Table of Contents
PPTP with MPPE
Feature Overview
PPTP Overview
MPPE Overview
Benefits
Restrictions
Supported Platforms
Supported Standards, MIBs, and RFCs
Prerequisites
Configuring AAA
Configuring AAA on the RADIUS Server
Creating the Virtual Template for Dial-In Sessions
Specifying the IP Address Pool and BOOTP Servers
Configuration Tasks
Configuring a Tunnel Server to Accept PPTP Tunnels
Configuring MPPE on the ISA Card
Tuning PPTP
Verifying a PPTP Connection
Monitoring and Maintaining PPTP Sessions
Configuration Examples
Command Reference
clear vpdn tunnel
encryption mppe
ppp encrypt mppe
pptp flow-control receive-window
pptp flow-control static-rtt
pptp tunnel echo
show ppp mppe
Command Modes
Command History
Usage Guidelines
Examples
Related Commands
debug ppp mppe
PPTP with MPPE
This document includes the following sections:
Feature Overview
The Point to Point Tunneling Protocol (PPTP) with Microsoft Point-to-Point Encryption (MPPE) feature enables Cisco Virtual Private Networks (VPNs) to use PPTP as the tunneling protocol.
PPTP Overview
PPTP is a network protocol that enables the secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol, virtual private networking over public networks, such as the Internet. This section describes the following aspects of PPTP:
Compulsory and Voluntary Tunneling
VPNs are built on one of the following two tunneling architectures:
Compulsory Tunneling
Compulsory tunneling (also referred to as NAS-initiated tunneling) enables users to dial in to a NAS, which then establishes an encrypted tunnel to the tunnel server. The connection between the user's client and the NAS is not encrypted.
Voluntary Tunneling
Voluntary tunneling (also referred to as client-initiated tunneling) enables clients to configure and establish encrypted tunnels to tunnel servers without an intermediate NAS participating in the tunnel negotiation and establishment.
For PPTP, only voluntary tunneling is supported.
PPTP Tunnel Negotiation
Table 1 describes the protocol negotiation events that establish a PPTP tunnel.
Table 1 Protocol Negotiation Event Descriptions
Flow Control Alarm
The flow control alarm is a new function that indicates if PPTP detects congestion or lost packets. When a flow control alarm goes off, PPTP reduces volatility and additional control traffic by establishing an accompanying stateful MPPE session.
For more information, see the pptp flow-control static-rtt command, and the output from the show vpdn session commands in the "Verifying a PPTP Connection" section.
MPPE Overview
MPPE is an encryption technology developed by Microsoft to encrypt point-to-point links. These PPP connections can be over a dialup line or over a VPN tunnel. MPPE works as a subfeature of Microsoft Point-to-Point Compression (MPPC).
MPPC is a scheme used to compress PPP packets between Cisco and Microsoft client devices. The MPPC algorithm is designed to optimize bandwidth utilization in order to support multiple simultaneous connections.
MPPE is negotiated using bits in the MPPC option within the Compression Control Protocol (CCP) MPPC configuration option (CCP configuration option number 18).
MPPE uses the RC4 algorithm with either 40- or 128-bit keys. All keys are derived from the cleartext authentication password of the user. RC4 is a stream cipher; therefore, encrypted and decrypted frames are the same size as the original frame. The Cisco implementation of MPPE is fully interoperable with that of Microsoft and uses all available options, including historyless mode. Historyless mode can increase throughput in lossy environments such as VPNs, because neither side needs to send CCP Reset Requests to resynchronize encryption contexts when packets are lost.
MPPE Encryption Types
Two modes of MPPE encryption are offered:
Stateful MPPE Encryption
Stateful encryption provides the best performance but may be adversely affected by networks experiencing substantial packet loss. If you choose stateful encryption, you should also configure flow control to minimize the detrimental effects of this lossiness.
Because of the way that the RC4 tables are reinitialized during stateful synchronization, it is possible that two packets may be encrypted using the same key. For this reason, stateful encryption may not be appropriate for lossy network environments (such as Layer 2 tunnels on the Internet).
Stateless MPPE Encryption
Stateless encryption provides a lower level of performance, but will be more reliable in a lossy network environment.
Caution: If you choose stateless encryption, you should not configure flow control.
Benefits
Enterprises are increasingly looking to the Internet as a means of enabling new, lower-cost services for their users. The ubiquity of the Internet makes it very easy for remote and mobile users to connect anywhere on the planet; all that is required is an ISP to provide Internet access. At the same time, enterprises are hesitant to trust the Internet as a transport for private company data and are looking for means to use the Internet in a secure way.
PPTP with MPPE provides a solution to this need. PPTP provides a mechanism to tunnel user data across the Internet to the edge of the enterprise network, which allows users to use any ISP account and any Internet-routable IP address to access the edge of the Enterprise network. At the edge, the IP packet is de-tunneled and the IP address space of the enterprise is used for traversing the internal network. MPPE provides an encryption service that protects the datastream as it traverses the Internet. MPPE is available in two strengths: 40-bit encryption, which is widely available throughout the world, and 128-bit encryption, which may be subject to certain export controls when used outside the United States.
ISPs can also leverage PPTP with MPPE when deploying managed services for enterprise customers. In this model, the ISP deploys and manages the PPTP with MPPE tunnel server of the enterprise, or PPTP Network Server (PNS), and manages this service on behalf of the enterprise. The tunnel server may be located at the point of presence (POP) of the ISP, or it may be located at the edge of the enterprise network, but it is managed by the ISP.
Scalability
A Cisco router running PPTP can support up to 2000 simultaneous PPTP tunnels without MPPE encryption. For PPTP tunnels with MPPE encryption, Cisco routers can currently support up to 500 simultaneous tunnels. Subsequent releases will be able to support up to 1800 simultaneous tunnels.
Restrictions
- Only Cisco Express Forwarding (CEF) and process switching are supported. Regular fast switching is not supported.
- Only voluntary tunneling—not compulsory tunneling—is supported.
- PPTP does not support multilink.
- VPDN multihop is not supported.
- Because all PPTP signalling is carried over TCP, TCP configuration affects PPTP performance in large-scale environments.
- MPPE is not supported with TACACS.
- MPPE is supported with RADIUS in Cisco IOS Releases 12.0(7)XE1 and later.
- MPPE keys are not supported with SNT and CSU.
Supported Platforms
Supported Standards, MIBs, and RFCs
Standards
MIBs
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
Prerequisites
If you are performing mutual authentication with MS-CHAP and MPPE, both sides of the tunnel must use the same password.
To use MPPE with AAA, you must use a RADIUS server that supports the Microsoft Vendor Specific Attribute for MPPE-KEYS. CiscoSecure does not currently support this attribute.
CiscoSecure ACS NT supports MPPE beginning with release 2.6. CiscoSecure ACS UNIX does not support MPPE.
Before configuring PPTP, complete the following configuration tasks:
- Configuring AAA (Optional)
- Configuring AAA on the RADIUS Server (Optional)
- Creating the Virtual Template for Dial-in Sessions (Required)
- Specifying the IP Address Pool and BOOTP Servers (Optional)
Configuring AAA
To configure Authentication, Authorization, and Accounting (AAA) on the tunnel server, use the following commands in global configuration mode:
Configuring AAA on the RADIUS Server
To configure AAA on the RADIUS server, include the following attributes with the Return List Attributes:
Creating the Virtual Template for Dial-In Sessions
To configure the tunnel server to create virtual-access interfaces from a virtual template for incoming PPTP calls, use the following commands beginning in global configuration mode:
Specifying the IP Address Pool and BOOTP Servers
The IP address pool consists of the IP addresses that the tunnel server assigns to clients. You can also provide BOOTP servers. DNS servers, which are specified using the async-bootp dns-server command, translate host names to IP addresses. WINS servers, which are specified using the async-bootp nbns-server command, provide dynamic NetBIOS names that Windows devices use to communicate without IP addresses.
Configuration Tasks
See the following sections for configuration tasks for the PPTP with MPPE feature. Each task in the list indicates if the task is optional or required.
- Configuring a Tunnel Server to Accept PPTP Tunnels (Required)
- Configuring MPPE on the ISA Card (Optional)
- Tuning PPTP (Optional)
Configuring a Tunnel Server to Accept PPTP Tunnels
To configure a tunnel to accept tunneled PPP connections from a client, use the following commands beginning in global configuration mode:
Configuring MPPE on the ISA Card
To offload MPPE encryption from the tunnel server processor to the ISA card, use the following commands beginning in global configuration mode:
Tuning PPTP
To tune PPTP, use one or more of the following commands in VPDN configuration mode:
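The following is an added example of a complete tunnel-server configuration that ties the prerequisite tasks and the configuration tasks above together; it is not the configuration example from the original document. The interface name, the ISA slot (5/0), the addresses, the pool name, the username and the receive-window value are constructed; the hierarchical vpdn-group syntax (accept-dialin / protocol pptp / virtual-template) is assumed to be the form this release accepts; the password is a placeholder. The static-rtt and tunnel echo values are the defaults this page documents.

```cisco
! Added example, not the original document's configuration.
! Tunnel server (PNS) accepting voluntary PPTP tunnels with MPPE.
! Assumed: FastEthernet0/0 is the inside interface, the ISA card is in
! slot 5/port 0, 10.1.1.0/24 is the client pool, 10.1.0.10 and 10.1.0.11
! are the DNS and WINS servers.
!
! --- Local AAA (a RADIUS server with the Microsoft MPPE-KEYS VSA is the
! --- alternative; TACACS cannot be used with MPPE)
aaa new-model
aaa authentication ppp default local
username pptp-user password 0 REPLACE-WITH-REAL-PASSWORD
!
! --- Enable VPDN and accept PPTP dial-in sessions on Virtual-Template1
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 ! Tuning (VPDN configuration mode). Flow control belongs with stateful
 ! MPPE only; with the stateless default, leave the two flow-control
 ! commands out (Caution under "Stateless MPPE Encryption").
 pptp tunnel echo 60
 ! pptp flow-control static-rtt 1500
 ! pptp flow-control receive-window 16   (constructed example value)
!
! --- Offload MPPE to the ISA card (a reload is needed for the change
! --- from encryption ipsec to encryption mppe to take effect)
controller ISA 5/0
 encryption mppe
!
! --- Address pool and BOOTP (DNS/WINS) servers handed to clients
ip local pool pptp-pool 10.1.1.2 10.1.1.254
async-bootp dns-server 10.1.0.10
async-bootp nbns-server 10.1.0.11
!
! --- Virtual template cloned into a virtual-access interface per session
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool pptp-pool
 ! MS-CHAP is mandatory for MPPE: Windows clients require it, and the
 ! MPPE keys are derived from the authentication exchange.
 ppp authentication ms-chap
 ! Stateless (default) 128-bit MPPE, required: the session is torn down
 ! if the peer will not encrypt. Weaker forms the page documents:
 !   ppp encrypt mppe 40 passive              (40-bit, only if peer asks)
 !   ppp encrypt mppe 128 required stateful   (then enable flow control)
 ppp encrypt mppe 128 required
```

Both tunnel endpoints must be configured with identical MPPE options, so the client side must also be set to 128-bit encryption for the required form above to negotiate; if the peer can only offer 40-bit keys, the session will be terminated rather than silently downgraded.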
Verifying a PPTP Connection
To verify that a PPTP network functions properly, perform the following steps:
Step 1 From the client, dial in to the ISP and establish a PPP session.
Step 2 From the client, dial in to the tunnel server.
Step 3 From the client, ping the tunnel server. From the client desktop:
(c). Enter ping tunnel-server-ip-address.
(e). Look at the terminal screen and verify that the tunnel server is sending ping reply packets to the client.
Step 4 From the tunnel server, enter the show vpdn command and verify that the client has established a PPTP session.
Step 5 For more detailed information, enter the show vpdn session all or show vpdn session window commands. The last line of output from the show vpdn session all command indicates the current status of the flow control alarm.
The last line of output from the show vpdn session window command indicates the current status of the flow control alarm (under the heading "Congestion") and the number of flow control alarms that have gone off during the session (under the heading "Alarms").
Step 6 For information on the virtual-access interface, enter the show ppp mppe virtual-access number command:
To update the key change information, reissue the show ppp mppe virtual-access 3 command.
Monitoring and Maintaining PPTP Sessions
To monitor and maintain PPTP with MPPE sessions, use the following EXEC commands:
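The following added example (not part of the original document) collects the EXEC commands from the verification steps above and from the command reference into one session on the tunnel server. The interface number (3) and the tunnel endpoint names (orion, samson) are taken from the examples elsewhere on this page; command output is not reproduced.

```cisco
! Added example, not from the original document: verifying and
! maintaining PPTP/MPPE sessions at the tunnel server's EXEC prompt.
!
! Step 4: confirm that the client has established a PPTP session.
show vpdn
!
! Step 5: per-session detail. The last line of each report shows the
! flow control alarm: "Congestion" is the current alarm state, "Alarms"
! the number of times the alarm has gone off during the session.
show vpdn session all
show vpdn session window
!
! Step 6: MPPE state for the virtual-access interface cloned for the
! session. Rising drops, misses, out-of-order counts or CCP-Resets mean
! packets are being lost; with stateful MPPE configured, that is the
! signal to switch to stateless. Reissue to refresh key-change counters.
show ppp mppe virtual-access 3
!
! Troubleshooting: force the tunnel between NAS "orion" and home gateway
! "samson" down without unconfiguring it. A user logging in can bring it
! straight back, so this is a reset, not a way to block access.
clear vpdn tunnel pptp orion samson
!
! Per-event MPPE debugging; turn it off once the problem is captured.
debug ppp mppe
no debug ppp mppe
```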
Configuration Examples
The following example shows the running configuration of a tunnel server configured for PPTP using an ISA card to perform 40-bit MPPE encryption. It does not have a AAA configuration.
Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.
clear vpdn tunnel
To shut down a specified tunnel and all the message identifiers (MIDs) within it, use the clear vpdn tunnel EXEC command.
- clear vpdn tunnel [pptp | l2f | l2tp] network-access-server gateway-name
Syntax Description
pptp | (Optional) Clears the specified Point-to-Point Tunneling Protocol (PPTP) tunnel. |
l2f | (Optional) Clears the specified Layer 2 Forwarding (L2F) tunnel. |
l2tp | (Optional) Clears the specified Layer 2 Tunneling Protocol (L2TP) tunnel. |
network-access-server | Name of the network access server at the far end of the tunnel, probably the point of presence of the public data network or the ISP. |
gateway-name | Name of the home gateway. |
Command Modes
Command History
Usage Guidelines
This command is used primarily for troubleshooting. You can use the command to force the tunnel to come down without unconfiguring it (the tunnel could be restarted immediately by a user logging in).
Examples
The following example clears a tunnel between a network access server called orion and a home gateway called samson:
encryption mppe
To enable Microsoft Point-to-Point Encryption (MPPE) encryption on an Industry-Standard Architecture (ISA) card, use the encryption mppe ISA controller configuration command. To disable MPPE encryption, use the no form of this command.
- encryption mppe
- no encryption mppe
Syntax Description
This command has no keywords or arguments.
Defaults
IPSec is the default encryption type.
Command Modes
Command History
Usage Guidelines
Using the ISA card offloads MPPE from the router processor and will improve performance in large-scale environments.
The router must be rebooted for the change from encryption ipsec to encryption mppe to take effect.
Examples
The following example enables MPPE encryption on the ISA card in slot 5, port 0:
Related Commands
Command | Description |
ppp encrypt mppe
To enable Microsoft Point-to-Point Encryption (MPPE) encryption on the virtual template, use the ppp encrypt mppe interface configuration command. Use the no form of this command to disable MPPE encryption.
- ppp encrypt mppe {auto | 40 | 128} [passive | required] [stateful]
- no ppp encrypt mppe
Syntax Description
passive | (Optional) MPPE will not offer encryption, but will negotiate if the other tunnel endpoint requests encryption. |
required | (Optional) MPPE must be negotiated, or the connection will be terminated. |
stateful | (Optional) MPPE will only negotiate stateful encryption. If the stateful keyword is not used, MPPE will first attempt to negotiate stateless encryption, but will fall back to stateful if the other tunnel endpoint requests stateful. |
Defaults
The default encryption type is stateless.
Command Modes
Command History
Usage Guidelines
To use the encryption mppe command, PPP encapsulation must be enabled.
Note: The ppp authentication ms-chap command must be added to the interface that will carry PPTP-MPPE traffic. All Windows clients using MPPE need MS-CHAP. This is a Microsoft design requirement.
The auto keyword is only offered on 128-bit images.
All of the configurable MPPE options must be identical on both tunnel endpoints.
Caution: Because of the way that the RC4 tables are reinitialized during stateful synchronization, it is possible that two packets may be encrypted using the same key. For this reason, stateful encryption may not be appropriate for lossy network environments (such as Layer 2 tunnels on the Internet).
Examples
The following example shows a virtual template configured to perform 40-bit MPPE encryption:
Related Commands
Command | Description |
ppp authentication | Enables CHAP, PAP, MS-CHAP or a combination of methods and specifies the order in which the authentication methods are selected on the interface. |
pptp flow-control receive-window
To specify how many packets the client can send before it has to wait for the tunnel server's acknowledgment, use the pptp flow-control receive-window VPDN configuration command. Use the no form of this command to return to the default value.
- pptp flow-control receive-window packets
- no pptp flow-control receive-window
Syntax Description
packets | Number of packets the client can send before it has to wait for the tunnel server's acknowledgment. |
Defaults
Command Modes
Command History
Related Commands
pptp flow-control static-rtt
To specify the timeout interval of the tunnel server between sending a packet to the client and receiving a response, use the pptp flow-control static-rtt VPDN configuration command. Use the no form of this command to return to the default value of 1500 milliseconds (ms).
- pptp flow-control static-rtt milliseconds
- no pptp flow-control static-rtt
Syntax Description
milliseconds | Timeout interval of the tunnel server between sending a packet to the client and receiving a response. |
Defaults
Command Modes
Command History
Usage Guidelines
If the session times out, the tunnel server does not retry or resend the packet. Instead, the flow control alarm goes off and stateful mode is automatically switched to stateless.
Related Commands
Command | Description |
pptp flow-control receive-window | Specifies how many packets the client can send before it must wait for the acknowledgment from the tunnel server. |
pptp tunnel echo | Specifies the period of idle time on the tunnel that will trigger an echo message from the tunnel server to the client. |
pptp tunnel echo
To specify the period of idle time on the tunnel that will trigger an echo message from the tunnel server to the client, use the pptp tunnel echo VPDN configuration command. Use the no form of this command to return to the default value of 60 seconds.
- pptp tunnel echo seconds
- no pptp tunnel echo
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
If the tunnel server does not receive an echo reply within 20 seconds, it will tear down the tunnel. This 20-second interval is hard coded.
Related Commands
Command | Description |
pptp flow-control receive-window | Specifies how many packets the client can send before it must wait for the acknowledgment from the tunnel server. |
pptp flow-control static-rtt | Specifies the timeout interval of the tunnel server between sending a packet to the client and receiving a response. |
show ppp mppe
To display Microsoft Point-to-Point Encryption (MPPE) information for an interface, use the show ppp mppe privileged EXEC command.
- show ppp mppe {serial | virtual-access} [number]
Syntax Description
virtual-access | Displays MPPE information for all virtual-access interfaces. |
number | (Optional) Displays MPPE information for only the specified interface. |
Command Modes
Command History
Usage Guidelines
None of the fields in the output from the show ppp mppe command are fatal errors. Excessive packet drops, misses, out of orders, or CCP-Resets indicate that packets are getting lost. If you see such activity and have stateful MPPE configured, you may want to consider switching to stateless mode.
Examples
The following example displays MPPE information for virtual-access interface 3:
To update the key change information, reissue the show ppp mppe virtual-access 3 command:
Table 2 describes significant fields in the output:
Table 2 show ppp mppe Field Descriptions
Related Commands
Command | Description |
pptp flow-control static-rtt | Specifies the timeout interval of the tunnel server between sending a packet to the client and receiving a response. |
Debug Commands
This section documents the new debug ppp mppe command. All other commands used with this feature are documented in the Cisco IOS Release 12.0 command reference publications.
debug ppp mppe
To display debug messages for Microsoft Point-to-Point Compression (MPPC) events, use the debug ppp mppe EXEC command. Use the no form of this command to disable MPPC debugging.
- debug ppp mppe
- no debug ppp mppe
Syntax Description
This command has no keywords or arguments.
Defaults
Command History
Related Commands