Home > Cisco, VPN, Windows > Configure Cisco Router for Remote Access PPTP VPN Connections

Configure Cisco Router for Remote Access PPTP VPN Connections

In this installment we’ll run through the configuration of a Cisco router to support PPTP VPN remote access clients.  Much has been documented in the last decade over the the weaknesses of using a PPTP VPN in combination with MS-CHAP-V2 for authentication, which is a commonly supported and simpler configuration.  Namely, PPTP/MS-CHAP-V2 relies on a strong user password to be used to limit the ability of hackers to compromise the VPN session.  The advantage of using the PPTP VPN is that it is fairly simple to set up and will allow Windows and Mac clients to access our secured network without installing the Cisco VPN client software.  More secure configurations of PPTP are available using EAP-TLS for the authentication, these involve configuring client certificates and are beyond the scope of this article.  In a future posting I plan to discuss the set up a more secure IPSec based VPN with a Cisco router.

In this example I will make use of the fantastic GNS3/Dynamips software for router emulation.  I have set up a router with the NM16-ESW adapter to give the router basic switching functionality to test with an internal VLAN.  The router is also configured with NAT overload for the internal network.  Here is my network diagram, pretty basic configuration with an external network and an internal VLAN network:

The initial router configuration basically consists of configured IP addresses on interfaces, VLAN set up, and NAT activated:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
no aaa new-model
memory-size iomem 5
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
interface FastEthernet0/0
ip address
ip nat outside
ip virtual-reassembly
speed 100
interface FastEthernet0/1
no ip address
duplex auto
speed auto
interface FastEthernet1/0
switchport access vlan 10
interface FastEthernet1/1
interface Vlan1
no ip address
interface Vlan10
ip address
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
ip route
ip http server
no ip http secure-server
ip nat inside source list nat-addresses interface FastEthernet0/0 overload
ip access-list standard nat-addresses
line con 0
line aux 0
line vty 0 4

Initially we’ll start by setting up a local account on the Cisco router itself to use for VPN client authentication.  Later once we’ve confirmed that this configuration works we’ll move on to modifying it to authenticate users against a central Radius server to ease our administrative burdens.

Let’s begin by adding a user to the local router database.  We’ll use the secret command modifier instead of password to specify a type 5 password that uses the MD5 hashing algorithm.  This is more secure and will make decryption tougher:

R1(config)# conf t
R1(config)# username aaron secret MyPassword

Now we need to activate aaa new model to expose new commands:

R1(config)# aaa new-model

Set up ppp authentication for local database by default:

R1(config)# aaa authentication ppp default local

We must provide authorization for the client computer, in this case we’ll do this automatically if the user has successfully authenticated:

R1(config)# aaa authorization network default if-authenticated

Now we need to activate VPDN which along with dial up networking will activate remote access PPTP VPN connections:

R1(config)# vpdn enable

Enter the VPDN group configuration for group VPN:

R1(config)# vpdn-group VPN

Configure the VPDN group for dialin connections which is how we define our inbound PPTP VPN connections.  Also specify PPTP as the protocol to be used and a virtual template with additional parameters for these connections:

R1(config-vpdn)# accept-dialin
R1(config-vpdn-acc-in)# protocol pptp
R1(config-vpdn-acc-in)# virtual-template 1

Type exit twice to return to get out of vpdn config.

Now we need to configure a virtual interface that VPN clients will use when connecting to the router:

R1(config)# interface Virtual-Template1

In my example the client will bind to VLAN 10 which is my internal LAN interface, standard Ethernet/FastEthernet ports can also be used:

R1(config-if)# ip unnumbered Vlan 10

We’ll tell the PPTP VPN clients to use an IP address from a pool defined locally on the router:

R1(config-if)# peer default ip address pool PPTP-VPN-POOL

We need to set up encryption and authentication  for the PPP tunnel.  I’ll tell it to require Microsoft 128-bit which XP supports and I’ll use MS-CHAP-V2 for authentication:

R1(config-if)# ppp encrypt mppe 128
R1(config-if)# ppp authentication ms-chap-v2
R1(config-if)# exit

Now create the local pool of IP addresses for the VPN clients to use when connected to our internal network and save our configuration:

R1(config)# ip local pool PPTP-VPN-POOL
R1(config)# exit
R1# copy run start

Pages: 1 2

Categories: Cisco, VPN, Windows Tags: , ,
  1. cindy
    April 7, 2011 at 2:41 pm

    hai, aaron…nice to meet u…
    i need to setup this pptp remote access vpn by using gns3 in coming 2 days. i have followed what you have written at here, but i cannot configure the router. i even dont know how to configure the router with NAT overload and those VLAN setup and IP address configuration. im new to GNS3…

    can you teach me step by step on how to do this? i need to success establish the VPN connection at the end by using this topology..
    Plz could u send me the copy of this?
    the first step until the end.
    thanks a lot….

    • April 8, 2011 at 3:52 am

      Hi Cindy,

      I’m sorry but I don’t have any detailed instructions on setting up a router initially step by step. But if want to have a router set up the same as what I did you can basically copy and paste the initial config that I provided into the router console at the “configure terminal” prompt. One thing that I may not have included in the article is configuring vlan’s, before you copy the config you will need to set up the non-standard vlan 10 that I used in the vlan database of the router. This can different depending on the switch/router hardware involved, but for this GNS3 router with the NM16-ESW switch module at the enable mode you would enter something like:

      vlan database
      vlan 10

      Also I would highly recommend checking out the excellent documentation and videos that you can find over at the GNS3 website, http://www.gns3.net/. They have a lot of detail including how to set up GNS3 from scratch including the initial router configuration all the way up to very advanced network topology scenarios.

      Best Wishes,


  2. waple
    April 18, 2011 at 10:57 am

    Hi Aaron,
    I want to know how did you connect the two clouds the vlan clouds and external clouds. Which interfaces you used for the two clouds?

    • April 22, 2011 at 11:43 pm

      Hi Waple,

      It’s been a while since I have done anything in GNS3. But from what I can remember I believe I had to tie each cloud to a network device configured on the system running GNS3. It could be an actual physical NIC, or if you are running this on Windows you could install the Microsoft loopback adapter as an additional NIC. If you are in a virtual machine you could make network interfaces within that. Also if you have something like VMware Workstation/Server installed on a host and run GNS3 there you to create several private “host only” network adapters.

      Best Wishes,


  3. July 20, 2011 at 1:24 am

    What if I need to enter a password for the router? Where do I key it in and how do I do it?

  4. November 2, 2011 at 12:35 pm

    @ papa..Read the article attentively..then You will get your answer.

  5. Juan Pablo Vilchis
    January 29, 2013 at 8:25 pm

    hi Aaron, thanks for your blog, i need help
    i traying configure a cisco 887 and i have a problem in this part:

    ISATELNET#conf term
    Enter configuration commands, one per line. End with CNTL/Z.
    ISATELNET(config)# interface Virtual-Template1
    ISATELNET(config-if)#ip unnumbered Vlan 1
    ISATELNET(config-if)#peer default ip address pool PPTP-VPN-POOL
    % Invalid input detected at ‘^’ marker.
    ISATELNET(config-if)#ppp encrypt mppe 128
    % Invalid input detected at ‘^’ marker.

    ISATELNET(config-if)# ppp authentication ms-chap-v2
    % Invalid input detected at ‘^’ marker.

    put “marker” in the P
    Vlan is the Lan where i have my LAN, can you help me thanks

    traslated with google

  6. Arthur Blackmouth
    May 17, 2013 at 4:04 am

    How do I surf the internet using the tunnel, ie, I want to navigate using the remote connection and not the local connection. I noticed that when configuring pptp server VPDN remote hosts do not get the default gateway. The question is, how do I navigate the internet using remote access (through vpn tunnel).

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: