Configure Cisco Router for Remote Access PPTP VPN Connections
In this installment we’ll run through the configuration of a Cisco router to support PPTP VPN remote access clients. Much has been documented in the last decade over the the weaknesses of using a PPTP VPN in combination with MS-CHAP-V2 for authentication, which is a commonly supported and simpler configuration. Namely, PPTP/MS-CHAP-V2 relies on a strong user password to be used to limit the ability of hackers to compromise the VPN session. The advantage of using the PPTP VPN is that it is fairly simple to set up and will allow Windows and Mac clients to access our secured network without installing the Cisco VPN client software. More secure configurations of PPTP are available using EAP-TLS for the authentication, these involve configuring client certificates and are beyond the scope of this article. In a future posting I plan to discuss the set up a more secure IPSec based VPN with a Cisco router.
In this example I will make use of the fantastic GNS3/Dynamips software for router emulation. I have set up a router with the NM16-ESW adapter to give the router basic switching functionality to test with an internal VLAN. The router is also configured with NAT overload for the internal network. Here is my network diagram, pretty basic configuration with an external network and an internal VLAN network:
The initial router configuration basically consists of configured IP addresses on interfaces, VLAN set up, and NAT activated:
! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname R1 ! boot-start-marker boot-end-marker ! no aaa new-model memory-size iomem 5 ip cef ! ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 ! interface FastEthernet0/0 ip address 192.168.10.2 255.255.255.0 ip nat outside ip virtual-reassembly speed 100 full-duplex ! interface FastEthernet0/1 no ip address shutdown duplex auto speed auto ! interface FastEthernet1/0 switchport access vlan 10 ! interface FastEthernet1/1 ! interface Vlan1 no ip address ! interface Vlan10 ip address 192.168.2.254 255.255.255.0 ip nat inside ip virtual-reassembly ! ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 192.168.10.254 ! ip http server no ip http secure-server ip nat inside source list nat-addresses interface FastEthernet0/0 overload ! ip access-list standard nat-addresses permit 192.168.2.0 0.0.0.255 ! control-plane ! line con 0 line aux 0 line vty 0 4 ! end
Initially we’ll start by setting up a local account on the Cisco router itself to use for VPN client authentication. Later once we’ve confirmed that this configuration works we’ll move on to modifying it to authenticate users against a central Radius server to ease our administrative burdens.
Let’s begin by adding a user to the local router database. We’ll use the secret command modifier instead of password to specify a type 5 password that uses the MD5 hashing algorithm. This is more secure and will make decryption tougher:
R1(config)# conf t R1(config)# username aaron secret MyPassword
Now we need to activate aaa new model to expose new commands:
R1(config)# aaa new-model
Set up ppp authentication for local database by default:
R1(config)# aaa authentication ppp default local
We must provide authorization for the client computer, in this case we’ll do this automatically if the user has successfully authenticated:
R1(config)# aaa authorization network default if-authenticated
Now we need to activate VPDN which along with dial up networking will activate remote access PPTP VPN connections:
R1(config)# vpdn enable
Enter the VPDN group configuration for group VPN:
R1(config)# vpdn-group VPN
Configure the VPDN group for dialin connections which is how we define our inbound PPTP VPN connections. Also specify PPTP as the protocol to be used and a virtual template with additional parameters for these connections:
R1(config-vpdn)# accept-dialin R1(config-vpdn-acc-in)# protocol pptp R1(config-vpdn-acc-in)# virtual-template 1
Type exit twice to return to get out of vpdn config.
Now we need to configure a virtual interface that VPN clients will use when connecting to the router:
R1(config)# interface Virtual-Template1
In my example the client will bind to VLAN 10 which is my internal LAN interface, standard Ethernet/FastEthernet ports can also be used:
R1(config-if)# ip unnumbered Vlan 10
We’ll tell the PPTP VPN clients to use an IP address from a pool defined locally on the router:
R1(config-if)# peer default ip address pool PPTP-VPN-POOL
We need to set up encryption and authentication for the PPP tunnel. I’ll tell it to require Microsoft 128-bit which XP supports and I’ll use MS-CHAP-V2 for authentication:
R1(config-if)# ppp encrypt mppe 128 R1(config-if)# ppp authentication ms-chap-v2 R1(config-if)# exit
Now create the local pool of IP addresses for the VPN clients to use when connected to our internal network and save our configuration:
R1(config)# ip local pool PPTP-VPN-POOL 192.168.2.200 192.168.2.210 R1(config)# exit R1# copy run start
Aaron Walrath - Another IT Guy's Meanderings 
hai, aaron…nice to meet u…
i need to setup this pptp remote access vpn by using gns3 in coming 2 days. i have followed what you have written at here, but i cannot configure the router. i even dont know how to configure the router with NAT overload and those VLAN setup and IP address configuration. im new to GNS3…
can you teach me step by step on how to do this? i need to success establish the VPN connection at the end by using this topology..
Plz could u send me the copy of this?
the first step until the end.
URGENT!!!!
thanks a lot….
Hi Cindy,
I’m sorry but I don’t have any detailed instructions on setting up a router initially step by step. But if want to have a router set up the same as what I did you can basically copy and paste the initial config that I provided into the router console at the “configure terminal” prompt. One thing that I may not have included in the article is configuring vlan’s, before you copy the config you will need to set up the non-standard vlan 10 that I used in the vlan database of the router. This can different depending on the switch/router hardware involved, but for this GNS3 router with the NM16-ESW switch module at the enable mode you would enter something like:
vlan database
vlan 10
apply
Also I would highly recommend checking out the excellent documentation and videos that you can find over at the GNS3 website, http://www.gns3.net/. They have a lot of detail including how to set up GNS3 from scratch including the initial router configuration all the way up to very advanced network topology scenarios.
Best Wishes,
Aaron
Hi Aaron,
I want to know how did you connect the two clouds the vlan clouds and external clouds. Which interfaces you used for the two clouds?
Hi Waple,
It’s been a while since I have done anything in GNS3. But from what I can remember I believe I had to tie each cloud to a network device configured on the system running GNS3. It could be an actual physical NIC, or if you are running this on Windows you could install the Microsoft loopback adapter as an additional NIC. If you are in a virtual machine you could make network interfaces within that. Also if you have something like VMware Workstation/Server installed on a host and run GNS3 there you to create several private “host only” network adapters.
Best Wishes,
Aaron
What if I need to enter a password for the router? Where do I key it in and how do I do it?
@ papa..Read the article attentively..then You will get your answer.
hi Aaron, thanks for your blog, i need help
i traying configure a cisco 887 and i have a problem in this part:
ISATELNET#conf term
Enter configuration commands, one per line. End with CNTL/Z.
ISATELNET(config)# interface Virtual-Template1
ISATELNET(config-if)#ip unnumbered Vlan 1
ISATELNET(config-if)#peer default ip address pool PPTP-VPN-POOL
^
% Invalid input detected at ‘^’ marker.
ISATELNET(config-if)#ppp encrypt mppe 128
^
% Invalid input detected at ‘^’ marker.
ISATELNET(config-if)# ppp authentication ms-chap-v2
^
% Invalid input detected at ‘^’ marker.
put “marker” in the P
Vlan is the Lan where i have my LAN, can you help me thanks
traslated with google
How do I surf the internet using the tunnel, ie, I want to navigate using the remote connection and not the local connection. I noticed that when configuring pptp server VPDN remote hosts do not get the default gateway. The question is, how do I navigate the internet using remote access (through vpn tunnel).