Cisco PPTP VPDN server
From Internetworkpro
Using a Cisco ISR as a PPTP VPN Endpoint
A typical setup forwards port 1723 (PPTP) through to an internal server, which then acts as the VPN endpoint; security policies can be applied from that server and so forth. But what happens if the VPN server is offline or has failed? What if your staff, or you, still require remote access for fault correction? Below I will explain the advantages of using a Cisco ISR as the VPN endpoint, with configuration examples.
I will write the relevant config first, then explain each section below.
aaa new-model
! RADIUS is tried first; local accounts are the fallback when the RADIUS server is unreachable
aaa authorization network default group radius local
aaa authentication ppp default group radius local
!
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
!
! DNS and WINS servers handed to VPN clients
async-bootp dns-server 192.168.0.1
async-bootp nbns-server 192.168.0.2
!
interface Virtual-Template 1
 ip unnumbered vlan1
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp header-compression
 peer default ip address pool DIAL-IN
 no keepalive
 compress mppc
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool DIAL-IN 192.168.0.81 192.168.0.90
!
radius-server host 192.168.0.3 auth-port 1645 acct-port 1646
radius-server key MYRADIUSKEY
The first part of the config enables AAA (Authentication, Authorization and Accounting) and then specifies how AAA is used for PPP and network connections on the router. In this example I specify the "default" method list to use RADIUS as primary and local as secondary. Dial-in users will first be checked against RADIUS, the relevant security policies are applied, and the user is then permitted or denied based on the policy enforced. If the RADIUS server isn't available, local user accounts on the ISR will be checked. Here you could specify a local user account called "vpnbackup" which is used only for this purpose, so that remote management of the site remains possible when the server is offline.
Next I enable the VPDN (Virtual Private Dialup Network) service on the router and create a group, assign the protocol used (PPTP here), and associate it with an interface, Virtual-Template1.
The 'async-bootp' commands assign DNS and WINS servers to your VPN clients. Staff connecting remotely will typically require access to local servers and applications, which requires internal DNS to work. In this example I'm assigning 192.168.0.1 and 192.168.0.2 as the DNS and WINS servers respectively.
Now I create the virtual interface that dial-in users connect to. The command 'ip unnumbered vlan1' will vary depending on which LAN interface your setup uses; it could be FastEthernet0/0 or a sub-interface such as FastEthernet0/0.10. We also specify the address pool assigned to VPN clients, here the local pool DIAL-IN, and the authentication methods available to dial-in clients.
We now create the local pool. In this pool I specify a range that is actually in the same subnet as my LAN. This is purely by design and you can assign any range you wish. If you use a range in the same subnet as your LAN, make sure your DHCP server has a reservation for that range so it is not assigned to any local devices.
Finally we specify the RADIUS-specific information: the RADIUS host, the auth and acct ports (these are the default settings), and the RADIUS key used to authenticate the ISR to the RADIUS server and vice versa. **Please note, setting up RADIUS is beyond the scope of this document**
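The settings explained above can be checked mechanically before a change window. The following audit script is an added example, not part of the original article or any Cisco tool; it assumes the config is a plain 'show running-config' dump, that the operator supplies the LAN subnet, and it runs against a constructed sample in which 'required' has been dropped from the MPPE line.

```python
import ipaddress
import re

# Constructed sample (not the article's verbatim config): the article's settings
# with 'required' dropped from the MPPE line so the audit has something to flag.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp default group radius local
interface Virtual-Template1
 ip verify unicast reverse-path
 peer default ip address pool DIAL-IN
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2
ip local pool DIAL-IN 192.168.0.81 192.168.0.90
"""

def virtual_template_lines(lines):
    """Sub-commands (indented lines) of the interface Virtual-Template block."""
    block, inside = [], False
    for line in lines:
        if line.startswith("interface Virtual-Template"):
            inside = True
        elif inside and line.startswith(" "):
            block.append(line.strip())
        else:
            inside = False
    return block

def audit_pptp_config(config, lan_subnet):
    """Return a list of findings (empty means every check passed)."""
    lines = [l.rstrip() for l in config.splitlines()]
    vt = virtual_template_lines(lines)
    findings = []
    if not any(l.startswith("ppp encrypt mppe") and l.endswith(" required") for l in vt):
        findings.append("MPPE not 'required': a client may negotiate no encryption")
    if "ip verify unicast reverse-path" not in vt:
        findings.append("uRPF missing on Virtual-Template: client source addresses unchecked")
    auth = next((l for l in vt if l.startswith("ppp authentication")), "")
    if "ms-chap" in auth.split():
        findings.append("MS-CHAP v1 permitted alongside v2: weaker challenge/response")
    pool = next((l.split()[-1] for l in vt if l.startswith("peer default ip address pool")), None)
    defn = next((re.match(r"ip local pool (\S+) (\S+) (\S+)", l) for l in lines
                 if pool and l.startswith(f"ip local pool {pool} ")), None)
    if not defn:
        findings.append("client address pool not referenced on the template or not defined")
    else:
        net = ipaddress.ip_network(lan_subnet)
        if all(ipaddress.ip_address(defn.group(i)) in net for i in (2, 3)):
            findings.append(f"pool {pool} lies inside LAN {net}: reserve it on the DHCP server")
    return findings
```

Run against the sample with the LAN subnet 192.168.0.0/24 it reports three findings: MPPE not mandatory, MS-CHAP v1 still permitted, and the pool overlapping the LAN (which the article accepts by design, provided the DHCP reservation exists).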
You can now VPN to your ISR router. Confirm which users are currently connected with the 'show users' command in privileged EXEC mode.
I hope this has been helpful. As always, any modification to production equipment can cause service interruptions; I advise testing this in a lab environment first.

