This document includes the following sections:
The Point to Point Tunneling Protocol (PPTP) with Microsoft Point-to-Point Encryption (MPPE) feature enables Cisco Virtual Private Networks (VPNs) to use PPTP as the tunneling protocol.
PPTP is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the Internet. This section describes the following aspects of PPTP:
VPNs are designed based on one of the two following tunneling architecture options:
Compulsory tunneling (also referred to as NAS-initiated tunneling) enables users to dial in to a NAS, which then establishes an encrypted tunnel to the tunnel server. The connection between the client of the user and the NAS is not encrypted.
Voluntary tunneling (also referred to as client-initiated tunneling) enables clients to configure and establish encrypted tunnels to tunnel servers without an intermediate NAS participating in the tunnel negotiation and establishment.
For PPTP, only voluntary tunneling is supported.
Table 1 describes the protocol negotiation events that establish a PPTP tunnel.
Table 1 Protocol Negotiation Event Descriptions
The flow control alarm is a new function that indicates whether PPTP has detected congestion or lost packets. When a flow control alarm goes off, PPTP reduces volatility and additional control traffic by establishing an accompanying stateful MPPE session.
For more information, see the pptp flow-control static-rtt command, and the output from the show vpdn session commands in the "Verifying a PPTP Connection" section.
MPPE is an encryption technology developed by Microsoft to encrypt point-to-point links. These PPP connections can be over a dialup line or over a VPN tunnel. MPPE works as a subfeature of Microsoft Point-to-Point Compression (MPPC).
MPPC is a scheme used to compress PPP packets between Cisco and Microsoft client devices. The MPPC algorithm is designed to optimize bandwidth utilization in order to support multiple simultaneous connections.
MPPE is negotiated using bits in the Compression Control Protocol (CCP) MPPC configuration option (CCP configuration option number 18).
MPPE uses the RC4 algorithm with either 40- or 128-bit keys. All keys are derived from the cleartext authentication password of the user. RC4 is a stream cipher; therefore, the encrypted and decrypted frames are the same size as the original frame. The Cisco implementation of MPPE is fully interoperable with that of Microsoft and uses all available options, including historyless mode. Historyless mode can increase throughput in lossy environments such as VPNs, because neither side needs to send CCP Reset Requests to synchronize encryption contexts when packets are lost.
Two modes of MPPE encryption are offered:
Stateful encryption provides the best performance but may be adversely affected by networks experiencing substantial packet loss. If you choose stateful encryption, you should also configure flow control to minimize the detrimental effects of this lossiness.
Because of the way that the RC4 tables are reinitialized during stateful synchronization, two packets may be encrypted using the same key. For this reason, stateful encryption may not be appropriate for lossy network environments (such as Layer 2 tunnels on the Internet).
Stateless encryption provides a lower level of performance, but will be more reliable in a lossy network environment.
Caution: If you choose stateless encryption, you should not configure flow control.
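As an added illustration of the stateful-mode caveat above (not from the Cisco document), the following Python models the risk the paragraph describes: two RC4-encrypted frames that end up under one re-used key leak the XOR of their plaintexts, while a fresh key per frame (a simplified stand-in for stateless mode, not the RFC 3078 key derivation) does not. The RC4 routine, the per_frame_key construction, the session key and the sample frames are all constructed for this demo.

```python
import hashlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + output generation); returns `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_frame(key: bytes, frame: bytes) -> bytes:
    """Stream cipher: the ciphertext is exactly as long as the PPP frame."""
    return xor_bytes(frame, rc4_keystream(key, len(frame)))

def per_frame_key(session_key: bytes, coherency_count: int) -> bytes:
    """Stand-in for the per-frame key change of stateless mode (assumed
    construction for this demo, not RFC 3078's actual SHA-1 key mixing)."""
    return hashlib.sha1(session_key + coherency_count.to_bytes(2, "big")).digest()[:16]

def ciphertext_xor(key1: bytes, key2: bytes, frame1: bytes, frame2: bytes) -> bytes:
    """XOR of two ciphertexts. Under one shared RC4 key the identical keystreams
    cancel, leaving frame1 XOR frame2: a passive observer learns about both
    plaintexts without ever recovering the key."""
    return xor_bytes(encrypt_frame(key1, frame1), encrypt_frame(key2, frame2))

# Constructed sample data; not a real MPPE session key or captured traffic.
SESSION_KEY = b"\x01\x02\x03\x04\x05"  # 40-bit demo key
FRAME_A = b"frame 1: internal payroll report"
FRAME_B = b"frame 2: quarterly forecast memo"

def leaks_when_key_reused() -> bool:
    """Stateful resync that re-initialises onto an already-used key."""
    return ciphertext_xor(SESSION_KEY, SESSION_KEY, FRAME_A, FRAME_B) == xor_bytes(FRAME_A, FRAME_B)

def leaks_when_keys_rotate() -> bool:
    """Stateless mode: fresh key per frame, so the keystreams do not cancel."""
    k1, k2 = per_frame_key(SESSION_KEY, 0), per_frame_key(SESSION_KEY, 1)
    return ciphertext_xor(k1, k2, FRAME_A, FRAME_B) == xor_bytes(FRAME_A, FRAME_B)
```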
Enterprises are increasingly looking to the Internet as a means of enabling new, lower-cost services for their users. The ubiquity of the Internet makes it very easy for remote and mobile users to connect anywhere on the planet; all that is required is an ISP to provide Internet access. At the same time, enterprises are hesitant to trust the Internet as a transport for private company data and are looking for means to use the Internet in a secure way.
PPTP with MPPE provides a solution to this need. PPTP provides a mechanism to tunnel user data across the Internet to the edge of the enterprise network, which allows users to use any ISP account and any Internet-routable IP address to access the edge of the Enterprise network. At the edge, the IP packet is de-tunneled and the IP address space of the enterprise is used for traversing the internal network. MPPE provides an encryption service that protects the datastream as it traverses the Internet. MPPE is available in two strengths: 40-bit encryption, which is widely available throughout the world, and 128-bit encryption, which may be subject to certain export controls when used outside the United States.
ISPs can also leverage PPTP with MPPE when deploying managed services for enterprise customers. In this model, the ISP deploys and manages the PPTP with MPPE tunnel server of the enterprise, or PPTP Network Server (PNS), and manages this service on behalf of the enterprise. The tunnel server may be located at the point of presence (POP) of the ISP, or it may be located at the edge of the enterprise network, but it is managed by the ISP.
A Cisco router running PPTP can support up to 2000 simultaneous PPTP tunnels without MPPE encryption. For PPTP tunnels with MPPE encryption, Cisco routers can currently support up to 500 simultaneous tunnels. Subsequent releases will be able to support up to 1800 simultaneous tunnels.
Only Cisco Express Forwarding (CEF) and process switching are supported. Regular fast switching is not supported.
Only voluntary tunneling—not compulsory tunneling—is supported.
PPTP does not support multilink.
VPDN multihop is not supported.
Because all PPTP signalling is over TCP, TCP configurations will affect PPTP performance in large-scale environments.
MPPE is not supported with TACACS.
MPPE is supported with RADIUS in Cisco IOS Releases 12.0(7)XE1 and later.
MPPE keys are not supported with SNT and CSU.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
If you are performing mutual authentication with MS-CHAP and MPPE, both sides of the tunnel must use the same password.
To use MPPE with AAA, you must use a RADIUS server that supports the Microsoft Vendor Specific Attribute for MPPE-KEYS. CiscoSecure does not currently support this attribute.
CiscoSecure ACS NT supports MPPE beginning with release 2.6. CiscoSecure ACS UNIX does not support MPPE.
Before configuring PPTP, enable the following configurations:
To configure Authentication, Authorization, and Accounting (AAA) on the tunnel server, use the following commands in global configuration mode:
To configure AAA on the RADIUS server, include the following attributes with the Return List Attributes:
To configure the tunnel server to create virtual-access interfaces from a virtual template for incoming PPTP calls, use the following commands beginning in global configuration mode:
The IP address pool consists of the IP addresses that the tunnel server assigns to clients. You can also provide BOOTP server information to clients. DNS servers, which are specified using the async-bootp dns-server command, translate host names to IP addresses. WINS servers, which are specified using the async-bootp nbns-server command, provide dynamic NetBIOS name resolution that Windows devices use to communicate without knowing IP addresses.
See the following sections for configuration tasks for the PPTP with MPPE feature. Each task in the list indicates if the task is optional or required.
To configure the tunnel server to accept tunneled PPP connections from a client, use the following commands beginning in global configuration mode:
To offload MPPE encryption from the tunnel server processor to the ISA card, use the following commands beginning in global configuration mode:
To tune PPTP, use one or more of the following commands in VPDN configuration mode:
To verify that a PPTP network functions properly, perform the following steps:
Step 2 From the client, dial in to the tunnel server.
Step 3 From the client, ping the tunnel server. From the client desktop:
(c). Enter ping tunnel-server-ip-address.
(e). Look at the terminal screen and verify that the tunnel server is sending ping reply packets to the client.
Step 4 From the tunnel server, enter the show vpdn command and verify that the client has established a PPTP session.
Step 5 For more detailed information, enter the show vpdn session all or show vpdn session window commands. The last line of output from the show vpdn session all command indicates the current status of the flow control alarm.
The last line of output from the show vpdn session window command indicates the current status of the flow control alarm (under the heading "Congestion") and the number of flow control alarms that have gone off during the session (under the heading "Alarms").
Step 6 For information on the virtual-access interface, enter the show ppp mppe virtual-access number command:
To update the key change information, reissue the show ppp mppe virtual-access 3 command.
To monitor and maintain PPTP with MPPE sessions, use the following EXEC commands:
The following example shows the running configuration of a tunnel server configured for PPTP using an ISA card to perform 40-bit MPPE encryption. It does not have a AAA configuration.
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.