Knowledge Is Power

Cisco VPN Routers with Windows PPTP Clients

Companion pages:

How To Use Your CGI-BIN About htaccess & XBitHack Trying Sun Solaris For Intel x86 Automate Cisco Device Monitoring CGI Scripts On Windows NT / IIS Find Out About Bad Links To Your Websites

Our other Cisco router page:
Setting Up a DMZ with Cisco Routers
Automate the Monitoring of Cisco Devices

After spending nearly a week with a Cisco TAC engineer trying to figure out why I couldn't get Windows PPTP clients to connect to a Cisco 806 router set up as a VPN gateway, we finally arrived at some answers. I thought I would put these answers on a Web page so that hopefully others will benefit from our work. Included is a listing of the Cisco router config file needed to get things to work and screen prints of the Windows client DUN (Dial-Up Networking) configurations.

First of all, note that you don't need any special hardware to get a Cisco router to act as a VPN gateway or "server" to remote access clients who wish to VPN in over the Internet to access your LAN. (I've seen Cisco 806 routers, which is their dual ethernet with integrated hub model, go for less than $300 on eBay.) You may need to add more memory though. We had to upgrade our 806 to 32 meg but Crucial has great prices on Cisco router memory (a 32-meg stick for the 806 only costs $13) and all you do is select your router model and the correct memory options will be listed so you know you're getting the right thing. You also don't need any special hardware for setting one up to act as an "end-point" when setting up a router-to-router tunnel using IPSec. However, be aware of the following key points:

• You do need a special IOS software image with the words IPSEC or 3DES in the "Feature Set" name (as is listed in the Feature Set column of the "IOS Upgrade Planner" on Cisco's Web site). Cisco refers to these images as their "CiscoSecure Integrated Software".
  
  

  The "IPSEC" images are straight DES offering 56-bit encryption. The "3DES" images offer up to 168-bit encryption.

• The actual file names of 12.2 IOS image files will have k8 (DES) or k9 (3DES) in them.
  
  
• Earlier version images will have 56i (DES) or k2 (3DES) in the file name.
  
  

  If the IPSEC and 3DES images do not show up in the listing of available feature sets for the IOS version you select, it's because your TAC login doesn't have the appropriate level of access. Because this technology is export-restricted, you will need to apply to get a higher level of access in order to see these encryption-capable images. The link to apply (once you are logged in with your Cisco TAC ID) is:
  www.cisco.com/cgi-bin/Software/Crypto/crypto_main.pl?param0=Strong&param1

• From what I've been able to see in IOS listings, 3DES is not available for the 2500 platform. 2600 and newer platforms are supported, including the small 800 series broadband access routers.
  
  
• Most DES/3DES images require 8 meg of flash. However, I did find one 3DES image for the 1720 series (which sold with 4 meg of flash standard) that only requires 4 meg. Use the Cisco IOS Upgrade Planner and drill down to the 1720 12.0 images and look for the 12.0.3T3 selection. The c1700-k2osy-mz.120-3.T3.bin file is the "IP/FW PLUS IPSEC 3DES" feature set IOS.

Note:  In playing around with a DES (k8) image on a 2514 router I had NO luck trying to get either a W2K or an NT client to connect. The DES image for this platform (and possibly others) only allows 40-bit encryption and only the MS-CHAP authentication protocol (not MS-CHAP-V2).

If you get the following error:

734: The PPP link control protocol was terminated

try simply adding the required keyword to the end of the ppp encrypt statement in the virtual template configuration (example shown below).


The Problem and the Solution

Scenario:  We had an 806 router set up per sample configs found on Cisco's Web site. We were using AAA for authentication and a Windows 2000 IAS (Internet Authentication Services) was used as a RADIUS server. (IAS gets installed automatically when you install the IIS Web server piece.) We couldn't get Windows 2000 or Windows NT Workstation clients to connect. The two errors we would get when trying to connect were:

Error 742: The remote computer does not support the required data encryption type (Windows 2000 DUN error)

or

Error 742: The remote host does not support encryption (Windows NT DUN error)

If you run debug ppp negotiation on the router you'll also see the error:

MPPE: Required encryption not negotiated

shortly before the disconnect.

It was thought that using Windows 2000 IAS would be the perfect solution since it would allow authentication to the Windows domain as well as to the access router. Think again. If you're using Windows 98, 95, or NT clients it won't work. (See No. 2 below.)

And now are the following two key points that the TAC engineer and I concluded after a week of testing:

1. Windows 2000 clients require the use of a aaa authorization statement in the router config (see the Windows 2000 config listed below). This was not mentioned in any of Cisco's documentation or sample configs and it was what caused me to open a TAC case initially. It is required no matter which method of authentication you are using (local, RADIUS, etc). It is also likely still needed if you are using L2TP instead of PPTP.
   
   
2. Windows NT clients will NOT work if you are using Windows 2000 IAS to provide RADIUS services. (We didn't try any Windows 95 or 98 clients but I would assume, since it's the same DUN family, that these clients won't work either.)

The following is the Cisco router configuration for supporting Windows 2000 PPTP clients. If you TFTP or paste this config into your router the order of the statements may change. The order was modified here to group statements of similar functionality together to aid in readability.

Note:  One person contacted me saying he had a problem when the local LAN and the remote LAN had the same network address (ex: both were set up as 172.16.x.x). The is true because the routers would see the traffic destined for the target network as local. The local and remote networks should have different network addresses.

NOTE:  This config is from a lab setup and are presented for educational purposes only. It should NOT be used on production routers because it do not implement the security features necessary for securing Internet-connected routers. See the information below on the book "Hardening Cisco Routers" if you plan to set up production Internet-connected routers.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
scheduler max-task-time 5000
!
no ip http server
no ip domain lookup
!
ip subnet-zero
ip classless
!
!
hostname 806-pptp
enable secret 5 $1$CD8.$mZPRQ4nMwOKjdksI4XKMz.
!
!
!    Fall-back local auth parameters in case of RADIUS server failure
username keith password 0 LETMEIN
!
!
!    Set up authentication to use RADIUS server as
!    the primary and local (above) as a fall-back
aaa new-model
aaa authentication ppp default group radius local
aaa authorization network default if-authenticated
aaa session-id common
!
!
!    Point to RADIUS server on private LAN for
!    authentication of connecting users
radius-server host 172.17.1.20 auth-port 1645 acct-port 1646
radius-server key LETMEIN
radius-server authorization permit missing Service-Type
!
!
vpdn enable
!
!    Default PPTP VPDN group
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!    This virtual interface is set up on the
!    router for each connecting client PC
interface Virtual-Template1
 ip unnumbered Ethernet0
 ip mroute-cache
 peer default ip address pool DIAL-IN
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
!
!    Set up a pool of 11 addresses on the private LAN dynamially
!    assigned to the DUN interfaces of connecting client PCs
ip local pool DIAL-IN 172.17.8.210 172.17.8.220
!
!
!    DNS and WINS server values given to client PCs
!    during client dynamic address assignments
async-bootp dns-server 172.17.1.26
async-bootp nbns-server 172.17.1.26
!
!
!     'Inside' interface with private LAN address
interface Ethernet0
 ip address 172.17.8.200 255.255.0.0
 hold-queue 100 out
!
!    'Outside' interface with public IP address [ficticous address]
interface Ethernet1
 ip address 205.148.34.77 255.255.255.240
!
!    Default route out to ISP  [ficticous address]
ip route 0.0.0.0 0.0.0.0 205.148.34.65
!
!
line con 0
 exec-timeout 30 0
 stopbits 1
line vty 0 4
 login
 password LETMEIN
!
end

Remember that NT (and probably 9x) clients won't work with W2K IAS so if you want to support these clients also, you'll need to change the aaa authentication line to:
aaa authentication ppp default local
and this will necessitate creating an entry in the router's local database for each user dialing in using the IOS command:
username <user's ID> password <user's password>
Also, they will NOT be authenticated to the Windows domain (Active Directory) when using this form of local authentication. (Yeah, it sucks.) Some alternatives might be (I have not tried these):

• Try Cisco's VPN client software (which you also need a higher level of access to download) on your NT and 9x clients rather than creating a RAS VPN DUN connection. I don't know if it will handle the domain authentication piece (in addition to authenticating to the router).
  
  
• Use a RADIUS server other than IAS. Cisco's ACS (Access Control Server) is one solution that would also support the Cisco proprietary TACACS+ AAA functionality and is available for Windows or UNIX servers. Cisco's VPN client software will work with ACS.
  
  
• The Windows NT 4 Option Pack supposedly has a RADIUS server that you can install which may work with 9x and NT clients but I don't know how well it would handle Active Directory authentication if you have a Windows 2000 network.

PPTP Client Setup

NOTE:  It is VERY important that you select "Require encryption" in the Windows 2000 DUN configuration or check the "Require data encyption" check-box in the Windows NT DUN configuration. A VPN without encryption isn't much of a VPN. It's just an authenticated tunnel.

If you are trying to set up an unencrypted tunnel for some reason and you get the error:

Error 718: Timed out waiting for a valid response from the remote PPP peer

go into the DUN connection's TCP/IP properties and UNcheck the "Use IP header compression" check-box.

The Windows 2000 DUN configuration looks like this:










For Windows NT the configuration is:





Cisco has a PPTP FAQ available on their Web site at:
https://www.cisco.com/c/en/us/support/docs/ip/point-to-point-tunneling-protocol-pptp/18761-pptp-faq.html
If you're only going to be supporting Windows 2000 clients, don't even bother with PPTP. Use L2TP instead. However, even with L2TP you would likely still need the aaa authorization statement shown in the above config.

If you're going to have any Cisco router interface connected to the Internet or any other type of "untrusted" network (trading partner extranet, etc.) I strongly suggest you get this book:

More info...

Any kind of Internet connection is risky from a security perspective. If you connect Cisco routers to the Internet you'll want Hardening Cisco Routers. It's an administrator's book. Threats and the IOS commands needed to mitigate them are given. Each chapter has a checklist you can use to check your routers to make sure they comply with all of the points mentioned. Just the information on setting up your routers for secure remote access alone is worth the price of the book. It also shows you how to limit your router's SNMP exposure which, if you've looked at Cisco's "IOS Upgrade Planner" Web page lately, you know presents a big security threat to IOS devices. At $18 it's got to be the biggest bargain in the Cisco world. Another fine book in the O'Reilly tradition of real world info for real world situtations. (After you get the book be sure to check O'Reilly's Web site - www.oreilly.com - for the errata. There are a couple minor things and some reader comments that are important, more so with a book of this nature which focuses on securing routers.)

Luckily there are a lot less problems when setting up a router-to-router tunnel using IPSec (because Microsoft protocols are not involved). However, IPSec is NOT an easy thing to learn. The IETF created six different categories just to organize all of the RFCs associated with it. There are crypto, hashing, and key-exchange algorithms (DES, MD5, SHA, IKE, etc), protocol options (AS or ESP), and modes (transport and tunnel). However, given the substantial potential cost savings (by replacing dedicated leased lines and frame relay links) and the resulting growing popularity of VPNs it would be well worth your effort to get good at them.

More info...

I've bought quite a few (both Cisco Press and other publishers) books dealing with Cisco VPNs. The best one of the bunch is the book which prepares you for the MCNS (Managing Cisco Network Security) certification exam. Managing Cisco Network Security has three chapters devoted VPNs and IPSec. The MCNS exam is the foundation exam for most of Cisco's security-related certifications (Cisco Security Specialist 1 and Cisco VPN Specialist, etc.).

Don't confuse IPSec tunnels with the GRE/CET tunnels you can set up to do routing over tunneled links. While they both set up encrypted tunnels, the application of these two technologies are entirely different. For example, an IPSec tunnel is called for if you want to set up a private "extranet" connection to a partner while a GRE/CET tunnel would allow you to keep IPX and AppleTalk protocols off of your backbone.

Did you find this page helpful ? If so, please use the Amazon book links to help pay the costs associated with making this page available.

Top of page





Contents, diagrams, and images    Copyright © 2004-2023    Keith Parkansky    All rights reserved.
Certain graphics, symbols, and terms used on this site and in its documents are registered trademarks
of their respective owners and are contained herein for identification purposes only.
No endorsement of this site, its contents, or its documents by these owners is expressed or implied.

LIABILITY

IN NO EVENT WILL KEITH PARKANSKY BE LIABLE TO ANY PARTY (i) FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR INFORMATION, AND THE LIKE), OR ANY OTHER DAMAGES ARISING IN ANY WAY OUT OF THE AVAILABILITY, USE, RELIANCE ON, OR INABILITY TO USE THE INFORMATION, METHODS, HTML OR COMPUTER CODE, OR "KNOWLEDGE" PROVIDED ON OR THROUGH THIS WEBSITE OR ANY OF ITS' ASSOCIATED DOCUMENTS, DIAGRAMS, IMAGES, REPRODUCTIONS, COMPUTER EXECUTED CODE, OR ELECTRONICALLY STORED OR TRANSMITTED FILES OR GENERATED COMMUNICATIONS OR DATA EVEN IF KEITH PARKANSKY SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, OR OTHERWISE; OR (ii) FOR ANY CLAIM ATTRIBUTABLE TO ERRORS, OMISSIONS, OR OTHER INACCURACIES IN, OR DESTRUCTIVE PROPERTIES OF ANY INFORMATION, METHODS, HTML OR COMPUTER CODE, OR "KNOWLEDGE" PROVIDED ON OR THROUGH THIS WEBSITE OR ANY OF ITS' ASSOCIATED DOCUMENTS, DIAGRAMS, IMAGES, REPRODUCTIONS, COMPUTER EXECUTED CODE, OR ELECTRONICALLY STORED, TRANSMITTED, OR GENERATED FILES, COMMUNICATIONS, OR DATA. USE OF THIS SITE CONSTITUTES ACCEPTANCE OF ALL STATED TERMS AND CONDITIONS.