
Cisco IOS Software Releases 12.0 Special and Early Deployments

PPTP with MPPE



Table of Contents

PPTP with MPPE
  • Feature Overview
    • PPTP Overview
    • MPPE Overview
    • Benefits
    • Restrictions
  • Supported Platforms
  • Supported Standards, MIBs, and RFCs
  • Prerequisites
    • Configuring AAA
    • Configuring AAA on the RADIUS Server
    • Creating the Virtual Template for Dial-In Sessions
    • Specifying the IP Address Pool and BOOTP Servers
  • Configuration Tasks
    • Configuring a Tunnel Server to Accept PPTP Tunnels
    • Configuring MPPE on the ISA Card
    • Tuning PPTP
    • Verifying a PPTP Connection
    • Monitoring and Maintaining PPTP Sessions
  • Configuration Examples
  • Command Reference
    • clear vpdn tunnel
    • encryption mppe
    • ppp encrypt mppe
    • pptp flow-control receive-window
    • pptp flow-control static-rtt
    • pptp tunnel echo
    • show ppp mppe
  • Debug Commands
    • debug ppp mppe

PPTP with MPPE


This document includes the following sections:

Feature Overview


The Point-to-Point Tunneling Protocol (PPTP) with Microsoft Point-to-Point Encryption (MPPE) feature enables Cisco Virtual Private Networks (VPNs) to use PPTP as the tunneling protocol.

PPTP Overview

PPTP is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the Internet. This section describes the following aspects of PPTP:

Compulsory and Voluntary Tunneling

VPNs are designed based on one of the two following tunneling architecture options:

Compulsory Tunneling

Compulsory tunneling (also referred to as NAS-initiated tunneling) enables users to dial in to a NAS, which then establishes an encrypted tunnel to the tunnel server. The connection between the client of the user and the NAS is not encrypted.

Voluntary Tunneling

Voluntary tunneling (also referred to as client-initiated tunneling) enables clients to configure and establish encrypted tunnels to tunnel servers without an intermediate NAS participating in the tunnel negotiation and establishment.

For PPTP, only voluntary tunneling is supported.

PPTP Tunnel Negotiation

Table 1 describes the protocol negotiation events that establish a PPTP tunnel.

Table 1   Protocol Negotiation Event Descriptions

  1. The client dials in to the ISP and establishes a PPP session.
  2. The client establishes a TCP connection with the tunnel server.
  3. The tunnel server accepts the TCP connection.
  4. The client sends a PPTP SCCRQ message to the tunnel server.
  5. The tunnel server establishes a new PPTP tunnel and replies with an SCCRP message.
  6. The client initiates the session by sending an OCRQ message to the tunnel server.
  7. The tunnel server creates a virtual-access interface.
  8. The tunnel server replies with an OCRP message.
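The exchange in Table 1, events 2 through 8, modelled in Python as an added example that is not Cisco code and not part of this document. The 12-byte control message header and the SCCRQ, SCCRP, OCRQ and OCRP message type values follow RFC 2637; the TunnelServer class, its state names, the is_rejected helper and the "Virtual-Access3" stand-in are this example's own simplifications, with no TCP transport and no AVP bodies. The point it adds to the table is what a careful tunnel server does with frames that are malformed or arrive in the wrong order: it refuses them instead of acting on them.

```python
"""Minimal model of the PPTP control-connection exchange from Table 1.

Added example, not Cisco code. Header layout and message type numbers
follow RFC 2637; the state machine is this example's own simplification
(no TCP, no AVP bodies beyond the header, no result-code handling).
"""
import struct

MAGIC_COOKIE = 0x1A2B3C4D          # RFC 2637 section 1.2
CONTROL_MESSAGE = 1                # PPTP Message Type: control message
# Control Message Type values from RFC 2637 that Table 1 uses
SCCRQ, SCCRP, OCRQ, OCRP = 1, 2, 7, 8

# length, PPTP message type, magic cookie, control message type, reserved0
HEADER = struct.Struct("!HHIHH")


def build_control(ctrl_type, body=b""):
    """Build a control message: 12-byte header followed by the body."""
    length = HEADER.size + len(body)
    return HEADER.pack(length, CONTROL_MESSAGE, MAGIC_COOKIE, ctrl_type, 0) + body


def parse_control(data):
    """Validate the header and return (ctrl_type, body).

    Rejects short frames, a wrong magic cookie, a non-control message type
    and a length field that does not match the frame. RFC 2637 treats a bad
    cookie as loss of synchronisation on the control connection, so callers
    treat ValueError as fatal for that TCP connection.
    """
    if len(data) < HEADER.size:
        raise ValueError("short control message")
    length, msg_type, cookie, ctrl_type, _reserved = HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08x" % cookie)
    if msg_type != CONTROL_MESSAGE:
        raise ValueError("not a control message")
    if length != len(data):
        raise ValueError("length field %d != frame length %d" % (length, len(data)))
    return ctrl_type, data[HEADER.size:]


class TunnelServer:
    """Tunnel-server side of events 4 to 8 in Table 1.

    States: 'idle' -> 'tunnel' (after SCCRQ) -> 'session' (after OCRQ).
    A message that is not expected in the current state is refused.
    """

    def __init__(self):
        self.state = "idle"
        self.virtual_access = None   # constructed stand-in for the Vi interface

    def handle(self, frame):
        ctrl_type, _body = parse_control(frame)
        if ctrl_type == SCCRQ and self.state == "idle":
            self.state = "tunnel"                     # event 5: new PPTP tunnel
            return build_control(SCCRP)
        if ctrl_type == OCRQ and self.state == "tunnel":
            self.virtual_access = "Virtual-Access3"   # event 7: clone from template
            self.state = "session"
            return build_control(OCRP)                # event 8
        raise ValueError("message type %s not expected in state %s" % (ctrl_type, self.state))


def is_rejected(server, frame):
    """True if the server refuses the frame (bad header or wrong state)."""
    try:
        server.handle(frame)
    except ValueError:
        return True
    return False


def run_negotiation():
    """Drive the client side of Table 1 and return what the server did."""
    server = TunnelServer()
    sccrp = parse_control(server.handle(build_control(SCCRQ)))[0]
    ocrp = parse_control(server.handle(build_control(OCRQ)))[0]
    return sccrp, ocrp, server.state, server.virtual_access


if __name__ == "__main__":
    print(run_negotiation())
```

Running the module prints `(2, 8, 'session', 'Virtual-Access3')`: the server answered SCCRQ with SCCRP (type 2) and OCRQ with OCRP (type 8). Sending OCRQ to a fresh server, or any frame whose cookie is not 0x1A2B3C4D, is refused.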

Flow Control Alarm

The flow control alarm is a new function that indicates if PPTP detects congestion or lost packets. When a flow control alarm goes off, PPTP reduces volatility and additional control traffic by establishing an accompanying stateful MPPE session.

For more information, see the pptp flow-control static-rtt command, and the output from the show vpdn session commands in the "Verifying a PPTP Connection" section.

MPPE Overview

MPPE is an encryption technology developed by Microsoft to encrypt point-to-point links. These PPP connections can be over a dialup line or over a VPN tunnel. MPPE works as a subfeature of Microsoft Point-to-Point Compression (MPPC).

MPPC is a scheme used to compress PPP packets between Cisco and Microsoft client devices. The MPPC algorithm is designed to optimize bandwidth utilization in order to support multiple simultaneous connections.

MPPE is negotiated using bits in the MPPC option within the Compression Control Protocol (CCP) MPPC configuration option (CCP configuration option number 18).

MPPE uses the RC4 algorithm with either 40- or 128-bit keys. All keys are derived from the cleartext authentication password of the user. RC4 is a stream cipher; therefore, the encrypted and decrypted frames are the same size as the original frame. The Cisco implementation of MPPE is fully interoperable with that of Microsoft and uses all available options, including historyless mode. Historyless mode can increase throughput in lossy environments such as VPNs, because neither side needs to send CCP Reset Requests to synchronize encryption contexts when packets are lost.

MPPE Encryption Types

Two modes of MPPE encryption are offered:

Stateful MPPE Encryption

Stateful encryption will provide the best performance but may be adversely affected by networks experiencing substantial packet loss. If you choose stateful encryption you should also configure flow control to minimize the detrimental effects of this lossiness.

Because of the way that the RC4 tables are reinitialized during stateful synchronization, it is possible that two packets may be encrypted using the same key. For this reason, stateful encryption may not be appropriate for lossy network environments (such as Layer 2 tunnels on the Internet).

Stateless MPPE Encryption

Stateless encryption provides a lower level of performance, but will be more reliable in a lossy network environment.


Caution

If you choose stateless encryption you should not configure flow control.
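To make the MPPE Overview and the stateful/stateless distinction concrete, the following Python is an added example, not Cisco or Microsoft code. It runs a textbook RC4 over two constructed frames to show two things the text states: the ciphertext keeps the frame length, and if two frames are ever encrypted under the same key from the same keystream position, XORing the two ciphertexts gives the XOR of the two plaintexts, which is why the Caution about stateful synchronization matters on lossy paths. The rekey() function is a labelled stand-in for the real per-packet key change (MPPE's own schedule is defined in RFC 3079 and is not reproduced here), and the 5-byte key and both frames are constructed.

```python
"""Why two packets under the same RC4 key is a problem for MPPE.

Added example, not Cisco or Microsoft code. A plain RC4 implementation is
used to show (1) that a stream cipher preserves frame length and (2) that
keystream reuse lets an observer XOR two ciphertexts into the XOR of the
plaintexts. rekey() is a stand-in for MPPE's per-packet key change, not
the RFC 3079 derivation.
"""
import hashlib


def rc4(key, data):
    """Textbook RC4: key scheduling, then keystream XORed over data.
    Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rekey(key):
    """Stand-in for a per-packet key change (not the RFC 3079 schedule)."""
    return hashlib.sha1(key).digest()[:len(key)]


# Constructed sample frames and a constructed 40-bit (5 byte) session key.
FRAME_A = b"ACCT 4012 BALANCE 1200\r\n"
FRAME_B = b"ACCT 4012 BALANCE 0950\r\n"
KEY = bytes.fromhex("0f1e2d3c4b")


def length_preserved(frame=FRAME_A, key=KEY):
    """Stream cipher property from the MPPE Overview: same size in and out."""
    return len(rc4(key, frame)) == len(frame)


def leak_with_key_reuse(a=FRAME_A, b=FRAME_B, key=KEY):
    """Both frames encrypted with the same key and a restarted keystream,
    the situation the Caution on stateful mode warns about. Returns True
    when c_a XOR c_b equals a XOR b, i.e. the ciphertexts alone reveal
    exactly where and how the two plaintexts differ."""
    return xor(rc4(key, a), rc4(key, b)) == xor(a, b)


def leak_with_per_packet_rekey(a=FRAME_A, b=FRAME_B, key=KEY):
    """Stateless-style operation: the key is changed before every packet, so
    the two keystreams differ and the XOR relation no longer holds."""
    c_a = rc4(key, a)
    c_b = rc4(rekey(key), b)
    return xor(c_a, c_b) == xor(a, b)


if __name__ == "__main__":
    print("length preserved:", length_preserved())
    print("same key leaks plaintext XOR:", leak_with_key_reuse())
    print("per-packet rekey leaks plaintext XOR:", leak_with_per_packet_rekey())
```

The first two checks print True and the third prints False. Nothing here recovers a plaintext; the demonstration is that key reuse turns two independent ciphertexts into a single related pair, which is the exposure stateless mode (one key per packet, as the show ppp mppe field descriptions note) is designed to avoid.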


Benefits

Enterprises are increasingly looking to the Internet as a means of enabling new, lower-cost services for their users. The ubiquity of the Internet makes it very easy for remote and mobile users to connect anywhere on the planet; all that is required is an ISP to provide Internet access. At the same time, enterprises are hesitant to trust the Internet as a transport for private company data and are looking for means to use the Internet in a secure way.

PPTP with MPPE provides a solution to this need. PPTP provides a mechanism to tunnel user data across the Internet to the edge of the enterprise network, which allows users to use any ISP account and any Internet-routable IP address to access the edge of the Enterprise network. At the edge, the IP packet is de-tunneled and the IP address space of the enterprise is used for traversing the internal network. MPPE provides an encryption service that protects the datastream as it traverses the Internet. MPPE is available in two strengths: 40-bit encryption, which is widely available throughout the world, and 128-bit encryption, which may be subject to certain export controls when used outside the United States.

ISPs can also leverage PPTP with MPPE when deploying managed services for enterprise customers. In this model, the ISP deploys and manages the PPTP with MPPE tunnel server of the enterprise, or PPTP Network Server (PNS), and manages this service on behalf of the enterprise. The tunnel server may be located at the point of presence (POP) of the ISP, or it may be located at the edge of the enterprise network, but it is managed by the ISP.

Scalability

A Cisco router running PPTP can support up to 2000 simultaneous PPTP tunnels without MPPE encryption. For PPTP tunnels with MPPE encryption, Cisco routers can currently support up to 500 simultaneous tunnels. Subsequent releases will be able to support up to 1800 simultaneous tunnels.

Restrictions

Only Cisco Express Forwarding (CEF) and process switching are supported. Regular fast switching is not supported.

Only voluntary tunneling—not compulsory tunneling—is supported.

PPTP will not support multilink.

VPDN multihop is not supported.

Because all PPTP signalling is over TCP, TCP configurations will affect PPTP performance in large-scale environments.

MPPE is not supported with TACACS.

MPPE is supported with RADIUS in Cisco IOS Releases 12.0(7)XE1 and later.

MPPE keys are not supported with SNT and CSU.

Supported Platforms


  • Cisco Platforms:
    • Cisco 7100 series
    • Cisco 7200 series
  • Windows Clients:
    • Windows 95/98
    • Windows NT 4.0
    • Windows 2000

Supported Standards, MIBs, and RFCs


Standards

None

MIBs

None

For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

RFCs
  • RFC 2637 PPTP

Prerequisites



Note      Windows clients must use MS-CHAP authentication for MPPE to work.


If you are performing mutual authentication with MS-CHAP and MPPE, both sides of the tunnel must use the same password.

To use MPPE with AAA, you must use a RADIUS server that supports the Microsoft Vendor Specific Attribute for MPPE-KEYS. CiscoSecure does not currently support this attribute.

CiscoSecure ACS NT supports MPPE beginning with release 2.6. CiscoSecure ACS UNIX does not support MPPE.

Before configuring PPTP, enable the following configurations:

  • Configuring AAA (Optional)
  • Configuring AAA on the RADIUS Server (Optional)
  • Creating the Virtual Template for Dial-in Sessions (Required)
  • Specifying the IP Address Pool and BOOTP Servers (Optional)

Configuring AAA

To configure Authentication, Authorization, and Accounting (AAA) on the tunnel server, use the following commands in global configuration mode:

Step 1   PNS(config)# aaa authentication ppp default {group radius | local}
         Configures either local or RADIUS AAA authentication.

Step 2   PNS(config)# aaa authorization network default {group radius | local}
         Configures either local or RADIUS AAA authorization.

Step 3   PNS(config)# aaa accounting network default start-stop radius
         (Optional) Enables AAA accounting that sends a stop accounting notice at the end of the requested user process.

Step 4   PNS(config)# radius-server host ip-address [auth-port number] [acct-port number]
         Specifies the IP address of the RADIUS server and optionally the ports to be used for authentication and accounting requests.

         PNS(config)# radius-server key key
         Sets the authentication key and encryption key for all RADIUS communication.

Configuring AAA on the RADIUS Server

To configure AAA on the RADIUS server, include the following attributes with the Return List Attributes:

Framed-Protocol = PPP
MS-CHAP-MPPE-Keys
Service-Type = Framed

Creating the Virtual Template for Dial-In Sessions

To configure the tunnel server to create virtual-access interfaces from a virtual template for incoming PPTP calls, use the following commands beginning in global configuration mode:

Step 1   PNS(config)# interface virtual-template number
         Creates the virtual template that is used to clone virtual-access interfaces.

Step 2   PNS(config-if)# ip unnumbered interface-type number
         Specifies the IP address of the interface that the virtual-access interfaces use.

Step 3   PNS(config-if)# ppp authentication ms-chap
         Enables MS-CHAP authentication using the local username database. All Windows clients using MPPE need to use MS-CHAP.

Step 4   PNS(config-if)# peer default ip address pool default
         Returns an IP address from the default pool to the client.

Step 5   PNS(config-if)# ip mroute-cache
         Disables fast switching of IP multicast.

Step 6   PNS(config-if)# ppp encrypt mppe {auto | 40 | 128} [passive | required] [stateful]
         Enables MPPE encryption on the virtual template.

Specifying the IP Address Pool and BOOTP Servers

The IP address pool consists of the IP addresses that the tunnel server assigns to clients. You can also provide BOOTP servers. DNS servers, which are specified using the async-bootp dns-server command, translate host names to IP addresses. WINS servers, which are specified using the async-bootp nbns-server command, provide dynamic NetBIOS names that Windows devices use to communicate without IP addresses.

Step 1   PNS(config)# ip local pool default first-ip-address last-ip-address
         Configures the default local pool of IP addresses that will be used by clients.

Step 2   PNS(config)# async-bootp dns-server ip-address1 [additional-ip-address]
         (Optional) Returns the configured addresses of domain name servers in response to BOOTP requests.

Step 3   PNS(config)# async-bootp nbns-server ip-address1 [additional-ip-address]
         (Optional) Returns the configured addresses of Windows NT servers in response to BOOTP requests.

Configuration Tasks


See the following sections for configuration tasks for the PPTP with MPPE feature. Each task in the list indicates if the task is optional or required.

Configuring a Tunnel Server to Accept PPTP Tunnels

To configure a tunnel server to accept tunneled PPP connections from a client, use the following commands beginning in global configuration mode:

Step 1   PNS(config)# vpdn-group 1
         Creates VPDN group 1.

Step 2   PNS(config-vpdn)# accept dialin
         Enables the tunnel server to accept dial-in requests.

Step 3   PNS(config-vpdn-acc-in)# protocol pptp
         Specifies that the tunneling protocol will be PPTP.

Step 4   PNS(config-vpdn-acc-in)# virtual-template template-number
         Specifies the number of the virtual template that will be used to clone the virtual-access interface.

Step 5   PNS(config-vpdn-acc-in)# exit
         PNS(config-vpdn)# local name localname
         (Optional) Specifies that the tunnel server will identify itself with this local name. If no local name is specified, the tunnel server will identify itself with its host name.

Configuring MPPE on the ISA Card

To offload MPPE encryption from the tunnel server processor to the ISA card, use the following commands beginning in global configuration mode:

Step 1   PNS(config)# controller isa slot/port
         Enters controller configuration mode on the ISA card.

Step 2   PNS(config-controller)# encryption mppe
         Enables MPPE encryption.

Tuning PPTP

To tune PPTP, use one or more of the following commands in VPDN configuration mode:

PNS(config-vpdn)# pptp flow-control receive-window packets
    Specifies how many packets the client can send before it must wait for the acknowledgment from the tunnel server.

PNS(config-vpdn)# pptp flow-control static-rtt milliseconds
    Specifies the timeout interval of the tunnel server between sending a packet to the client and receiving a response.

PNS(config-vpdn)# pptp tunnel echo seconds
    Specifies the period of idle time on the tunnel that will trigger an echo message from the tunnel server to the client.
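The tasks from "Creating the Virtual Template for Dial-In Sessions" through "Tuning PPTP" carry several cross-dependencies that this document states only in prose: MS-CHAP must accompany MPPE on the virtual template, stateless MPPE must not be combined with flow control while stateful MPPE should have it, and the three tuning commands have documented ranges. The Python below is an added example, not a Cisco tool, that reads a running configuration and reports violations of those rules. Both sample configurations are constructed for the example; the first mirrors the VPDN group and virtual template from the Configuration Examples section, the second deliberately breaks three rules.

```python
"""Check a tunnel-server configuration against the rules this document
states for PPTP with MPPE.

Added example, not a Cisco tool. Rules applied:
  * a virtual template with 'ppp encrypt mppe' needs 'ppp authentication ms-chap'
  * a VPDN group whose template uses stateless MPPE must not carry pptp flow-control
  * a VPDN group whose template uses stateful MPPE should carry pptp flow-control
  * receive-window, static-rtt and tunnel echo values must be in their documented ranges
"""
import re

RANGES = {  # command prefix -> (min, max) from the command reference
    "pptp flow-control receive-window": (1, 64),
    "pptp flow-control static-rtt": (100, 5000),
    "pptp tunnel echo": (0, 1000),
}

# Constructed; mirrors the VPDN group and virtual template of the Configuration Examples.
GOOD_CONFIG = """\
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name cisco_pns
!
controller ISA 5/0
 encryption mppe
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip directed-broadcast
 ip mroute-cache
 no keepalive
 ppp encrypt mppe 40
 ppp authentication ms-chap
"""

# Constructed; no MS-CHAP, an out-of-range static-rtt, and flow control with stateless MPPE.
BAD_CONFIG = """\
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 pptp flow-control static-rtt 6000
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ppp encrypt mppe 40 required
"""


def parse_blocks(config):
    """Return {top-level line: [stripped indented sub-lines]}.

    Every indented line is attached to the most recent unindented line, which
    covers interface, controller and vpdn-group sections alike; '!' lines are
    comments or separators and are skipped.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def check_config(config):
    """Return a list of findings; an empty list means every rule is satisfied."""
    blocks = parse_blocks(config)
    findings = []
    templates = {}  # template number -> True (stateful), False (stateless), None (no MPPE)
    for header, lines in blocks.items():
        m = re.match(r"interface virtual-template(\d+)$", header, re.I)
        if not m:
            continue
        mppe = [l for l in lines if l.startswith("ppp encrypt mppe")]
        if not mppe:
            templates[m.group(1)] = None
            continue
        templates[m.group(1)] = "stateful" in mppe[0].split()
        if not any(l.startswith("ppp authentication") and "ms-chap" in l.split() for l in lines):
            findings.append("%s: ppp encrypt mppe without ppp authentication ms-chap" % header)
    for header, lines in blocks.items():
        if not header.startswith("vpdn-group") or "protocol pptp" not in lines:
            continue
        for line in lines:
            for prefix, (lo, hi) in RANGES.items():
                if line.startswith(prefix + " ") and not lo <= int(line.split()[-1]) <= hi:
                    findings.append("%s: '%s' is outside the range %d to %d" % (header, line, lo, hi))
        template = [l.split()[-1] for l in lines if l.startswith("virtual-template ")]
        if not template:
            findings.append("%s: protocol pptp but no virtual-template" % header)
            continue
        mode = templates.get(template[0], "missing")
        if mode == "missing":
            findings.append("%s: virtual-template %s is not defined" % (header, template[0]))
            continue
        flow = any(l.startswith("pptp flow-control") for l in lines)
        if mode is True and not flow:
            findings.append("%s: stateful MPPE on Virtual-Template%s but no pptp flow-control" % (header, template[0]))
        if mode is False and flow:
            findings.append("%s: pptp flow-control with stateless MPPE on Virtual-Template%s (see Caution)" % (header, template[0]))
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_config(cfg) or ["no findings"])
```

The good configuration produces no findings; the bad one produces three: the missing MS-CHAP line, the static-rtt value of 6000 outside 100 to 5000, and flow control configured for a template that negotiates stateless MPPE. Feed it the output of show running-config to apply the same checks to a live tunnel server.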

Verifying a PPTP Connection

To verify that a PPTP network functions properly, perform the following steps:


Step 1   From the client, dial in to the ISP and establish a PPP session.

Step 2   From the client, dial in to the tunnel server.

Step 3   From the client, ping the tunnel server. From the client desktop:

(a). Click Start.

(b). Select Run.

(c). Enter ping tunnel-server-ip-address.

(d). Click OK.

(e). Look at the terminal screen and verify that the tunnel server is sending ping reply packets to the client.

Step 4   From the tunnel server, enter the show vpdn command and verify that the client has established a PPTP session.

PNS# show vpdn

% No active L2TP tunnels

% No active L2F tunnels

PPTP Tunnel and Session Information (Total tunnels=1 sessions=1)

LocID RemID Remote Name     State    Remote Address  Port  Sessions
13    13    10.1.2.41       estabd   10.1.2.41       1136  1       

LocID RemID TunID Intf    Username      State   Last Chg
13    0     13    Vi3                   estabd  000030        

Step 5   For more detailed information, enter the show vpdn session all or show vpdn session window commands. The last line of output from the show vpdn session all command indicates the current status of the flow control alarm.

PNS# show vpdn session all

% No active L2TP tunnels

% No active L2F tunnels

PPTP Session Information (Total tunnels=1 sessions=1)

Call id 13 is up on tunnel id 13
Remote tunnel name is 10.1.2.41
  Internet Address is 10.1.2.41
  Session username is unknown, state is estabd
    Time since change 000106, interface Vi3
    Remote call id is 0
    10 packets sent, 10 received, 332 bytes sent, 448 received
      Ss 11, Sr 10, Remote Nr 10, peer RWS 16
      0 out of order packets
      Flow alarm is clear.

The last line of output from the show vpdn session window command indicates the current status of the flow control alarm (under the heading "Congestion") and the number of flow control alarms that have gone off during the session (under the heading "Alarms").

PNS# show vpdn session window

% No active L2TP tunnels

% No active L2F tunnels

PPTP Session Information (Total tunnels=1 sessions=1)

LocID RemID TunID ZLB-tx  ZLB-rx  Congestion Alarms   Peer-RWS
13    0     13    0       1       clear      0        16 

Step 6   For information on the virtual-access interface, enter the show ppp mppe virtual-access number command:

PNS# show ppp mppe virtual-access3
Interface Virtual-Access3 (current connection)
  Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
  packets encrypted = 0        packets decrypted  = 1     
  sent CCP resets   = 0        receive CCP resets = 0     
  next tx coherency = 0        next rx coherency  = 0     
  tx key changes    = 0        rx key changes     = 0     
  rx pkt dropped    = 0        rx out of order pkt= 0     
  rx missed packets = 0     

To update the key change information, reissue the show ppp mppe virtual-access3 command.

PNS# show ppp mppe virtual-access3
Interface Virtual-Access3 (current connection)
  Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
  packets encrypted = 0        packets decrypted  = 1     
  sent CCP resets   = 0        receive CCP resets = 0     
  next tx coherency = 0        next rx coherency  = 0     
  tx key changes    = 0        rx key changes     = 1     
  rx pkt dropped    = 0        rx out of order pkt= 0     
  rx missed packets = 0     

Monitoring and Maintaining PPTP Sessions


To monitor and maintain PPTP with MPPE sessions, use the following EXEC commands:

clear vpdn tunnel [pptp | l2f | l2tp] network-access-server gateway-name
    Shuts down a specific tunnel and all the sessions within the tunnel.

debug aaa authentication
    Displays information on AAA authentication.

debug aaa authorization
    Displays information on AAA authorization.

debug ppp chap
    Displays CHAP packet exchanges.

debug ppp negotiation
    Displays information about packets sent during PPP start-up and detailed PPP negotiation options.

debug ppp mppe
    Displays debug messages for MPPE events.

debug vpdn event [protocol | flow-control]
    Displays VPDN errors and basic events within the protocol (such as L2TP, L2F, PPTP) and errors associated with flow control. Flow control is only possible if you are using L2TP and the remote peer "receive window" is configured for a value greater than zero.

debug vpdn l2x-events
    Displays L2F and L2TP events that are part of tunnel establishment or shutdown.

debug vpdn l2x-errors
    Displays L2F and L2TP protocol errors that prevent tunnel establishment or normal operation.

debug vpdn packet [control | data] [detail]
    Displays protocol-specific packet header information, such as sequence numbers (if present), flags, and length.

Configuration Examples


The following example shows the running configuration of a tunnel server configured for PPTP using an ISA card to perform 40-bit MPPE encryption. It does not have an AAA configuration.

Current configuration
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname PNS
!
no logging console guaranteed
enable password lab
!
username tester41 password 0 lab41
!
!
!
!
ip subnet-zero
no ip domain-lookup
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name cisco_pns
!
!
!
memory check-interval 1
!
!
controller ISA 5/0
 encryption mppe
!
process-max-time 200
!
interface FastEthernet0/0
 ip address 10.1.1.12 255.255.255.0
 no ip directed-broadcast
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.2.12 255.255.255.0
 no ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 no ip directed-broadcast
 shutdown
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
!
interface Serial1/1
 no ip address
 no ip directed-broadcast
 shutdown
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
!
interface FastEthernet4/0
 no ip address
 no ip directed-broadcast
 shutdown
 duplex half
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip directed-broadcast
 ip mroute-cache
 no keepalive
 ppp encrypt mppe 40
 ppp authentication ms-chap
!
ip classless
ip route 172.29.1.129 255.255.255.255 1.1.1.1
ip route 172.29.63.9 255.255.255.255 1.1.1.1
no ip http server
!
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 login
!
end

Command Reference


This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.

clear vpdn tunnel

To shut down a specified tunnel and all the message identifiers (MIDs) within it, use the clear vpdn tunnel EXEC command.

clear vpdn tunnel [pptp | l2f | l2tp] network-access-server gateway-name

Syntax Description

pptp

(Optional) Clears the specified Point-to-Point Tunneling Protocol (PPTP) tunnel.

l2f

(Optional) Clears the specified Layer 2 Forwarding (L2F) tunnel.

l2tp

(Optional) Clears the specified Layer 2 Tunneling Protocol (L2TP) tunnel.

network-access-server

Name of the network access server at the far end of the tunnel, probably the point of presence of the public data network or the ISP.

gateway-name

Host name of home gateway at the local end of the tunnel.

Command Modes

EXEC

Command History

Release  Modification 

11.2 P

This command was introduced.

12.0(5)XE5

The pptp keyword was added.

Usage Guidelines

This command is used primarily for troubleshooting. You can use the command to force the tunnel to come down without unconfiguring it (the tunnel could be restarted immediately by a user logging in).

Examples

The following example clears a tunnel between a network access server called orion and a home gateway called samson:

clear vpdn tunnel orion samson

encryption mppe

To enable Microsoft Point-to-Point Encryption (MPPE) encryption on an Industry-Standard Architecture (ISA) card, use the encryption mppe ISA controller configuration command. To disable MPPE encryption, use the no form of this command.

encryption mppe
no encryption mppe

Syntax Description

This command has no keywords or arguments.

Defaults

IPSec is the default encryption type.

Command Modes

ISA controller configuration

Command History

Release  Modification 

12.0(5)XE5

This command was introduced.

Usage Guidelines

Using the ISA card offloads MPPE from the router processor and will improve performance in large-scale environments.

The router must be rebooted for the change from encryption ipsec to encryption mppe to take effect.

Examples

The following example enables MPPE encryption on the ISA card in slot 5, port 0:

PNS(config)# controller isa 5/0
PNS(config-controller)# encryption mppe

Related Commands

Command Description

ppp encrypt mppe

Enables MPPE encryption on the virtual template.

show ppp mppe

Displays MPPE information for an interface.

debug ppp mppe

Displays debug messages for MPPE events.

ppp encrypt mppe

To enable Microsoft Point-to-Point Encryption (MPPE) encryption on the virtual template, use the ppp encrypt mppe interface configuration command. Use the no form of this command to disable MPPE encryption.

ppp encrypt mppe {auto | 40 | 128} [passive | required] [stateful]
no ppp encrypt mppe

Syntax Description

auto

All available encryption strengths are allowed.

40

Only 40-bit encryption is allowed.

128

Only 128-bit encryption is allowed.

passive

(Optional) MPPE will not offer encryption, but will negotiate if the other tunnel endpoint requests encryption.

required

(Optional) MPPE must be negotiated, or the connection will be terminated.

stateful

(Optional) MPPE will only negotiate stateful encryption. If the stateful keyword is not used, MPPE will first attempt to negotiate stateless encryption, but will fall back to stateful if the other tunnel endpoint requests stateful.

Defaults

Disabled.

The default encryption type is stateless.

Command Modes

Interface configuration

Command History

Release  Modification 

12.0(5)XE5

This command was introduced.

Usage Guidelines

To use the ppp encrypt mppe command, PPP encapsulation must be enabled.


Note      The ppp authentication ms-chap command must be added to the interface that will carry PPTP-MPPE traffic. All Windows clients using MPPE need MS-CHAP. This is a Microsoft design requirement.


The auto keyword is only offered on 128-bit images.

All of the configurable MPPE options must be identical on both tunnel endpoints.


Caution

Because of the way that the RC4 tables are reinitialized during stateful synchronization, it is possible that two packets may be encrypted using the same key. For this reason, stateful encryption may not be appropriate for lossy network environments (such as Layer 2 tunnels on the Internet).


Examples

The following example shows a virtual template configured to perform 40-bit MPPE encryption:

interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip directed-broadcast
 ip mroute-cache
 no keepalive
 ppp encrypt mppe 40
 ppp authentication ms-chap

Related Commands

Command Description

encryption mppe

Enables MPPE encryption on the ISA card.

interface virtual-template

Creates a virtual template interface.

ppp authentication

Enables CHAP, PAP, MS-CHAP or a combination of methods and specifies the order in which the authentication methods are selected on the interface.

pptp flow-control receive-window

To specify how many packets the client can send before it has to wait for the tunnel server's acknowledgment, use the pptp flow-control receive-window VPDN configuration command. Use the no form of this command to return to the default value.

pptp flow-control receive-window packets
no pptp flow-control receive-window

Syntax Description

packets

Number of packets the client can send before it has to wait for the tunnel server's acknowledgment.

Range: 1 to 64 packets.

Defaults

16 packets

Command Modes

VPDN configuration

Command History

Release  Modification 

12.0(5)XE5

This command was introduced.

Related Commands

Command  Description 

pptp flow-control static-rtt

Specifies the tunnel server's timeout interval between sending a packet to the client and receiving a response.

pptp flow-control static-rtt

To specify the timeout interval of the tunnel server between sending a packet to the client and receiving a response, use the pptp flow-control static-rtt VPDN configuration command. Use the no form of this command to return to the default value of 1500 milliseconds (ms).

pptp flow-control static-rtt milliseconds
no pptp flow-control static-rtt

Syntax Description

milliseconds

Timeout interval of the tunnel server between sending a packet to the client and receiving a response.

Range: 100 to 5000 milliseconds.

Defaults

1500 ms

Command Modes

VPDN configuration

Command History

Release  Modification 

12.0(5)XE5

This command was introduced.

Usage Guidelines

If the session times out, the tunnel server does not retry or resend the packet. Instead the flow control alarm is set off, and stateful mode is automatically switched to stateless.

Related Commands

Command Description

pptp flow-control receive-window

Specifies how many packets the client can send before it must wait for the acknowledgment from the tunnel server.

pptp tunnel echo

Specifies the period of idle time on the tunnel that will trigger an echo message from the tunnel server to the client.

pptp tunnel echo

To specify the period of idle time on the tunnel that will trigger an echo message from the tunnel server to the client, use the pptp tunnel echo VPDN configuration command. Use the no form of this command to return to the default value of 60 seconds.

pptp tunnel echo seconds
no pptp tunnel echo

Syntax Description

seconds

Echo packet interval in seconds.

Range: 0 to 1000 seconds.

Defaults

60 seconds

Command Modes

VPDN configuration

Command History

Release  Modification 

12.0(5)XE5

This command was introduced.

Usage Guidelines

If the tunnel server does not receive an echo reply within 20 seconds, it will tear down the tunnel. This 20-second interval is hard coded.

Related Commands

Command Description

pptp flow-control receive-window

Specifies how many packets the client can send before it must wait for the acknowledgment from the tunnel server.

pptp flow-control static-rtt

Specifies the timeout interval of the tunnel server between sending a packet to the client and receiving a response.

show ppp mppe

To display Microsoft Point-to-Point Encryption (MPPE) information for an interface, use the show ppp mppe privileged EXEC command.

show ppp mppe {serial | virtual-access} [number]

Syntax Description

serial

Displays MPPE information for all serial interfaces.

virtual-access

Displays MPPE information for all virtual-access interfaces.

number

(Optional) Displays MPPE information for only the specified interface.

Command Modes

Privileged EXEC mode

Command History

Release  Modification 

12.0(5)XE5

This command was introduced.

Usage Guidelines

None of the fields in the output from the show ppp mppe command are fatal errors. Excessive packet drops, misses, out of orders, or CCP-Resets indicate that packets are getting lost. If you see such activity and have stateful MPPE configured, you may want to consider switching to stateless mode.

Examples

The following example displays MPPE information for virtual-access interface 3:

PNS# show ppp mppe virtual-access3
Interface Virtual-Access3 (current connection)
  Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
  packets encrypted = 0        packets decrypted  = 1     
  sent CCP resets   = 0        receive CCP resets = 0     
  next tx coherency = 0        next rx coherency  = 0     
  tx key changes    = 0        rx key changes     = 0     
  rx pkt dropped    = 0        rx out of order pkt= 0     
  rx missed packets = 0     

To update the key change information, reissue the show ppp mppe virtual-access3 command:

PNS# show ppp mppe virtual-access3
Interface Virtual-Access3 (current connection)
  Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
  packets encrypted = 0        packets decrypted  = 1     
  sent CCP resets   = 0        receive CCP resets = 0     
  next tx coherency = 0        next rx coherency  = 0     
  tx key changes    = 0        rx key changes     = 1     
  rx pkt dropped    = 0        rx out of order pkt= 0     
  rx missed packets = 0 

Table 2 describes significant fields in the output:

Table 2   show ppp mppe Field Descriptions

Field  Description 

packets encrypted

Number of packets that have been encrypted

packets decrypted

Number of packets that have been decrypted

sent CCP resets

Number of CCP-Resets sent. One CCP-Reset is sent for each packet loss that is detected in stateful mode. When configured for stateless MPPE, this field is always zero.

next tx coherency

The coherency count (the sequence number) of the next packet to be encrypted.

next rx coherency

The coherency count (the sequence number) of the next packet to be decrypted.

key changes

Number of times the session key has been reinitialized. In stateless mode, the key is reinitialized once per packet. In stateful mode, the key is reinitialized every 256 packets or when a CCP-Reset is received.

rx packet dropped

Number of packets received and dropped. A packet is dropped because it is suspected of being a duplicate or already received packet.

rx out of order pkt

Number of packets received that are out of order.

rx missed packets

Number of packets received that indicated that a packet has been missed elsewhere.
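One way to act on the Usage Guidelines for show ppp mppe and on the flow control alarm described under "Verifying a PPTP Connection", as an added Python example that is not Cisco code: it parses the show ppp mppe and show vpdn session window screens into the fields Table 2 describes and flags a stateful session that is losing packets. CLEAN_SAMPLE is the show ppp mppe output shown in this document; LOSSY_SAMPLE and WINDOW_SAMPLE are constructed, and the value "set" under Congestion in the constructed window screen is a placeholder for whatever the router prints when the alarm is on (this document only shows "clear"), so the code treats anything other than "clear" as congestion.

```python
"""Turn the show ppp mppe and show vpdn session window screens into a
verdict on whether a stateful MPPE session is suffering packet loss.

Added example, not Cisco code. CLEAN_SAMPLE is copied from this document;
LOSSY_SAMPLE and WINDOW_SAMPLE are constructed. The rule applied is the
one from the show ppp mppe Usage Guidelines: drops, misses, out-of-order
packets or CCP-Resets mean packets are being lost, and a stateful session
showing them should be considered for stateless mode.
"""
import re

CLEAN_SAMPLE = """\
PNS# show ppp mppe virtual-access3
Interface Virtual-Access3 (current connection)
  Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateless mode
  packets encrypted = 0        packets decrypted  = 1
  sent CCP resets   = 0        receive CCP resets = 0
  next tx coherency = 0        next rx coherency  = 0
  tx key changes    = 0        rx key changes     = 1
  rx pkt dropped    = 0        rx out of order pkt= 0
  rx missed packets = 0
"""

# Constructed: a stateful session on a lossy path.
LOSSY_SAMPLE = """\
PNS# show ppp mppe virtual-access3
Interface Virtual-Access3 (current connection)
  Hardware (ISA5/1, flow_id=13) encryption, 40 bit encryption, Stateful mode
  packets encrypted = 1200     packets decrypted  = 1187
  sent CCP resets   = 9        receive CCP resets = 0
  next tx coherency = 1200     next rx coherency  = 1196
  tx key changes    = 4        rx key changes     = 13
  rx pkt dropped    = 2        rx out of order pkt= 5
  rx missed packets = 9
"""

# Constructed; 'set' under Congestion is a placeholder for the alarm-on value.
WINDOW_SAMPLE = """\
PNS# show vpdn session window
% No active L2TP tunnels
% No active L2F tunnels
PPTP Session Information (Total tunnels=1 sessions=1)
LocID RemID TunID ZLB-tx  ZLB-rx  Congestion Alarms   Peer-RWS
13    0     13    0       1       set        2        16
"""

# 'name = value' pairs; two pairs share a line in the counter block
COUNTER = re.compile(r"([a-z][a-z ]+?)\s*=\s*(\d+)", re.I)
# Table 2 fields that indicate lost packets
LOSS_FIELDS = ("sent ccp resets", "receive ccp resets", "rx pkt dropped",
               "rx out of order pkt", "rx missed packets")


def parse_show_ppp_mppe(text):
    """Return {'mode': 'stateful' | 'stateless' | None, 'counters': {name: int}}."""
    mode = re.search(r"(Stateless|Stateful) mode", text)
    counters = {}
    for line in text.splitlines():
        if "(" in line:          # banner lines such as 'Hardware (ISA5/1, ...)'
            continue
        for name, value in COUNTER.findall(line):
            counters[name.strip().lower()] = int(value)
    return {"mode": mode.group(1).lower() if mode else None, "counters": counters}


def parse_session_window(text):
    """Return the first session row of show vpdn session window as a dict
    keyed by the column headings (LocID, ..., Congestion, Alarms, Peer-RWS)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("LocID") and i + 1 < len(lines):
            return dict(zip(line.split(), lines[i + 1].split()))
    return {}


def assess(mppe, window=None):
    """Apply the document's guidance and return the verdict as a dict."""
    counters = mppe["counters"]
    lost = sum(counters.get(field, 0) for field in LOSS_FIELDS)
    stateful = mppe["mode"] == "stateful"
    window = window or {}
    return {
        "stateful": stateful,
        "lost_packet_indicators": lost,
        "flow_alarms": int(window.get("Alarms", 0)),
        "congested": window.get("Congestion", "clear") != "clear",
        "recommend_stateless": stateful and lost > 0,
    }


if __name__ == "__main__":
    print("clean:", assess(parse_show_ppp_mppe(CLEAN_SAMPLE)))
    print("lossy:", assess(parse_show_ppp_mppe(LOSSY_SAMPLE), parse_session_window(WINDOW_SAMPLE)))
```

For the document's own output the verdict is stateless mode with no loss indicators, so nothing to do. For the constructed stateful session the five loss-related counters add up to 25, two flow control alarms have gone off and the Congestion column is not clear, so recommend_stateless is True; that is the point at which the Usage Guidelines suggest removing the stateful keyword from ppp encrypt mppe.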

Related Commands

Command Description

pptp flow-control static-rtt

Specifies the timeout interval of the tunnel server between sending a packet to the client and receiving a response.

Debug Commands


This section documents the new debug ppp mppe command. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.

debug ppp mppe

To display debug messages for Microsoft Point-to-Point Encryption (MPPE) events, use the debug ppp mppe EXEC command. Use the no form of this command to disable MPPE debugging.

debug ppp mppe
no debug ppp mppe

Syntax Description

This command has no keywords or arguments.

Defaults

Disabled

Command History

Release  Modification 

12.0(5)XE5

This command was introduced.

Related Commands

Command Description

encryption mppe

Enables MPPE encryption on the ISA card.

ppp encrypt mppe

Enables MPPE encryption on the virtual template.

show ppp mppe

Displays MPPE information for an interface.