What is PPTP
PPTP (Point to Point Tunneling Protocol) is a quick and easy solution to offer remote access to users. Since it is natively supported on almost all Windows operating systems (Windows XP, 7, 8 etc), this kind of remote access makes an ideal solution for clients using windows OS. Also, you don’t need to install any additional software on the client machine.
However, you should note that PPTP does not offer the strong encryption and security offered by IPSEC or SSL VPN remote access solutions. Although the Microsoft Point-to-Point Encryption (MPPE) supported by Cisco routers offers a good degree of security, PPTP remote access should not be used in situations where you need to provide access to high security resources and highly confidential data.
Like other types of remote access solutions, a remote user can use PPTP to connect to a corporate network and be treated as directly connected to that internal network even if he is physically outside the network.
PPTP is always implemented between a server (e.g a Cisco router) and a client (e.g a windows workstation). Cisco supports PPTP on its IOS routers. Cisco ASA firewalls do not support termination of PPTP on the firewall itself.
There are numerous resources for configuring PPTP on windows machines. See some good tutorials below:
For Windows 7:
For Windows 8:
Configuring PPTP on Cisco Router
For this tutorial I propose the following scenario: The enterprise has a network with multiple sites connected via a VPN (this can be MPLS VPN, IPSEC VPN etc). There is a single point connected to the internet and we need to offer a quick and easy remote access solution for teleworkers to access the whole network resources.
Assume that “Interface VLAN 1” with IP range 10.10.10.0/24 has routing access to the whole VPN network. If we “attach” the remote access users via the PPTP tunnel to this VLAN and assign them an IP address in the range 10.10.10.0/24, then they will have full access to the whole network resources.
In this scenario we will be authenticating users from local usernames configured on the Cisco router. For a more scalable and secure solution, I recommend using an external RADIUS server to authenticate users.
For this example our hardware is a cisco 867VAE-k9 with image c860vae-advsecurityk9-mz.152-4.M3.bin installed.
The configuration needed to enable PPTP on the cisco router is described below :
vpdn enable <—- Enable VDPN (Virtual Private Dialup Network).
vpdn source-ip 18.104.22.168 < —– The IP used for the incoming connections
vpdn-group Networkstraining < ———— The name of the group
accept-dialin < —– Enables the router to accept dial in
protocol pptp < ———- Protocol to be used
virtual-template 1 < ———- The interface used for access
interface Virtual-Template1 < ——– The interface used for cloning
description PPTP Access
ip unnumbered Vlan1 < ———— Uses the IP configured on Vlan1 interface
ip virtual-reassembly in
peer default ip address pool PPTP-Pool < —- Assign IP’s to clients in the range stated in PPTP-Pool
ppp encrypt mppe auto< —- Use Microsoft mppe encryption with automatically selected encryption strength (40, 56, or 128 bits)
ppp authentication ms-chap ms-chap-v2 < —- Configure the authentication methods allowed
ip local pool PPTP-Pool 10.10.10.90 10.10.10.100 < —— The range of IP’s that the dial in client will receive
username RemoteUser password letmein < ——– Creates a local username and password used for authentication. You can add more users here but we suggest a RADIUS server.
Other config :
description WAN Interface
ip address 22.214.171.124 255.255.255.252
description LAN Network
ip address 10.10.10.1 255.255.255.0
Line User Host(s) Idle Location
* 6 vty 0 admin idle 00:00:00
Interface User Mode Idle Peer Address
Vi3 RemoteUser PPPoVPDN 00:05:40 126.96.36.199
%No active L2F tunnels
%No active L2TP tunnels
PPTP Tunnel and Session Information Total tunnels 1 sessions 1
LocID Remote Name State Remote Address Port Sessions VPDN Group
182 estabd 188.8.131.52 37277 1 Networkstraining
LocID RemID TunID Intf Username State Last Chg Uniq ID
64 49152 182 Vi3 RemoteUser estabd 2d15h 63