward.

Best regards,
Peter

Hi,

I have to write a thesis and one of the subjects is to compare tunnels between Cisco routers. I spoke with the professor and he would like to use PPTP VPN only if it is possible. I was looking for any information on the Cisco website about configuring PPTP tunnels but I found nothing, only configuration for a PPTP server for remote access. I also found one topic (link below) where it says that you cannot configure a PPTP client.

https://supportforums.cisco.com/discussion/10866831/how-configure-cisco-router-pptp-client

Hi,

I am also a university teacher and to be honest, I do not see much of a point in focusing on PPTP. It is a relatively simple protocol, that's for sure, but it has drawbacks, and especially when considering a site-to-site VPN, I do not see a compelling reason to prefer PPTP to other solutions, such as L2TP, IPsec, or even plain GRE. It is not a typical solution, especially between Cisco routers (as can also be seen from the difficulty you have encountered yourself when trying to find out how a PPTP client can be configured), and PPTP has long been considered obsolete. I am afraid that if the thesis focuses primarily or only on PPTP, it will not be representative. What are your professor's particular reasons to stick with PPTP?

In any case, let's see how the configuration can be done. The PPTP Remote Access Server is configured as follows:

ip local pool PPTP_Clients 192.168.1.11 192.168.1.200
!
interface Loopback0
 ip address 10.255.255.5 255.255.255.255
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.255
!
interface Virtual-Template1
 ip unnumbered Loopback1
 peer default ip address pool PPTP_Clients
!
vpdn enable
!
vpdn-group PPTP_RAS
 accept-dialin
  protocol pptp
  virtual-template 1
 source-ip 10.255.255.5

Here, the PPTP_Clients pool holds a pool of IP addresses to be assigned to PPTP clients, starting from 192.168.1.11 and going up to 192.168.1.200. The Loopback0 interface represents the IP address of the Remote Access Server. It does not have to be a loopback address, though; it can (and probably would) be the Remote Access Server's uplink interface to the internet, carrying a public IP address. The Loopback1 interface holds the IP address of the RAS used for every incoming PPP session tunneled across PPTP - it is the IP address that every PPTP client will see over its own PPP virtual interface. This Loopback1 is then referred to in the Virtual-Template1 interface configuration, which shares the IP address of Lo1 using the IP Unnumbered feature. The configuration of the VPDN and the corresponding VPDN group then specifies the tunneling protocol in use, the Virtual-Template interface to be used for incoming PPTP clients, and the source IP address the RAS should use - the IP address from Lo0 is used here.

The PPTP Client is configured as follows:

service internal
!
vpdn enable
!
vpdn-group PPTP_CLIENT
 request-dialin
  protocol pptp
  pool-member 1
 initiate-to ip 10.255.255.5
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer string 1234
 dialer persistent
 dialer vpdn

First and foremost, you need to enter the service internal command. This command is used to enable some hidden IOS features and commands, including the PPTP client functionality. Obviously, Cisco itself does not consider the PPTP client functionality on routers to be interesting to most people and therefore hides the feature. Without the service internal command, the VPDN group will not allow you to specify PPTP as the tunneling protocol and will pretend no such protocol is supported.

The VPDN group specifies the IP address of the PPTP RAS (I am again referring to its Lo0 address 10.255.255.5) and declares the VPDN group as a possible "interface" to be used by a Dialer interface when making calls.

Next, the Dialer0 interface is configured. This is the client PPP interface. It is configured for PPP encapsulation and to obtain the IP address from the RAS. The specific configuration lies in the dialer commands:

  • dialer pool 1 tells the Dialer0 interface to use any interface to do the actual "dialing" that is assigned to pool 1 - in this case, it is the VPDN PPTP client group (which is not exactly an "interface" but certainly provides a communication service similar to an interface)
  • dialer string 1234 is only a phony command used to satisfy the obligatory requirement of a dialer interface to have a number to dial. This string is never used with a PPTP session, but IOS will refuse to activate the interface without a dialer string configured
  • dialer persistent tells IOS to "place a call", that is, initiate the PPTP tunnel immediately as soon as the Dialer0 interface is activated. Otherwise, the interface would need to wait for specific traffic to trigger the call. This approach was used with dialed lines such as POTS or ISDN but has no meaning with PPTP sessions
  • dialer vpdn allows the Dialer0 interface to also use VPDN groups as interfaces to do the calls. Without this command, the Dialer0 interface would only be looking for physical interfaces capable of truly placing a phone call (or for PPPoE clients but let's not complicate things here too much).

After configuring your Dialer0 interface this way, you may need to shutdown and no shutdown it to force the IOS to start the interface using all configuration. I've seen situations where the PPTP session did not come up right after creating the Dialer0 configuration, and shutting/unshutting it was necessary to kick IOS into action.

Please be sure that you can ping the RAS server from the client before actually trying to start the PPTP session.

Please let me know if this worked for you!

Best regards,
Peter

Great explanation, thanks for sharing.

Hi,

Thank you for help. I tried your configuration in GNS3 and it works perfectly. I will talk with my professor if he really wants PPTP tunnel in the thesis. 

Hi, I would like to configure a Cisco 800 series router to be a VPN client, knowing that the server will be a Server 2008 machine with PPTP.

Is that possible ?

Peter,

Great info thank you - although Cisco still tells me this functionality is not supported (specifically the PPTP client) and will not work. Is it required that both ends be a Cisco router? I have a situation where we have a 1941 and a requirement for a PPTP client to something like a watchguard unit on the other end.

Regards,

JR

Hi JR,

I have tested a couple of IOSes including some recent versions - 15.3(3)XB12 and 15.5(3)M - and I can confirm that the PPTP client functionality is still there and is working fine. I have come across a bug, though: the IOS PPTP client in these recent IOS versions does not install a host route toward the PPTP server automatically (it seems to be some glitch related to the PPP IPCP code). However, this can be worked around simply by having proper static routes configured out the Dialer interface on the client. The server does not exhibit this problem.

Is it required that both ends be a Cisco router?

I do not believe so. It should be possible for either party to be a non-Cisco device. I haven't tried it personally, but from what I can tell after observing the PPTP session setup in Wireshark, it seems to be completely ordinary.

Best regards,
Peter
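The control-connection setup Peter mentions observing in Wireshark can be decoded from a capture with a few lines of Python. The following is an added example written for this page (not code from any post here, nor from Cisco): it builds a constructed Start-Control-Connection-Request following the RFC 2637 layout, parses it back into its fields, and classifies any PPTP control message by type, which is what a defender would do to inventory PPTP control traffic on TCP port 1723 in a capture. The host name and vendor string values are constructed; the GRE-carried PPP data channel is not touched.

```python
import struct

PPTP_MAGIC_COOKIE = 0x1A2B3C4D
PPTP_CONTROL_PORT = 1723        # TCP port of the PPTP control connection (RFC 2637)
HEADER_FORMAT = "!HHIHH"        # Length, PPTP Message Type, Magic Cookie, Control Message Type, Reserved0
SCCRQ_FORMAT = "!HHIIHH64s64s"  # Protocol Version, Reserved1, Framing, Bearer, Max Channels, Firmware, Host Name, Vendor
HEADER_LENGTH = struct.calcsize(HEADER_FORMAT)                          # 12 octets
SCCRQ_LENGTH = HEADER_LENGTH + struct.calcsize(SCCRQ_FORMAT)            # 156 octets

# Control message types from RFC 2637 section 1.4
CONTROL_MESSAGE_NAMES = {
    1: "Start-Control-Connection-Request",
    2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request",
    4: "Stop-Control-Connection-Reply",
    5: "Echo-Request",
    6: "Echo-Reply",
    7: "Outgoing-Call-Request",
    8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request",
    10: "Incoming-Call-Reply",
    11: "Incoming-Call-Connected",
    12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify",
    15: "Set-Link-Info",
}


def build_sccrq(host_name, vendor, framing=0x3, bearer=0x3, max_channels=1, firmware=0):
    """Build a Start-Control-Connection-Request (constructed sample, not a capture)."""
    # struct pads the 64-octet string fields with NUL bytes, as the RFC requires
    body = struct.pack(SCCRQ_FORMAT, 0x0100, 0, framing, bearer, max_channels, firmware,
                       host_name.encode("ascii"), vendor.encode("ascii"))
    header = struct.pack(HEADER_FORMAT, SCCRQ_LENGTH, 1, PPTP_MAGIC_COOKIE, 1, 0)
    return header + body


def classify_control_message(data):
    """Return the control message name for a PPTP control payload, or None if it is not one."""
    if len(data) < HEADER_LENGTH:
        return None
    length, message_type, cookie, control_type, _ = struct.unpack(HEADER_FORMAT, data[:HEADER_LENGTH])
    # message type 1 = control message; the magic cookie guards against non-PPTP payloads on port 1723
    if cookie != PPTP_MAGIC_COOKIE or message_type != 1 or length > len(data):
        return None
    return CONTROL_MESSAGE_NAMES.get(control_type)


def _cstring(field):
    """Decode a NUL-padded fixed-width string field."""
    return field.split(b"\0", 1)[0].decode("ascii", errors="replace")


def parse_sccrq(data):
    """Decode an SCCRQ into its fields; raises ValueError for anything else."""
    if classify_control_message(data) != "Start-Control-Connection-Request" or len(data) < SCCRQ_LENGTH:
        raise ValueError("not a complete Start-Control-Connection-Request")
    version, _, framing, bearer, max_channels, firmware, host, vendor = struct.unpack(
        SCCRQ_FORMAT, data[HEADER_LENGTH:SCCRQ_LENGTH])
    return {
        "version": f"{version >> 8}.{version & 0xFF}",
        "framing_capabilities": framing,   # bit 0: asynchronous, bit 1: synchronous framing
        "bearer_capabilities": bearer,     # bit 0: analog, bit 1: digital access
        "max_channels": max_channels,
        "firmware_revision": firmware,
        "host_name": _cstring(host),
        "vendor": _cstring(vendor),
    }


if __name__ == "__main__":
    sample = build_sccrq("client-router", "Example Vendor")  # constructed values
    print(classify_control_message(sample))
    print(parse_sccrq(sample))
```

The host name and vendor fields are what make the two ends identifiable in a capture, which is how one would confirm a non-Cisco peer on one side of the tunnel; feeding the payload of each TCP/1723 segment to classify_control_message gives a timeline of the control connection without Wireshark.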

Hi, I have successfully tested it against Ubuntu 14.04 (package pptpd), with MPPE 128-bit and one-way authentication (IOS image c1900-universalk9-mz.SPA.153-3.M2.bin).

Some modifications for Dialer0 were needed:

interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string 1234
 dialer persistent
 dialer vpdn
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2 optional
 ppp eap refuse
 ppp chap hostname HOSTNAME
 ppp chap password 0 PASS
 ppp ms-chap refuse
 ppp pap refuse

Thank you for the great guide.
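Putting together the client configuration from Peter's answer, the MPPE/MS-CHAPv2 lines from the Ubuntu test above and the static host route mentioned as the work-around for recent IOS versions, here is an added example (not from any post on this page, nor a Cisco tool) in Python that lints an IOS PPTP client configuration for the pitfalls this thread describes: missing service internal, dialer vpdn, dialer string or dialer persistent, a dialer pool that matches no vpdn-group pool-member, no host route toward the initiate-to address, and a PPP side left open to PAP or MS-CHAPv1 or not requiring MPPE. The embedded configuration is constructed from the thread; the next hop 192.0.2.1 in the host route is a placeholder.

```python
import re

# Constructed sample: Peter's PPTP client configuration plus the MPPE/MS-CHAPv2
# lines from the Ubuntu test and a static host route toward the server. The
# next hop 192.0.2.1 is a placeholder, not an address from the thread.
SAMPLE_CLIENT_CONFIG = """\
service internal
!
vpdn enable
!
vpdn-group PPTP_CLIENT
 request-dialin
  protocol pptp
  pool-member 1
 initiate-to ip 10.255.255.5
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer string 1234
 dialer persistent
 dialer vpdn
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2 optional
 ppp eap refuse
 ppp ms-chap refuse
 ppp pap refuse
!
ip route 10.255.255.5 255.255.255.255 192.0.2.1
"""


def parse_config(text):
    """Split IOS config text into top-level lines and {section header: [indented child lines]}."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None            # "!" and blank lines end the current section
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(stripped)   # nested depth is flattened; enough for these checks
        else:
            global_lines.append(stripped)
            current = stripped
            sections.setdefault(current, [])
    return global_lines, sections


def lint_pptp_client(text):
    """Return a list of findings (empty when the PPTP client config passes every check)."""
    global_lines, sections = parse_config(text)
    findings = []

    if "service internal" not in global_lines:
        findings.append("missing 'service internal': 'protocol pptp' is hidden under request-dialin without it")
    if "vpdn enable" not in global_lines:
        findings.append("missing 'vpdn enable'")

    # PPTP request-dialin groups: dialer pool number -> server address
    pptp_pools = {}
    for header, body in sections.items():
        if header.startswith("vpdn-group") and "request-dialin" in body and "protocol pptp" in body:
            pool = next((l.split()[1] for l in body if l.startswith("pool-member ")), None)
            server = next((l.split()[2] for l in body if l.startswith("initiate-to ip ")), None)
            if pool is None or server is None:
                findings.append(f"{header}: needs both 'pool-member <n>' and 'initiate-to ip <server>'")
            else:
                pptp_pools[pool] = server
    if not pptp_pools:
        findings.append("no vpdn-group with 'request-dialin' and 'protocol pptp' found")

    dialers = [h for h in sections if h.startswith("interface Dialer")]
    if not dialers:
        findings.append("no Dialer interface configured")
    for header in dialers:
        body = sections[header]
        for required in ("ip address negotiated", "encapsulation ppp", "dialer vpdn", "dialer persistent"):
            if required not in body:
                findings.append(f"{header}: missing '{required}'")
        if not any(l.startswith("dialer string ") for l in body):
            findings.append(f"{header}: missing 'dialer string' (IOS will not activate the interface without one)")
        pool = next((l.split()[2] for l in body if l.startswith("dialer pool ")), None)
        if pool is None:
            findings.append(f"{header}: missing 'dialer pool'")
        elif pool not in pptp_pools:
            findings.append(f"{header}: 'dialer pool {pool}' matches no PPTP vpdn-group pool-member")
        else:
            server = pptp_pools[pool]
            host_route = re.compile(rf"^ip route {re.escape(server)} 255\.255\.255\.255 ")
            if not any(host_route.match(l) for l in global_lines):
                findings.append(f"{header}: no host route toward PPTP server {server} "
                                "(recent IOS does not install one automatically)")
        # Hardening: require MPPE and refuse the weak PPP authentication methods.
        if not any(l.startswith("ppp encrypt mppe") and l.endswith("required") for l in body):
            findings.append(f"{header}: MPPE not required; the tunnel may come up unencrypted")
        for weak in ("ppp pap refuse", "ppp ms-chap refuse"):
            if weak not in body:
                findings.append(f"{header}: missing '{weak}'")
    return findings


if __name__ == "__main__":
    for finding in lint_pptp_client(SAMPLE_CLIENT_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of show running-config from a client router (the interface section names and indentation are what the parser keys on); an empty result means every pitfall named in the thread is covered, while a router that still accepts PAP or MS-CHAPv1, or that has no host route for the initiate-to address, is reported before the tunnel is brought up.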

Good job, thanks

I configured a Cisco router as a PPTP client.

On the router everything is OK (ping 8.8.8.8 works).
But I cannot ping 8.8.8.8 from the PC (ping 8.8.8.8 -----> Request timed out.)

show interfaces dialer 0
----> Internet address is 172.16.3.37/32

Please HELP ME

-----------------------------------------------------
(router to pptp server):
interface gig 0/0/0
ip address 10.96.174.225 255.255.254.0
no sh

(router to pc):
interface Gig 0/1
ip nat inside
ip address 172.21.2.1 255.255.255.0
no sh

(Pc):
172.21.2.2
255.255.255.0
172.21.2.1
------------------------------------------------------

Router :

service internal
vpdn enable

vpdn-group 1
request-dialin
protocol pptp
pool-member 1
initiate-to ip 31.24.238.222
ex

interface Dialer0
ip address negotiated
encapsulation ppp
dialer pool 1
dialer-group 1
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer persistent
ppp chap hostname pptphostname
ppp chap password 0 pptppassword
ip nat outside
ex

ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 31.24.238.222 255.255.255.255 10.96.174.1

dialer-list 1 protocol ip permit
ip nat inside source list 100 interface dialer 0 overload
access-list 100 permit ip any any

--------------------------------------------------------------------------------------

Router Config:

Router2921#show running-config

version 15.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal

!
no aaa new-model
!
ip cef
!

no ipv6 cef
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pptp
pool-member 1
initiate-to ip 31.24.238.222
!
!
!
!
license udi pid CISCO2921/K9 sn FGL172711NU
hw-module sm 1
!


!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0

!
interface GigabitEthernet0/1
ip address 172.21.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
ip address 10.96.175.30 255.255.254.0
ip virtual-reassembly in
!
interface GigabitEthernet0/1/0

!
interface GigabitEthernet1/0
no ip address
shutdown
!
interface GigabitEthernet1/1
description Internal switch interface connected to Service Module
no ip address
!
interface Vlan1
no ip address
!
interface Dialer1
ip address negotiated
ip access-group 101 in
ip access-group 101 out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer remote-name david
dialer idle-timeout 0
dialer string 1234
dialer persistent
dialer vpdn
dialer-group 1
ppp pfc local request
ppp pfc remote apply
ppp eap refuse
ppp chap hostname pptpusername
ppp chap password pptppassword
ppp ms-chap refuse
ppp pap refuse
no cdp enable
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 31.24.238.0 255.255.255.0 10.96.174.1
!
access-list 100 permit ip any any
access-list 101 permit ip any any
dialer-list 1 protocol ip permit

--------------------------------------------------------------------------------------

Router2921#show ip nat translations
Pro  Inside global         Inside local        Outside local       Outside global
icmp 172.16.3.234:1        172.21.2.2:1        4.2.2.4:1           4.2.2.4:1
udp  172.16.3.234:51517    172.21.2.2:51517    4.2.2.4:53          4.2.2.4:53
udp  172.16.3.234:52168    172.21.2.2:52168    4.2.2.4:53          4.2.2.4:53
udp  172.16.3.234:52579    172.21.2.2:52579    4.2.2.4:53          4.2.2.4:53
tcp  172.16.3.234:58283    172.21.2.2:58283    2.22.144.112:80     2.22.144.112:80
