Remote VPN using PPTP/VPDN

The Point-to-Point Tunneling Protocol (PPTP) is a network protocol used to create VPN tunnels across public networks. These tunnels are encrypted from one end to the other and allow data to be transferred securely between the two ends. PPTP is usually implemented between a server and a client, the server belonging to the enterprise network and the client being a remote workstation.

While PPTP's encryption does offer a certain level of security and privacy, it is not among the strongest technologies available today. PPTP has known weaknesses and is therefore not used for long-term transactions. PPTP relies on the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP) family for authentication, and can offer encryption at 40, 56 or 128 bits, depending on your needs.

Cisco routers can be set up to act as PPTP servers, also known as Virtual Private Dialup Network (VPDN) servers. PPTP VPN is supported natively by all current Windows platforms, without the need to install a VPN client or any other application.

For a router to be set up as a VPN/VPDN server, it must run a DES or 3DES IOS image (IOS release 12.1(5)T or later). These are the images that offer encryption, including the PPTP encryption used in this configuration. The DES and 3DES images have k8 or k9 in the IOS filename (this can be verified with the show version command). These features must be licensed from Cisco and are not free, unless you already own that version of the IOS.

To begin, make the following changes on your router. First, enable VPDN (virtual private dial-up networking). This is used for VPN client connectivity, as opposed to always-up site-to-site VPN connectivity. To do so, use this command:
Router(config)# vpdn enable

Create a VPDN group configured for PPTP, which is what the Microsoft VPN client uses by default:
Router(config)# vpdn-group WORK-VPN
Router(config-vpdn)# accept-dialin
Router(config-vpdn)# protocol pptp
Router(config-vpdn)# virtual-template 1
Router(config-vpdn)# exit

Next, create the virtual template that will apply to inbound VPN connections. This template borrows the IP address of the vlan 1 interface (ip unnumbered) and references a pool of IP addresses that will be handed out to VPN clients. Finally, it configures the PPP encryption and authentication mechanisms to match the Microsoft VPN client defaults:
Router(config)# interface Virtual-Template1
Router(config-if)# ip unnumbered vlan 1
Router(config-if)# peer default ip address pool defaultpool
Router(config-if)# ppp encrypt mppe auto required
Router(config-if)# ppp authentication ms-chap ms-chap-v2

The 'ppp encrypt' command specifies the encryption to be used. It can be set to 'auto' for maximum compatibility or to a specific strength you want, e.g. 128 bit. Authentication is set to ms-chap and ms-chap-v2 so that the strongest authentication method available in this case can be offered.

Now, create the pool of IP addresses. This range must not already be in use on the internal network you are connecting to:
Router(config)# ip local pool defaultpool 192.168.1.50 192.168.1.70

After that, create a test user and any other local user accounts:
Router(config)# username test password 0 test
Router(config)# username jane password jane123

Finally, configure PPP authentication to use the local database. If you had a RADIUS server, this is where you would point to it instead of the local database:
Router(config)# aaa new-model
Router(config)# aaa authentication ppp default local
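The steps above leave several choices open (MPPE 'auto' versus 128 bit, ms-chap alongside ms-chap-v2, users stored with 'password' rather than 'secret', and a test account whose password equals its username). The following Python script is an added example, not part of the original post or Cisco's tooling: it parses a saved running configuration in IOS's indented format and reports which of those weaker options are in effect. Both configurations embedded in it are constructed for the example: the first is the server exactly as built in the steps above, the second is the same server with the strongest values the post lists. The check that 'username ... password' is stored reversibly while 'username ... secret' is hashed reflects IOS behaviour; the set of PPP methods and the 'auto | 40 | 128' strengths are the values the 'ppp encrypt mppe' and 'ppp authentication' commands accept.

```python
import re

# Constructed sample: the PPTP/VPDN server configuration assembled from the
# steps above, embedded inline so the audit runs offline.
PAGE_CONFIG = """\
aaa new-model
aaa authentication ppp default local
username test password 0 test
username jane password jane123
vpdn enable
!
vpdn-group WORK-VPN
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Virtual-Template1
 ip unnumbered vlan 1
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool defaultpool 192.168.1.50 192.168.1.70
"""

# Constructed: the same server tightened to the strongest options the post
# lists (128-bit MPPE only, MS-CHAPv2 only, hashed local password, no test user).
HARDENED_CONFIG = """\
aaa new-model
aaa authentication ppp default local
username jane secret jane123
vpdn enable
!
vpdn-group WORK-VPN
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface Virtual-Template1
 ip unnumbered vlan 1
 peer default ip address pool defaultpool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
ip local pool defaultpool 192.168.1.50 192.168.1.70
"""

PPP_AUTH_METHODS = {"pap", "chap", "ms-chap", "ms-chap-v2", "eap"}


def parse_sections(config):
    """Split IOS config text into {header line: [indented sub-lines]}.
    Indented lines belong to the nearest preceding unindented line."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def audit_pptp(config):
    """Return a list of findings for a PPTP/VPDN server configuration.
    An empty list means every check passed."""
    findings = []
    sections = parse_sections(config)
    if "vpdn enable" not in sections:
        return ["vpdn is not enabled; nothing to audit"]

    # Collect the virtual-templates that PPTP vpdn-groups hand connections to.
    templates = set()
    for header, body in sections.items():
        if header.startswith("vpdn-group") and "protocol pptp" in body:
            for line in body:
                m = re.match(r"virtual-template (\d+)$", line)
                if m:
                    templates.add(m.group(1))

    for num in sorted(templates):
        name = f"Virtual-Template{num}"
        body = sections.get(f"interface {name}", [])
        enc = [l for l in body if l.startswith("ppp encrypt mppe")]
        auth = [l for l in body if l.startswith("ppp authentication")]
        if not enc:
            findings.append(f"{name}: no 'ppp encrypt mppe' line, tunnel may run unencrypted")
        for line in enc:
            words = line.split()  # ppp encrypt mppe {auto|40|128} [required|passive]
            if words[3] != "128":
                findings.append(f"{name}: MPPE '{words[3]}' allows 40-bit keys, use 'ppp encrypt mppe 128'")
            if "required" not in words:
                findings.append(f"{name}: MPPE is not 'required', a client can negotiate no encryption")
        if not auth:
            findings.append(f"{name}: no 'ppp authentication' line")
        for line in auth:
            weak = [w for w in line.split()[2:] if w in PPP_AUTH_METHODS and w != "ms-chap-v2"]
            if weak:
                findings.append(f"{name}: weaker PPP methods offered ({', '.join(weak)}), allow ms-chap-v2 only")
        for pool in (l.split()[-1] for l in body if l.startswith("peer default ip address pool")):
            if not any(h.startswith(f"ip local pool {pool} ") for h in sections):
                findings.append(f"{name}: address pool '{pool}' is not defined")

    # Local user database: 'password' entries are stored reversibly (type 0/7),
    # 'secret' entries are hashed by IOS before they reach the running config.
    for header in sections:
        m = re.match(r"username (\S+) (password|secret)(?: \d+)? (\S+)$", header)
        if not m:
            continue
        user, kind, value = m.groups()
        if kind == "password":
            findings.append(f"user '{user}': stored with 'password' (reversible), use 'username {user} secret ...'")
        if user == value or user.lower() in ("test", "guest"):
            findings.append(f"user '{user}': placeholder or password-equals-username credential")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("hardened config", HARDENED_CONFIG)):
        result = audit_pptp(cfg)
        print(f"== {label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it against the output of 'show running-config' saved to a file by replacing PAGE_CONFIG with the file's contents; the script only reads the configuration and changes nothing on the router. The hardened configuration it carries keeps the post's choice of MS-CHAPv2 and MPPE, which is what the Windows client expects; it simply removes the weaker alternatives the router would otherwise still accept.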



CONFIGURE WINDOWS CLIENT MACHINE

Go to Control Panel - Network and Internet - Network and Sharing Center and click on "Set up a new connection or network", as shown below.


On the new window, select the option indicated and then click Next.


Select "Create a new connection" and click Next.


Click where indicated below, then input the details requested: the Internet address is the public IP of the VPDN server and the destination name is the name of the connection configured on your VPDN server (WORK-VPN in our case). Click Next.


Input the username and password as configured in the VPDN server's local database. Click Connect for the VPN connection process to begin.


                                    END
