PPTP with MPPE
This document includes the following sections:
• Feature Overview
• Benefits
• Restrictions
• Supported Platforms
• Supported Standards, MIBs, and RFCs
• Prerequisites
• Configuration Tasks
• Monitoring and Maintaining PPTP Sessions
• Configuration Examples
• Command Reference
• Debug Commands
Feature Overview
The Point to Point Tunneling Protocol (PPTP) with Microsoft Point-to-Point Encryption (MPPE) feature enables Cisco Virtual Private Networks (VPNs) to use PPTP as the tunneling protocol.
PPTP Overview
PPTP is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the Internet. This section describes the following aspects of PPTP:
• Compulsory and Voluntary Tunneling
• PPTP Tunnel Negotiation
• Flow Control Alarm
Compulsory and Voluntary Tunneling
VPNs are designed based on one of the two following tunneling architecture options:
Compulsory Tunneling
Compulsory tunneling (also referred to as NAS-initiated tunneling) enables users to dial in to a NAS, which then establishes an encrypted tunnel to the tunnel server. The connection between the client of the user and the NAS is not encrypted.
Voluntary Tunneling
Voluntary tunneling (also referred to as client-initiated tunneling) enables clients to configure and establish encrypted tunnels to tunnel servers without an intermediate NAS participating in the tunnel negotiation and establishment.
For PPTP, only voluntary tunneling is supported.
PPTP Tunnel Negotiation
Table 1 describes the protocol negotiation events that establish a PPTP tunnel.
Flow Control Alarm
The flow control alarm is a new function that indicates whether PPTP has detected congestion or lost packets. When a flow control alarm goes off, PPTP reduces volatility and additional control traffic by establishing an accompanying stateless MPPE session (see the pptp flow-control static-rtt usage guidelines: stateful mode is switched to stateless when the alarm is set off).
For more information, see the pptp flow-control static-rtt command, and the output from the show vpdn session commands in the "Verifying a PPTP Connection" section.
MPPE Overview
MPPE is an encryption technology developed by Microsoft to encrypt point-to-point links. These PPP connections can be over a dialup line or over a VPN tunnel. MPPE works as a subfeature of Microsoft Point-to-Point Compression (MPPC).
MPPC is a scheme used to compress PPP packets between Cisco and Microsoft client devices. The MPPC algorithm is designed to optimize bandwidth utilization in order to support multiple simultaneous connections.
MPPE is negotiated using bits in the MPPC option within the Compression Control Protocol (CCP) MPPC configuration option (CCP configuration option number 18).
MPPE uses the RC4 algorithm with either 40- or 128-bit keys. All keys are derived from the cleartext authentication password of the user. RC4 is a stream cipher; therefore, the encrypted and decrypted frames are the same size as the original frame. The Cisco implementation of MPPE is fully interoperable with that of Microsoft and uses all available options, including historyless mode. Historyless mode can increase throughput in lossy environments such as VPNs, because neither side needs to send CCP Reset Requests to synchronize encryption contexts when packets are lost.
MPPE Encryption Types
Two modes of MPPE encryption are offered:
Stateful MPPE Encryption
Stateful encryption will provide the best performance but may be adversely affected by networks experiencing substantial packet loss. If you choose stateful encryption you should also configure flow control to minimize the detrimental effects of this lossiness.
Because of the way that the RC4 tables are reinitialized during stateful synchronization, it is possible that two packets may be encrypted using the same key. For this reason, stateful encryption may not be appropriate for lossy network environments (such as Layer 2 tunnels on the Internet).
Stateless MPPE Encryption
Stateless encryption provides a lower level of performance, but will be more reliable in a lossy network environment.
Caution
If you choose stateless encryption you should not configure flow control.
Benefits
This feature allows lower-cost, secure services and scalability, as described in the following sections.
Lower-Cost, Secure Services
Enterprises are increasingly looking to the Internet as a means of enabling new, lower-cost services for their users. The ubiquity of the Internet makes it very easy for remote and mobile users to connect anywhere on the planet; all that is required is an ISP to provide Internet access. At the same time, enterprises are hesitant to trust the Internet as a transport for private company data and are looking for means to use the Internet in a secure way.
PPTP with MPPE provides a solution to this need. PPTP provides a mechanism to tunnel user data across the Internet to the edge of the enterprise network, which allows users to use any ISP account and any Internet-routable IP address to access the edge of the Enterprise network. At the edge, the IP packet is de-tunneled and the IP address space of the enterprise is used for traversing the internal network. MPPE provides an encryption service that protects the datastream as it traverses the Internet. MPPE is available in two strengths: 40-bit encryption, which is widely available throughout the world, and 128-bit encryption, which may be subject to certain export controls when used outside the United States.
ISPs can also leverage PPTP with MPPE when deploying managed services for enterprise customers. In this model, the ISP deploys and manages the PPTP with MPPE tunnel server of the enterprise, or PPTP Network Server (PNS), and manages this service on behalf of the enterprise. The tunnel server may be located at the point of presence (POP) of the ISP, or it may be located at the edge of the enterprise network, but it is managed by the ISP.
Scalability
A Cisco router running PPTP can support up to 2000 simultaneous PPTP tunnels without MPPE encryption. For PPTP tunnels with MPPE encryption, Cisco routers can currently support up to 500 simultaneous tunnels.
Restrictions
• Only Cisco Express Forwarding (CEF) and process switching are supported. Regular fast switching is not supported.
• Only voluntary tunneling—not compulsory tunneling—is supported.
• PPTP does not support multilink.
• VPDN multihop is not supported.
• Because all PPTP signalling is over TCP, TCP configurations will affect PPTP performance in large-scale environments.
• MPPE is not supported with TACACS.
• MPPE is supported with RADIUS in Cisco IOS Releases 12.0(7)XE1 and later.
• MPPE keys are not supported with SNT and CSU.
Supported Platforms
• Cisco Platforms:
  – Cisco 1600 series
  – Cisco 1720 VPN Access Router
  – Cisco 2500 series
  – Cisco 2600 series
  – Cisco 3600 series
  – Cisco 4000-M series (Cisco 4000-M, 4500-M, 4700-M)
  – Cisco 7000 series
  – Cisco 7100 series
  – Cisco 7200 series
  – Cisco 7500 series
  – Cisco AS5200
  – Cisco AS5300
  – Cisco AS5800
• Windows Clients:
  – Windows 95/98
  – Windows NT 4.0
  – Windows 2000
Supported Standards, MIBs, and RFCs
Standards
None
MIBs
None
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
RFC 2637 PPTP
Prerequisites
Note
Windows clients must use MS-CHAP authentication for MPPE to work.
If you are performing mutual authentication with MS-CHAP and MPPE, both sides of the tunnel must use the same password.
To use MPPE with AAA, you must use a RADIUS server that supports the Microsoft Vendor Specific Attribute for MPPE-KEYS.
CiscoSecure ACS NT supports MPPE beginning with release 2.6. CiscoSecure ACS UNIX does not support MPPE.
Before configuring PPTP, enable the following configurations:
• Configuring AAA (Optional)
• Configuring AAA on the RADIUS Server (Optional)
• Creating the Virtual Template for Dial-In Sessions (Required)
• Specifying the IP Address Pool and BOOTP Servers (Optional)
Configuring AAA
To configure Authentication, Authorization, and Accounting (AAA) on the tunnel server, use the following commands in global configuration mode:
Configuring AAA on the RADIUS Server
To configure AAA on the RADIUS server, include the following attributes with the Return List Attributes:
Framed-Protocol = PPP
MS-CHAP-MPPE-Keys
Service-Type = Framed
Creating the Virtual Template for Dial-In Sessions
To configure the tunnel server to create virtual-access interfaces from a virtual template for incoming PPTP calls, use the following commands beginning in global configuration mode:
Specifying the IP Address Pool and BOOTP Servers
The IP address pool consists of the IP addresses that the tunnel server assigns to clients. You can also provide BOOTP servers. DNS servers, which are specified using the async-bootp dns-server command, translate host names to IP addresses. WINS servers, which are specified using the async-bootp nbns-server command, provide dynamic NetBIOS names that Windows devices use to communicate without IP addresses.
Configuration Tasks
See the following sections for configuration tasks for the PPTP with MPPE feature.
• Configuring a Tunnel Server to Accept PPTP Tunnels (Required)
• Configuring MPPE on the ISA Card (Optional)
• Tuning PPTP (Optional)
Configuring a Tunnel Server to Accept PPTP Tunnels
To configure a tunnel to accept tunneled PPP connections from a client, use the following commands beginning in global configuration mode:
Configuring MPPE on the ISA Card
To offload MPPE encryption from the tunnel server processor to the ISA card, use the following commands beginning in global configuration mode:
Step 1
Command: PNS(config)# controller isa slot/port
Purpose: Enters controller configuration mode on the ISA card.
Step 2
Command: PNS(config-controller)# encryption mppe
Purpose: Enables MPPE encryption.
Tuning PPTP
To tune PPTP, use one or more of the following commands in VPDN configuration mode:
Verifying a PPTP Connection
To verify that a PPTP network functions properly, perform the following steps:
Step 1
From the client, dial in to the ISP and establish a PPP session.
Step 2
From the client, dial in to the tunnel server.
Step 3
From the client, ping the tunnel server. From the client desktop:
a.
Click Start.
b.
Select Run.
c.
Enter ping tunnel-server-ip-address.
d.
Click OK.
e.
Look at the terminal screen and verify that the tunnel server is sending ping reply packets to the client.
Step 4
From the tunnel server, enter the show vpdn command and verify that the client has established a PPTP session.
PNS# show vpdn
% No active L2TP tunnels
% No active L2F tunnels
PPTP Tunnel and Session Information (Total tunnels=1 sessions=1)
LocID RemID Remote Name State  Remote Address Port Sessions
13    13    10.1.2.41   estabd 10.1.2.41      1136 1
LocID RemID TunID Intf Username State  Last Chg
13    0     13    Vi3           estabd 000030
Step 5
For more detailed information, enter the show vpdn session all or show vpdn session window commands. The last line of output from the show vpdn session all command indicates the current status of the flow control alarm.
PNS# show vpdn session all
% No active L2TP tunnels
% No active L2F tunnels
PPTP Session Information (Total tunnels=1 sessions=1)
Call id 13 is up on tunnel id 13
Remote tunnel name is 10.1.2.41
  Internet Address is 10.1.2.41
  Session username is unknown, state is estabd
    Time since change 000106, interface Vi3
    Remote call id is 0
    10 packets sent, 10 received, 332 bytes sent, 448 received
    Ss 11, Sr 10, Remote Nr 10, peer RWS 16
    0 out of order packets
    Flow alarm is clear.
The last line of output from the show vpdn session window command indicates the current status of the flow control alarm (under the heading "Congestion") and the number of flow control alarms that have gone off during the session (under the heading "Alarms").
PNS# show vpdn session window
% No active L2TP tunnels
% No active L2F tunnels
PPTP Session Information (Total tunnels=1 sessions=1)
LocID RemID TunID ZLB-tx ZLB-rx Congestion Alarms Peer-RWS
13    0     13    0      1      clear      0      16
Step 6
For information on the virtual-access interface, enter the show ppp mppe virtual-access number command:
PNS# show ppp mppe virtual-access3
Interface Virtual-Access3 (current connection)
Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
packets encrypted = 0 packets decrypted = 1
sent CCP resets = 0 receive CCP resets = 0
next tx coherency = 0 next rx coherency = 0
tx key changes = 0 rx key changes = 0
rx pkt dropped = 0 rx out of order pkt= 0
rx missed packets = 0
To update the key change information, reissue the show ppp mppe virtual-access3 command.
PNS# show ppp mppe virtual-access3
Interface Virtual-Access3 (current connection)
Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
packets encrypted = 0 packets decrypted = 1
sent CCP resets = 0 receive CCP resets = 0
next tx coherency = 0 next rx coherency = 0
tx key changes = 0 rx key changes = 1
rx pkt dropped = 0 rx out of order pkt= 0
rx missed packets = 0
Monitoring and Maintaining PPTP Sessions
To monitor and maintain PPTP with MPPE sessions, use the following EXEC commands:
Configuration Examples
The following example shows the running configuration of a tunnel server configured for PPTP using an ISA card to perform 40-bit MPPE encryption. It does not have a AAA configuration.
Current configuration
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PNS
!
no logging console guaranteed
enable password lab
!
username tester41 password 0 lab41
!
ip subnet-zero
no ip domain-lookup
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name cisco_pns
!
memory check-interval 1
!
controller ISA 5/0
 encryption mppe
!
process-max-time 200
!
interface FastEthernet0/0
 ip address 10.1.1.12 255.255.255.0
 no ip directed-broadcast
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.2.12 255.255.255.0
 no ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 no ip directed-broadcast
 shutdown
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
!
interface Serial1/1
 no ip address
 no ip directed-broadcast
 shutdown
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
!
interface FastEthernet4/0
 no ip address
 no ip directed-broadcast
 shutdown
 duplex half
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip directed-broadcast
 ip mroute-cache
 no keepalive
 ppp encrypt mppe 40
 ppp authentication ms-chap
!
ip classless
ip route 172.29.1.129 255.255.255.255 1.1.1.1
ip route 172.29.63.9 255.255.255.255 1.1.1.1
no ip http server
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 login
!
end
Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.
• clear vpdn tunnel
• encryption mppe
• ppp encrypt mppe
• pptp flow-control receive-window
• pptp flow-control static-rtt
• pptp tunnel echo
• show ppp mppe
clear vpdn tunnel
To shut down a specified tunnel and all the message identifiers (MIDs) within it, use the clear vpdn tunnel EXEC command.
clear vpdn tunnel [pptp | l2f | l2tp] network-access-server gateway-name
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
This command is used primarily for troubleshooting. You can use the command to force the tunnel to come down without unconfiguring it (the tunnel could be restarted immediately by a user logging in).
Examples
The following example clears a tunnel between a network access server called orion and a home gateway called samson:
clear vpdn tunnel orion samson
encryption mppe
To enable Microsoft Point-to-Point Encryption (MPPE) encryption on an Industry-Standard Architecture (ISA) card, use the encryption mppe ISA controller configuration command. To disable MPPE encryption, use the no form of this command.
encryption mppe
no encryption mppe
Syntax Description
This command has no keywords or arguments.
Defaults
IPSec is the default encryption type.
Command Modes
ISA controller configuration
Command History
Usage Guidelines
Using the ISA card offloads MPPE from the router processor and will improve performance in large-scale environments.
The router must be rebooted for the change from encryption ipsec to encryption mppe to take effect.
Examples
The following example enables MPPE encryption on the ISA card in slot 5, port 0:
PNS(config)# controller isa 5/0
PNS(config-controller)# encryption mppe
Related Commands
Command             Description
ppp encrypt mppe    Enables MPPE encryption on the virtual template.
show ppp mppe       Displays MPPE information for an interface.
debug ppp mppe      Displays debug messages for MPPE events.
ppp encrypt mppe
To enable Microsoft Point-to-Point Encryption (MPPE) encryption on the virtual template, use the ppp encrypt mppe interface configuration command. Use the no form of this command to disable MPPE encryption.
ppp encrypt mppe {auto | 40 | 128} [passive | required] [stateful]
no ppp encrypt mppe
Syntax Description
Defaults
Disabled.
The default encryption type is stateless.
Command Modes
Interface configuration
Command History
Usage Guidelines
To use the ppp encrypt mppe command, PPP encapsulation must be enabled on the interface.
Note
The ppp authentication ms-chap command must be added to the interface that will carry PPTP-MPPE traffic. All Windows clients using MPPE need MS-CHAP. This is a Microsoft design requirement.
The auto keyword is only offered on 128-bit images.
All of the configurable MPPE options must be identical on both tunnel endpoints.
Caution
Because of the way that the RC4 tables are reinitialized during stateful synchronization, it is possible that two packets may be encrypted using the same key. For this reason, stateful encryption may not be appropriate for lossy network environments (such as Layer 2 tunnels on the Internet).
Examples
The following example shows a virtual template configured to perform 40-bit MPPE encryption:
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip directed-broadcast
 ip mroute-cache
 no keepalive
 ppp encrypt mppe 40
 ppp authentication ms-chap
Related Commands
pptp flow-control receive-window
To specify how many packets the client can send before it has to wait for the tunnel server's acknowledgment, use the pptp flow-control receive-window VPDN configuration command. Use the no form of this command to return to the default value.
pptp flow-control receive-window packets
no pptp flow-control receive-window
Syntax Description
packets
Number of packets the client can send before it has to wait for the tunnel server's acknowledgment.
Range: 1 - 64 packets.
Defaults
16 packets
Command Modes
VPDN configuration
Command History
Related Commands
Command                       Description
pptp flow-control static-rtt  Specifies the tunnel server's timeout interval between sending a packet to the client and receiving a response.
pptp flow-control static-rtt
To specify the timeout interval of the tunnel server between sending a packet to the client and receiving a response, use the pptp flow-control static-rtt VPDN configuration command. Use the no form of this command to return to the default value of 1500 milliseconds (ms).
pptp flow-control static-rtt milliseconds
no pptp flow-control static-rtt
Syntax Description
milliseconds
Timeout interval of the tunnel server between sending a packet to the client and receiving a response.
Range: 100 to 5000 milliseconds.
Defaults
1500 ms
Command Modes
VPDN configuration
Command History
Usage Guidelines
If the session times out, the tunnel server does not retry or resend the packet. Instead, the flow control alarm is set off, and stateful mode is automatically switched to stateless.
Related Commands
pptp tunnel echo
To specify the period of idle time on the tunnel that will trigger an echo message from the tunnel server to the client, use the pptp tunnel echo VPDN configuration command. Use the no form of this command to return to the default value of 60 seconds.
pptp tunnel echo seconds
no pptp tunnel echo
Syntax Description
Defaults
60 seconds
Command Modes
VPDN configuration
Command History
Usage Guidelines
If the tunnel server does not receive an echo reply within 20 seconds, it will tear down the tunnel. This 20-second interval is hard coded.
Related Commands
show ppp mppe
To display Microsoft Point-to-Point Encryption (MPPE) information for an interface, use the show ppp mppe privileged EXEC command.
show ppp mppe {serial | virtual-access} [number]
Syntax Description
Command Modes
Privileged EXEC mode
Command History
Usage Guidelines
None of the fields in the output from the show ppp mppe command are fatal errors. Excessive packet drops, misses, out of orders, or CCP-Resets indicate that packets are getting lost. If you see such activity and have stateful MPPE configured, you may want to consider switching to stateless mode.
Examples
The following example displays MPPE information for virtual-access interface 3:
PNS# show ppp mppe virtual-access3
Interface Virtual-Access3 (current connection)
Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
packets encrypted = 0 packets decrypted = 1
sent CCP resets = 0 receive CCP resets = 0
next tx coherency = 0 next rx coherency = 0
tx key changes = 0 rx key changes = 0
rx pkt dropped = 0 rx out of order pkt= 0
rx missed packets = 0
To update the key change information, reissue the show ppp mppe virtual-access3 command:
PNS# show ppp mppe virtual-access3
Interface Virtual-Access3 (current connection)
Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
packets encrypted = 0 packets decrypted = 1
sent CCP resets = 0 receive CCP resets = 0
next tx coherency = 0 next rx coherency = 0
tx key changes = 0 rx key changes = 1
rx pkt dropped = 0 rx out of order pkt= 0
rx missed packets = 0
Table 2 describes significant fields in the output:
Table 2 show ppp mppe Output Field Descriptions
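As an added example (not part of the Cisco document), a small Python checker that applies the usage guideline above and Steps 5 and 6 of the verification procedure: it parses the show ppp mppe counters, flags loss activity on a stateful session as the case where stateless mode should be considered, and reads the Congestion and Alarms columns of show vpdn session window. The sample outputs are constructed in the formats shown on this page; the page only shows the Congestion value "clear", so the non-clear value "set" is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of "show ppp mppe virtual-access3" shown in
# this document; the counter values are made up to exercise the checks.
SAMPLE_MPPE = """\
Interface Virtual-Access3 (current connection)
Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateful mode
packets encrypted = 1200 packets decrypted = 1180
sent CCP resets = 3 receive CCP resets = 0
next tx coherency = 0 next rx coherency = 0
tx key changes = 0 rx key changes = 1
rx pkt dropped = 7 rx out of order pkt= 2
rx missed packets = 5
"""

# Constructed sample in the format of "show vpdn session window"; the page only
# shows the value "clear", so the non-clear Congestion value "set" is assumed.
SAMPLE_WINDOW = """\
LocID RemID TunID ZLB-tx ZLB-rx Congestion Alarms Peer-RWS
13 0 13 0 1 clear 0 16
14 0 14 2 0 set 3 16
"""

# Counters that the show ppp mppe usage guidelines list as signs of packet loss.
LOSS_COUNTERS = ("rx pkt dropped", "rx missed packets", "rx out of order pkt",
                 "sent CCP resets", "receive CCP resets")
_COUNTER_RE = re.compile(r"([A-Za-z ]+?)\s*=\s*(\d+)")  # several pairs per line


@dataclass
class MppeStats:
    interface: str
    key_bits: int
    stateful: bool
    counters: dict = field(default_factory=dict)


def parse_show_ppp_mppe(text):
    """Read the interface, key length, mode and every 'name = value' counter."""
    iface = re.search(r"Interface (\S+)", text).group(1)
    bits = int(re.search(r"(\d+) bit encryption", text).group(1))
    stats = MppeStats(iface, bits, "Stateful mode" in text)
    for line in text.splitlines():
        if line.startswith(("Interface", "Hardware")):
            continue  # header lines; "flow_id=13" is not a counter
        for name, value in _COUNTER_RE.findall(line):
            stats.counters[name.strip()] = int(value)
    return stats


def assess_mppe(stats):
    """'ok' when no loss counter is non-zero; otherwise the verdict the guideline
    implies: loss on a stateful session is the case to move to stateless mode."""
    loss = {k: v for k, v in stats.counters.items() if k in LOSS_COUNTERS and v > 0}
    if not loss:
        return "ok", loss
    return ("lossy-stateful" if stats.stateful else "lossy-stateless"), loss


def flow_alarm_sessions(text):
    """Sessions whose Congestion column is not 'clear' or whose Alarms count is > 0."""
    flagged = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) == 8 and cols[0].isdigit():
            congestion, alarms = cols[5], int(cols[6])
            if congestion != "clear" or alarms > 0:
                flagged.append((int(cols[0]), congestion, alarms))
    return flagged
```

Run the parser on two successive captures of show ppp mppe to see the key-change counters advance, as Step 6 describes.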
Related Commands
Command                       Description
pptp flow-control static-rtt  Specifies the timeout interval of the tunnel server between sending a packet to the client and receiving a response.
Debug Commands
This section documents the new debug ppp mppe command. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.
debug ppp mppe
To display debug messages for Microsoft Point-to-Point Encryption (MPPE) events, use the debug ppp mppe EXEC command. Use the no form of this command to disable MPPE debugging.
debug ppp mppe
no debug ppp mppe
Syntax Description
This command has no keywords or arguments.
Defaults
Disabled
Command History
Related Commands
Command             Description
encryption mppe     Enables MPPE encryption on the ISA card.
ppp encrypt mppe    Enables MPPE encryption on the virtual template.
show ppp mppe       Displays MPPE information for an interface.