PPTP VPN (Vyatta)
Instructions on how to set up a client/user PPTP VPN using a Vyatta router. For any more than a handful of users, it's best to use centralised user account management, e.g. RADIUS running on a Win2008 DC.
Prerequisites
- Range of internal addresses to be assigned to users when they connect
- IP of RADIUS server and shared secret (if using RADIUS authentication)
- DNS server IPs for VPN clients
- VPN address (external IP of router)
Even if you expect to use RADIUS, it's probably best to configure local authentication with a test account first, so that you can confirm the basic setup works. Then add the two lines for RADIUS authentication.
Firewall Configuration
Create a rule to allow the initial connection...
set firewall name eth0-local rule 10 description "PPTP access - Initial"
set firewall name eth0-local rule 10 destination port 1723
set firewall name eth0-local rule 10 protocol tcp
set firewall name eth0-local rule 10 action accept
There should be an existing rule that allows established and related connections. Show the config and look for:
rule 10 {
    action accept
    description ESTABLISHED
    state {
        established enable
        related enable
    }
}
You can either add the missing rule above, or create one specifically for PPTP data traffic (GRE)...
set firewall name eth0-local rule 60 description "PPTP access - Data"
set firewall name eth0-local rule 60 protocol gre
set firewall name eth0-local rule 60 action accept
"protocol 47" can be used in place of "protocol gre" (GRE is IP protocol 47).
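To verify the firewall part after committing, the following is an added Python checker (not from the original page or from Vyatta) that parses the brace-format output of show configuration and reports whether a named ruleset accepts the PPTP control channel (tcp/1723), the GRE data channel and established/related traffic. The config it reads is a constructed sample in that format; the ruleset name eth0-local is taken from the commands above.

```python
# SAMPLE is a constructed config in the brace format that "show configuration" prints.
SAMPLE = """\
firewall {
    name eth0-local {
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            destination {
                port 1723
            }
            protocol tcp
        }
        rule 60 {
            action accept
            protocol gre
        }
    }
}
"""

def parse_config(text):
    # Nested dicts keyed by block header ("rule 10") or leaf keyword ("protocol").
    stack, node = [], {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("{"):            # open a block
            node[line[:-1].strip()] = child = {}
            stack.append(node)
            node = child
        elif line == "}":                 # close it
            node = stack.pop()
        else:                             # leaf: "key value" or a bare keyword
            key, _, value = line.partition(" ")
            node[key] = value or True
    return node                           # back at the root once every block is closed

def pptp_firewall_check(config, ruleset="eth0-local"):
    # Which of the three PPTP flows the named ruleset accepts.
    found = {"tcp_1723": False, "gre": False, "established": False}
    for name, rule in config.get("firewall", {}).get("name " + ruleset, {}).items():
        if name.startswith("rule ") and rule.get("action") == "accept":
            proto, port = rule.get("protocol"), rule.get("destination", {}).get("port")
            found["tcp_1723"] |= proto == "tcp" and port == "1723"
            found["gre"] |= proto in ("gre", "47")
            found["established"] |= rule.get("state", {}).get("established") == "enable"
    return found
```

Paste the real output of show configuration in place of SAMPLE; any False in the result points at the rule that is still missing.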
PPTP Configuration
Local Authentication
Example using local accounts for authentication.
set vpn pptp
set vpn pptp remote-access client-ip-pool start 192.168.11.100
set vpn pptp remote-access client-ip-pool stop 192.168.11.149
set vpn pptp remote-access authentication mode local
set vpn pptp remote-access authentication local-users username user1 password pass1
set vpn pptp remote-access dns-servers server-1 192.168.11.10
set vpn pptp remote-access dns-servers server-2 192.168.11.20
set vpn pptp remote-access outside-address 88.164.78.54
commit
Repeat the "set vpn pptp remote-access authentication local-users" line for each required user.
RADIUS Authentication
Example using centrally managed RADIUS for authentication.
set vpn pptp
set vpn pptp remote-access client-ip-pool start 192.168.11.100
set vpn pptp remote-access client-ip-pool stop 192.168.11.149
set vpn pptp remote-access authentication mode radius
set vpn pptp remote-access authentication radius-server 10.255.96.5 key 456479vrf
set vpn pptp remote-access dns-servers server-1 192.168.11.10
set vpn pptp remote-access dns-servers server-2 192.168.11.20
set vpn pptp remote-access outside-address 88.164.78.54
commit
MS NPS Setup
Microsoft Network Policy Server setup guidance. Use the following as a guide...
Make sure you remove the following attributes:
- Framed-Protocol PPP
- Service-Type Framed
Ensure that the only encryption option ticked under Network Policy | Settings is:
- Strongest encryption (MPPE 128-Bit)
Troubleshooting
If connections are not completing properly, use show log to see the Vyatta activity log.
- Log message: "MPPE required, but keys are not available. Possible plugin problem?"
- Fix: make sure that only 128-bit MPPE encryption is configured in the connection profile on the RADIUS server.