Sstrutt: Initial creation

2013-11-26T14:16:29Z

Initial creation

New page

Instructions on how to set-up a client/user PPTP VPN solution using a Vyatta router. For anymore than a handful of users, its best to use centralised user account management, eg RADIUS running on a Win2008 DC.

== Prerequisites ==
* Range of internal addresses to be assigned to users when they connect
* IP of RADIUS server and shared secret (if using RADIUS authentication)
* DNS server IP's for VPN clients
* VPN address (external IP of router)

Even if you expect to use RADIUS configuration, its probably best to configure using local authentication and a test account, so that you can test its basically working. Then add the two lines for RADIUS authentication.

== Firewall Configuration ==
Create a rule to allow the initial connection...
set firewall name eth0-local rule 10 description "PPTP access - Initial"
set firewall name eth0-local rule 10 destination port 1723
set firewall name eth0-local rule 10 protocol tcp
set firewall name eth0-local rule 10 action accept

There should be an existing rule to allow established and related connections. Show the config and look for

rule 10 {
action accept
description ESTABLISHED
state {
established enable
related enable
}
}

You can either add missing rule above, o0r create on specifically for PPTP Data traffic...
set firewall name eth0-local rule 60 description "PPTP access - Data"
set firewall name eth0-local rule 60 protocol gre (or "protocol 47")
set firewall name eth0-local rule 60 action accept

== PPTP Configuration ==
=== Local Authentication ===
Example using local accounts for authentication.
<pre>
set vpn pptp
set vpn pptp remote-access client-ip-pool start 192.168.11.100
set vpn pptp remote-access client-ip-pool stop 192.168.11.149
set vpn pptp remote-access authentication mode local
set vpn pptp remote-access authentication local-users username user1 password pass1
set vpn pptp remote-access dns-servers server-1 192.168.11.10
set vpn pptp remote-access dns-servers server-2 192.168.11.20
set vpn pptp remote-access outside-address 88.164.78.54
commit
</pre>

Repeat the <code>set vpn pptp remote-access authentication local-users</code> line for each required user.

=== RADIUS Authentication ===
Example using centrally managed RADIUS for authentication.
<pre>
set vpn pptp
set vpn pptp remote-access client-ip-pool start 192.168.11.100
set vpn pptp remote-access client-ip-pool stop 192.168.11.149
set vpn pptp remote-access authentication mode radius
set vpn pptp remote-access authentication radius-server 10.255.96.5 key 456479vrf
set vpn pptp remote-access dns-servers server-1 192.168.11.10
set vpn pptp remote-access dns-servers server-2 192.168.11.20
set vpn pptp remote-access outside-address 88.164.78.54
commit
</pre>

== MS NPS Setup ==
Microsoft Network Policy Server setup guidance. Use the following as a guide...
* http://www.ranjodh.com/networking/setup-windows-server-2008-r2-as-radius-server-for-cisco-asa/

Make sure you remove the following attributes
* Framed-Protocol PPP
* Service-Type Framed

Ensure that the only Network Policy | Settings encryption option ticked is
* Strongest encryption (MPPE 128-Bit)

== Troubleshooting ==
If connections are not completing properly use <code>show log</code> to see the Vyatta activity log.

* '''MPPE required, but keys are not available. Possible plugin problem?'''
** Make sure that ''only'' 128 bit MPPE Encryption is configured in the connection profile on the RADIUS server.

[[Category:Vyatta]]

PPTP VPN (Vyatta) - Revision history

Sstrutt: Initial creation